Last change
on this file since 79 was
79,
checked in by presbrey, 18 years ago
|
vixie-cron executes as the user under SELinux
SELinux policy for afsd and afsagent
|
File size:
1.2 KB
|
Rev | Line | |
---|
[28] | 1 | policy_module(misc,1.0.0) |
---|
| 2 | |
---|
[79] | 3 | ### AFS ### |
---|
| 4 | |
---|
| 5 | require { |
---|
| 6 | type crond_t, kernel_t, sshd_t, user_t, httpd_t; |
---|
| 7 | type proc_t; |
---|
| 8 | } |
---|
| 9 | afs_access(afsd_t); |
---|
| 10 | afs_access(crond_t); |
---|
| 11 | afs_access(httpd_t); |
---|
| 12 | afs_access(kernel_t); |
---|
| 13 | afs_access(sshd_t); |
---|
| 14 | afs_access(user_t); |
---|
| 15 | |
---|
| 16 | require { |
---|
| 17 | type initrc_t; |
---|
| 18 | } |
---|
| 19 | # init.d script sets up cell files: |
---|
| 20 | allow initrc_t afsd_etc_t:file { setattr write }; |
---|
| 21 | # permit aklog: |
---|
| 22 | allow user_t proc_t:file write; |
---|
| 23 | |
---|
| 24 | ### CRON ### |
---|
| 25 | |
---|
| 26 | require { |
---|
| 27 | type crond_t, user_cron_spool_t; |
---|
| 28 | type user_t; |
---|
| 29 | }; |
---|
| 30 | |
---|
| 31 | ### crond can switch to user_t rather than user_crond_t |
---|
| 32 | ### (we have pam_env set SELINUX_ROLE_TYPE to accomplish this) |
---|
| 33 | domain_cron_exemption_target(user_t) |
---|
| 34 | allow user_t user_cron_spool_t:file entrypoint; |
---|
| 35 | allow crond_t user_t:process transition; |
---|
| 36 | dontaudit crond_t user_t:process { noatsecure siginh rlimitinh }; |
---|
| 37 | allow crond_t user_t:fd use; |
---|
| 38 | allow user_t crond_t:fd use; |
---|
| 39 | allow user_t crond_t:fifo_file rw_file_perms; |
---|
| 40 | allow user_t crond_t:process sigchld; |
---|
| 41 | |
---|
| 42 | ### KRB ### |
---|
| 43 | |
---|
| 44 | require { |
---|
| 45 | type sshd_t; |
---|
| 46 | }; |
---|
| 47 | |
---|
| 48 | ### sshd GSSAPI authentication |
---|
| 49 | kerberos_read_keytab(sshd_t) |
---|
| 50 | allow user_t kernel_t:key search; |
---|
| 51 | |
---|
| 52 | ### MAIL ### |
---|
| 53 | mta_sendmail_exec(user_t) |
---|
| 54 | can_exec(user_t, sendmail_exec_t) |
---|
| 55 | |
---|
| 56 | |
---|
| 57 | ### HTTPD ### |
---|
| 58 | allow httpd_t self:key all_key_perms; |
---|
Note: See
TracBrowser
for help on using the repository browser.