| 1 | # Joe Presbrey |
|---|
| 2 | # presbrey@mit.edu |
|---|
| 3 | # 2006/1/15 |
|---|
| 4 | |
|---|
| 5 | policy_module(scripts,1.0.0) |
|---|
| 6 | |
|---|
| 7 | ### USER ### |
|---|
| 8 | |
|---|
| 9 | require { |
|---|
| 10 | attribute domain, userdomain, unpriv_userdomain; |
|---|
| 11 | attribute can_change_process_identity, can_change_process_role; |
|---|
| 12 | type user_t, user_tmp_t; |
|---|
| 13 | type staff_t, sysadm_t; |
|---|
| 14 | }; |
|---|
| 15 | |
|---|
| 16 | corenet_tcp_bind_all_nodes(user_t) |
|---|
| 17 | corenet_tcp_bind_all_ports(user_t) |
|---|
| 18 | #corenet_udp_bind_generic_port(user_t) |
|---|
| 19 | |
|---|
| 20 | ## user_setuid_t ## |
|---|
| 21 | |
|---|
| 22 | type user_setuid_t, domain, userdomain, unpriv_userdomain; |
|---|
| 23 | role user_r types user_setuid_t; |
|---|
| 24 | domain_interactive_fd(user_setuid_t) |
|---|
| 25 | files_read_etc_files(user_setuid_t) |
|---|
| 26 | libs_use_ld_so(user_setuid_t) |
|---|
| 27 | libs_use_shared_libs(user_setuid_t) |
|---|
| 28 | miscfiles_read_localization(user_setuid_t) |
|---|
| 29 | corecmd_exec_all_executables(user_setuid_t) |
|---|
| 30 | term_use_all_user_ptys(user_setuid_t) |
|---|
| 31 | kernel_read_system_state(user_setuid_t) |
|---|
| 32 | |
|---|
| 33 | allow user_setuid_t bin_t:file entrypoint; |
|---|
| 34 | allow user_setuid_t sbin_t:file entrypoint; |
|---|
| 35 | |
|---|
| 36 | # allow user_setuid_t domain to call setuid and setgid |
|---|
| 37 | allow user_setuid_t self:capability { setuid setgid }; |
|---|
| 38 | |
|---|
| 39 | # transition back to the user domain when executing "user" binaries |
|---|
| 40 | domain_auto_trans(user_setuid_t, nfs_t, user_t) |
|---|
| 41 | |
|---|
| 42 | # allow user_setuid_t domain to signal its caller |
|---|
| 43 | allow user_setuid_t user_t:process sigchld; |
|---|
| 44 | |
|---|
| 45 | ## user_script_t ## |
|---|
| 46 | userdom_base_user_template(user_script) |
|---|
| 47 | userdom_basic_networking_template(user_script) |
|---|
| 48 | domain_interactive_fd(user_script_t) |
|---|
| 49 | corecmd_exec_all_executables(user_script_t) |
|---|
| 50 | files_exec_usr_files(user_script_t) |
|---|
| 51 | corenet_tcp_bind_all_nodes(user_script_t) |
|---|
| 52 | corenet_tcp_bind_all_ports(user_script_t) |
|---|
| 53 | corenet_udp_bind_all_nodes(user_script_t) |
|---|
| 54 | corenet_udp_bind_all_ports(user_script_t) |
|---|
| 55 | #corenet_udp_bind_generic_port(user_script_t) |
|---|
| 56 | kerberos_use(user_script_t) |
|---|
| 57 | files_read_kernel_symbol_table(user_script_t) |
|---|
| 58 | kernel_dontaudit_read_ring_buffer(user_script_t) |
|---|
| 59 | dev_read_urand(user_script_t) |
|---|
| 60 | apache_append_log(user_script_t) |
|---|
| 61 | allow user_script_t user_tmp_t:file all_file_perms; |
|---|
| 62 | allow user_script_t user_tmp_t:dir all_dir_perms; |
|---|
| 63 | allow user_script_t user_tmp_t:fifo_file all_fifo_file_perms; |
|---|
| 64 | kernel_read_system_state(user_script_t) |
|---|
| 65 | |
|---|
| 66 | afs_access(user_t); |
|---|
| 67 | afs_access(user_script_t); |
|---|
| 68 | afs_access(user_setuid_t); |
|---|
| 69 | afs_access(staff_t); |
|---|
| 70 | afs_access(sysadm_t); |
|---|
| 71 | zephyr_access(user_t); |
|---|
| 72 | zephyr_access(user_script_t); |
|---|
| 73 | |
|---|
| 74 | # permit aklog: |
|---|
| 75 | kernel_write_proc_files(user_t) |
|---|
| 76 | #allow user_t proc_t:file write; |
|---|
| 77 | |
|---|
| 78 | ### AFS ### |
|---|
| 79 | |
|---|
| 80 | require { |
|---|
| 81 | type kernel_t; |
|---|
| 82 | }; |
|---|
| 83 | |
|---|
| 84 | afs_access(kernel_t); |
|---|
| 85 | zephyr_access(kernel_t); |
|---|
| 86 | |
|---|
| 87 | ### INIT ### |
|---|
| 88 | |
|---|
| 89 | require { |
|---|
| 90 | type initrc_t, tmp_t; |
|---|
| 91 | }; |
|---|
| 92 | |
|---|
| 93 | # init.d script sets up cell files: |
|---|
| 94 | afs_access(initrc_t); |
|---|
| 95 | allow initrc_t afsd_etc_t:file { rw_file_perms setattr }; |
|---|
| 96 | |
|---|
| 97 | # init.d makes the sessions directory: |
|---|
| 98 | allow initrc_t tmp_t:dir { create setattr }; |
|---|
| 99 | |
|---|
| 100 | # AFS fs |
|---|
| 101 | kernel_write_proc_files(initrc_t) |
|---|
| 102 | |
|---|
| 103 | ### CRON ### |
|---|
| 104 | |
|---|
| 105 | require { |
|---|
| 106 | type crond_t, user_cron_spool_t, user_crontab_t; |
|---|
| 107 | type system_crond_t; |
|---|
| 108 | type var_log_t; |
|---|
| 109 | }; |
|---|
| 110 | |
|---|
| 111 | afs_access(crond_t); |
|---|
| 112 | afs_access(user_crontab_t); |
|---|
| 113 | ### crond can switch to user_t rather than user_crond_t |
|---|
| 114 | ### (we have pam_env set SELINUX_ROLE_TYPE to accomplish this) |
|---|
| 115 | domain_cron_exemption_target(user_t) |
|---|
| 116 | domain_entry_file(user_t, user_cron_spool_t) |
|---|
| 117 | domain_trans(crond_t, user_cron_spool_t, user_t) |
|---|
| 118 | allow user_t crond_t:process sigchld; |
|---|
| 119 | allow crond_t self:process setrlimit; |
|---|
| 120 | allow crond_t user_t:fd use; |
|---|
| 121 | allow user_t crond_t:fd use; |
|---|
| 122 | allow user_t crond_t:fifo_file rw_file_perms; |
|---|
| 123 | allow crond_t user_t:fifo_file rw_file_perms; |
|---|
| 124 | allow system_crond_t var_log_t:file rw_file_perms; |
|---|
| 125 | |
|---|
| 126 | ### SSH ### |
|---|
| 127 | |
|---|
| 128 | require { |
|---|
| 129 | type sshd_t, sshd_tmp_t; |
|---|
| 130 | }; |
|---|
| 131 | |
|---|
| 132 | afs_access(sshd_t); |
|---|
| 133 | ### sshd GSSAPI authentication |
|---|
| 134 | kerberos_read_keytab(sshd_t) |
|---|
| 135 | # forwarded kerberos tickets via ssh -K |
|---|
| 136 | allow user_t sshd_tmp_t:file r_file_perms; |
|---|
| 137 | |
|---|
| 138 | dontaudit user_t kernel_t:key all_key_perms; |
|---|
| 139 | dontaudit user_script_t kernel_t:key all_key_perms; |
|---|
| 140 | |
|---|
| 141 | # (for admof) |
|---|
| 142 | corecmd_exec_all_executables(sshd_t) |
|---|
| 143 | kernel_write_proc_files(sshd_t) |
|---|
| 144 | |
|---|
| 145 | ### MAIL ### |
|---|
| 146 | |
|---|
| 147 | require { |
|---|
| 148 | type postfix_local_t, procmail_t, sendmail_t; |
|---|
| 149 | }; |
|---|
| 150 | |
|---|
| 151 | afs_access(postfix_local_t); |
|---|
| 152 | afs_access(procmail_t); |
|---|
| 153 | mta_sendmail_exec(user_t) |
|---|
| 154 | mta_sendmail_exec(user_script_t) |
|---|
| 155 | mta_sendmail_exec(system_crond_t) |
|---|
| 156 | can_exec(user_t, sendmail_exec_t) |
|---|
| 157 | can_exec(user_script_t, sendmail_exec_t) |
|---|
| 158 | can_exec(system_crond_t, sendmail_exec_t) |
|---|
| 159 | allow sendmail_t postfix_local_t:fd use; |
|---|
| 160 | allow sendmail_t postfix_local_t:fifo_file { getattr write }; |
|---|
| 161 | corecmd_exec_bin(procmail_t) |
|---|
| 162 | corecmd_exec_sbin(procmail_t) |
|---|
| 163 | |
|---|
| 164 | ### HTTPD ### |
|---|
| 165 | |
|---|
| 166 | require { |
|---|
| 167 | type httpd_t, httpd_suexec_exec_t, httpd_suexec_t; |
|---|
| 168 | role user_r; |
|---|
| 169 | }; |
|---|
| 170 | |
|---|
| 171 | afs_access(httpd_t); |
|---|
| 172 | dontaudit httpd_t self:key all_key_perms; |
|---|
| 173 | dontaudit httpd_t sshd_t:key all_key_perms; |
|---|
| 174 | dontaudit httpd_t kernel_t:key all_key_perms; |
|---|
| 175 | allow httpd_t self:process setrlimit; |
|---|
| 176 | |
|---|
| 177 | # SUEXEC PHASE 1 |
|---|
| 178 | can_exec(httpd_t, httpd_suexec_exec_t) |
|---|
| 179 | domain_auto_trans(httpd_t, httpd_suexec_exec_t, httpd_suexec_t) |
|---|
| 180 | apache_read_config(httpd_suexec_t) |
|---|
| 181 | apache_read_log(httpd_suexec_t) |
|---|
| 182 | apache_append_log(httpd_suexec_t) |
|---|
| 183 | |
|---|
| 184 | # SUEXEC PHASE 2 |
|---|
| 185 | allow httpd_suexec_t self:process { setexec }; |
|---|
| 186 | allow httpd_suexec_t { user_t user_script_t }:process { transition siginh rlimitinh noatsecure }; |
|---|
| 187 | |
|---|
| 188 | # SUEXEC PHASE 3 |
|---|
| 189 | allow { httpd_suexec_t user_t user_script_t } httpd_t:fd { use }; |
|---|
| 190 | allow { httpd_suexec_t user_t user_script_t } httpd_t:fifo_file { read write }; |
|---|
| 191 | allow { httpd_suexec_t user_t user_script_t } httpd_t:process { sigchld }; |
|---|
| 192 | allow { user_t user_script_t } httpd_suexec_t:fd { use }; |
|---|
| 193 | allow httpd_suexec_t { user_t user_script_t }:process transition; |
|---|
| 194 | typeattribute httpd_suexec_t can_change_process_identity, can_change_process_role; |
|---|
| 195 | #domain_unconfined(httpd_suexec_t) |
|---|
| 196 | apache_append_log(user_t) |
|---|
| 197 | |
|---|
| 198 | # mod_fcgid in user_t |
|---|
| 199 | allow { httpd_suexec_t user_t user_script_t } httpd_t:unix_stream_socket all_unix_stream_socket_perms; |
|---|
| 200 | allow httpd_t { user_t user_script_t }:process { sigkill signal }; |
|---|
| 201 | |
|---|
| 202 | ### *** ### |
|---|
| 203 | |
|---|
| 204 | require { |
|---|
| 205 | type var_run_t; |
|---|
| 206 | }; |
|---|
| 207 | |
|---|
| 208 | # named.pid |
|---|
| 209 | allow initrc_t var_run_t:lnk_file create; |
|---|
| 210 | |
|---|
| 211 | # semodule -i |
|---|
| 212 | require { type semanage_t, sysadm_home_t; }; |
|---|
| 213 | allow semanage_t sysadm_home_t:dir rw_dir_perms; |
|---|
| 214 | allow semanage_t sysadm_home_t:file rw_file_perms; |
|---|
| 215 | |
|---|
| 216 | require { type restorecond_t, crond_t; }; |
|---|
| 217 | dontaudit restorecond_t kernel_t:key all_key_perms; |
|---|
| 218 | dontaudit { domain userdomain crond_t } sshd_t:key all_key_perms; |
|---|
