Context Navigation

Changeset 79

Timestamp:

Jan 19, 2007, 6:58:44 AM (17 years ago)

Author:

presbrey

Message:

vixie-cron executes as the user under SELinux
SELinux policy for afsd and afsagent

Files:

-                      r28
+                      r79
+include /usr/share/selinux/devel/include/Makefile
+include /usr/share/selinux/devel/Makefile
+#include /usr/share/selinux/devel/include/Makefile
+/usr/share/selinux/devel/include/Makefile:
+        yum -y install selinux-policy-devel
 build/%.fc: %.fc
+        rm -rf tmp
+install:
+        /usr/sbin/setenforce 0;
+        /usr/sbin/semodule -i afsd.pp;
+        /usr/sbin/semodule -i misc.pp;
+        /usr/sbin/getenforce
+#       export SESTAT=`/usr/sbin/getenforce`;
+#       /usr/sbin/setenforce $$SESTAT;

-                      r28
+                      r79
 # MCS categories: <none>
+/afs                    -d      gen_context(system_u:object_r:default_t,s0)
+/etc/openafs(/.*)?              gen_context(system_u:object_r:afsd_etc_t,s0)
+/usr/vice/etc(/.*)?             gen_context(system_u:object_r:afsd_etc_t,s0)
 /usr/vice/etc/afsd      --      gen_context(system_u:object_r:afsd_exec_t,s0)
-/usr/vice/etc(/.*)?             gen_context(system_u:object_r:afsd_etc_t,s0)
 /usr/vice/cache(/.*)?           gen_context(system_u:object_r:afsd_cache_t,s0)
-/afs                    -d      gen_context(system_u:object_r:default_t,s0)

r28	r79
32	32	allow $1 afsd_etc_t:dir r_dir_perms;
33	33	allow $1 afsd_etc_t:file r_file_perms;
	34	allow $1 afsd_etc_t:lnk_file r_file_perms;
34	35	allow $1 autofs_t:dir r_dir_perms;
35	36	allow $1 autofs_t:lnk_file r_file_perms;

-                      r28
+                      r79
 type afsd_etc_t;
 type afsd_cache_t;
+#files_type(afsd_etc_t)
 files_type(afsd_etc_t)
 files_type(afsd_cache_t)
 …
 init_use_script_ptys(afsd_t)
 domain_use_interactive_fds(afsd_t)
+term_use_console(afsd_t)
 files_mounton_default(afsd_t)
 …
 allow afsd_t self:capability { sys_admin sys_nice sys_tty_config};
+#allow afsd_t lo_node_t:node all_node_perms;
+#allow afsd_t net_conf_t:file read;
+sysnet_dns_name_resolve(afsd_t)
+corenet_tcp_sendrecv_all_nodes(afsd_t)
+corenet_udp_sendrecv_all_nodes(afsd_t)
 require {
         type afs_bos_port_t,afs_fs_port_t,afs_fs_port_t,afs_ka_port_t,afs_pt_port_t,afs_vl_port_t;
         type netif_t, node_t;
+        type kernel_t;
+}
 allow afsd_t { self afs_bos_port_t afs_fs_port_t afs_fs_port_t afs_ka_port_t afs_pt_port_t afs_vl_port_t }:tcp_socket all_tcp_socket_perms;
 …
 allow afsd_t node_t:node { udp_recv udp_send };
+require {
+        type crond_t, kernel_t, sshd_t, user_t;
+}
+afs_access(afsd_t);
+afs_access(crond_t);
+afs_access(kernel_t);
+afs_access(sshd_t);
+afs_access(user_t);
+require {
+        type initrc_t;
+}
+# init.d script sets up cell files:
+allow initrc_t afsd_etc_t:file { setattr write };
+# permit aklog:
+allow user_t proc_t:file write;
+allow afsd_t kernel_t:key all_key_perms;

r28	r79
1		/var/empty/sshd(.*) gen_context(system_u:object_r:sshd_t,s0)
2		/var/empty/sshd/etc/localtime -- gen_context(system_u:object_r:locale_t,s0)
	1	#/var/empty/sshd(.*) gen_context(system_u:object_r:sshd_t,s0)
	2	#/var/empty/sshd/etc/localtime -- gen_context(system_u:object_r:locale_t,s0)

-                      r28
+                      r79
 policy_module(misc,1.0.0)
+### AFS ###
+require {
+        type crond_t, kernel_t, sshd_t, user_t, httpd_t;
+        type proc_t;
+}
+afs_access(afsd_t);
+afs_access(crond_t);
+afs_access(httpd_t);
+afs_access(kernel_t);
+afs_access(sshd_t);
+afs_access(user_t);
+require {
+        type initrc_t;
+}
+# init.d script sets up cell files:
+allow initrc_t afsd_etc_t:file { setattr write };
+# permit aklog:
+allow user_t proc_t:file write;
+### CRON ###
+require {
+        type crond_t, user_cron_spool_t;
+        type user_t;
+};
+### crond can switch to user_t rather than user_crond_t
+### (we have pam_env set SELINUX_ROLE_TYPE to accomplish this)
+domain_cron_exemption_target(user_t)
+allow user_t user_cron_spool_t:file entrypoint;
+allow crond_t user_t:process transition;
+dontaudit crond_t user_t:process { noatsecure siginh rlimitinh };
+allow crond_t user_t:fd use;
+allow user_t crond_t:fd use;
+allow user_t crond_t:fifo_file rw_file_perms;
+allow user_t crond_t:process sigchld;
+### KRB ###
+require {
+        type sshd_t;
+};
+### sshd GSSAPI authentication
+kerberos_read_keytab(sshd_t)
+allow user_t kernel_t:key search;
+### MAIL ###
+mta_sendmail_exec(user_t)
+can_exec(user_t, sendmail_exec_t)
+### HTTPD ###
+allow httpd_t self:key all_key_perms;

-                      r28
+                      r79
 #!/bin/bash
+setsebool -P allow_kerberos=1 \
+setsebool -P \
+        allow_gssd_read_tmp=1 \
         allow_httpd_anon_write=1 \
         allow_httpd_staff_script_anon_write=1 \
 …
         allow_httpd_user_script_anon_write=1 \
         allow_java_execstack=1 \
+        allow_kerberos=1 \
+        allow_mounton_anydir=1 \
+        allow_nfsd_anon_write=1 \
+        allow_ssh_keysign=1 \
         allow_user_mysql_connect=1 \
         cron_can_relabel=1 \
 …
         nfs_export_all_rw=1 \
         ssh_sysadm_login=1 \
-        staff_read_sysadm_file=1 \
         use_nfs_home_dirs=1 \
         use_samba_home_dirs=1 \
         user_ping=1 \
+        user_rw_noexattrfile=1
+        user_rw_noexattrfile=1 \
+        user_tcp_server=1
+#       allow_daemons_use_tty=1 \
+#       allow_mount_anyfile=1 \
+#       staff_read_sysadm_file=1 \

-                      r68
+                      r79
         rpmbuild $(rpm_args) -ba ${tmp_specs}/$@*.spec
+openafs-kernel:
+        PATH="/usr/kerberos/sbin:/usr/kerberos/bin:/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/sbin:/usr/local/bin" \
+        rpmbuild $(rpm_args) -bb --define "build_userspace 0" --define "build_modules 1" ${tmp_specs}/openafs*.spec
 suexec: install-srpms
         @rm -rf ${tmp_src}/httpd-2*/; \

r75	r79
14	14	/sbin/service $s status \|\| runcon system_u:system_r:initrc_t:s0 /sbin/service $s start
15	15	done
	16
	17	restorecon -R /etc

Note: See TracChangeset for help on using the changeset viewer.