source: trunk/selinux/build/scripts.te @ 1233

Last change on this file since 1233 was 118, checked in by presbrey, 16 years ago
mod_fcgid strict policy support test user_script_t domain
File size: 5.9 KB
Line 
1# Joe Presbrey
2# presbrey@mit.edu
3# 2006/1/15
4
5policy_module(scripts,1.0.0)
6
7### USER ###
8
9require {
10        attribute domain, userdomain, unpriv_userdomain;
11        attribute can_change_process_identity, can_change_process_role;
12        type user_t, user_tmp_t;
13        type staff_t, sysadm_t;
14};
15
16corenet_tcp_bind_all_nodes(user_t)
17corenet_tcp_bind_all_ports(user_t)
18#corenet_udp_bind_generic_port(user_t)
19
20## user_setuid_t ##
21
22type user_setuid_t, domain, userdomain, unpriv_userdomain;
23role user_r types user_setuid_t;
24domain_interactive_fd(user_setuid_t)
25files_read_etc_files(user_setuid_t)
26libs_use_ld_so(user_setuid_t)
27libs_use_shared_libs(user_setuid_t)
28miscfiles_read_localization(user_setuid_t)
29corecmd_exec_all_executables(user_setuid_t)
30term_use_all_user_ptys(user_setuid_t)
31kernel_read_system_state(user_setuid_t)
32
33allow user_setuid_t bin_t:file entrypoint;
34allow user_setuid_t sbin_t:file entrypoint;
35
36# allow user_setuid_t domain to call setuid and setgid
37allow user_setuid_t self:capability { setuid setgid };
38
39# transition back to the user domain when executing "user" binaries
40domain_auto_trans(user_setuid_t, nfs_t, user_t)
41
42# allow user_setuid_t domain to signal its caller
43allow user_setuid_t user_t:process sigchld;
44
45## user_script_t ##
46userdom_base_user_template(user_script)
47userdom_basic_networking_template(user_script)
48domain_interactive_fd(user_script_t)
49corecmd_exec_all_executables(user_script_t)
50files_exec_usr_files(user_script_t)
51corenet_tcp_bind_all_nodes(user_script_t)
52corenet_tcp_bind_all_ports(user_script_t)
53corenet_udp_bind_all_nodes(user_script_t)
54corenet_udp_bind_all_ports(user_script_t)
55#corenet_udp_bind_generic_port(user_script_t)
56kerberos_use(user_script_t)
57files_read_kernel_symbol_table(user_script_t)
58kernel_dontaudit_read_ring_buffer(user_script_t)
59dev_read_urand(user_script_t)
60apache_append_log(user_script_t)
61allow user_script_t user_tmp_t:file all_file_perms;
62allow user_script_t user_tmp_t:dir all_dir_perms;
63allow user_script_t user_tmp_t:fifo_file all_fifo_file_perms;
64kernel_read_system_state(user_script_t)
65
66afs_access(user_t);
67afs_access(user_script_t);
68afs_access(user_setuid_t);
69afs_access(staff_t);
70afs_access(sysadm_t);
71zephyr_access(user_t);
72zephyr_access(user_script_t);
73
74# permit aklog:
75kernel_write_proc_files(user_t)
76#allow user_t proc_t:file write;
77
78### AFS ###
79
80require {
81        type kernel_t;
82};
83
84afs_access(kernel_t);
85zephyr_access(kernel_t);
86
87### INIT ###
88
89require {
90        type initrc_t, tmp_t;
91};
92
93# init.d script sets up cell files:
94afs_access(initrc_t);
95allow initrc_t afsd_etc_t:file { rw_file_perms setattr };
96
97# init.d makes the sessions directory:
98allow initrc_t tmp_t:dir { create setattr };
99
100# AFS fs
101kernel_write_proc_files(initrc_t)
102
103### CRON ###
104
105require {
106        type crond_t, user_cron_spool_t, user_crontab_t;
107        type system_crond_t;
108        type var_log_t;
109};
110
111afs_access(crond_t);
112afs_access(user_crontab_t);
113### crond can switch to user_t rather than user_crond_t
114### (we have pam_env set SELINUX_ROLE_TYPE to accomplish this)
115domain_cron_exemption_target(user_t)
116domain_entry_file(user_t, user_cron_spool_t)
117domain_trans(crond_t, user_cron_spool_t, user_t)
118allow user_t crond_t:process sigchld;
119allow crond_t self:process setrlimit;
120allow crond_t user_t:fd use;
121allow user_t crond_t:fd use;
122allow user_t crond_t:fifo_file rw_file_perms;
123allow crond_t user_t:fifo_file rw_file_perms;
124allow system_crond_t var_log_t:file rw_file_perms;
125
126### SSH ###
127
128require {
129        type sshd_t, sshd_tmp_t;
130};
131
132afs_access(sshd_t);
133### sshd GSSAPI authentication
134kerberos_read_keytab(sshd_t)
135# forwarded kerberos tickets via ssh -K
136allow user_t sshd_tmp_t:file r_file_perms;
137
138dontaudit user_t kernel_t:key all_key_perms;
139dontaudit user_script_t kernel_t:key all_key_perms;
140
141# (for admof)
142corecmd_exec_all_executables(sshd_t)
143kernel_write_proc_files(sshd_t)
144
145### MAIL ###
146
147require {
148        type postfix_local_t, procmail_t, sendmail_t;
149};
150
151afs_access(postfix_local_t);
152afs_access(procmail_t);
153mta_sendmail_exec(user_t)
154mta_sendmail_exec(user_script_t)
155mta_sendmail_exec(system_crond_t)
156can_exec(user_t, sendmail_exec_t)
157can_exec(user_script_t, sendmail_exec_t)
158can_exec(system_crond_t, sendmail_exec_t)
159allow sendmail_t postfix_local_t:fd use;
160allow sendmail_t postfix_local_t:fifo_file { getattr write };
161corecmd_exec_bin(procmail_t)
162corecmd_exec_sbin(procmail_t)
163
164### HTTPD ###
165
166require {
167        type httpd_t, httpd_suexec_exec_t, httpd_suexec_t;
168        role user_r;
169};
170
171afs_access(httpd_t);
172dontaudit httpd_t self:key all_key_perms;
173dontaudit httpd_t sshd_t:key all_key_perms;
174dontaudit httpd_t kernel_t:key all_key_perms;
175allow httpd_t self:process setrlimit;
176
177# SUEXEC PHASE 1
178can_exec(httpd_t, httpd_suexec_exec_t)
179domain_auto_trans(httpd_t, httpd_suexec_exec_t, httpd_suexec_t)
180apache_read_config(httpd_suexec_t)
181apache_read_log(httpd_suexec_t)
182apache_append_log(httpd_suexec_t)
183
184# SUEXEC PHASE 2
185allow httpd_suexec_t self:process { setexec };
186allow httpd_suexec_t { user_t user_script_t }:process { transition siginh rlimitinh noatsecure };
187
188# SUEXEC PHASE 3
189allow { httpd_suexec_t user_t user_script_t } httpd_t:fd { use };
190allow { httpd_suexec_t user_t user_script_t } httpd_t:fifo_file { read write };
191allow { httpd_suexec_t user_t user_script_t } httpd_t:process { sigchld };
192allow { user_t user_script_t } httpd_suexec_t:fd { use };
193allow httpd_suexec_t { user_t user_script_t }:process transition;
194typeattribute httpd_suexec_t can_change_process_identity, can_change_process_role;
195#domain_unconfined(httpd_suexec_t)
196apache_append_log(user_t)
197
198# mod_fcgid in user_t
199allow { httpd_suexec_t user_t user_script_t } httpd_t:unix_stream_socket all_unix_stream_socket_perms;
200allow httpd_t { user_t user_script_t }:process { sigkill signal };
201
202### *** ###
203
204require {
205        type var_run_t;
206};
207
208# named.pid
209allow initrc_t var_run_t:lnk_file create;
210
211# semodule -i
212require { type semanage_t, sysadm_home_t; };
213allow semanage_t sysadm_home_t:dir rw_dir_perms;
214allow semanage_t sysadm_home_t:file rw_file_perms;
215
216require { type restorecond_t, crond_t; };
217dontaudit restorecond_t kernel_t:key all_key_perms;
218dontaudit { domain userdomain crond_t } sshd_t:key all_key_perms;
Note: See TracBrowser for help on using the repository browser.