Changeset 117


Timestamp:
Jan 26, 2007, 2:33:54 PM (17 years ago)
Author:
presbrey
Message:
appropriately named the signup_t domain module
new domain user_setuid_t to confine setuid user programs (i.e. SQL signup)
Location:
selinux
Files:
3 edited
3 moved

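--- a/selinux/Makefile
+++ b/selinux/Makefile
@@ -9,9 +9,10 @@
 
 install:
-        /usr/sbin/semodule -i admof.pp;
-        /usr/sbin/semodule -i nagios-nrpe.pp;
-        /usr/sbin/semodule -i openafs.pp;
-        /usr/sbin/semodule -i scripts.pp;
-        /usr/sbin/semodule -i signup.pp;
-        /usr/sbin/semodule -i zephyr.pp;
+        /usr/sbin/semodule -n -i openafs.pp;
+        /usr/sbin/semodule -n -i scripts.pp;
+        /usr/sbin/semodule -n -i signup.pp;
+        /usr/sbin/semodule -n -i admof.pp;
+        /usr/sbin/semodule -n -i nagios-nrpe.pp;
+        /usr/sbin/semodule -n -i zephyr.pp;
+        /usr/sbin/semodule -R
         /usr/sbin/getenforce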
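Review bot: A failure in any of the `-n -i` lines (new lines 11–16) stops make before `semodule -R` at line 17, because each recipe line runs as its own command. The modules installed up to that point are then committed to the store but never loaded, so the running policy silently differs from what the store says. Assuming the installed semodule accepts repeated `-i` in one invocation, a single transaction avoids the partial state: `/usr/sbin/semodule -i openafs.pp -i scripts.pp -i signup.pp -i admof.pp -i nagios-nrpe.pp -i zephyr.pp`. The closing `getenforce` only prints the enforcement mode and does not confirm that the new modules were loaded, so a comment saying so would keep it from being read as a verification step.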
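--- a/selinux/build/openafs.if
+++ b/selinux/build/openafs.if
@@ -38,3 +38,4 @@
         fs_manage_nfs_named_sockets($1)
         allow $1 nfs_t:file entrypoint;
+        allow $1 nfs_t:{file dir} rx_file_perms;
 ')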
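Review bot: The rule added at new line 40 applies a file permission set to the `dir` class as well. `rx_file_perms` is written for files and presumably carries `execute` but not `search`, so it probably does not grant the directory access that was intended. Splitting the rule by class would make the grant explicit: `allow $1 nfs_t:file rx_file_perms;` plus a directory-specific set on `nfs_t:dir` (`r_dir_perms` or `list_dir_perms`, depending on the reference policy version in use). Because every caller of this interface gains execute on all `nfs_t` files, including user-writable ones, a comment above the rule should say why execute is required. The interface body starts outside this section, so earlier rules may already cover directory access.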
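--- a/selinux/build/scripts.te
+++ b/selinux/build/scripts.te
@@ -8,8 +8,32 @@
 
 require {
+        attribute domain, userdomain, unpriv_userdomain;
         type user_t;
 };
 
+type user_setuid_t, domain, userdomain, unpriv_userdomain;
+role user_r types user_setuid_t;
+domain_interactive_fd(user_setuid_t)
+files_read_etc_files(user_setuid_t)
+libs_use_ld_so(user_setuid_t)
+libs_use_shared_libs(user_setuid_t)
+miscfiles_read_localization(user_setuid_t)
+corecmd_exec_all_executables(user_setuid_t)
+term_use_all_user_ptys(user_setuid_t)
+
+allow user_setuid_t bin_t:file entrypoint;
+allow user_setuid_t sbin_t:file entrypoint;
+
+# allow user_setuid_t domain to call setuid and setgid
+allow user_setuid_t self:capability { setuid setgid };
+
+# transition back to the user domain when executing "user" binaries
+domain_auto_trans(user_setuid_t, nfs_t, user_t)
+
+# allow user_setuid_t domain to signal its caller
+allow user_setuid_t user_t:process sigchld;
+
 afs_access(user_t);
+afs_access(user_setuid_t);
 zephyr_access(user_t);
 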
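Review bot: The entrypoint rules at new lines 24–25 let any `bin_t` or `sbin_t` file start `user_setuid_t`, and `corecmd_exec_all_executables` at line 21 lets the domain run every executable without leaving it. The `setuid`/`setgid` capability granted at line 28 is therefore available to far more than the signup helper the commit message names. Giving the helper its own executable type and making that the only entrypoint, e.g. `allow user_setuid_t <helper_exec_t>:file entrypoint;` (placeholder type name), would tie the capability to the intended binaries. The domain also carries the `unpriv_userdomain` attribute while holding those capabilities, so rules written against that attribute elsewhere apply to it; a comment confirming this is intended would help. The rule that transitions into `user_setuid_t` is not visible in this section.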