source: selinux/build/misc.te @ 81

Last change on this file since 81 was 81, checked in by presbrey, 15 years ago
more specific SELinux AFS access interface procmail can spawn system binaries
File size: 1.4 KB
Line 
1policy_module(misc,1.0.0)
2
3### AFS ###
4
5require {
6        type crond_t, kernel_t, sshd_t, user_t, httpd_t;
7        type postfix_local_t, procmail_t;
8        type proc_t;
9}
10afs_access(afsd_t);
11afs_access(crond_t);
12afs_access(httpd_t);
13afs_access(kernel_t);
14afs_access(postfix_local_t);
15afs_access(procmail_t);
16afs_access(sshd_t);
17afs_access(user_t);
18
19require {
20        type initrc_t;
21}
22# init.d script sets up cell files:
23allow initrc_t afsd_etc_t:file { setattr write };
24# permit aklog:
25allow user_t proc_t:file write;
26
27### CRON ###
28
29require {
30        type crond_t, user_cron_spool_t;
31        type user_t;
32};
33
34### crond can switch to user_t rather than user_crond_t
35### (we have pam_env set SELINUX_ROLE_TYPE to accomplish this)
36domain_cron_exemption_target(user_t)
37allow user_t user_cron_spool_t:file entrypoint;
38allow crond_t user_t:process transition;
39dontaudit crond_t user_t:process { noatsecure siginh rlimitinh };
40allow crond_t user_t:fd use;
41allow user_t crond_t:fd use;
42allow user_t crond_t:fifo_file rw_file_perms;
43allow user_t crond_t:process sigchld;
44
45### KRB ###
46
47require {
48        type sendmail_t, sshd_t;
49};
50
51### sshd GSSAPI authentication
52kerberos_read_keytab(sshd_t)
53allow user_t kernel_t:key search;
54
55### MAIL ###
56mta_sendmail_exec(user_t)
57can_exec(user_t, sendmail_exec_t)
58allow sendmail_t postfix_local_t:fd use;
59allow sendmail_t postfix_local_t:fifo_file { getattr write };
60corecmd_exec_bin(procmail_t)
61corecmd_exec_sbin(procmail_t)
62
63### HTTPD ###
64allow httpd_t self:key all_key_perms;
Note: See TracBrowser for help on using the repository browser.