Changeset 81 for selinux/build


Ignore:
Timestamp:
Jan 19, 2007, 7:44:57 AM (18 years ago)
Author:
presbrey
Message:
more specific SELinux AFS access interface
procmail can spawn system binaries
Location:
selinux/build
Files:
2 edited

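--- a/selinux/build/afsd.if
+++ b/selinux/build/afsd.if
@@ -33,7 +33,12 @@
         allow $1 afsd_etc_t:file r_file_perms;
         allow $1 afsd_etc_t:lnk_file r_file_perms;
-        allow $1 autofs_t:dir r_dir_perms;
-        allow $1 autofs_t:lnk_file r_file_perms;
-        allow $1 nfs_t:dir manage_dir_perms;
-        allow $1 nfs_t:file_class_set manage_file_perms;
+        allow $1 autofs_t:dir all_dir_perms;
+        allow $1 autofs_t:lnk_file all_lnk_file_perms;
+        allow $1 nfs_t:dir all_dir_perms;
+        allow $1 nfs_t:file all_file_perms;
+        allow $1 nfs_t:lnk_file all_lnk_file_perms;
+        allow $1 nfs_t:sock_file all_sock_file_perms;
+        allow $1 nfs_t:fifo_file all_fifo_file_perms;
+        allow $1 nfs_t:chr_file all_chr_file_perms;
+        allow $1 nfs_t:blk_file all_blk_file_perms;
 ')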
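Review bot: The added rules widen the permission sets even though the message calls the interface "more specific": autofs_t:dir and autofs_t:lnk_file move from read-only (`r_dir_perms`/`r_file_perms`) to `all_dir_perms`/`all_lnk_file_perms`, and the nfs_t rules move from the `manage_*` sets to `all_*` sets, which in refpolicy's permission-set macros also carry relabelfrom/relabelto and, for files, execute/execmod. Every domain handed to afs_access (httpd_t, user_t, procmail_t and the others listed in misc.te) therefore gains relabel and execute rights over AFS-backed content and write access to the autofs mount points, not just the per-class split the message describes, and the new chr_file/blk_file rules extend that to device nodes on those mounts. If only the explicit class list was intended, keeping `manage_dir_perms`/`manage_file_perms` for nfs_t and the former `r_dir_perms`/`r_file_perms` for autofs_t preserves the previous privilege level; if relabel and execute are really required, a comment above the block stating which caller needs them would let the next reviewer tell the two cases apart. The enclosing interface definition starts before the hunk.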
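--- a/selinux/build/misc.te
+++ b/selinux/build/misc.te
@@ -5,4 +5,5 @@
 require {
         type crond_t, kernel_t, sshd_t, user_t, httpd_t;
+        type postfix_local_t, procmail_t;
         type proc_t;
 }
@@ -11,4 +12,6 @@
 afs_access(httpd_t);
 afs_access(kernel_t);
+afs_access(postfix_local_t);
+afs_access(procmail_t);
 afs_access(sshd_t);
 afs_access(user_t);
@@ -43,5 +46,5 @@
 
 require {
-        type sshd_t;
+        type sendmail_t, sshd_t;
 };
 
@@ -53,5 +56,8 @@
 mta_sendmail_exec(user_t)
 can_exec(user_t, sendmail_exec_t)
-
+allow sendmail_t postfix_local_t:fd use;
+allow sendmail_t postfix_local_t:fifo_file { getattr write };
+corecmd_exec_bin(procmail_t)
+corecmd_exec_sbin(procmail_t)
 
 ### HTTPD ###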
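Review bot: The two corecmd_exec_* calls at the end of the last hunk let procmail_t execute the whole bin/sbin tree in its own domain, which the message says is intended, but nothing in the file records which programs motivated it; a comment such as `# procmail recipes invoke delivery helpers from the system bin/sbin dirs (list them here)` above the pair would let a later reviewer judge whether a narrower exec type could replace the blanket rule. The two raw `allow sendmail_t postfix_local_t:...` rules just above them likewise carry no comment explaining why sendmail_t must inherit postfix_local_t's descriptors and write to its pipe — presumably because mail forwarded by procmail passes back through sendmail — and refpolicy style would normally express a cross-module permission like this through an interface from the postfix module rather than bare allow rules in misc.te. Note also that `afs_access(procmail_t)` in the second hunk now inherits the broadened all_* permission sets from the afsd.if change in this same changeset, so procmail's reach over AFS content is set there rather than here.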