Index: /selinux/build/scripts.te
===================================================================
--- /selinux/build/scripts.te	(revision 117)
+++ /selinux/build/scripts.te	(revision 118)
@@ -9,6 +9,14 @@
 require {
 	attribute domain, userdomain, unpriv_userdomain;
-	type user_t;
-};
+	attribute can_change_process_identity, can_change_process_role;
+	type user_t, user_tmp_t;
+	type staff_t, sysadm_t;
+};
+
+corenet_tcp_bind_all_nodes(user_t)
+corenet_tcp_bind_all_ports(user_t)
+#corenet_udp_bind_generic_port(user_t)
+
+## user_setuid_t ##
 
 type user_setuid_t, domain, userdomain, unpriv_userdomain;
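Review bot: `corenet_tcp_bind_all_ports(user_t)` at L16 lets the ordinary user domain bind every TCP port type, which in refpolicy includes the reserved and service-labelled port types, so a user_t process holding CAP_NET_BIND_SERVICE can sit on a service port with no AVC denial to show for it. If only unprivileged ports are needed, `corenet_tcp_bind_all_unreserved_ports(user_t)` is the narrower interface; if service ports really are required, a comment on the line should say which and why, e.g. `# user_t must bind service ports for <reason>`. The commented-out `#corenet_udp_bind_generic_port(user_t)` on the next line is dead text and could be dropped rather than kept as a hint of an undecided grant.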
@@ -21,4 +29,5 @@
 corecmd_exec_all_executables(user_setuid_t)
 term_use_all_user_ptys(user_setuid_t)
+kernel_read_system_state(user_setuid_t)
 
 allow user_setuid_t bin_t:file entrypoint;
@@ -34,7 +43,32 @@
 allow user_setuid_t user_t:process sigchld;
 
+## user_script_t ##
+userdom_base_user_template(user_script)
+userdom_basic_networking_template(user_script)
+domain_interactive_fd(user_script_t)
+corecmd_exec_all_executables(user_script_t)
+files_exec_usr_files(user_script_t)
+corenet_tcp_bind_all_nodes(user_script_t)
+corenet_tcp_bind_all_ports(user_script_t)
+corenet_udp_bind_all_nodes(user_script_t)
+corenet_udp_bind_all_ports(user_script_t)
+#corenet_udp_bind_generic_port(user_script_t)
+kerberos_use(user_script_t)
+files_read_kernel_symbol_table(user_script_t)
+kernel_dontaudit_read_ring_buffer(user_script_t)
+dev_read_urand(user_script_t)
+apache_append_log(user_script_t)
+allow user_script_t user_tmp_t:file all_file_perms;
+allow user_script_t user_tmp_t:dir all_dir_perms;
+allow user_script_t user_tmp_t:fifo_file all_fifo_file_perms;
+kernel_read_system_state(user_script_t)
+
 afs_access(user_t);
+afs_access(user_script_t);
 afs_access(user_setuid_t);
+afs_access(staff_t);
+afs_access(sysadm_t);
 zephyr_access(user_t);
+zephyr_access(user_script_t);
 
 # permit aklog:
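Review bot: `allow user_script_t user_tmp_t:file all_file_perms;` at L47 grants execute, execmod and relabel permissions on user temporary files, so a script in this domain can write a file into tmp and then run or map it executable from there, which undoes the usual tmp/exec separation. If the domain only needs to create and manage its temp files, `manage_file_perms` is the conventional set; `execute` can be added separately if running scripts out of tmp is a documented requirement. The domain also binds all TCP and UDP ports (L37–L40), and nothing in the hunk records what runs as user_script_t; a header comment above `userdom_base_user_template(user_script)` such as `# user_script_t: <workload>, needs service ports because <reason>` would let the next reviewer judge the grants, assuming the template declares the type as it does in refpolicy.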
@@ -103,13 +137,8 @@
 
 dontaudit user_t kernel_t:key all_key_perms;
+dontaudit user_script_t kernel_t:key all_key_perms;
 
 # (for admof)
-# perl
-corecmd_exec_bin(sshd_t)
-# aklog
-corecmd_exec_sbin(sshd_t)
-# exec
-corecmd_exec_shell(sshd_t)
-# fs
+corecmd_exec_all_executables(sshd_t)
 kernel_write_proc_files(sshd_t)
 
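Review bot: Replacing the three enumerated exec rules with `corecmd_exec_all_executables(sshd_t)` at L74 widens sshd_t from bin, sbin and shell to every executable type, and the removed `# perl`, `# aklog` and `# exec` comments were the only record of why those were needed; the surviving `# (for admof)` now explains nothing on its own. Keep the rationale with the new line, e.g. `# admof needs perl, aklog and a shell; granted via all executables rather than enumerating`, or keep the narrower three calls if that is all admof uses.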
@@ -123,6 +152,8 @@
 afs_access(procmail_t);
 mta_sendmail_exec(user_t)
+mta_sendmail_exec(user_script_t)
 mta_sendmail_exec(system_crond_t)
 can_exec(user_t, sendmail_exec_t)
+can_exec(user_script_t, sendmail_exec_t)
 can_exec(system_crond_t, sendmail_exec_t)
 allow sendmail_t postfix_local_t:fd use;
@@ -153,13 +184,19 @@
 # SUEXEC PHASE 2
 allow httpd_suexec_t self:process { setexec };
-allow httpd_suexec_t user_t:process { transition siginh rlimitinh noatsecure };
+allow httpd_suexec_t { user_t user_script_t }:process { transition siginh rlimitinh noatsecure };
 
 # SUEXEC PHASE 3
-allow { httpd_suexec_t user_t } httpd_t:fd { use };
-allow { httpd_suexec_t user_t } httpd_t:fifo_file { read write };
-allow { httpd_suexec_t user_t } httpd_t:process { sigchld };
-allow { user_t } httpd_suexec_t:fd { use };
-#allow httpd_suexec_t user_t:process transition;
-domain_unconfined(httpd_suexec_t)
+allow { httpd_suexec_t user_t user_script_t } httpd_t:fd { use };
+allow { httpd_suexec_t user_t user_script_t } httpd_t:fifo_file { read write };
+allow { httpd_suexec_t user_t user_script_t } httpd_t:process { sigchld };
+allow { user_t user_script_t } httpd_suexec_t:fd { use };
+allow httpd_suexec_t { user_t user_script_t }:process transition;
+typeattribute httpd_suexec_t can_change_process_identity, can_change_process_role;
+#domain_unconfined(httpd_suexec_t)
+apache_append_log(user_t)
+
+# mod_fcgid in user_t
+allow { httpd_suexec_t user_t user_script_t } httpd_t:unix_stream_socket all_unix_stream_socket_perms;
+allow httpd_t { user_t user_script_t }:process { sigkill signal };
 
 ### *** ###
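Review bot: `allow httpd_suexec_t { user_t user_script_t }:process transition;` at L103 is redundant — L90 already grants `transition` to the same two targets, so the line restates part of an earlier rule and should be dropped or folded into L90. Swapping `domain_unconfined(httpd_suexec_t)` for the two `can_change_process_*` attributes at L104 is the right direction; a comment such as `# lets suexec change UID and role across the transition without unconfining it` would record why both attributes are required. Under `# mod_fcgid in user_t`, the `sigkill signal` grant at L110 applies to every user_t process, not only FCGI children, because SELinux cannot scope it to a process tree; if user_t is also the interactive login domain here, that should be noted on the line, or the FCGI handlers confined to user_script_t only.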
@@ -179,3 +216,3 @@
 require { type restorecond_t, crond_t; };
 dontaudit restorecond_t kernel_t:key all_key_perms;
-dontaudit crond_t sshd_t:key all_key_perms;
+dontaudit { domain userdomain crond_t } sshd_t:key all_key_perms;
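Review bot: In `dontaudit { domain userdomain crond_t } sshd_t:key all_key_perms;` at L117 the `domain` attribute already covers every process type, so `userdomain` and `crond_t` add nothing, and the rule silently suppresses audit records for any domain touching sshd_t's keyrings, including ones that should never reach them. That removes the one signal a defender has that something unexpected hit sshd_t keys; keep the dontaudit limited to the domains that actually trip it, e.g. `dontaudit { userdomain crond_t } sshd_t:key all_key_perms;`, and add others only as they appear in the audit log.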
