Context Navigation

misc.te @ 79

Last change on this file since 79 was 79, checked in by presbrey, 17 years ago
vixie-cron executes as the user under SELinux SELinux policy for afsd and afsagent
File size: 1.2 KB

Rev	Line
[28]	1	policy_module(misc,1.0.0)
	2
[79]	3	### AFS ###
	4
	5	require {
	6	type crond_t, kernel_t, sshd_t, user_t, httpd_t;
	7	type proc_t;
	8	}
	9	afs_access(afsd_t);
	10	afs_access(crond_t);
	11	afs_access(httpd_t);
	12	afs_access(kernel_t);
	13	afs_access(sshd_t);
	14	afs_access(user_t);
	15
	16	require {
	17	type initrc_t;
	18	}
	19	# init.d script sets up cell files:
	20	allow initrc_t afsd_etc_t:file { setattr write };
	21	# permit aklog:
	22	allow user_t proc_t:file write;
	23
	24	### CRON ###
	25
	26	require {
	27	type crond_t, user_cron_spool_t;
	28	type user_t;
	29	};
	30
	31	### crond can switch to user_t rather than user_crond_t
	32	### (we have pam_env set SELINUX_ROLE_TYPE to accomplish this)
	33	domain_cron_exemption_target(user_t)
	34	allow user_t user_cron_spool_t:file entrypoint;
	35	allow crond_t user_t:process transition;
	36	dontaudit crond_t user_t:process { noatsecure siginh rlimitinh };
	37	allow crond_t user_t:fd use;
	38	allow user_t crond_t:fd use;
	39	allow user_t crond_t:fifo_file rw_file_perms;
	40	allow user_t crond_t:process sigchld;
	41
	42	### KRB ###
	43
	44	require {
	45	type sshd_t;
	46	};
	47
	48	### sshd GSSAPI authentication
	49	kerberos_read_keytab(sshd_t)
	50	allow user_t kernel_t:key search;
	51
	52	### MAIL ###
	53	mta_sendmail_exec(user_t)
	54	can_exec(user_t, sendmail_exec_t)
	55
	56
	57	### HTTPD ###
	58	allow httpd_t self:key all_key_perms;

Note: See TracBrowser for help on using the repository browser.