Ignore:
Timestamp:
Jan 26, 2007, 2:33:54 PM (16 years ago)
Author:
presbrey
Message:
appropriately named the signup_t domain module
new domain user_setuid_t to confine setuid user programs (i.e. SQL signup)
File:
1 edited

Legend:

Unmodified
Added
Removed
  • selinux/build/scripts.te

    r112 r117  
    88
    99require {
     10        attribute domain, userdomain, unpriv_userdomain;
    1011        type user_t;
    1112};
    1213
     14type user_setuid_t, domain, userdomain, unpriv_userdomain;
     15role user_r types user_setuid_t;
     16domain_interactive_fd(user_setuid_t)
     17files_read_etc_files(user_setuid_t)
     18libs_use_ld_so(user_setuid_t)
     19libs_use_shared_libs(user_setuid_t)
     20miscfiles_read_localization(user_setuid_t)
     21corecmd_exec_all_executables(user_setuid_t)
     22term_use_all_user_ptys(user_setuid_t)
     23
     24allow user_setuid_t bin_t:file entrypoint;
     25allow user_setuid_t sbin_t:file entrypoint;
     26
     27# allow user_setuid_t domain to call setuid and setgid
     28allow user_setuid_t self:capability { setuid setgid };
     29
     30# transition back to the user domain when executing "user" binaries
     31domain_auto_trans(user_setuid_t, nfs_t, user_t)
     32
     33# allow user_setuid_t domain to signal its caller
     34allow user_setuid_t user_t:process sigchld;
     35
    1336afs_access(user_t);
     37afs_access(user_setuid_t);
    1438zephyr_access(user_t);
    1539
Note: See TracChangeset for help on using the changeset viewer.