Changeset 82 for selinux/build
- Timestamp:
- Jan 19, 2007, 8:11:26 AM (18 years ago)
- Location:
- selinux/build
- Files:
-
- 2 edited
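--- a/selinux/build/afsd.te
+++ b/selinux/build/afsd.te
@@ -61,4 +61,5 @@
 corenet_udp_sendrecv_all_nodes(afsd_t)
 
+afs_access(afsd_t);
 
 require {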
selinux/build/misc.te
r81 r82 1 1 policy_module(misc,1.0.0) 2 3 ### USER ### 4 5 require { 6 type user_t; 7 }; 8 9 afs_access(user_t); 2 10 3 11 ### AFS ### 4 12 5 13 require { 6 type crond_t, kernel_t, sshd_t, user_t, httpd_t; 7 type postfix_local_t, procmail_t; 8 type proc_t; 9 } 10 afs_access(afsd_t); 11 afs_access(crond_t); 12 afs_access(httpd_t); 14 type kernel_t, initrc_t, proc_t; 15 }; 16 13 17 afs_access(kernel_t); 14 afs_access(postfix_local_t);15 afs_access(procmail_t);16 afs_access(sshd_t);17 afs_access(user_t);18 18 19 require {20 type initrc_t;21 }22 19 # init.d script sets up cell files: 23 20 allow initrc_t afsd_etc_t:file { setattr write }; … … 29 26 require { 30 27 type crond_t, user_cron_spool_t; 31 type user_t;32 28 }; 33 29 30 afs_access(crond_t); 34 31 ### crond can switch to user_t rather than user_crond_t 35 32 ### (we have pam_env set SELINUX_ROLE_TYPE to accomplish this) … … 43 40 allow user_t crond_t:process sigchld; 44 41 45 ### KRB###42 ### SSH ### 46 43 47 44 require { 48 type s endmail_t, sshd_t;45 type sshd_t; 49 46 }; 50 47 48 afs_access(sshd_t); 51 49 ### sshd GSSAPI authentication 52 50 kerberos_read_keytab(sshd_t) … … 54 52 55 53 ### MAIL ### 54 55 require { 56 type postfix_local_t, procmail_t, sendmail_t; 57 }; 58 59 afs_access(postfix_local_t); 60 afs_access(procmail_t); 56 61 mta_sendmail_exec(user_t) 57 62 can_exec(user_t, sendmail_exec_t) … … 62 67 63 68 ### HTTPD ### 69 70 require { 71 type httpd_t, httpd_suexec_exec_t; 72 }; 73 74 afs_access(httpd_t); 64 75 allow httpd_t self:key all_key_perms; 76 allow httpd_t self:process setrlimit; 77 allow httpd_t httpd_suexec_exec_t:file { execute execute_no_trans };
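Review bot: The added rule `allow httpd_t httpd_suexec_exec_t:file { execute execute_no_trans };` at the end of the HTTPD section permits httpd_t to run the suexec binary without leaving its own domain, and nothing in the section says why. If no domain transition applies at runtime, anything started through suexec keeps every permission httpd_t holds, including the `afs_access(httpd_t)` and `self:key all_key_perms` grants just above it, instead of being confined separately. I would either document the intent with a comment such as `# suexec stays in httpd_t (no domain transition) because <reason>`, or, if a transition to a dedicated suexec domain (presumably `httpd_suexec_t`) is workable, drop `execute_no_trans` and give that domain only the AFS access it needs. The new `allow httpd_t self:process setrlimit;` is likewise added without a comment; the HTTPD section may continue past the end of this hunk.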