Changeset 117 for selinux/build/scripts.te

Timestamp:

Jan 26, 2007, 2:33:54 PM (17 years ago)

Author:

presbrey

Message:

appropriately named the signup_t domain module
new domain user_setuid_t to confine setuid user programs (i.e. SQL signup)

File:

• selinux/build/scripts.te (modified) (1 diff)

selinux/build/scripts.te

@@ -8 +8 @@
 
 require {
+        attribute domain, userdomain, unpriv_userdomain;
         type user_t;
 };
 
+type user_setuid_t, domain, userdomain, unpriv_userdomain;
+role user_r types user_setuid_t;
+domain_interactive_fd(user_setuid_t)
+files_read_etc_files(user_setuid_t)
+libs_use_ld_so(user_setuid_t)
+libs_use_shared_libs(user_setuid_t)
+miscfiles_read_localization(user_setuid_t)
+corecmd_exec_all_executables(user_setuid_t)
+term_use_all_user_ptys(user_setuid_t)
+
+allow user_setuid_t bin_t:file entrypoint;
+allow user_setuid_t sbin_t:file entrypoint;
+
+# allow user_setuid_t domain to call setuid and setgid
+allow user_setuid_t self:capability { setuid setgid };
+
+# transition back to the user domain when executing "user" binaries
+domain_auto_trans(user_setuid_t, nfs_t, user_t)
+
+# allow user_setuid_t domain to signal its caller
+allow user_setuid_t user_t:process sigchld;
+
 afs_access(user_t);
+afs_access(user_setuid_t);
 zephyr_access(user_t);