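# Joe Presbrey
# presbrey@mit.edu
# 2006/1/15
#
# signup: SELinux policy for a web-driven account-creation helper.
#
# Two domains are declared here:
#   signup_t     the helper as launched from Apache via suexec
#                (unprivileged user domain; has AFS and DNS access);
#   signup_su_t  the privileged half, entered by executing sudo from
#                signup_t; it can read/write /etc/shadow and run
#                useradd/groupadd.
#
# NOTE(review): this module grants non-trivial privilege to a chain of
# domains reachable from httpd_suexec_t.  Every rule that widens that path
# is marked below so a reviewer can judge each grant on its own.

policy_module(signup,1.0.0)

########################################
#
# Declarations
#

require {
	attribute domain, userdomain, unpriv_userdomain;
	type sudo_exec_t;
	# Types referenced directly by raw allow rules below.  The interfaces
	# called in this module (usermanage_run_*, corecmd_exec_all_executables)
	# are expected to require most of them as well, but stating them here
	# keeps the module self-contained and makes its cross-module
	# dependencies explicit.
	type useradd_t, groupadd_t;
	type sbin_t, shell_exec_t;
	type httpd_t, httpd_suexec_t;
};

type signup_t, domain, userdomain, unpriv_userdomain;
# signup_su_t is deliberately NOT an unpriv_userdomain: it holds the
# privileged grants below.
type signup_su_t, domain, userdomain;
role system_r types { signup_t signup_su_t };
role user_r types { signup_t signup_su_t };

########################################
#
# signup_t local policy (unprivileged half)
#

afs_access(signup_t)
files_read_etc_files(signup_t)
libs_use_ld_so(signup_t)
libs_use_shared_libs(signup_t)
miscfiles_read_localization(signup_t)
sysnet_dns_name_resolve(signup_t)
dev_read_urand(signup_t)
kernel_read_system_state(signup_t)
allow signup_t self:fifo_file { getattr ioctl read write };

# Executing sudo moves the helper into the privileged domain.  This is the
# privilege boundary of the module: whatever signup_t can be made to run
# through sudo executes as signup_su_t with the rights listed further down.
domain_auto_trans(signup_t, sudo_exec_t, signup_su_t)

# NOTE(review): signup_t may execute every executable type without a
# domain transition (execute_no_trans), i.e. arbitrary binaries and shells
# run *as* signup_t.  Combined with the suexec entry path this is a wide
# grant for a domain driven by web input; narrowing it to the specific
# binaries the helper invokes would be preferable.  The three raw rules
# after the interface call appear to duplicate part of what the interface
# already grants; they are kept so the resulting rule set is unchanged.
corecmd_exec_all_executables(signup_t)
allow signup_t sbin_t:dir search;
allow signup_t sbin_t:file { execute execute_no_trans read };
allow signup_t shell_exec_t:file { execute execute_no_trans getattr read };

########################################
#
# signup_su_t local policy (privileged half)
#

afs_access(signup_su_t)
files_read_etc_files(signup_su_t)
libs_use_ld_so(signup_su_t)
libs_use_shared_libs(signup_su_t)
miscfiles_read_localization(signup_su_t)
sysnet_dns_name_resolve(signup_su_t)
logging_send_syslog_msg(signup_su_t)

# Entry point into signup_su_t is sudo's executable (domain_auto_trans
# above already implies this; kept explicit).
allow signup_su_t sudo_exec_t:file entrypoint;
# setuid/setgid and audit_write: presumably what sudo needs to change
# identity and emit its audit record -- confirm against the sudo build.
allow signup_su_t self:capability { audit_write setgid setuid };

# NOTE(review): direct read/write of the shadow file.  useradd/groupadd
# below edit the account database themselves, so this grant is only needed
# if the helper itself edits shadow; if it does not, drop it.
auth_rw_shadow(signup_su_t)

# Run useradd/groupadd from signup_su_t, transitioning into their own
# domains in system_r.  NOTE(review): the third argument of the refpolicy
# run interfaces is normally a terminal type; passing the signup_t domain
# type here looks like a mistake but should be harmless (nothing is labeled
# signup_t as a chr_file) -- confirm against the local interface definition.
usermanage_run_useradd(signup_su_t,system_r,signup_t)
usermanage_run_groupadd(signup_su_t,system_r,signup_t)

# Plumbing so the privileged half and the child tools can talk back to the
# helper over the descriptors it inherited: fd use, pipe I/O, SIGCHLD.
allow signup_su_t signup_t:fd use;
allow signup_su_t signup_t:fifo_file { ioctl write };
allow signup_su_t signup_t:process sigchld;
allow groupadd_t signup_t:fifo_file { getattr ioctl read write };
allow groupadd_t signup_t:process sigchld;
allow useradd_t signup_t:process sigchld;

# NOTE(review): these rules extend useradd_t itself (a type owned by the
# usermanage module), not a type declared here.  useradd_t is given AFS
# access and may use descriptors and pipes inherited from httpd_t -- the
# web server's own descriptors, not only the helper's.  Consider whether
# useradd really needs the httpd_t half.
afs_access(useradd_t)
allow useradd_t { httpd_t signup_t }:fd use;
allow useradd_t { httpd_t signup_t }:fifo_file { getattr ioctl read write };

########################################
#
# SUEXEC: how signup_t is entered from Apache
#

# httpd_suexec_t may transition into signup_t.  NOTE(review): no file type
# is declared or granted as an entrypoint for signup_t in this module, so
# the transition can only succeed if an entrypoint rule is supplied
# elsewhere (another module or .fc not shown here) -- confirm.  siginh,
# rlimitinh and noatsecure let the new domain inherit suexec's pending
# signals and resource limits and skip the secure-exec (AT_SECURE)
# environment cleansing; for a domain crossing out of the web server,
# omitting those three is the safer default unless the helper needs them.
allow httpd_suexec_t signup_t:process { transition siginh rlimitinh noatsecure };
allow signup_t httpd_t:fd use;
allow signup_t httpd_t:fifo_file { getattr ioctl read write };
allow signup_t httpd_t:process sigchld;
allow signup_t httpd_suexec_t:fd use;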