Changeset 82 for selinux/build


Ignore:
Timestamp:
Jan 19, 2007, 8:11:26 AM (17 years ago)
Author:
presbrey
Message:
httpd can resource limit suexec
Location:
selinux/build
Files:
2 edited

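--- a/selinux/build/afsd.te
+++ b/selinux/build/afsd.te
@@ -61,4 +61,5 @@
 corenet_udp_sendrecv_all_nodes(afsd_t)
 
+afs_access(afsd_t);
 
 require {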
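--- a/selinux/build/misc.te
+++ b/selinux/build/misc.te
@@ -1,23 +1,20 @@
 policy_module(misc,1.0.0)
+
+### USER ###
+
+require {
+        type user_t;
+};
+
+afs_access(user_t);
 
 ### AFS ###
 
 require {
-        type crond_t, kernel_t, sshd_t, user_t, httpd_t;
-        type postfix_local_t, procmail_t;
-        type proc_t;
-}
-afs_access(afsd_t);
-afs_access(crond_t);
-afs_access(httpd_t);
+        type kernel_t, initrc_t, proc_t;
+};
+
 afs_access(kernel_t);
-afs_access(postfix_local_t);
-afs_access(procmail_t);
-afs_access(sshd_t);
-afs_access(user_t);
 
-require {
-        type initrc_t;
-}
 # init.d script sets up cell files:
 allow initrc_t afsd_etc_t:file { setattr write };
@@ -29,7 +26,7 @@
 require {
         type crond_t, user_cron_spool_t;
-        type user_t;
 };
 
+afs_access(crond_t);
 ### crond can switch to user_t rather than user_crond_t
 ### (we have pam_env set SELINUX_ROLE_TYPE to accomplish this)
@@ -43,10 +40,11 @@
 allow user_t crond_t:process sigchld;
 
-### KRB ###
+### SSH ###
 
 require {
-        type sendmail_t, sshd_t;
+        type sshd_t;
 };
 
+afs_access(sshd_t);
 ### sshd GSSAPI authentication
 kerberos_read_keytab(sshd_t)
@@ -54,4 +52,11 @@
 
 ### MAIL ###
+
+require {
+        type postfix_local_t, procmail_t, sendmail_t;
+};
+
+afs_access(postfix_local_t);
+afs_access(procmail_t);
 mta_sendmail_exec(user_t)
 can_exec(user_t, sendmail_exec_t)
@@ -62,3 +67,11 @@
 
 ### HTTPD ###
+
+require {
+        type httpd_t, httpd_suexec_exec_t;
+};
+
+afs_access(httpd_t);
 allow httpd_t self:key all_key_perms;
+allow httpd_t self:process setrlimit;
+allow httpd_t httpd_suexec_exec_t:file { execute execute_no_trans };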
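Review bot: The last line of the HTTPD hunk, `allow httpd_t httpd_suexec_exec_t:file { execute execute_no_trans };`, lets httpd run the setuid suexec helper inside httpd_t itself rather than through suexec's own domain, so whatever confinement the policy places on suexec's privileged work no longer applies to that execution path. Going by the commit message, the motivation is presumably that limits set by httpd were being reset on the domain transition; if so, the narrower grant is to keep the transition and let the new domain inherit the limits with `allow httpd_suexec_t httpd_t:process rlimitinh;` next to the existing `setrlimit` line (httpd_suexec_t would then need adding to the require block). If bypassing the transition is deliberate, a comment above that line saying why would stop the next reader from reverting it, e.g. `# run suexec in httpd_t on purpose so the rlimits set by httpd survive the exec`.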