Changeset 79 for selinux/build/misc.te

Timestamp:

Jan 19, 2007, 6:58:44 AM (17 years ago)

Author:

presbrey

Message:

vixie-cron executes as the user under SELinux
SELinux policy for afsd and afsagent

File:

• selinux/build/misc.te (modified) (1 diff)

selinux/build/misc.te

@@ -1 +1 @@
 policy_module(misc,1.0.0)
 
+### AFS ###
+
+require {
+        type crond_t, kernel_t, sshd_t, user_t, httpd_t;
+        type proc_t;
+}
+afs_access(afsd_t);
+afs_access(crond_t);
+afs_access(httpd_t);
+afs_access(kernel_t);
+afs_access(sshd_t);
+afs_access(user_t);
+
+require {
+        type initrc_t;
+}
+# init.d script sets up cell files:
+allow initrc_t afsd_etc_t:file { setattr write };
+# permit aklog:
+allow user_t proc_t:file write;
+
+### CRON ###
+
+require {
+        type crond_t, user_cron_spool_t;
+        type user_t;
+};
+
+### crond can switch to user_t rather than user_crond_t
+### (we have pam_env set SELINUX_ROLE_TYPE to accomplish this)
+domain_cron_exemption_target(user_t)
+allow user_t user_cron_spool_t:file entrypoint;
+allow crond_t user_t:process transition;
+dontaudit crond_t user_t:process { noatsecure siginh rlimitinh };
+allow crond_t user_t:fd use;
+allow user_t crond_t:fd use;
+allow user_t crond_t:fifo_file rw_file_perms;
+allow user_t crond_t:process sigchld;
+
+### KRB ###
+
+require {
+        type sshd_t;
+};
+
+### sshd GSSAPI authentication
+kerberos_read_keytab(sshd_t)
+allow user_t kernel_t:key search;
+
+### MAIL ###
+mta_sendmail_exec(user_t)
+can_exec(user_t, sendmail_exec_t)
+
+
+### HTTPD ###
+allow httpd_t self:key all_key_perms;