Changeset 100 for selinux/build/misc.te
- Timestamp:
- Jan 20, 2007, 10:15:31 PM (18 years ago)
- File:
-
- 1 edited
Legend:
- Unmodified
- Added
- Removed
-
selinux/build/misc.te
r84 r100 1 policy_module(misc,1.0.0) 1 # Joe Presbrey 2 # presbrey@mit.edu 3 # 2006/1/15 4 5 policy_module(scripts,1.0.0) 2 6 3 7 ### USER ### … … 10 14 zephyr_access(user_t); 11 15 16 # permit aklog: 17 kernel_write_proc_files(user_t) 18 #allow user_t proc_t:file write; 19 12 20 ### AFS ### 13 21 14 22 require { 15 type kernel_t , initrc_t, proc_t;23 type kernel_t; 16 24 }; 17 25 … … 19 27 zephyr_access(kernel_t); 20 28 29 ### INIT ### 30 31 require { 32 type initrc_t, tmp_t; 33 }; 34 21 35 # init.d script sets up cell files: 22 allow initrc_t afsd_etc_t:file { setattr write }; 23 # permit aklog: 24 allow user_t proc_t:file write; 36 afs_access(initrc_t); 37 allow initrc_t afsd_etc_t:file { rw_file_perms setattr }; 38 39 # init.d makes the sessions directory: 40 allow initrc_t tmp_t:dir { create setattr }; 41 42 # AFS fs 43 kernel_write_proc_files(initrc_t) 25 44 26 45 ### CRON ### 27 46 28 47 require { 29 type crond_t, user_cron_spool_t ;48 type crond_t, user_cron_spool_t, user_crontab_t; 30 49 type system_crond_t; 31 50 type var_log_t; … … 33 52 34 53 afs_access(crond_t); 54 afs_access(user_crontab_t); 35 55 ### crond can switch to user_t rather than user_crond_t 36 56 ### (we have pam_env set SELINUX_ROLE_TYPE to accomplish this) 37 57 domain_cron_exemption_target(user_t) 38 allow user_t user_cron_spool_t:file entrypoint; 39 allow crond_t user_t:process transition; 40 dontaudit crond_t user_t:process { noatsecure siginh rlimitinh }; 58 domain_entry_file(user_t, user_cron_spool_t) 59 domain_trans(crond_t, user_cron_spool_t, user_t) 60 allow user_t crond_t:process sigchld; 61 allow crond_t self:process setrlimit; 41 62 allow crond_t user_t:fd use; 42 63 allow user_t crond_t:fd use; 43 64 allow user_t crond_t:fifo_file rw_file_perms; 44 allow user_t crond_t:process sigchld;65 allow crond_t user_t:fifo_file rw_file_perms; 45 66 allow system_crond_t var_log_t:file rw_file_perms; 46 67 … … 54 75 ### sshd GSSAPI authentication 55 76 kerberos_read_keytab(sshd_t) 56 allow user_t kernel_t:key search; 77 dontaudit user_t kernel_t:key all_key_perms; 78 79 # (for admof) 80 # perl 81 corecmd_exec_bin(sshd_t) 82 # aklog 83 corecmd_exec_sbin(sshd_t) 84 # exec 85 corecmd_exec_shell(sshd_t) 86 # fs 87 kernel_write_proc_files(sshd_t) 57 88 58 89 ### MAIL ### … … 76 107 77 108 require { 78 type httpd_t, httpd_suexec_exec_t; 109 type httpd_t, httpd_suexec_exec_t, httpd_suexec_t; 110 role user_r; 79 111 }; 80 112 81 113 afs_access(httpd_t); 82 allow httpd_t self:key all_key_perms; 114 dontaudit httpd_t self:key all_key_perms; 115 dontaudit httpd_t sshd_t:key all_key_perms; 116 dontaudit httpd_t kernel_t:key all_key_perms; 83 117 allow httpd_t self:process setrlimit; 84 allow httpd_t httpd_suexec_exec_t:file { execute execute_no_trans }; 118 119 # SUEXEC PHASE 1 120 can_exec(httpd_t, httpd_suexec_exec_t) 121 domain_auto_trans(httpd_t, httpd_suexec_exec_t, httpd_suexec_t) 122 apache_read_config(httpd_suexec_t) 123 apache_read_log(httpd_suexec_t) 124 apache_append_log(httpd_suexec_t) 125 126 # SUEXEC PHASE 2 127 allow httpd_suexec_t self:process { setexec }; 128 allow httpd_suexec_t user_t:process { transition siginh rlimitinh noatsecure }; 129 130 # SUEXEC PHASE 3 131 allow { httpd_suexec_t user_t } httpd_t:fd { use }; 132 allow { httpd_suexec_t user_t } httpd_t:fifo_file { read write }; 133 allow { httpd_suexec_t user_t } httpd_t:process { sigchld }; 134 allow { user_t } httpd_suexec_t:fd { use }; 135 #allow httpd_suexec_t user_t:process transition; 136 domain_unconfined(httpd_suexec_t) 137 138 ### *** ### 139 140 require { 141 type var_run_t; 142 }; 143 144 # named.pid 145 allow initrc_t var_run_t:lnk_file create; 146 147 # semodule -i 148 require { type semanage_t, sysadm_home_t; }; 149 allow semanage_t sysadm_home_t:dir rw_dir_perms; 150 allow semanage_t sysadm_home_t:file rw_file_perms; 151 152 require { type restorecond_t, crond_t; }; 153 dontaudit restorecond_t kernel_t:key all_key_perms; 154 dontaudit crond_t sshd_t:key all_key_perms;
Note: See TracChangeset
for help on using the changeset viewer.