[28] | 1 | policy_module(misc,1.0.0) |
---|
| 2 | |
---|
[82] | 3 | ### USER ### |
---|
| 4 | |
---|
| 5 | require { |
---|
| 6 | type user_t; |
---|
| 7 | }; |
---|
| 8 | |
---|
| 9 | afs_access(user_t); |
---|
[84] | 10 | zephyr_access(user_t); |
---|
[82] | 11 | |
---|
[79] | 12 | ### AFS ### |
---|
| 13 | |
---|
| 14 | require { |
---|
[82] | 15 | type kernel_t, initrc_t, proc_t; |
---|
| 16 | }; |
---|
| 17 | |
---|
[79] | 18 | afs_access(kernel_t); |
---|
[84] | 19 | zephyr_access(kernel_t); |
---|
[79] | 20 | |
---|
| 21 | # init.d script sets up cell files: |
---|
| 22 | allow initrc_t afsd_etc_t:file { setattr write }; |
---|
| 23 | # permit aklog: |
---|
| 24 | allow user_t proc_t:file write; |
---|
| 25 | |
---|
| 26 | ### CRON ### |
---|
| 27 | |
---|
| 28 | require { |
---|
| 29 | type crond_t, user_cron_spool_t; |
---|
[84] | 30 | type system_crond_t; |
---|
| 31 | type var_log_t; |
---|
[79] | 32 | }; |
---|
| 33 | |
---|
[82] | 34 | afs_access(crond_t); |
---|
[79] | 35 | ### crond can switch to user_t rather than user_crond_t |
---|
| 36 | ### (we have pam_env set SELINUX_ROLE_TYPE to accomplish this) |
---|
| 37 | domain_cron_exemption_target(user_t) |
---|
| 38 | allow user_t user_cron_spool_t:file entrypoint; |
---|
| 39 | allow crond_t user_t:process transition; |
---|
| 40 | dontaudit crond_t user_t:process { noatsecure siginh rlimitinh }; |
---|
| 41 | allow crond_t user_t:fd use; |
---|
| 42 | allow user_t crond_t:fd use; |
---|
| 43 | allow user_t crond_t:fifo_file rw_file_perms; |
---|
| 44 | allow user_t crond_t:process sigchld; |
---|
[84] | 45 | allow system_crond_t var_log_t:file rw_file_perms; |
---|
[79] | 46 | |
---|
[82] | 47 | ### SSH ### |
---|
[79] | 48 | |
---|
| 49 | require { |
---|
[82] | 50 | type sshd_t; |
---|
[79] | 51 | }; |
---|
| 52 | |
---|
[82] | 53 | afs_access(sshd_t); |
---|
[79] | 54 | ### sshd GSSAPI authentication |
---|
| 55 | kerberos_read_keytab(sshd_t) |
---|
| 56 | allow user_t kernel_t:key search; |
---|
| 57 | |
---|
| 58 | ### MAIL ### |
---|
[82] | 59 | |
---|
| 60 | require { |
---|
| 61 | type postfix_local_t, procmail_t, sendmail_t; |
---|
| 62 | }; |
---|
| 63 | |
---|
| 64 | afs_access(postfix_local_t); |
---|
| 65 | afs_access(procmail_t); |
---|
[79] | 66 | mta_sendmail_exec(user_t) |
---|
[84] | 67 | mta_sendmail_exec(system_crond_t) |
---|
[79] | 68 | can_exec(user_t, sendmail_exec_t) |
---|
[84] | 69 | can_exec(system_crond_t, sendmail_exec_t) |
---|
[81] | 70 | allow sendmail_t postfix_local_t:fd use; |
---|
| 71 | allow sendmail_t postfix_local_t:fifo_file { getattr write }; |
---|
| 72 | corecmd_exec_bin(procmail_t) |
---|
| 73 | corecmd_exec_sbin(procmail_t) |
---|
[79] | 74 | |
---|
| 75 | ### HTTPD ### |
---|
[82] | 76 | |
---|
| 77 | require { |
---|
| 78 | type httpd_t, httpd_suexec_exec_t; |
---|
| 79 | }; |
---|
| 80 | |
---|
| 81 | afs_access(httpd_t); |
---|
[79] | 82 | allow httpd_t self:key all_key_perms; |
---|
[82] | 83 | allow httpd_t self:process setrlimit; |
---|
| 84 | allow httpd_t httpd_suexec_exec_t:file { execute execute_no_trans }; |
---|