Context Navigation

scripts.te @ 988

Last change on this file since 988 was 118, checked in by presbrey, 17 years ago
mod_fcgid strict policy support test user_script_t domain
File size: 5.9 KB

Rev	Line
[100]	1	# Joe Presbrey
	2	# presbrey@mit.edu
	3	# 2006/1/15
[28]	4
[100]	5	policy_module(scripts,1.0.0)
	6
[82]	7	### USER ###
	8
	9	require {
[117]	10	attribute domain, userdomain, unpriv_userdomain;
[118]	11	attribute can_change_process_identity, can_change_process_role;
	12	type user_t, user_tmp_t;
	13	type staff_t, sysadm_t;
[82]	14	};
	15
[118]	16	corenet_tcp_bind_all_nodes(user_t)
	17	corenet_tcp_bind_all_ports(user_t)
	18	#corenet_udp_bind_generic_port(user_t)
	19
	20	## user_setuid_t ##
	21
[117]	22	type user_setuid_t, domain, userdomain, unpriv_userdomain;
	23	role user_r types user_setuid_t;
	24	domain_interactive_fd(user_setuid_t)
	25	files_read_etc_files(user_setuid_t)
	26	libs_use_ld_so(user_setuid_t)
	27	libs_use_shared_libs(user_setuid_t)
	28	miscfiles_read_localization(user_setuid_t)
	29	corecmd_exec_all_executables(user_setuid_t)
	30	term_use_all_user_ptys(user_setuid_t)
[118]	31	kernel_read_system_state(user_setuid_t)
[117]	32
	33	allow user_setuid_t bin_t:file entrypoint;
	34	allow user_setuid_t sbin_t:file entrypoint;
	35
	36	# allow user_setuid_t domain to call setuid and setgid
	37	allow user_setuid_t self:capability { setuid setgid };
	38
	39	# transition back to the user domain when executing "user" binaries
	40	domain_auto_trans(user_setuid_t, nfs_t, user_t)
	41
	42	# allow user_setuid_t domain to signal its caller
	43	allow user_setuid_t user_t:process sigchld;
	44
[118]	45	## user_script_t ##
	46	userdom_base_user_template(user_script)
	47	userdom_basic_networking_template(user_script)
	48	domain_interactive_fd(user_script_t)
	49	corecmd_exec_all_executables(user_script_t)
	50	files_exec_usr_files(user_script_t)
	51	corenet_tcp_bind_all_nodes(user_script_t)
	52	corenet_tcp_bind_all_ports(user_script_t)
	53	corenet_udp_bind_all_nodes(user_script_t)
	54	corenet_udp_bind_all_ports(user_script_t)
	55	#corenet_udp_bind_generic_port(user_script_t)
	56	kerberos_use(user_script_t)
	57	files_read_kernel_symbol_table(user_script_t)
	58	kernel_dontaudit_read_ring_buffer(user_script_t)
	59	dev_read_urand(user_script_t)
	60	apache_append_log(user_script_t)
	61	allow user_script_t user_tmp_t:file all_file_perms;
	62	allow user_script_t user_tmp_t:dir all_dir_perms;
	63	allow user_script_t user_tmp_t:fifo_file all_fifo_file_perms;
	64	kernel_read_system_state(user_script_t)
	65
[82]	66	afs_access(user_t);
[118]	67	afs_access(user_script_t);
[117]	68	afs_access(user_setuid_t);
[118]	69	afs_access(staff_t);
	70	afs_access(sysadm_t);
[84]	71	zephyr_access(user_t);
[118]	72	zephyr_access(user_script_t);
[82]	73
[100]	74	# permit aklog:
	75	kernel_write_proc_files(user_t)
	76	#allow user_t proc_t:file write;
	77
[79]	78	### AFS ###
	79
	80	require {
[100]	81	type kernel_t;
[82]	82	};
	83
[79]	84	afs_access(kernel_t);
[84]	85	zephyr_access(kernel_t);
[79]	86
[100]	87	### INIT ###
	88
	89	require {
	90	type initrc_t, tmp_t;
	91	};
	92
[79]	93	# init.d script sets up cell files:
[100]	94	afs_access(initrc_t);
	95	allow initrc_t afsd_etc_t:file { rw_file_perms setattr };
[79]	96
[100]	97	# init.d makes the sessions directory:
	98	allow initrc_t tmp_t:dir { create setattr };
	99
	100	# AFS fs
	101	kernel_write_proc_files(initrc_t)
	102
[79]	103	### CRON ###
	104
	105	require {
[100]	106	type crond_t, user_cron_spool_t, user_crontab_t;
[84]	107	type system_crond_t;
	108	type var_log_t;
[79]	109	};
	110
[82]	111	afs_access(crond_t);
[100]	112	afs_access(user_crontab_t);
[79]	113	### crond can switch to user_t rather than user_crond_t
	114	### (we have pam_env set SELINUX_ROLE_TYPE to accomplish this)
	115	domain_cron_exemption_target(user_t)
[100]	116	domain_entry_file(user_t, user_cron_spool_t)
	117	domain_trans(crond_t, user_cron_spool_t, user_t)
	118	allow user_t crond_t:process sigchld;
	119	allow crond_t self:process setrlimit;
[79]	120	allow crond_t user_t:fd use;
	121	allow user_t crond_t:fd use;
	122	allow user_t crond_t:fifo_file rw_file_perms;
[100]	123	allow crond_t user_t:fifo_file rw_file_perms;
[84]	124	allow system_crond_t var_log_t:file rw_file_perms;
[79]	125
[82]	126	### SSH ###
[79]	127
	128	require {
[112]	129	type sshd_t, sshd_tmp_t;
[79]	130	};
	131
[82]	132	afs_access(sshd_t);
[79]	133	### sshd GSSAPI authentication
	134	kerberos_read_keytab(sshd_t)
[112]	135	# forwarded kerberos tickets via ssh -K
	136	allow user_t sshd_tmp_t:file r_file_perms;
	137
[100]	138	dontaudit user_t kernel_t:key all_key_perms;
[118]	139	dontaudit user_script_t kernel_t:key all_key_perms;
[79]	140
[100]	141	# (for admof)
[118]	142	corecmd_exec_all_executables(sshd_t)
[100]	143	kernel_write_proc_files(sshd_t)
	144
[79]	145	### MAIL ###
[82]	146
	147	require {
	148	type postfix_local_t, procmail_t, sendmail_t;
	149	};
	150
	151	afs_access(postfix_local_t);
	152	afs_access(procmail_t);
[79]	153	mta_sendmail_exec(user_t)
[118]	154	mta_sendmail_exec(user_script_t)
[84]	155	mta_sendmail_exec(system_crond_t)
[79]	156	can_exec(user_t, sendmail_exec_t)
[118]	157	can_exec(user_script_t, sendmail_exec_t)
[84]	158	can_exec(system_crond_t, sendmail_exec_t)
[81]	159	allow sendmail_t postfix_local_t:fd use;
	160	allow sendmail_t postfix_local_t:fifo_file { getattr write };
	161	corecmd_exec_bin(procmail_t)
	162	corecmd_exec_sbin(procmail_t)
[79]	163
	164	### HTTPD ###
[82]	165
	166	require {
[100]	167	type httpd_t, httpd_suexec_exec_t, httpd_suexec_t;
	168	role user_r;
[82]	169	};
	170
	171	afs_access(httpd_t);
[100]	172	dontaudit httpd_t self:key all_key_perms;
	173	dontaudit httpd_t sshd_t:key all_key_perms;
	174	dontaudit httpd_t kernel_t:key all_key_perms;
[82]	175	allow httpd_t self:process setrlimit;
[100]	176
	177	# SUEXEC PHASE 1
	178	can_exec(httpd_t, httpd_suexec_exec_t)
	179	domain_auto_trans(httpd_t, httpd_suexec_exec_t, httpd_suexec_t)
	180	apache_read_config(httpd_suexec_t)
	181	apache_read_log(httpd_suexec_t)
	182	apache_append_log(httpd_suexec_t)
	183
	184	# SUEXEC PHASE 2
	185	allow httpd_suexec_t self:process { setexec };
[118]	186	allow httpd_suexec_t { user_t user_script_t }:process { transition siginh rlimitinh noatsecure };
[100]	187
	188	# SUEXEC PHASE 3
[118]	189	allow { httpd_suexec_t user_t user_script_t } httpd_t:fd { use };
	190	allow { httpd_suexec_t user_t user_script_t } httpd_t:fifo_file { read write };
	191	allow { httpd_suexec_t user_t user_script_t } httpd_t:process { sigchld };
	192	allow { user_t user_script_t } httpd_suexec_t:fd { use };
	193	allow httpd_suexec_t { user_t user_script_t }:process transition;
	194	typeattribute httpd_suexec_t can_change_process_identity, can_change_process_role;
	195	#domain_unconfined(httpd_suexec_t)
	196	apache_append_log(user_t)
[100]	197
[118]	198	# mod_fcgid in user_t
	199	allow { httpd_suexec_t user_t user_script_t } httpd_t:unix_stream_socket all_unix_stream_socket_perms;
	200	allow httpd_t { user_t user_script_t }:process { sigkill signal };
	201
[100]	202	### *** ###
	203
	204	require {
	205	type var_run_t;
	206	};
	207
	208	# named.pid
	209	allow initrc_t var_run_t:lnk_file create;
	210
	211	# semodule -i
	212	require { type semanage_t, sysadm_home_t; };
	213	allow semanage_t sysadm_home_t:dir rw_dir_perms;
	214	allow semanage_t sysadm_home_t:file rw_file_perms;
	215
	216	require { type restorecond_t, crond_t; };
	217	dontaudit restorecond_t kernel_t:key all_key_perms;
[118]	218	dontaudit { domain userdomain crond_t } sshd_t:key all_key_perms;

Note: See TracBrowser for help on using the repository browser.

Download in other formats:

Original Format