source: selinux/build/scripts.te @ 117

Last change on this file since 117 was 117, checked in by presbrey, 16 years ago
appropriately named the signup_t domain module new domain user_setuid_t to confine setuid user programs (i.e. SQL signup)
File size: 4.3 KB
Line 
1# Joe Presbrey
2# presbrey@mit.edu
3# 2006/1/15
4
5policy_module(scripts,1.0.0)
6
7### USER ###
8
9require {
10        attribute domain, userdomain, unpriv_userdomain;
11        type user_t;
12};
13
14type user_setuid_t, domain, userdomain, unpriv_userdomain;
15role user_r types user_setuid_t;
16domain_interactive_fd(user_setuid_t)
17files_read_etc_files(user_setuid_t)
18libs_use_ld_so(user_setuid_t)
19libs_use_shared_libs(user_setuid_t)
20miscfiles_read_localization(user_setuid_t)
21corecmd_exec_all_executables(user_setuid_t)
22term_use_all_user_ptys(user_setuid_t)
23
24allow user_setuid_t bin_t:file entrypoint;
25allow user_setuid_t sbin_t:file entrypoint;
26
27# allow user_setuid_t domain to call setuid and setgid
28allow user_setuid_t self:capability { setuid setgid };
29
30# transition back to the user domain when executing "user" binaries
31domain_auto_trans(user_setuid_t, nfs_t, user_t)
32
33# allow user_setuid_t domain to signal its caller
34allow user_setuid_t user_t:process sigchld;
35
36afs_access(user_t);
37afs_access(user_setuid_t);
38zephyr_access(user_t);
39
40# permit aklog:
41kernel_write_proc_files(user_t)
42#allow user_t proc_t:file write;
43
44### AFS ###
45
46require {
47        type kernel_t;
48};
49
50afs_access(kernel_t);
51zephyr_access(kernel_t);
52
53### INIT ###
54
55require {
56        type initrc_t, tmp_t;
57};
58
59# init.d script sets up cell files:
60afs_access(initrc_t);
61allow initrc_t afsd_etc_t:file { rw_file_perms setattr };
62
63# init.d makes the sessions directory:
64allow initrc_t tmp_t:dir { create setattr };
65
66# AFS fs
67kernel_write_proc_files(initrc_t)
68
69### CRON ###
70
71require {
72        type crond_t, user_cron_spool_t, user_crontab_t;
73        type system_crond_t;
74        type var_log_t;
75};
76
77afs_access(crond_t);
78afs_access(user_crontab_t);
79### crond can switch to user_t rather than user_crond_t
80### (we have pam_env set SELINUX_ROLE_TYPE to accomplish this)
81domain_cron_exemption_target(user_t)
82domain_entry_file(user_t, user_cron_spool_t)
83domain_trans(crond_t, user_cron_spool_t, user_t)
84allow user_t crond_t:process sigchld;
85allow crond_t self:process setrlimit;
86allow crond_t user_t:fd use;
87allow user_t crond_t:fd use;
88allow user_t crond_t:fifo_file rw_file_perms;
89allow crond_t user_t:fifo_file rw_file_perms;
90allow system_crond_t var_log_t:file rw_file_perms;
91
92### SSH ###
93
94require {
95        type sshd_t, sshd_tmp_t;
96};
97
98afs_access(sshd_t);
99### sshd GSSAPI authentication
100kerberos_read_keytab(sshd_t)
101# forwarded kerberos tickets via ssh -K
102allow user_t sshd_tmp_t:file r_file_perms;
103
104dontaudit user_t kernel_t:key all_key_perms;
105
106# (for admof)
107# perl
108corecmd_exec_bin(sshd_t)
109# aklog
110corecmd_exec_sbin(sshd_t)
111# exec
112corecmd_exec_shell(sshd_t)
113# fs
114kernel_write_proc_files(sshd_t)
115
116### MAIL ###
117
118require {
119        type postfix_local_t, procmail_t, sendmail_t;
120};
121
122afs_access(postfix_local_t);
123afs_access(procmail_t);
124mta_sendmail_exec(user_t)
125mta_sendmail_exec(system_crond_t)
126can_exec(user_t, sendmail_exec_t)
127can_exec(system_crond_t, sendmail_exec_t)
128allow sendmail_t postfix_local_t:fd use;
129allow sendmail_t postfix_local_t:fifo_file { getattr write };
130corecmd_exec_bin(procmail_t)
131corecmd_exec_sbin(procmail_t)
132
133### HTTPD ###
134
135require {
136        type httpd_t, httpd_suexec_exec_t, httpd_suexec_t;
137        role user_r;
138};
139
140afs_access(httpd_t);
141dontaudit httpd_t self:key all_key_perms;
142dontaudit httpd_t sshd_t:key all_key_perms;
143dontaudit httpd_t kernel_t:key all_key_perms;
144allow httpd_t self:process setrlimit;
145
146# SUEXEC PHASE 1
147can_exec(httpd_t, httpd_suexec_exec_t)
148domain_auto_trans(httpd_t, httpd_suexec_exec_t, httpd_suexec_t)
149apache_read_config(httpd_suexec_t)
150apache_read_log(httpd_suexec_t)
151apache_append_log(httpd_suexec_t)
152
153# SUEXEC PHASE 2
154allow httpd_suexec_t self:process { setexec };
155allow httpd_suexec_t user_t:process { transition siginh rlimitinh noatsecure };
156
157# SUEXEC PHASE 3
158allow { httpd_suexec_t user_t } httpd_t:fd { use };
159allow { httpd_suexec_t user_t } httpd_t:fifo_file { read write };
160allow { httpd_suexec_t user_t } httpd_t:process { sigchld };
161allow { user_t } httpd_suexec_t:fd { use };
162#allow httpd_suexec_t user_t:process transition;
163domain_unconfined(httpd_suexec_t)
164
165### *** ###
166
167require {
168        type var_run_t;
169};
170
171# named.pid
172allow initrc_t var_run_t:lnk_file create;
173
174# semodule -i
175require { type semanage_t, sysadm_home_t; };
176allow semanage_t sysadm_home_t:dir rw_dir_perms;
177allow semanage_t sysadm_home_t:file rw_file_perms;
178
179require { type restorecond_t, crond_t; };
180dontaudit restorecond_t kernel_t:key all_key_perms;
181dontaudit crond_t sshd_t:key all_key_perms;
Note: See TracBrowser for help on using the repository browser.