- Timestamp:
- Jan 19, 2007, 6:58:44 AM (19 years ago)
- Location:
- selinux
- Files:
- 
          - 3 added
- 7 edited
 
 - 
          Makefile (modified) (1 diff)
- 
          build/afsagent.fc (added)
- 
          build/afsagent.if (added)
- 
          build/afsagent.te (added)
- 
          build/afsd.fc (modified) (1 diff)
- 
          build/afsd.if (modified) (1 diff)
- 
          build/afsd.te (modified) (4 diffs)
- 
          build/misc.fc (modified) (1 diff)
- 
          build/misc.te (modified) (1 diff)
- 
          set_booleans.sh (modified) (3 diffs)
 
- 
        selinux/Makefiler28 r79 1 include /usr/share/selinux/devel/include/Makefile 1 include /usr/share/selinux/devel/Makefile 2 #include /usr/share/selinux/devel/include/Makefile 3 4 /usr/share/selinux/devel/include/Makefile: 5 yum -y install selinux-policy-devel 2 6 3 7 build/%.fc: %.fc 8 rm -rf tmp 9 10 install: 11 /usr/sbin/setenforce 0; 12 /usr/sbin/semodule -i afsd.pp; 13 /usr/sbin/semodule -i misc.pp; 14 /usr/sbin/getenforce 15 # export SESTAT=`/usr/sbin/getenforce`; 16 # /usr/sbin/setenforce $$SESTAT; 
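Review bot: The install target switches the system to permissive with `/usr/sbin/setenforce 0;` and never puts it back — the restore survives only as the two commented-out lines at the end, and the `/usr/sbin/getenforce` call before them merely prints the now-permissive mode. The commented version could not have worked as written anyway, because every recipe line runs in its own shell, so an exported SESTAT is gone by the next line; joining the lines with `; \` and restoring only when the saved mode was Enforcing fixes both problems. The new `/usr/share/selinux/devel/include/Makefile:` rule runs `yum -y install` as a side effect of a missing file, which deserves a comment naming it as a one-time bootstrap step. The added build/afsagent.* module is not loaded by install; if that is deliberate, say so in a comment.
```makefile
install:
	SESTAT=$$(/usr/sbin/getenforce); \
	/usr/sbin/setenforce 0; \
	/usr/sbin/semodule -i afsd.pp; \
	/usr/sbin/semodule -i misc.pp; \
	if [ "$$SESTAT" = Enforcing ]; then /usr/sbin/setenforce 1; fi
```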
- 
        selinux/build/afsd.fcr28 r79 4 4 # MCS categories: <none> 5 5 6 /afs -d gen_context(system_u:object_r:default_t,s0) 7 /etc/openafs(/.*)? gen_context(system_u:object_r:afsd_etc_t,s0) 8 /usr/vice/etc(/.*)? gen_context(system_u:object_r:afsd_etc_t,s0) 6 9 /usr/vice/etc/afsd -- gen_context(system_u:object_r:afsd_exec_t,s0) 7 /usr/vice/etc(/.*)? gen_context(system_u:object_r:afsd_etc_t,s0)8 10 /usr/vice/cache(/.*)? gen_context(system_u:object_r:afsd_cache_t,s0) 9 /afs -d gen_context(system_u:object_r:default_t,s0)
- 
        selinux/build/afsd.ifr28 r79 32 32 allow $1 afsd_etc_t:dir r_dir_perms; 33 33 allow $1 afsd_etc_t:file r_file_perms; 34 allow $1 afsd_etc_t:lnk_file r_file_perms; 34 35 allow $1 autofs_t:dir r_dir_perms; 35 36 allow $1 autofs_t:lnk_file r_file_perms; 
- 
        selinux/build/afsd.ter28 r79 14 14 type afsd_etc_t; 15 15 type afsd_cache_t; 16 #files_type(afsd_etc_t) 16 17 files_type(afsd_etc_t) 17 18 files_type(afsd_cache_t) … … 35 36 init_use_script_ptys(afsd_t) 36 37 domain_use_interactive_fds(afsd_t) 38 term_use_console(afsd_t) 37 39 38 40 files_mounton_default(afsd_t) … … 53 55 allow afsd_t self:capability { sys_admin sys_nice sys_tty_config}; 54 56 57 #allow afsd_t lo_node_t:node all_node_perms; 58 #allow afsd_t net_conf_t:file read; 59 sysnet_dns_name_resolve(afsd_t) 60 corenet_tcp_sendrecv_all_nodes(afsd_t) 61 corenet_udp_sendrecv_all_nodes(afsd_t) 62 63 55 64 require { 56 65 type afs_bos_port_t,afs_fs_port_t,afs_fs_port_t,afs_ka_port_t,afs_pt_port_t,afs_vl_port_t; 57 66 type netif_t, node_t; 67 type kernel_t; 58 68 } 59 69 allow afsd_t { self afs_bos_port_t afs_fs_port_t afs_fs_port_t afs_ka_port_t afs_pt_port_t afs_vl_port_t }:tcp_socket all_tcp_socket_perms; … … 62 72 allow afsd_t node_t:node { udp_recv udp_send }; 63 73 64 require { 65 type crond_t, kernel_t, sshd_t, user_t; 66 } 67 afs_access(afsd_t); 68 afs_access(crond_t); 69 afs_access(kernel_t); 70 afs_access(sshd_t); 71 afs_access(user_t); 72 73 require { 74 type initrc_t; 75 } 76 # init.d script sets up cell files: 77 allow initrc_t afsd_etc_t:file { setattr write }; 78 # permit aklog: 79 allow user_t proc_t:file write; 74 allow afsd_t kernel_t:key all_key_perms; 
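Review bot: `allow afsd_t kernel_t:key all_key_perms;` (new line 74) grants every key permission — including write, setattr and link — on keys owned by kernel_t, while a lookup of PAG tokens would presumably need only `{ view read search }`; narrow the rule to the permissions the audit denial actually showed and record that in a comment, e.g. `# afsd looks up PAG tokens in kernel keyrings; perms taken from the AVC denial`. The same hunk keeps `#allow afsd_t lo_node_t:node all_node_perms;` and `#allow afsd_t net_conf_t:file read;` as dead rules beside the live `sysnet_dns_name_resolve(afsd_t)`; either drop them or note why they stay. With `corenet_udp_sendrecv_all_nodes(afsd_t)` added, the later context line `allow afsd_t node_t:node { udp_recv udp_send };` looks redundant — verify and remove it if so.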
- 
        selinux/build/misc.fcr28 r79 1 /var/empty/sshd(.*) gen_context(system_u:object_r:sshd_t,s0)2 /var/empty/sshd/etc/localtime -- gen_context(system_u:object_r:locale_t,s0)1 #/var/empty/sshd(.*) gen_context(system_u:object_r:sshd_t,s0) 2 #/var/empty/sshd/etc/localtime -- gen_context(system_u:object_r:locale_t,s0) 
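Review bot: Both file-context entries are now commented out, leaving misc.fc with no active entries and no record of why the /var/empty/sshd labeling was dropped; a one-line comment such as `# sshd chroot entries disabled: <reason>` — or removing the file — would make the intent clear. Commenting an entry out does not relabel what is already on disk; those paths keep their current context until restorecon runs.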
- 
        selinux/build/misc.ter28 r79 1 1 policy_module(misc,1.0.0) 2 2 3 ### AFS ### 4 5 require { 6 type crond_t, kernel_t, sshd_t, user_t, httpd_t; 7 type proc_t; 8 } 9 afs_access(afsd_t); 10 afs_access(crond_t); 11 afs_access(httpd_t); 12 afs_access(kernel_t); 13 afs_access(sshd_t); 14 afs_access(user_t); 15 16 require { 17 type initrc_t; 18 } 19 # init.d script sets up cell files: 20 allow initrc_t afsd_etc_t:file { setattr write }; 21 # permit aklog: 22 allow user_t proc_t:file write; 23 24 ### CRON ### 25 26 require { 27 type crond_t, user_cron_spool_t; 28 type user_t; 29 }; 30 31 ### crond can switch to user_t rather than user_crond_t 32 ### (we have pam_env set SELINUX_ROLE_TYPE to accomplish this) 33 domain_cron_exemption_target(user_t) 34 allow user_t user_cron_spool_t:file entrypoint; 35 allow crond_t user_t:process transition; 36 dontaudit crond_t user_t:process { noatsecure siginh rlimitinh }; 37 allow crond_t user_t:fd use; 38 allow user_t crond_t:fd use; 39 allow user_t crond_t:fifo_file rw_file_perms; 40 allow user_t crond_t:process sigchld; 41 42 ### KRB ### 43 44 require { 45 type sshd_t; 46 }; 47 48 ### sshd GSSAPI authentication 49 kerberos_read_keytab(sshd_t) 50 allow user_t kernel_t:key search; 51 52 ### MAIL ### 53 mta_sendmail_exec(user_t) 54 can_exec(user_t, sendmail_exec_t) 55 56 57 ### HTTPD ### 58 allow httpd_t self:key all_key_perms; 
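Review bot: `allow user_t proc_t:file write;` (new line 22) lets every user_t process write to any file labeled proc_t, far wider than the single OpenAFS ioctl entry aklog needs; the comment should at least name that file so the rule can be narrowed later, e.g. `# permit aklog: it writes the OpenAFS ioctl entry under /proc (labeled proc_t); narrow if that path ever gets its own type`. misc.te also passes afsd_t to afs_access (line 9) but none of its require blocks names afsd_t, so unless afs_access's own gen_require happens to cover it the module will not build — and since afsd_t belongs to the afsd module, that call arguably belongs back in afsd.te. The require blocks are closed inconsistently, `}` at lines 8 and 18 but `};` at lines 29 and 46; pick one form. `can_exec(user_t, sendmail_exec_t)` right after `mta_sendmail_exec(user_t)` is likely redundant, since that interface already grants execution.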
- 
        selinux/set_booleans.shr28 r79 1 1 #!/bin/bash 2 2 3 setsebool -P allow_kerberos=1 \ 3 setsebool -P \ 4 allow_gssd_read_tmp=1 \ 4 5 allow_httpd_anon_write=1 \ 5 6 allow_httpd_staff_script_anon_write=1 \ … … 8 9 allow_httpd_user_script_anon_write=1 \ 9 10 allow_java_execstack=1 \ 11 allow_kerberos=1 \ 12 allow_mounton_anydir=1 \ 13 allow_nfsd_anon_write=1 \ 14 allow_ssh_keysign=1 \ 10 15 allow_user_mysql_connect=1 \ 11 16 cron_can_relabel=1 \ … … 21 26 nfs_export_all_rw=1 \ 22 27 ssh_sysadm_login=1 \ 23 staff_read_sysadm_file=1 \24 28 use_nfs_home_dirs=1 \ 25 29 use_samba_home_dirs=1 \ 26 30 user_ping=1 \ 27 user_rw_noexattrfile=1 31 user_rw_noexattrfile=1 \ 32 user_tcp_server=1 33 # allow_daemons_use_tty=1 \ 34 # allow_mount_anyfile=1 \ 35 # staff_read_sysadm_file=1 \ 
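Review bot: Each boolean added here (allow_gssd_read_tmp, allow_mounton_anydir, allow_nfsd_anon_write, allow_ssh_keysign, user_tcp_server) loosens a default, yet none records which service needs it, so a later cleanup cannot tell which ones are still required. Inline comments cannot be added to the current backslash-continued argument list — a `#` after a continuation ends the command at that newline — so building the list in a bash array (the script already uses `#!/bin/bash`) and passing `"${booleans[@]}"` to `setsebool -P` is the way to carry a reason per entry. The commented-out `# staff_read_sysadm_file=1 \` and neighbours at the end would then become plain entries that are simply left out of the array.
```bash
# One entry per boolean with the service that needs it, so that unused
# ones can be dropped later; an array is used because inline comments
# cannot sit inside a backslash-continued argument list.
booleans=(
	allow_gssd_read_tmp=1      # rpc.gssd reads credential caches in /tmp
	allow_kerberos=1           # sshd GSSAPI auth (see misc.te)
	allow_mounton_anydir=1     # <fill in: which service needs this>
	# … remaining booleans unchanged …
	user_tcp_server=1          # <fill in: which service needs this>
)
setsebool -P "${booleans[@]}"
```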
