[100] | 1 | # Joe Presbrey |
---|
| 2 | # presbrey@mit.edu |
---|
| 3 | # 2006/1/15 |
---|
[28] | 4 | |
---|
[100] | 5 | policy_module(scripts,1.0.0) |
---|
| 6 | |
---|
[82] | 7 | ### USER ### |
---|
| 8 | |
---|
| 9 | require { |
---|
[117] | 10 | attribute domain, userdomain, unpriv_userdomain; |
---|
[82] | 11 | type user_t; |
---|
| 12 | }; |
---|
| 13 | |
---|
[117] | 14 | type user_setuid_t, domain, userdomain, unpriv_userdomain; |
---|
| 15 | role user_r types user_setuid_t; |
---|
| 16 | domain_interactive_fd(user_setuid_t) |
---|
| 17 | files_read_etc_files(user_setuid_t) |
---|
| 18 | libs_use_ld_so(user_setuid_t) |
---|
| 19 | libs_use_shared_libs(user_setuid_t) |
---|
| 20 | miscfiles_read_localization(user_setuid_t) |
---|
| 21 | corecmd_exec_all_executables(user_setuid_t) |
---|
| 22 | term_use_all_user_ptys(user_setuid_t) |
---|
| 23 | |
---|
| 24 | allow user_setuid_t bin_t:file entrypoint; |
---|
| 25 | allow user_setuid_t sbin_t:file entrypoint; |
---|
| 26 | |
---|
| 27 | # allow user_setuid_t domain to call setuid and setgid |
---|
| 28 | allow user_setuid_t self:capability { setuid setgid }; |
---|
| 29 | |
---|
| 30 | # transition back to the user domain when executing "user" binaries |
---|
| 31 | domain_auto_trans(user_setuid_t, nfs_t, user_t) |
---|
| 32 | |
---|
| 33 | # allow user_setuid_t domain to signal its caller |
---|
| 34 | allow user_setuid_t user_t:process sigchld; |
---|
| 35 | |
---|
[82] | 36 | afs_access(user_t); |
---|
[117] | 37 | afs_access(user_setuid_t); |
---|
[84] | 38 | zephyr_access(user_t); |
---|
[82] | 39 | |
---|
[100] | 40 | # permit aklog: |
---|
| 41 | kernel_write_proc_files(user_t) |
---|
| 42 | #allow user_t proc_t:file write; |
---|
| 43 | |
---|
[79] | 44 | ### AFS ### |
---|
| 45 | |
---|
| 46 | require { |
---|
[100] | 47 | type kernel_t; |
---|
[82] | 48 | }; |
---|
| 49 | |
---|
[79] | 50 | afs_access(kernel_t); |
---|
[84] | 51 | zephyr_access(kernel_t); |
---|
[79] | 52 | |
---|
[100] | 53 | ### INIT ### |
---|
| 54 | |
---|
| 55 | require { |
---|
| 56 | type initrc_t, tmp_t; |
---|
| 57 | }; |
---|
| 58 | |
---|
[79] | 59 | # init.d script sets up cell files: |
---|
[100] | 60 | afs_access(initrc_t); |
---|
| 61 | allow initrc_t afsd_etc_t:file { rw_file_perms setattr }; |
---|
[79] | 62 | |
---|
[100] | 63 | # init.d makes the sessions directory: |
---|
| 64 | allow initrc_t tmp_t:dir { create setattr }; |
---|
| 65 | |
---|
| 66 | # AFS fs |
---|
| 67 | kernel_write_proc_files(initrc_t) |
---|
| 68 | |
---|
[79] | 69 | ### CRON ### |
---|
| 70 | |
---|
| 71 | require { |
---|
[100] | 72 | type crond_t, user_cron_spool_t, user_crontab_t; |
---|
[84] | 73 | type system_crond_t; |
---|
| 74 | type var_log_t; |
---|
[79] | 75 | }; |
---|
| 76 | |
---|
[82] | 77 | afs_access(crond_t); |
---|
[100] | 78 | afs_access(user_crontab_t); |
---|
[79] | 79 | ### crond can switch to user_t rather than user_crond_t |
---|
| 80 | ### (we have pam_env set SELINUX_ROLE_TYPE to accomplish this) |
---|
| 81 | domain_cron_exemption_target(user_t) |
---|
[100] | 82 | domain_entry_file(user_t, user_cron_spool_t) |
---|
| 83 | domain_trans(crond_t, user_cron_spool_t, user_t) |
---|
| 84 | allow user_t crond_t:process sigchld; |
---|
| 85 | allow crond_t self:process setrlimit; |
---|
[79] | 86 | allow crond_t user_t:fd use; |
---|
| 87 | allow user_t crond_t:fd use; |
---|
| 88 | allow user_t crond_t:fifo_file rw_file_perms; |
---|
[100] | 89 | allow crond_t user_t:fifo_file rw_file_perms; |
---|
[84] | 90 | allow system_crond_t var_log_t:file rw_file_perms; |
---|
[79] | 91 | |
---|
[82] | 92 | ### SSH ### |
---|
[79] | 93 | |
---|
| 94 | require { |
---|
[112] | 95 | type sshd_t, sshd_tmp_t; |
---|
[79] | 96 | }; |
---|
| 97 | |
---|
[82] | 98 | afs_access(sshd_t); |
---|
[79] | 99 | ### sshd GSSAPI authentication |
---|
| 100 | kerberos_read_keytab(sshd_t) |
---|
[112] | 101 | # forwarded kerberos tickets via ssh -K |
---|
| 102 | allow user_t sshd_tmp_t:file r_file_perms; |
---|
| 103 | |
---|
[100] | 104 | dontaudit user_t kernel_t:key all_key_perms; |
---|
[79] | 105 | |
---|
[100] | 106 | # (for admof) |
---|
| 107 | # perl |
---|
| 108 | corecmd_exec_bin(sshd_t) |
---|
| 109 | # aklog |
---|
| 110 | corecmd_exec_sbin(sshd_t) |
---|
| 111 | # exec |
---|
| 112 | corecmd_exec_shell(sshd_t) |
---|
| 113 | # fs |
---|
| 114 | kernel_write_proc_files(sshd_t) |
---|
| 115 | |
---|
[79] | 116 | ### MAIL ### |
---|
[82] | 117 | |
---|
| 118 | require { |
---|
| 119 | type postfix_local_t, procmail_t, sendmail_t; |
---|
| 120 | }; |
---|
| 121 | |
---|
| 122 | afs_access(postfix_local_t); |
---|
| 123 | afs_access(procmail_t); |
---|
[79] | 124 | mta_sendmail_exec(user_t) |
---|
[84] | 125 | mta_sendmail_exec(system_crond_t) |
---|
[79] | 126 | can_exec(user_t, sendmail_exec_t) |
---|
[84] | 127 | can_exec(system_crond_t, sendmail_exec_t) |
---|
[81] | 128 | allow sendmail_t postfix_local_t:fd use; |
---|
| 129 | allow sendmail_t postfix_local_t:fifo_file { getattr write }; |
---|
| 130 | corecmd_exec_bin(procmail_t) |
---|
| 131 | corecmd_exec_sbin(procmail_t) |
---|
[79] | 132 | |
---|
| 133 | ### HTTPD ### |
---|
[82] | 134 | |
---|
| 135 | require { |
---|
[100] | 136 | type httpd_t, httpd_suexec_exec_t, httpd_suexec_t; |
---|
| 137 | role user_r; |
---|
[82] | 138 | }; |
---|
| 139 | |
---|
| 140 | afs_access(httpd_t); |
---|
[100] | 141 | dontaudit httpd_t self:key all_key_perms; |
---|
| 142 | dontaudit httpd_t sshd_t:key all_key_perms; |
---|
| 143 | dontaudit httpd_t kernel_t:key all_key_perms; |
---|
[82] | 144 | allow httpd_t self:process setrlimit; |
---|
[100] | 145 | |
---|
| 146 | # SUEXEC PHASE 1 |
---|
| 147 | can_exec(httpd_t, httpd_suexec_exec_t) |
---|
| 148 | domain_auto_trans(httpd_t, httpd_suexec_exec_t, httpd_suexec_t) |
---|
| 149 | apache_read_config(httpd_suexec_t) |
---|
| 150 | apache_read_log(httpd_suexec_t) |
---|
| 151 | apache_append_log(httpd_suexec_t) |
---|
| 152 | |
---|
| 153 | # SUEXEC PHASE 2 |
---|
| 154 | allow httpd_suexec_t self:process { setexec }; |
---|
| 155 | allow httpd_suexec_t user_t:process { transition siginh rlimitinh noatsecure }; |
---|
| 156 | |
---|
| 157 | # SUEXEC PHASE 3 |
---|
| 158 | allow { httpd_suexec_t user_t } httpd_t:fd { use }; |
---|
| 159 | allow { httpd_suexec_t user_t } httpd_t:fifo_file { read write }; |
---|
| 160 | allow { httpd_suexec_t user_t } httpd_t:process { sigchld }; |
---|
| 161 | allow { user_t } httpd_suexec_t:fd { use }; |
---|
| 162 | #allow httpd_suexec_t user_t:process transition; |
---|
| 163 | domain_unconfined(httpd_suexec_t) |
---|
| 164 | |
---|
| 165 | ### *** ### |
---|
| 166 | |
---|
| 167 | require { |
---|
| 168 | type var_run_t; |
---|
| 169 | }; |
---|
| 170 | |
---|
| 171 | # named.pid |
---|
| 172 | allow initrc_t var_run_t:lnk_file create; |
---|
| 173 | |
---|
| 174 | # semodule -i |
---|
| 175 | require { type semanage_t, sysadm_home_t; }; |
---|
| 176 | allow semanage_t sysadm_home_t:dir rw_dir_perms; |
---|
| 177 | allow semanage_t sysadm_home_t:file rw_file_perms; |
---|
| 178 | |
---|
| 179 | require { type restorecond_t, crond_t; }; |
---|
| 180 | dontaudit restorecond_t kernel_t:key all_key_perms; |
---|
| 181 | dontaudit crond_t sshd_t:key all_key_perms; |
---|