Changeset 118


Timestamp:
Jan 26, 2007, 5:07:10 PM (15 years ago)
Author:
presbrey
Message:
mod_fcgid strict policy support
test user_script_t domain
File:
1 edited

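--- a/selinux/build/scripts.te
+++ b/selinux/build/scripts.te
@@ -9,6 +9,14 @@
 require {
         attribute domain, userdomain, unpriv_userdomain;
-        type user_t;
-};
+        attribute can_change_process_identity, can_change_process_role;
+        type user_t, user_tmp_t;
+        type staff_t, sysadm_t;
+};
+
+corenet_tcp_bind_all_nodes(user_t)
+corenet_tcp_bind_all_ports(user_t)
+#corenet_udp_bind_generic_port(user_t)
+
+## user_setuid_t ##
 
 type user_setuid_t, domain, userdomain, unpriv_userdomain;
@@ -21,4 +29,5 @@
 corecmd_exec_all_executables(user_setuid_t)
 term_use_all_user_ptys(user_setuid_t)
+kernel_read_system_state(user_setuid_t)
 
 allow user_setuid_t bin_t:file entrypoint;
@@ -34,7 +43,32 @@
 allow user_setuid_t user_t:process sigchld;
 
+## user_script_t ##
+userdom_base_user_template(user_script)
+userdom_basic_networking_template(user_script)
+domain_interactive_fd(user_script_t)
+corecmd_exec_all_executables(user_script_t)
+files_exec_usr_files(user_script_t)
+corenet_tcp_bind_all_nodes(user_script_t)
+corenet_tcp_bind_all_ports(user_script_t)
+corenet_udp_bind_all_nodes(user_script_t)
+corenet_udp_bind_all_ports(user_script_t)
+#corenet_udp_bind_generic_port(user_script_t)
+kerberos_use(user_script_t)
+files_read_kernel_symbol_table(user_script_t)
+kernel_dontaudit_read_ring_buffer(user_script_t)
+dev_read_urand(user_script_t)
+apache_append_log(user_script_t)
+allow user_script_t user_tmp_t:file all_file_perms;
+allow user_script_t user_tmp_t:dir all_dir_perms;
+allow user_script_t user_tmp_t:fifo_file all_fifo_file_perms;
+kernel_read_system_state(user_script_t)
+
 afs_access(user_t);
+afs_access(user_script_t);
 afs_access(user_setuid_t);
+afs_access(staff_t);
+afs_access(sysadm_t);
 zephyr_access(user_t);
+zephyr_access(user_script_t);
 
 # permit aklog:
@@ -103,13 +137,8 @@
 
 dontaudit user_t kernel_t:key all_key_perms;
+dontaudit user_script_t kernel_t:key all_key_perms;
 
 # (for admof)
-# perl
-corecmd_exec_bin(sshd_t)
-# aklog
-corecmd_exec_sbin(sshd_t)
-# exec
-corecmd_exec_shell(sshd_t)
-# fs
+corecmd_exec_all_executables(sshd_t)
 kernel_write_proc_files(sshd_t)
 
@@ -123,6 +152,8 @@
 afs_access(procmail_t);
 mta_sendmail_exec(user_t)
+mta_sendmail_exec(user_script_t)
 mta_sendmail_exec(system_crond_t)
 can_exec(user_t, sendmail_exec_t)
+can_exec(user_script_t, sendmail_exec_t)
 can_exec(system_crond_t, sendmail_exec_t)
 allow sendmail_t postfix_local_t:fd use;
@@ -153,13 +184,19 @@
 # SUEXEC PHASE 2
 allow httpd_suexec_t self:process { setexec };
-allow httpd_suexec_t user_t:process { transition siginh rlimitinh noatsecure };
+allow httpd_suexec_t { user_t user_script_t }:process { transition siginh rlimitinh noatsecure };
 
 # SUEXEC PHASE 3
-allow { httpd_suexec_t user_t } httpd_t:fd { use };
-allow { httpd_suexec_t user_t } httpd_t:fifo_file { read write };
-allow { httpd_suexec_t user_t } httpd_t:process { sigchld };
-allow { user_t } httpd_suexec_t:fd { use };
-#allow httpd_suexec_t user_t:process transition;
-domain_unconfined(httpd_suexec_t)
+allow { httpd_suexec_t user_t user_script_t } httpd_t:fd { use };
+allow { httpd_suexec_t user_t user_script_t } httpd_t:fifo_file { read write };
+allow { httpd_suexec_t user_t user_script_t } httpd_t:process { sigchld };
+allow { user_t user_script_t } httpd_suexec_t:fd { use };
+allow httpd_suexec_t { user_t user_script_t }:process transition;
+typeattribute httpd_suexec_t can_change_process_identity, can_change_process_role;
+#domain_unconfined(httpd_suexec_t)
+apache_append_log(user_t)
+
+# mod_fcgid in user_t
+allow { httpd_suexec_t user_t user_script_t } httpd_t:unix_stream_socket all_unix_stream_socket_perms;
+allow httpd_t { user_t user_script_t }:process { sigkill signal };
 
 ### *** ###
@@ -179,3 +216,3 @@
 require { type restorecond_t, crond_t; };
 dontaudit restorecond_t kernel_t:key all_key_perms;
-dontaudit crond_t sshd_t:key all_key_perms;
+dontaudit { domain userdomain crond_t } sshd_t:key all_key_perms;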
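Review bot: The mod_fcgid rule at new line 199 grants `all_unix_stream_socket_perms` on `httpd_t:unix_stream_socket` to `httpd_suexec_t`, `user_t` and `user_script_t`, which looks wider than an inherited FastCGI socket needs and gives back some of the confinement gained by commenting out `domain_unconfined(httpd_suexec_t)` at line 195. If the script side only accepts and exchanges data on the socket handed to it, `allow { httpd_suexec_t user_t user_script_t } httpd_t:unix_stream_socket rw_stream_socket_perms;` would be a tighter starting point, widened only by what AVC denials actually show. In the last hunk, `dontaudit { domain userdomain crond_t } sshd_t:key all_key_perms;` names `domain`, which presumably already covers the other two, so key-access denials against `sshd_t` are silenced for every domain; a one-line comment giving the reason, or a narrower source set, would keep that audit signal available. The `transition` permission at line 193 is already granted by line 186, and the comments removed above `corecmd_exec_all_executables(sshd_t)` (line 142) were the only record of why `sshd_t` needs to execute anything, so a replacement comment there would help later review.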