Changeset 100


Ignore:
Timestamp:
Jan 20, 2007, 10:15:31 PM (17 years ago)
Author:
presbrey
Message:
scripts SELinux strict module
Location:
selinux
Files:
2 edited

Legend:

Unmodified
Added
Removed

  • selinux/Makefile

    r80 r100  
    99
    1010install:
    11         /usr/sbin/setenforce 0;
    12         /usr/sbin/semodule -i afsagent.pp;
    13         /usr/sbin/semodule -i afsd.pp;
    14         /usr/sbin/semodule -i misc.pp;
     11        /usr/sbin/semodule -i admof.pp;
     12        /usr/sbin/semodule -i nagios-nrpe.pp;
     13        /usr/sbin/semodule -i openafs.pp;
     14        /usr/sbin/semodule -i scripts.pp;
     15        /usr/sbin/semodule -i signup.pp;
     16        /usr/sbin/semodule -i zephyr.pp;
    1517        /usr/sbin/getenforce
    16 #       export SESTAT=`/usr/sbin/getenforce`;
    17 #       /usr/sbin/setenforce $$SESTAT;

  • selinux/build/misc.te

    r84 r100  
    1 policy_module(misc,1.0.0)
     1# Joe Presbrey
     2# presbrey@mit.edu
     3# 2006/1/15
     4
     5policy_module(scripts,1.0.0)
    26
    37### USER ###
     
    1014zephyr_access(user_t);
    1115
     16# permit aklog:
     17kernel_write_proc_files(user_t)
     18#allow user_t proc_t:file write;
     19
    1220### AFS ###
    1321
    1422require {
    15         type kernel_t, initrc_t, proc_t;
     23        type kernel_t;
    1624};
    1725
     
    1927zephyr_access(kernel_t);
    2028
     29### INIT ###
     30
     31require {
     32        type initrc_t, tmp_t;
     33};
     34
    2135# init.d script sets up cell files:
    22 allow initrc_t afsd_etc_t:file { setattr write };
    23 # permit aklog:
    24 allow user_t proc_t:file write;
     36afs_access(initrc_t);
     37allow initrc_t afsd_etc_t:file { rw_file_perms setattr };
     38
     39# init.d makes the sessions directory:
     40allow initrc_t tmp_t:dir { create setattr };
     41
     42# AFS fs
     43kernel_write_proc_files(initrc_t)
    2544
    2645### CRON ###
    2746
    2847require {
    29         type crond_t, user_cron_spool_t;
     48        type crond_t, user_cron_spool_t, user_crontab_t;
    3049        type system_crond_t;
    3150        type var_log_t;
     
    3352
    3453afs_access(crond_t);
     54afs_access(user_crontab_t);
    3555### crond can switch to user_t rather than user_crond_t
    3656### (we have pam_env set SELINUX_ROLE_TYPE to accomplish this)
    3757domain_cron_exemption_target(user_t)
    38 allow user_t user_cron_spool_t:file entrypoint;
    39 allow crond_t user_t:process transition;
    40 dontaudit crond_t user_t:process { noatsecure siginh rlimitinh };
     58domain_entry_file(user_t, user_cron_spool_t)
     59domain_trans(crond_t, user_cron_spool_t, user_t)
     60allow user_t crond_t:process sigchld;
     61allow crond_t self:process setrlimit;
    4162allow crond_t user_t:fd use;
    4263allow user_t crond_t:fd use;
    4364allow user_t crond_t:fifo_file rw_file_perms;
    44 allow user_t crond_t:process sigchld;
     65allow crond_t user_t:fifo_file rw_file_perms;
    4566allow system_crond_t var_log_t:file rw_file_perms;
    4667
     
    5475### sshd GSSAPI authentication
    5576kerberos_read_keytab(sshd_t)
    56 allow user_t kernel_t:key search;
     77dontaudit user_t kernel_t:key all_key_perms;
     78
     79# (for admof)
     80# perl
     81corecmd_exec_bin(sshd_t)
     82# aklog
     83corecmd_exec_sbin(sshd_t)
     84# exec
     85corecmd_exec_shell(sshd_t)
     86# fs
     87kernel_write_proc_files(sshd_t)
    5788
    5889### MAIL ###
     
    76107
    77108require {
    78         type httpd_t, httpd_suexec_exec_t;
     109        type httpd_t, httpd_suexec_exec_t, httpd_suexec_t;
     110        role user_r;
    79111};
    80112
    81113afs_access(httpd_t);
    82 allow httpd_t self:key all_key_perms;
     114dontaudit httpd_t self:key all_key_perms;
     115dontaudit httpd_t sshd_t:key all_key_perms;
     116dontaudit httpd_t kernel_t:key all_key_perms;
    83117allow httpd_t self:process setrlimit;
    84 allow httpd_t httpd_suexec_exec_t:file { execute execute_no_trans };
     118
     119# SUEXEC PHASE 1
     120can_exec(httpd_t, httpd_suexec_exec_t)
     121domain_auto_trans(httpd_t, httpd_suexec_exec_t, httpd_suexec_t)
     122apache_read_config(httpd_suexec_t)
     123apache_read_log(httpd_suexec_t)
     124apache_append_log(httpd_suexec_t)
     125
     126# SUEXEC PHASE 2
     127allow httpd_suexec_t self:process { setexec };
     128allow httpd_suexec_t user_t:process { transition siginh rlimitinh noatsecure };
     129
     130# SUEXEC PHASE 3
     131allow { httpd_suexec_t user_t } httpd_t:fd { use };
     132allow { httpd_suexec_t user_t } httpd_t:fifo_file { read write };
     133allow { httpd_suexec_t user_t } httpd_t:process { sigchld };
     134allow { user_t } httpd_suexec_t:fd { use };
     135#allow httpd_suexec_t user_t:process transition;
     136domain_unconfined(httpd_suexec_t)
     137
     138### *** ###
     139
     140require {
     141        type var_run_t;
     142};
     143
     144# named.pid
     145allow initrc_t var_run_t:lnk_file create;
     146
     147# semodule -i
     148require { type semanage_t, sysadm_home_t; };
     149allow semanage_t sysadm_home_t:dir rw_dir_perms;
     150allow semanage_t sysadm_home_t:file rw_file_perms;
     151
     152require { type restorecond_t, crond_t; };
     153dontaudit restorecond_t kernel_t:key all_key_perms;
     154dontaudit crond_t sshd_t:key all_key_perms;
Note: See TracChangeset for help on using the changeset viewer.