source: selinux/build/misc.te @ 82

Last change on this file since 82 was 82, checked in by presbrey, 16 years ago
httpd can resource limit suexec
File size: 1.5 KB
Line 
1policy_module(misc,1.0.0)
2
3### USER ###
4
5require {
6        type user_t;
7};
8
9afs_access(user_t);
10
11### AFS ###
12
13require {
14        type kernel_t, initrc_t, proc_t;
15};
16
17afs_access(kernel_t);
18
19# init.d script sets up cell files:
20allow initrc_t afsd_etc_t:file { setattr write };
21# permit aklog:
22allow user_t proc_t:file write;
23
24### CRON ###
25
26require {
27        type crond_t, user_cron_spool_t;
28};
29
30afs_access(crond_t);
31### crond can switch to user_t rather than user_crond_t
32### (we have pam_env set SELINUX_ROLE_TYPE to accomplish this)
33domain_cron_exemption_target(user_t)
34allow user_t user_cron_spool_t:file entrypoint;
35allow crond_t user_t:process transition;
36dontaudit crond_t user_t:process { noatsecure siginh rlimitinh };
37allow crond_t user_t:fd use;
38allow user_t crond_t:fd use;
39allow user_t crond_t:fifo_file rw_file_perms;
40allow user_t crond_t:process sigchld;
41
42### SSH ###
43
44require {
45        type sshd_t;
46};
47
48afs_access(sshd_t);
49### sshd GSSAPI authentication
50kerberos_read_keytab(sshd_t)
51allow user_t kernel_t:key search;
52
53### MAIL ###
54
55require {
56        type postfix_local_t, procmail_t, sendmail_t;
57};
58
59afs_access(postfix_local_t);
60afs_access(procmail_t);
61mta_sendmail_exec(user_t)
62can_exec(user_t, sendmail_exec_t)
63allow sendmail_t postfix_local_t:fd use;
64allow sendmail_t postfix_local_t:fifo_file { getattr write };
65corecmd_exec_bin(procmail_t)
66corecmd_exec_sbin(procmail_t)
67
68### HTTPD ###
69
70require {
71        type httpd_t, httpd_suexec_exec_t;
72};
73
74afs_access(httpd_t);
75allow httpd_t self:key all_key_perms;
76allow httpd_t self:process setrlimit;
77allow httpd_t httpd_suexec_exec_t:file { execute execute_no_trans };
Note: See TracBrowser for help on using the repository browser.