# misc.te -- site-local SELinux type-enforcement additions layered on top of
# the reference policy.  Each section pulls in base-policy types with a
# `require` block and then grants the extra permissions this site needs for
# AFS, Zephyr, cron, sshd, mail and httpd.
#
# afs_access() and zephyr_access() are not defined in this file; they
# presumably come from this project's own afs/zephyr modules -- check their
# definitions before widening or narrowing any caller below.
#
# Lines marked NOTE(review) are grants that look broader than the stated
# purpose needs; each says what a tighter form would be.
policy_module(misc,1.0.0)

### USER ###

require {
        type user_t;
};

# Interactive users get AFS and Zephyr access directly from their login domain.
afs_access(user_t);
zephyr_access(user_t);

### AFS ###

require {
        type kernel_t, initrc_t, proc_t;
};

# The AFS client runs as kernel threads, so the kernel domain itself needs
# AFS (and Zephyr) access.
afs_access(kernel_t);
zephyr_access(kernel_t);

# init.d script sets up cell files:
# afsd_etc_t is not listed in a require block in this file; presumably the
# afs_access() interface pulls it in -- confirm, or the module will fail to link.
allow initrc_t afsd_etc_t:file { setattr write };
# permit aklog:
# NOTE(review): this is write on *every* proc_t-labelled file, not only the
# OpenAFS node under /proc that aklog presumably talks to.  A dedicated type
# for that node (or an interface in the afs module) would keep user_t's
# writable /proc surface to the one file it needs.
allow user_t proc_t:file write;

### CRON ###

require {
        type crond_t, user_cron_spool_t;
        type system_crond_t;
        type var_log_t;
};

afs_access(crond_t);
### crond can switch to user_t rather than user_crond_t
### (we have pam_env set SELINUX_ROLE_TYPE to accomplish this)
# domain_cron_exemption_target() relaxes the base policy's constraints on
# cron-initiated role/identity changes for user_t (check the installed
# refpolicy's domain.if for the exact effect), and the entrypoint rule makes
# user crontab files a valid entry into user_t.  Consequence: a user's cron
# jobs run with the full user_t domain rather than a cron-specific one, so
# whatever user_t may do, a crontab may do unattended.
domain_cron_exemption_target(user_t)
allow user_t user_cron_spool_t:file entrypoint;
# crond_t -> user_t transition plus the usual parent/child plumbing (fds,
# the job's stdio fifo, SIGCHLD back to crond).  The dontaudit only silences
# the log entries for the three inheritance checks (noatsecure, siginh,
# rlimitinh); they are still denied, so the job does not inherit them.
allow crond_t user_t:process transition;
dontaudit crond_t user_t:process { noatsecure siginh rlimitinh };
allow crond_t user_t:fd use;
allow user_t crond_t:fd use;
allow user_t crond_t:fifo_file rw_file_perms;
allow user_t crond_t:process sigchld;
# NOTE(review): rw_file_perms on the generic var_log_t type lets every system
# cron job read and rewrite any log carrying that label.  If this exists for
# one specific log, give that log its own type; as written it hands all
# system cron jobs the ability to alter arbitrary logs.
allow system_crond_t var_log_t:file rw_file_perms;

### SSH ###

require {
        type sshd_t;
};

afs_access(sshd_t);
### sshd GSSAPI authentication
kerberos_read_keytab(sshd_t)
# NOTE(review): the subject here is user_t, not sshd_t, so this rule belongs
# with the USER rules even though it sits in the SSH section.  Presumably it
# is needed to find credentials held in a kernel-owned keyring -- confirm
# which keyring, and whether `search` alone is actually sufficient.
allow user_t kernel_t:key search;

### MAIL ###

require {
        type postfix_local_t, procmail_t, sendmail_t;
};

afs_access(postfix_local_t);
afs_access(procmail_t);
# Users and system cron jobs may run the sendmail binary.  The can_exec()
# lines allow it to run inside the caller's own domain (no transition to
# sendmail_t).  In refpolicy, mta_sendmail_exec() already expands to that
# same can_exec on sendmail_exec_t, so the two pairs are likely redundant --
# confirm against the installed refpolicy version before dropping either.
mta_sendmail_exec(user_t)
mta_sendmail_exec(system_crond_t)
can_exec(user_t, sendmail_exec_t)
can_exec(system_crond_t, sendmail_exec_t)
# Local delivery hands off to sendmail: sendmail_t inherits postfix_local_t's
# descriptors and writes to its pipes.
allow sendmail_t postfix_local_t:fd use;
allow sendmail_t postfix_local_t:fifo_file { getattr write };
# procmail recipes may execute programs from bin/sbin.  These interfaces grant
# execution without a domain transition, so the spawned programs stay in
# procmail_t and are bounded by procmail_t's permissions.
corecmd_exec_bin(procmail_t)
corecmd_exec_sbin(procmail_t)

### HTTPD ###

require {
        type httpd_t, httpd_suexec_exec_t;
};

afs_access(httpd_t);
# Every key-class permission on its own keyrings, and the ability to change
# its own resource limits.
allow httpd_t self:key all_key_perms;
allow httpd_t self:process setrlimit;
# NOTE(review): execute_no_trans lets httpd_t run the suexec binary *without*
# transitioning into the separate suexec domain the base policy provides for
# it.  That domain exists so that suexec, and the user CGI it launches, are
# kept apart from the web server; a no-transition exec keeps all of that
# inside httpd_t.  If only the transition path is needed, `execute` alone is
# the least-privilege form -- confirm whether the transition was failing or
# whether running suexec in-domain was genuinely intended.
allow httpd_t httpd_suexec_exec_t:file { execute execute_no_trans };