Context Navigation

misc.te @ 81

Last change on this file since 81 was 81, checked in by presbrey, 17 years ago
more specific SELinux AFS access interface procmail can spawn system binaries
File size: 1.4 KB

Line
1	policy_module(misc,1.0.0)
2
3	### AFS ###
4
5	require {
6	type crond_t, kernel_t, sshd_t, user_t, httpd_t;
7	type postfix_local_t, procmail_t;
8	type proc_t;
9	}
10	afs_access(afsd_t);
11	afs_access(crond_t);
12	afs_access(httpd_t);
13	afs_access(kernel_t);
14	afs_access(postfix_local_t);
15	afs_access(procmail_t);
16	afs_access(sshd_t);
17	afs_access(user_t);
18
19	require {
20	type initrc_t;
21	}
22	# init.d script sets up cell files:
23	allow initrc_t afsd_etc_t:file { setattr write };
24	# permit aklog:
25	allow user_t proc_t:file write;
26
27	### CRON ###
28
29	require {
30	type crond_t, user_cron_spool_t;
31	type user_t;
32	};
33
34	### crond can switch to user_t rather than user_crond_t
35	### (we have pam_env set SELINUX_ROLE_TYPE to accomplish this)
36	domain_cron_exemption_target(user_t)
37	allow user_t user_cron_spool_t:file entrypoint;
38	allow crond_t user_t:process transition;
39	dontaudit crond_t user_t:process { noatsecure siginh rlimitinh };
40	allow crond_t user_t:fd use;
41	allow user_t crond_t:fd use;
42	allow user_t crond_t:fifo_file rw_file_perms;
43	allow user_t crond_t:process sigchld;
44
45	### KRB ###
46
47	require {
48	type sendmail_t, sshd_t;
49	};
50
51	### sshd GSSAPI authentication
52	kerberos_read_keytab(sshd_t)
53	allow user_t kernel_t:key search;
54
55	### MAIL ###
56	mta_sendmail_exec(user_t)
57	can_exec(user_t, sendmail_exec_t)
58	allow sendmail_t postfix_local_t:fd use;
59	allow sendmail_t postfix_local_t:fifo_file { getattr write };
60	corecmd_exec_bin(procmail_t)
61	corecmd_exec_sbin(procmail_t)
62
63	### HTTPD ###
64	allow httpd_t self:key all_key_perms;

Note: See TracBrowser for help on using the repository browser.

Download in other formats:

Original Format