# Joe Presbrey # presbrey@mit.edu # 2006/1/15 policy_module(scripts,1.0.0) ### USER ### require { attribute domain, userdomain, unpriv_userdomain; attribute can_change_process_identity, can_change_process_role; type user_t, user_tmp_t; type staff_t, sysadm_t; }; corenet_tcp_bind_all_nodes(user_t) corenet_tcp_bind_all_ports(user_t) #corenet_udp_bind_generic_port(user_t) ## user_setuid_t ## type user_setuid_t, domain, userdomain, unpriv_userdomain; role user_r types user_setuid_t; domain_interactive_fd(user_setuid_t) files_read_etc_files(user_setuid_t) libs_use_ld_so(user_setuid_t) libs_use_shared_libs(user_setuid_t) miscfiles_read_localization(user_setuid_t) corecmd_exec_all_executables(user_setuid_t) term_use_all_user_ptys(user_setuid_t) kernel_read_system_state(user_setuid_t) allow user_setuid_t bin_t:file entrypoint; allow user_setuid_t sbin_t:file entrypoint; # allow user_setuid_t domain to call setuid and setgid allow user_setuid_t self:capability { setuid setgid }; # transition back to the user domain when executing "user" binaries domain_auto_trans(user_setuid_t, nfs_t, user_t) # allow user_setuid_t domain to signal its caller allow user_setuid_t user_t:process sigchld; ## user_script_t ## userdom_base_user_template(user_script) userdom_basic_networking_template(user_script) domain_interactive_fd(user_script_t) corecmd_exec_all_executables(user_script_t) files_exec_usr_files(user_script_t) corenet_tcp_bind_all_nodes(user_script_t) corenet_tcp_bind_all_ports(user_script_t) corenet_udp_bind_all_nodes(user_script_t) corenet_udp_bind_all_ports(user_script_t) #corenet_udp_bind_generic_port(user_script_t) kerberos_use(user_script_t) files_read_kernel_symbol_table(user_script_t) kernel_dontaudit_read_ring_buffer(user_script_t) dev_read_urand(user_script_t) apache_append_log(user_script_t) allow user_script_t user_tmp_t:file all_file_perms; allow user_script_t user_tmp_t:dir all_dir_perms; allow user_script_t user_tmp_t:fifo_file all_fifo_file_perms; kernel_read_system_state(user_script_t) afs_access(user_t); afs_access(user_script_t); afs_access(user_setuid_t); afs_access(staff_t); afs_access(sysadm_t); zephyr_access(user_t); zephyr_access(user_script_t); # permit aklog: kernel_write_proc_files(user_t) #allow user_t proc_t:file write; ### AFS ### require { type kernel_t; }; afs_access(kernel_t); zephyr_access(kernel_t); ### INIT ### require { type initrc_t, tmp_t; }; # init.d script sets up cell files: afs_access(initrc_t); allow initrc_t afsd_etc_t:file { rw_file_perms setattr }; # init.d makes the sessions directory: allow initrc_t tmp_t:dir { create setattr }; # AFS fs kernel_write_proc_files(initrc_t) ### CRON ### require { type crond_t, user_cron_spool_t, user_crontab_t; type system_crond_t; type var_log_t; }; afs_access(crond_t); afs_access(user_crontab_t); ### crond can switch to user_t rather than user_crond_t ### (we have pam_env set SELINUX_ROLE_TYPE to accomplish this) domain_cron_exemption_target(user_t) domain_entry_file(user_t, user_cron_spool_t) domain_trans(crond_t, user_cron_spool_t, user_t) allow user_t crond_t:process sigchld; allow crond_t self:process setrlimit; allow crond_t user_t:fd use; allow user_t crond_t:fd use; allow user_t crond_t:fifo_file rw_file_perms; allow crond_t user_t:fifo_file rw_file_perms; allow system_crond_t var_log_t:file rw_file_perms; ### SSH ### require { type sshd_t, sshd_tmp_t; }; afs_access(sshd_t); ### sshd GSSAPI authentication kerberos_read_keytab(sshd_t) # forwarded kerberos tickets via ssh -K allow user_t sshd_tmp_t:file r_file_perms; dontaudit user_t kernel_t:key all_key_perms; dontaudit user_script_t kernel_t:key all_key_perms; # (for admof) corecmd_exec_all_executables(sshd_t) kernel_write_proc_files(sshd_t) ### MAIL ### require { type postfix_local_t, procmail_t, sendmail_t; }; afs_access(postfix_local_t); afs_access(procmail_t); mta_sendmail_exec(user_t) mta_sendmail_exec(user_script_t) mta_sendmail_exec(system_crond_t) can_exec(user_t, sendmail_exec_t) can_exec(user_script_t, sendmail_exec_t) can_exec(system_crond_t, sendmail_exec_t) allow sendmail_t postfix_local_t:fd use; allow sendmail_t postfix_local_t:fifo_file { getattr write }; corecmd_exec_bin(procmail_t) corecmd_exec_sbin(procmail_t) ### HTTPD ### require { type httpd_t, httpd_suexec_exec_t, httpd_suexec_t; role user_r; }; afs_access(httpd_t); dontaudit httpd_t self:key all_key_perms; dontaudit httpd_t sshd_t:key all_key_perms; dontaudit httpd_t kernel_t:key all_key_perms; allow httpd_t self:process setrlimit; # SUEXEC PHASE 1 can_exec(httpd_t, httpd_suexec_exec_t) domain_auto_trans(httpd_t, httpd_suexec_exec_t, httpd_suexec_t) apache_read_config(httpd_suexec_t) apache_read_log(httpd_suexec_t) apache_append_log(httpd_suexec_t) # SUEXEC PHASE 2 allow httpd_suexec_t self:process { setexec }; allow httpd_suexec_t { user_t user_script_t }:process { transition siginh rlimitinh noatsecure }; # SUEXEC PHASE 3 allow { httpd_suexec_t user_t user_script_t } httpd_t:fd { use }; allow { httpd_suexec_t user_t user_script_t } httpd_t:fifo_file { read write }; allow { httpd_suexec_t user_t user_script_t } httpd_t:process { sigchld }; allow { user_t user_script_t } httpd_suexec_t:fd { use }; allow httpd_suexec_t { user_t user_script_t }:process transition; typeattribute httpd_suexec_t can_change_process_identity, can_change_process_role; #domain_unconfined(httpd_suexec_t) apache_append_log(user_t) # mod_fcgid in user_t allow { httpd_suexec_t user_t user_script_t } httpd_t:unix_stream_socket all_unix_stream_socket_perms; allow httpd_t { user_t user_script_t }:process { sigkill signal }; ### *** ### require { type var_run_t; }; # named.pid allow initrc_t var_run_t:lnk_file create; # semodule -i require { type semanage_t, sysadm_home_t; }; allow semanage_t sysadm_home_t:dir rw_dir_perms; allow semanage_t sysadm_home_t:file rw_file_perms; require { type restorecond_t, crond_t; }; dontaudit restorecond_t kernel_t:key all_key_perms; dontaudit { domain userdomain crond_t } sshd_t:key all_key_perms;