Context Navigation

scripts.te @ 117

Last change on this file since 117 was 117, checked in by presbrey, 19 years ago
appropriately named the signup_t domain module new domain user_setuid_t to confine setuid user programs (i.e. SQL signup)
File size: 4.3 KB

Line
1	# Joe Presbrey
2	# presbrey@mit.edu
3	# 2006/1/15
4
5	policy_module(scripts,1.0.0)
6
7	### USER ###
8
9	require {
10	attribute domain, userdomain, unpriv_userdomain;
11	type user_t;
12	};
13
14	type user_setuid_t, domain, userdomain, unpriv_userdomain;
15	role user_r types user_setuid_t;
16	domain_interactive_fd(user_setuid_t)
17	files_read_etc_files(user_setuid_t)
18	libs_use_ld_so(user_setuid_t)
19	libs_use_shared_libs(user_setuid_t)
20	miscfiles_read_localization(user_setuid_t)
21	corecmd_exec_all_executables(user_setuid_t)
22	term_use_all_user_ptys(user_setuid_t)
23
24	allow user_setuid_t bin_t:file entrypoint;
25	allow user_setuid_t sbin_t:file entrypoint;
26
27	# allow user_setuid_t domain to call setuid and setgid
28	allow user_setuid_t self:capability { setuid setgid };
29
30	# transition back to the user domain when executing "user" binaries
31	domain_auto_trans(user_setuid_t, nfs_t, user_t)
32
33	# allow user_setuid_t domain to signal its caller
34	allow user_setuid_t user_t:process sigchld;
35
36	afs_access(user_t);
37	afs_access(user_setuid_t);
38	zephyr_access(user_t);
39
40	# permit aklog:
41	kernel_write_proc_files(user_t)
42	#allow user_t proc_t:file write;
43
44	### AFS ###
45
46	require {
47	type kernel_t;
48	};
49
50	afs_access(kernel_t);
51	zephyr_access(kernel_t);
52
53	### INIT ###
54
55	require {
56	type initrc_t, tmp_t;
57	};
58
59	# init.d script sets up cell files:
60	afs_access(initrc_t);
61	allow initrc_t afsd_etc_t:file { rw_file_perms setattr };
62
63	# init.d makes the sessions directory:
64	allow initrc_t tmp_t:dir { create setattr };
65
66	# AFS fs
67	kernel_write_proc_files(initrc_t)
68
69	### CRON ###
70
71	require {
72	type crond_t, user_cron_spool_t, user_crontab_t;
73	type system_crond_t;
74	type var_log_t;
75	};
76
77	afs_access(crond_t);
78	afs_access(user_crontab_t);
79	### crond can switch to user_t rather than user_crond_t
80	### (we have pam_env set SELINUX_ROLE_TYPE to accomplish this)
81	domain_cron_exemption_target(user_t)
82	domain_entry_file(user_t, user_cron_spool_t)
83	domain_trans(crond_t, user_cron_spool_t, user_t)
84	allow user_t crond_t:process sigchld;
85	allow crond_t self:process setrlimit;
86	allow crond_t user_t:fd use;
87	allow user_t crond_t:fd use;
88	allow user_t crond_t:fifo_file rw_file_perms;
89	allow crond_t user_t:fifo_file rw_file_perms;
90	allow system_crond_t var_log_t:file rw_file_perms;
91
92	### SSH ###
93
94	require {
95	type sshd_t, sshd_tmp_t;
96	};
97
98	afs_access(sshd_t);
99	### sshd GSSAPI authentication
100	kerberos_read_keytab(sshd_t)
101	# forwarded kerberos tickets via ssh -K
102	allow user_t sshd_tmp_t:file r_file_perms;
103
104	dontaudit user_t kernel_t:key all_key_perms;
105
106	# (for admof)
107	# perl
108	corecmd_exec_bin(sshd_t)
109	# aklog
110	corecmd_exec_sbin(sshd_t)
111	# exec
112	corecmd_exec_shell(sshd_t)
113	# fs
114	kernel_write_proc_files(sshd_t)
115
116	### MAIL ###
117
118	require {
119	type postfix_local_t, procmail_t, sendmail_t;
120	};
121
122	afs_access(postfix_local_t);
123	afs_access(procmail_t);
124	mta_sendmail_exec(user_t)
125	mta_sendmail_exec(system_crond_t)
126	can_exec(user_t, sendmail_exec_t)
127	can_exec(system_crond_t, sendmail_exec_t)
128	allow sendmail_t postfix_local_t:fd use;
129	allow sendmail_t postfix_local_t:fifo_file { getattr write };
130	corecmd_exec_bin(procmail_t)
131	corecmd_exec_sbin(procmail_t)
132
133	### HTTPD ###
134
135	require {
136	type httpd_t, httpd_suexec_exec_t, httpd_suexec_t;
137	role user_r;
138	};
139
140	afs_access(httpd_t);
141	dontaudit httpd_t self:key all_key_perms;
142	dontaudit httpd_t sshd_t:key all_key_perms;
143	dontaudit httpd_t kernel_t:key all_key_perms;
144	allow httpd_t self:process setrlimit;
145
146	# SUEXEC PHASE 1
147	can_exec(httpd_t, httpd_suexec_exec_t)
148	domain_auto_trans(httpd_t, httpd_suexec_exec_t, httpd_suexec_t)
149	apache_read_config(httpd_suexec_t)
150	apache_read_log(httpd_suexec_t)
151	apache_append_log(httpd_suexec_t)
152
153	# SUEXEC PHASE 2
154	allow httpd_suexec_t self:process { setexec };
155	allow httpd_suexec_t user_t:process { transition siginh rlimitinh noatsecure };
156
157	# SUEXEC PHASE 3
158	allow { httpd_suexec_t user_t } httpd_t:fd { use };
159	allow { httpd_suexec_t user_t } httpd_t:fifo_file { read write };
160	allow { httpd_suexec_t user_t } httpd_t:process { sigchld };
161	allow { user_t } httpd_suexec_t:fd { use };
162	#allow httpd_suexec_t user_t:process transition;
163	domain_unconfined(httpd_suexec_t)
164
165	### *** ###
166
167	require {
168	type var_run_t;
169	};
170
171	# named.pid
172	allow initrc_t var_run_t:lnk_file create;
173
174	# semodule -i
175	require { type semanage_t, sysadm_home_t; };
176	allow semanage_t sysadm_home_t:dir rw_dir_perms;
177	allow semanage_t sysadm_home_t:file rw_file_perms;
178
179	require { type restorecond_t, crond_t; };
180	dontaudit restorecond_t kernel_t:key all_key_perms;
181	dontaudit crond_t sshd_t:key all_key_perms;

Note: See TracBrowser for help on using the repository browser.

Download in other formats:

Original Format