Changeset 99


Ignore:
Timestamp:
Jan 20, 2007, 10:09:26 PM (15 years ago)
Author:
presbrey
Message:
openafs selinux module fix
signup module
Location:
selinux/build
Files:
2 edited

Legend:

Unmodified
Added
Removed
  • selinux/build/afsagent.te

    r79 r99  
    1 policy_module(afsagent,1.0.0)
     1# Joe Presbrey
     2# presbrey@mit.edu
     3# 2006/1/15
     4
     5policy_module(signup,1.0.0)
    26
    37require {
    4         type user_t;
     8        attribute domain, userdomain, unpriv_userdomain;
    59};
    610
    7 type afsagent_t;
    8 role afsagent_r types afsagent_t;
     11require { type sudo_exec_t; };
     12type signup_t, domain, userdomain, unpriv_userdomain;
     13type signup_su_t, domain, userdomain;
     14role system_r types { signup_t signup_su_t };
     15role user_r types { signup_t signup_su_t };
     16afs_access(signup_t)
     17afs_access(signup_su_t)
     18afs_access(useradd_t)
     19files_read_etc_files(signup_t)
     20libs_use_ld_so(signup_t)
     21libs_use_shared_libs(signup_t)
     22miscfiles_read_localization(signup_t)
     23files_read_etc_files(signup_su_t)
     24libs_use_ld_so(signup_su_t)
     25libs_use_shared_libs(signup_su_t)
     26miscfiles_read_localization(signup_su_t)
     27domain_auto_trans(signup_t, sudo_exec_t, signup_su_t)
     28auth_rw_shadow(signup_su_t)
     29sysnet_dns_name_resolve(signup_t)
     30sysnet_dns_name_resolve(signup_su_t)
     31usermanage_run_useradd(signup_su_t,system_r,signup_t)
     32usermanage_run_groupadd(signup_su_t,system_r,signup_t)
     33allow groupadd_t signup_t:fifo_file { getattr ioctl read write };
     34allow groupadd_t signup_t:process sigchld;
     35
     36allow useradd_t { httpd_t signup_t }:fd use;
     37allow useradd_t { httpd_t signup_t }:fifo_file { getattr ioctl read write};
     38allow useradd_t signup_t:process sigchld;
     39allow signup_su_t signup_t:fd use;
     40allow signup_su_t signup_t:fifo_file { ioctl write };
     41allow signup_su_t signup_t:process sigchld;
     42allow signup_su_t sudo_exec_t:file entrypoint;
     43allow signup_su_t self:capability { audit_write setgid setuid };
     44dev_read_urand(signup_t)
     45kernel_read_system_state(signup_t)
     46logging_send_syslog_msg(signup_su_t)
     47
     48corecmd_exec_all_executables(signup_t)
     49allow signup_t sbin_t:dir search;
     50allow signup_t sbin_t:file { execute execute_no_trans read };
     51allow signup_t shell_exec_t:file { execute execute_no_trans getattr read };
     52allow signup_t self:fifo_file { getattr ioctl read write };
     53
     54# SUEXEC #
     55require { type httpd_suexec_t, httpd_t; };
     56allow httpd_suexec_t { signup_t }:process { transition siginh rlimitinh noatsecure };
     57allow { signup_t } httpd_t:fd { use };
     58allow { signup_t } httpd_t:fifo_file { getattr ioctl read write };
     59allow { signup_t } httpd_t:process { sigchld };
     60allow { signup_t } httpd_suexec_t:fd { use };
  • selinux/build/openafs.if

    r92 r99  
    3737        fs_manage_nfs_named_pipes($1)
    3838        fs_manage_nfs_named_sockets($1)
     39        allow $1 nfs_t:file entrypoint;
    3940')
Note: See TracChangeset for help on using the changeset viewer.