1 | policy_module(misc,1.0.0) |
---|
2 | |
---|
3 | ### USER ### |
---|
4 | |
---|
5 | require { |
---|
6 | type user_t; |
---|
7 | }; |
---|
8 | |
---|
9 | afs_access(user_t); |
---|
10 | zephyr_access(user_t); |
---|
11 | |
---|
12 | ### AFS ### |
---|
13 | |
---|
14 | require { |
---|
15 | type kernel_t, initrc_t, proc_t; |
---|
16 | }; |
---|
17 | |
---|
18 | afs_access(kernel_t); |
---|
19 | zephyr_access(kernel_t); |
---|
20 | |
---|
21 | # init.d script sets up cell files: |
---|
22 | allow initrc_t afsd_etc_t:file { setattr write }; |
---|
23 | # permit aklog: |
---|
24 | allow user_t proc_t:file write; |
---|
25 | |
---|
26 | ### CRON ### |
---|
27 | |
---|
28 | require { |
---|
29 | type crond_t, user_cron_spool_t; |
---|
30 | type system_crond_t; |
---|
31 | type var_log_t; |
---|
32 | }; |
---|
33 | |
---|
34 | afs_access(crond_t); |
---|
35 | ### crond can switch to user_t rather than user_crond_t |
---|
36 | ### (we have pam_env set SELINUX_ROLE_TYPE to accomplish this) |
---|
37 | domain_cron_exemption_target(user_t) |
---|
38 | allow user_t user_cron_spool_t:file entrypoint; |
---|
39 | allow crond_t user_t:process transition; |
---|
40 | dontaudit crond_t user_t:process { noatsecure siginh rlimitinh }; |
---|
41 | allow crond_t user_t:fd use; |
---|
42 | allow user_t crond_t:fd use; |
---|
43 | allow user_t crond_t:fifo_file rw_file_perms; |
---|
44 | allow user_t crond_t:process sigchld; |
---|
45 | allow system_crond_t var_log_t:file rw_file_perms; |
---|
46 | |
---|
47 | ### SSH ### |
---|
48 | |
---|
49 | require { |
---|
50 | type sshd_t; |
---|
51 | }; |
---|
52 | |
---|
53 | afs_access(sshd_t); |
---|
54 | ### sshd GSSAPI authentication |
---|
55 | kerberos_read_keytab(sshd_t) |
---|
56 | allow user_t kernel_t:key search; |
---|
57 | |
---|
58 | ### MAIL ### |
---|
59 | |
---|
60 | require { |
---|
61 | type postfix_local_t, procmail_t, sendmail_t; |
---|
62 | }; |
---|
63 | |
---|
64 | afs_access(postfix_local_t); |
---|
65 | afs_access(procmail_t); |
---|
66 | mta_sendmail_exec(user_t) |
---|
67 | mta_sendmail_exec(system_crond_t) |
---|
68 | can_exec(user_t, sendmail_exec_t) |
---|
69 | can_exec(system_crond_t, sendmail_exec_t) |
---|
70 | allow sendmail_t postfix_local_t:fd use; |
---|
71 | allow sendmail_t postfix_local_t:fifo_file { getattr write }; |
---|
72 | corecmd_exec_bin(procmail_t) |
---|
73 | corecmd_exec_sbin(procmail_t) |
---|
74 | |
---|
75 | ### HTTPD ### |
---|
76 | |
---|
77 | require { |
---|
78 | type httpd_t, httpd_suexec_exec_t; |
---|
79 | }; |
---|
80 | |
---|
81 | afs_access(httpd_t); |
---|
82 | allow httpd_t self:key all_key_perms; |
---|
83 | allow httpd_t self:process setrlimit; |
---|
84 | allow httpd_t httpd_suexec_exec_t:file { execute execute_no_trans }; |
---|