source: selinux/build/signup.te @ 866

Last change on this file since 866 was 117, checked in by presbrey, 18 years ago
appropriately named the signup_t domain module new domain user_setuid_t to confine setuid user programs (i.e. SQL signup)
File size: 2.1 KB
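# Joe Presbrey
# presbrey@mit.edu
# 2006/1/15
#
# Policy module for the web signup program.  Two domains are declared:
#   signup_t    - the CGI itself, entered from httpd_suexec_t (see "SUEXEC"
#                 at the bottom); an unprivileged user domain.
#   signup_su_t - the privileged half, entered automatically when signup_t
#                 executes sudo (sudo_exec_t); holds setuid/setgid and
#                 delegates account creation to useradd_t / groupadd_t.

policy_module(signup,1.0.0)

require {
        attribute domain, userdomain, unpriv_userdomain;
};

require { type sudo_exec_t; };
# Types named directly in allow rules below.  Required explicitly so the
# module does not rely on whichever interface expansion happens to bring
# them in.  NOTE(review): confirm these type names exist in the base policy
# this module is built against.
require { type useradd_t, groupadd_t, sbin_t, shell_exec_t; };

type signup_t, domain, userdomain, unpriv_userdomain;
# signup_su_t is deliberately not unpriv_userdomain: it carries the
# privileged capabilities granted further down.
type signup_su_t, domain, userdomain;
role system_r types { signup_t signup_su_t };
role user_r types { signup_t signup_su_t };

# Baseline access shared by both domains.
afs_access(signup_t)
afs_access(signup_su_t)
# NOTE(review): this widens useradd_t, a domain owned by the usermanage
# module rather than this one; every other caller of useradd_t gains AFS
# access as well.  Keep only if useradd genuinely needs AFS on this host.
afs_access(useradd_t)
files_read_etc_files(signup_t)
libs_use_ld_so(signup_t)
libs_use_shared_libs(signup_t)
miscfiles_read_localization(signup_t)
files_read_etc_files(signup_su_t)
libs_use_ld_so(signup_su_t)
libs_use_shared_libs(signup_su_t)
miscfiles_read_localization(signup_su_t)

# signup_t -> signup_su_t on exec of sudo.  The matching entrypoint rule is
# further down (allow signup_su_t sudo_exec_t:file entrypoint).
domain_auto_trans(signup_t, sudo_exec_t, signup_su_t)
# Direct read AND write of the shadow file from the sudo domain.
# NOTE(review): the actual account changes are delegated to useradd_t /
# groupadd_t below; if nothing in signup_su_t edits shadow itself, this
# should be narrowed (read-only, or dropped) — confirm against the program.
auth_rw_shadow(signup_su_t)
sysnet_dns_name_resolve(signup_t)
sysnet_dns_name_resolve(signup_su_t)

# Account creation: signup_su_t runs useradd/groupadd in their own domains
# (system_r), and the child domains report back to signup_t.
usermanage_run_useradd(signup_su_t,system_r,signup_t)
usermanage_run_groupadd(signup_su_t,system_r,signup_t)
# Pipe I/O and exit notification from the useradd/groupadd children back to
# the CGI.  httpd_t appears here because the pipes presumably originate in
# the web server and are inherited down the chain — confirm.
allow groupadd_t signup_t:fifo_file { getattr ioctl read write };
allow groupadd_t signup_t:process sigchld;

allow useradd_t { httpd_t signup_t }:fd use;
allow useradd_t { httpd_t signup_t }:fifo_file { getattr ioctl read write };
allow useradd_t signup_t:process sigchld;
# signup_su_t talks to its signup_t parent over the inherited pipe
# (write only, no read) and signals completion.
allow signup_su_t signup_t:fd use;
allow signup_su_t signup_t:fifo_file { ioctl write };
allow signup_su_t signup_t:process sigchld;
allow signup_su_t sudo_exec_t:file entrypoint;
# Capabilities sudo needs to switch identity and write audit records.
allow signup_su_t self:capability { audit_write setgid setuid };
dev_read_urand(signup_t)
kernel_read_system_state(signup_t)
logging_send_syslog_msg(signup_su_t)

# Executable access for the CGI.  Beyond the corecmd interface, sbin_t and
# shell_exec_t are granted execute_no_trans, i.e. those programs run inside
# signup_t itself rather than transitioning to their own domain.
# NOTE(review): this is the broadest grant in the module; if the CGI only
# needs sudo plus a shell, restrict it to those types.
corecmd_exec_all_executables(signup_t)
allow signup_t sbin_t:dir search;
allow signup_t sbin_t:file { execute execute_no_trans read };
allow signup_t shell_exec_t:file { execute execute_no_trans getattr read };
allow signup_t self:fifo_file { getattr ioctl read write };

# SUEXEC #
# Entry into signup_t from the web server's suexec domain.  No
# type_transition is declared here, so the domain change is presumably
# requested explicitly by suexec (e.g. via setexeccon) — confirm.
# siginh/rlimitinh/noatsecure let the new signup_t process keep the caller's
# signal state and rlimits and skip the secure-exec (AT_SECURE) reset;
# review whether noatsecure is actually needed on this path.
require { type httpd_suexec_t, httpd_t; };
allow httpd_suexec_t { signup_t }:process { transition siginh rlimitinh noatsecure };
allow { signup_t } httpd_t:fd { use };
allow { signup_t } httpd_t:fifo_file { getattr ioctl read write };
allow { signup_t } httpd_t:process { sigchld };
allow { signup_t } httpd_suexec_t:fd { use };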