Changeset 79 for selinux/build


Timestamp:
Jan 19, 2007, 6:58:44 AM (16 years ago)
Author:
presbrey
Message:
vixie-cron executes as the user under SELinux
SELinux policy for afsd and afsagent
Location:
selinux/build
Files:
3 added
5 edited

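--- a/selinux/build/afsd.fc
+++ b/selinux/build/afsd.fc
@@ -4,6 +4,7 @@
 # MCS categories: <none>
 
+/afs                    -d      gen_context(system_u:object_r:default_t,s0)
+/etc/openafs(/.*)?              gen_context(system_u:object_r:afsd_etc_t,s0)
+/usr/vice/etc(/.*)?             gen_context(system_u:object_r:afsd_etc_t,s0)
 /usr/vice/etc/afsd      --      gen_context(system_u:object_r:afsd_exec_t,s0)
-/usr/vice/etc(/.*)?             gen_context(system_u:object_r:afsd_etc_t,s0)
 /usr/vice/cache(/.*)?           gen_context(system_u:object_r:afsd_cache_t,s0)
-/afs                    -d      gen_context(system_u:object_r:default_t,s0)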
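Review bot: The new `/etc/openafs(/.*)?` entry labels the whole tree afsd_etc_t, and afsd.if in this same changeset hands r_file_perms on afsd_etc_t to every caller of afs_access, which misc.te applies to user_t and httpd_t; on any host that also keeps OpenAFS server configuration under /etc/openafs/server (the KeyFile in particular) that material would be readable at the MAC layer by every user and by the web server, with only DAC left to stop it. Either carve out the server subtree with a more specific entry under its own type declared in afsd.te, e.g. `/etc/openafs/server(/.*)?  gen_context(system_u:object_r:afsd_server_etc_t,s0)`, or state in a comment above the entry that this policy is intended for client-only hosts.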
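--- a/selinux/build/afsd.if
+++ b/selinux/build/afsd.if
@@ -32,4 +32,5 @@
         allow $1 afsd_etc_t:dir r_dir_perms;
         allow $1 afsd_etc_t:file r_file_perms;
+        allow $1 afsd_etc_t:lnk_file r_file_perms;
         allow $1 autofs_t:dir r_dir_perms;
         allow $1 autofs_t:lnk_file r_file_perms;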
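--- a/selinux/build/afsd.te
+++ b/selinux/build/afsd.te
@@ -14,4 +14,5 @@
 type afsd_etc_t;
 type afsd_cache_t;
+#files_type(afsd_etc_t)
 files_type(afsd_etc_t)
 files_type(afsd_cache_t)
@@ -35,4 +36,5 @@
 init_use_script_ptys(afsd_t)
 domain_use_interactive_fds(afsd_t)
+term_use_console(afsd_t)
 
 files_mounton_default(afsd_t)
@@ -53,7 +55,15 @@
 allow afsd_t self:capability { sys_admin sys_nice sys_tty_config};
 
+#allow afsd_t lo_node_t:node all_node_perms;
+#allow afsd_t net_conf_t:file read;
+sysnet_dns_name_resolve(afsd_t)
+corenet_tcp_sendrecv_all_nodes(afsd_t)
+corenet_udp_sendrecv_all_nodes(afsd_t)
+
+
 require {
         type afs_bos_port_t,afs_fs_port_t,afs_fs_port_t,afs_ka_port_t,afs_pt_port_t,afs_vl_port_t;
         type netif_t, node_t;
+        type kernel_t;
 }
 allow afsd_t { self afs_bos_port_t afs_fs_port_t afs_fs_port_t afs_ka_port_t afs_pt_port_t afs_vl_port_t }:tcp_socket all_tcp_socket_perms;
@@ -62,18 +72,3 @@
 allow afsd_t node_t:node { udp_recv udp_send };
 
-require {
-        type crond_t, kernel_t, sshd_t, user_t;
-}
-afs_access(afsd_t);
-afs_access(crond_t);
-afs_access(kernel_t);
-afs_access(sshd_t);
-afs_access(user_t);
-
-require {
-        type initrc_t;
-}
-# init.d script sets up cell files:
-allow initrc_t afsd_etc_t:file { setattr write };
-# permit aklog:
-allow user_t proc_t:file write;
+allow afsd_t kernel_t:key all_key_perms;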
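Review bot: `allow afsd_t kernel_t:key all_key_perms;` at the end of the last hunk grants afsd every key operation, setattr and link included, on kernel_t-owned keys; the set should be reduced to the operations the client's PAG handling actually triggers (take them from the audit denials) and the line should carry a comment saying which keys these are, e.g. `# PAG/session keys live in kernel_t keyrings`. The two commented-out rules `#allow afsd_t lo_node_t:node all_node_perms;` and `#allow afsd_t net_conf_t:file read;` in the third hunk should be deleted rather than left beside the interface calls that replace them, since dead allow rules tend to be uncommented uncritically later (in refpolicy, sysnet_dns_name_resolve already covers the net_conf_t read). If this client only speaks Rx over UDP, as the retained `udp_recv udp_send` node rule suggests, `corenet_tcp_sendrecv_all_nodes(afsd_t)` is not needed and widens the daemon's network reach for nothing; please confirm against the actual traffic before keeping it.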
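--- a/selinux/build/misc.fc
+++ b/selinux/build/misc.fc
@@ -1,2 +1,2 @@
-/var/empty/sshd(.*)                             gen_context(system_u:object_r:sshd_t,s0)
-/var/empty/sshd/etc/localtime           --      gen_context(system_u:object_r:locale_t,s0)
+#/var/empty/sshd(.*)                            gen_context(system_u:object_r:sshd_t,s0)
+#/var/empty/sshd/etc/localtime          --      gen_context(system_u:object_r:locale_t,s0)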
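--- a/selinux/build/misc.te
+++ b/selinux/build/misc.te
@@ -1,2 +1,58 @@
 policy_module(misc,1.0.0)
 
+### AFS ###
+
+require {
+        type crond_t, kernel_t, sshd_t, user_t, httpd_t;
+        type proc_t;
+}
+afs_access(afsd_t);
+afs_access(crond_t);
+afs_access(httpd_t);
+afs_access(kernel_t);
+afs_access(sshd_t);
+afs_access(user_t);
+
+require {
+        type initrc_t;
+}
+# init.d script sets up cell files:
+allow initrc_t afsd_etc_t:file { setattr write };
+# permit aklog:
+allow user_t proc_t:file write;
+
+### CRON ###
+
+require {
+        type crond_t, user_cron_spool_t;
+        type user_t;
+};
+
+### crond can switch to user_t rather than user_crond_t
+### (we have pam_env set SELINUX_ROLE_TYPE to accomplish this)
+domain_cron_exemption_target(user_t)
+allow user_t user_cron_spool_t:file entrypoint;
+allow crond_t user_t:process transition;
+dontaudit crond_t user_t:process { noatsecure siginh rlimitinh };
+allow crond_t user_t:fd use;
+allow user_t crond_t:fd use;
+allow user_t crond_t:fifo_file rw_file_perms;
+allow user_t crond_t:process sigchld;
+
+### KRB ###
+
+require {
+        type sshd_t;
+};
+
+### sshd GSSAPI authentication
+kerberos_read_keytab(sshd_t)
+allow user_t kernel_t:key search;
+
+### MAIL ###
+mta_sendmail_exec(user_t)
+can_exec(user_t, sendmail_exec_t)
+
+
+### HTTPD ###
+allow httpd_t self:key all_key_perms;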
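Review bot: `allow user_t proc_t:file write;` under "# permit aklog:" lets the interactive user domain write any file labelled proc_t, which is far more than the single /proc/fs/openafs ioctl file aklog talks to, and because the CRON section now transitions crond_t jobs into user_t, unattended cron jobs inherit that write as well. If the base policy in use gives /proc/fs/openafs its own type (refpolicy's proc_afs_t, reachable through `kernel_rw_afs_state(user_t)`), use that interface instead; otherwise replace the comment with one that names the real target so the rule can be tightened later, e.g. `# aklog writes /proc/fs/openafs/afs_ioctl; proc_t is broader than needed, narrow once a dedicated type exists`. The HTTPD section gives the network-facing httpd_t both afs_access and `self:key all_key_perms`; list the key operations the AFS PAG setup actually needs rather than the full set, since setattr and link are rarely required and widen what a compromised worker can do to its keyrings. `can_exec(user_t, sendmail_exec_t)` in the MAIL section appears to duplicate `mta_sendmail_exec(user_t)` if that is the refpolicy interface, and can be dropped.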