policy_module(misc,1.0.0)

### USER ###
# Extra access for the user_t domain.
# afs_access() and zephyr_access() are interfaces defined outside this
# module, so the permissions they expand to are not visible here; review
# their definitions together with the rules in this file.

require { type user_t; };

afs_access(user_t);
zephyr_access(user_t);
### AFS ###

require {
        type kernel_t;
        type initrc_t;
        type proc_t;
};

afs_access(kernel_t);
zephyr_access(kernel_t);

# The init.d script (initrc_t) sets up the AFS cell files, so it needs to
# write them and change their attributes.
# NOTE(review): afsd_etc_t is not listed in the require block above;
# presumably one of the interface calls brings it into scope -- confirm.
allow initrc_t afsd_etc_t:file setattr;
allow initrc_t afsd_etc_t:file write;

# Needed by aklog. The rule names the type proc_t rather than one specific
# file, so it applies to every file carrying that label; ordinary file
# permissions remain the only other check on those files.
# NOTE(review): a dedicated type for the file aklog writes would narrow
# this -- confirm whether one is available on the target system.
allow user_t proc_t:file write;
 | 26 | ### CRON ### | 
|---|
 | 27 |  | 
|---|
 | 28 | require { | 
|---|
 | 29 |         type crond_t, user_cron_spool_t; | 
|---|
| [84] | 30 |         type system_crond_t; | 
|---|
 | 31 |         type var_log_t; | 
|---|
| [79] | 32 | }; | 
|---|
 | 33 |  | 
|---|
| [82] | 34 | afs_access(crond_t); | 
|---|
| [79] | 35 | ### crond can switch to user_t rather than user_crond_t | 
|---|
 | 36 | ### (we have pam_env set SELINUX_ROLE_TYPE to accomplish this) | 
|---|
 | 37 | domain_cron_exemption_target(user_t) | 
|---|
 | 38 | allow user_t user_cron_spool_t:file entrypoint; | 
|---|
 | 39 | allow crond_t user_t:process transition; | 
|---|
 | 40 | dontaudit crond_t user_t:process { noatsecure siginh rlimitinh }; | 
|---|
 | 41 | allow crond_t user_t:fd use; | 
|---|
 | 42 | allow user_t crond_t:fd use; | 
|---|
 | 43 | allow user_t crond_t:fifo_file rw_file_perms; | 
|---|
 | 44 | allow user_t crond_t:process sigchld; | 
|---|
| [84] | 45 | allow system_crond_t var_log_t:file rw_file_perms; | 
|---|
| [79] | 46 |  | 
|---|
### SSH ###

require { type sshd_t; };

afs_access(sshd_t);

# GSSAPI authentication in sshd: the daemon has to read the Kerberos
# keytab. The keytab holds long-term keys, so keep the set of domains with
# this access small.
kerberos_read_keytab(sshd_t)

# user_t may search keys labelled kernel_t (search only; no other key
# permission is granted here). user_t and kernel_t are declared by the
# require blocks of the USER and AFS sections of this file.
allow user_t kernel_t:key search;
 | 58 | ### MAIL ### | 
|---|
| [82] | 59 |  | 
|---|
 | 60 | require { | 
|---|
 | 61 |         type postfix_local_t, procmail_t, sendmail_t; | 
|---|
 | 62 | }; | 
|---|
 | 63 |  | 
|---|
 | 64 | afs_access(postfix_local_t); | 
|---|
 | 65 | afs_access(procmail_t); | 
|---|
| [79] | 66 | mta_sendmail_exec(user_t) | 
|---|
| [84] | 67 | mta_sendmail_exec(system_crond_t) | 
|---|
| [79] | 68 | can_exec(user_t, sendmail_exec_t) | 
|---|
| [84] | 69 | can_exec(system_crond_t, sendmail_exec_t) | 
|---|
| [81] | 70 | allow sendmail_t postfix_local_t:fd use; | 
|---|
 | 71 | allow sendmail_t postfix_local_t:fifo_file { getattr write }; | 
|---|
 | 72 | corecmd_exec_bin(procmail_t) | 
|---|
 | 73 | corecmd_exec_sbin(procmail_t) | 
|---|
| [79] | 74 |  | 
|---|
 | 75 | ### HTTPD ### | 
|---|
| [82] | 76 |  | 
|---|
 | 77 | require { | 
|---|
 | 78 |         type httpd_t, httpd_suexec_exec_t; | 
|---|
 | 79 | }; | 
|---|
 | 80 |  | 
|---|
 | 81 | afs_access(httpd_t); | 
|---|
| [79] | 82 | allow httpd_t self:key all_key_perms; | 
|---|
| [82] | 83 | allow httpd_t self:process setrlimit; | 
|---|
 | 84 | allow httpd_t httpd_suexec_exec_t:file { execute execute_no_trans }; | 
|---|