source: selinux/build/scripts.te @ 112

Last change on this file since 112 was 112, checked in by presbrey, 16 years ago
forwarded kerberos tickets
File size: 3.5 KB
Line 
1# Joe Presbrey
2# presbrey@mit.edu
3# 2006/1/15
4
5policy_module(scripts,1.0.0)
6
7### USER ###
8
9require {
10        type user_t;
11};
12
13afs_access(user_t);
14zephyr_access(user_t);
15
16# permit aklog:
17kernel_write_proc_files(user_t)
18#allow user_t proc_t:file write;
19
20### AFS ###
21
22require {
23        type kernel_t;
24};
25
26afs_access(kernel_t);
27zephyr_access(kernel_t);
28
29### INIT ###
30
31require {
32        type initrc_t, tmp_t;
33};
34
35# init.d script sets up cell files:
36afs_access(initrc_t);
37allow initrc_t afsd_etc_t:file { rw_file_perms setattr };
38
39# init.d makes the sessions directory:
40allow initrc_t tmp_t:dir { create setattr };
41
42# AFS fs
43kernel_write_proc_files(initrc_t)
44
45### CRON ###
46
47require {
48        type crond_t, user_cron_spool_t, user_crontab_t;
49        type system_crond_t;
50        type var_log_t;
51};
52
53afs_access(crond_t);
54afs_access(user_crontab_t);
55### crond can switch to user_t rather than user_crond_t
56### (we have pam_env set SELINUX_ROLE_TYPE to accomplish this)
57domain_cron_exemption_target(user_t)
58domain_entry_file(user_t, user_cron_spool_t)
59domain_trans(crond_t, user_cron_spool_t, user_t)
60allow user_t crond_t:process sigchld;
61allow crond_t self:process setrlimit;
62allow crond_t user_t:fd use;
63allow user_t crond_t:fd use;
64allow user_t crond_t:fifo_file rw_file_perms;
65allow crond_t user_t:fifo_file rw_file_perms;
66allow system_crond_t var_log_t:file rw_file_perms;
67
68### SSH ###
69
70require {
71        type sshd_t, sshd_tmp_t;
72};
73
74afs_access(sshd_t);
75### sshd GSSAPI authentication
76kerberos_read_keytab(sshd_t)
77# forwarded kerberos tickets via ssh -K
78allow user_t sshd_tmp_t:file r_file_perms;
79
80dontaudit user_t kernel_t:key all_key_perms;
81
82# (for admof)
83# perl
84corecmd_exec_bin(sshd_t)
85# aklog
86corecmd_exec_sbin(sshd_t)
87# exec
88corecmd_exec_shell(sshd_t)
89# fs
90kernel_write_proc_files(sshd_t)
91
92### MAIL ###
93
94require {
95        type postfix_local_t, procmail_t, sendmail_t;
96};
97
98afs_access(postfix_local_t);
99afs_access(procmail_t);
100mta_sendmail_exec(user_t)
101mta_sendmail_exec(system_crond_t)
102can_exec(user_t, sendmail_exec_t)
103can_exec(system_crond_t, sendmail_exec_t)
104allow sendmail_t postfix_local_t:fd use;
105allow sendmail_t postfix_local_t:fifo_file { getattr write };
106corecmd_exec_bin(procmail_t)
107corecmd_exec_sbin(procmail_t)
108
109### HTTPD ###
110
111require {
112        type httpd_t, httpd_suexec_exec_t, httpd_suexec_t;
113        role user_r;
114};
115
116afs_access(httpd_t);
117dontaudit httpd_t self:key all_key_perms;
118dontaudit httpd_t sshd_t:key all_key_perms;
119dontaudit httpd_t kernel_t:key all_key_perms;
120allow httpd_t self:process setrlimit;
121
122# SUEXEC PHASE 1
123can_exec(httpd_t, httpd_suexec_exec_t)
124domain_auto_trans(httpd_t, httpd_suexec_exec_t, httpd_suexec_t)
125apache_read_config(httpd_suexec_t)
126apache_read_log(httpd_suexec_t)
127apache_append_log(httpd_suexec_t)
128
129# SUEXEC PHASE 2
130allow httpd_suexec_t self:process { setexec };
131allow httpd_suexec_t user_t:process { transition siginh rlimitinh noatsecure };
132
133# SUEXEC PHASE 3
134allow { httpd_suexec_t user_t } httpd_t:fd { use };
135allow { httpd_suexec_t user_t } httpd_t:fifo_file { read write };
136allow { httpd_suexec_t user_t } httpd_t:process { sigchld };
137allow { user_t } httpd_suexec_t:fd { use };
138#allow httpd_suexec_t user_t:process transition;
139domain_unconfined(httpd_suexec_t)
140
141### *** ###
142
143require {
144        type var_run_t;
145};
146
147# named.pid
148allow initrc_t var_run_t:lnk_file create;
149
150# semodule -i
151require { type semanage_t, sysadm_home_t; };
152allow semanage_t sysadm_home_t:dir rw_dir_perms;
153allow semanage_t sysadm_home_t:file rw_file_perms;
154
155require { type restorecond_t, crond_t; };
156dontaudit restorecond_t kernel_t:key all_key_perms;
157dontaudit crond_t sshd_t:key all_key_perms;
Note: See TracBrowser for help on using the repository browser.