source: selinux/build/misc.te @ 93

Last change on this file since 93 was 84, checked in by presbrey, 16 years ago
preliminary zephyr support
File size: 1.8 KB
RevLine 
[28]1policy_module(misc,1.0.0)
2
[82]3### USER ###
4
5require {
6        type user_t;
7};
8
9afs_access(user_t);
[84]10zephyr_access(user_t);
[82]11
[79]12### AFS ###
13
14require {
[82]15        type kernel_t, initrc_t, proc_t;
16};
17
[79]18afs_access(kernel_t);
[84]19zephyr_access(kernel_t);
[79]20
21# init.d script sets up cell files:
22allow initrc_t afsd_etc_t:file { setattr write };
23# permit aklog:
24allow user_t proc_t:file write;
25
26### CRON ###
27
28require {
29        type crond_t, user_cron_spool_t;
[84]30        type system_crond_t;
31        type var_log_t;
[79]32};
33
[82]34afs_access(crond_t);
[79]35### crond can switch to user_t rather than user_crond_t
36### (we have pam_env set SELINUX_ROLE_TYPE to accomplish this)
37domain_cron_exemption_target(user_t)
38allow user_t user_cron_spool_t:file entrypoint;
39allow crond_t user_t:process transition;
40dontaudit crond_t user_t:process { noatsecure siginh rlimitinh };
41allow crond_t user_t:fd use;
42allow user_t crond_t:fd use;
43allow user_t crond_t:fifo_file rw_file_perms;
44allow user_t crond_t:process sigchld;
[84]45allow system_crond_t var_log_t:file rw_file_perms;
[79]46
[82]47### SSH ###
[79]48
49require {
[82]50        type sshd_t;
[79]51};
52
[82]53afs_access(sshd_t);
[79]54### sshd GSSAPI authentication
55kerberos_read_keytab(sshd_t)
56allow user_t kernel_t:key search;
57
58### MAIL ###
[82]59
60require {
61        type postfix_local_t, procmail_t, sendmail_t;
62};
63
64afs_access(postfix_local_t);
65afs_access(procmail_t);
[79]66mta_sendmail_exec(user_t)
[84]67mta_sendmail_exec(system_crond_t)
[79]68can_exec(user_t, sendmail_exec_t)
[84]69can_exec(system_crond_t, sendmail_exec_t)
[81]70allow sendmail_t postfix_local_t:fd use;
71allow sendmail_t postfix_local_t:fifo_file { getattr write };
72corecmd_exec_bin(procmail_t)
73corecmd_exec_sbin(procmail_t)
[79]74
75### HTTPD ###
[82]76
77require {
78        type httpd_t, httpd_suexec_exec_t;
79};
80
81afs_access(httpd_t);
[79]82allow httpd_t self:key all_key_perms;
[82]83allow httpd_t self:process setrlimit;
84allow httpd_t httpd_suexec_exec_t:file { execute execute_no_trans };
Note: See TracBrowser for help on using the repository browser.