[100] | 1 | # Joe Presbrey |
---|
| 2 | # presbrey@mit.edu |
---|
| 3 | # 2006/1/15 |
---|
[28] | 4 | |
---|
[100] | 5 | policy_module(scripts,1.0.0) |
---|
| 6 | |
---|
[82] | 7 | ### USER ### |
---|
| 8 | |
---|
| 9 | require { |
---|
| 10 | type user_t; |
---|
| 11 | }; |
---|
| 12 | |
---|
| 13 | afs_access(user_t); |
---|
[84] | 14 | zephyr_access(user_t); |
---|
[82] | 15 | |
---|
[100] | 16 | # permit aklog: |
---|
| 17 | kernel_write_proc_files(user_t) |
---|
| 18 | #allow user_t proc_t:file write; |
---|
| 19 | |
---|
[79] | 20 | ### AFS ### |
---|
| 21 | |
---|
| 22 | require { |
---|
[100] | 23 | type kernel_t; |
---|
[82] | 24 | }; |
---|
| 25 | |
---|
[79] | 26 | afs_access(kernel_t); |
---|
[84] | 27 | zephyr_access(kernel_t); |
---|
[79] | 28 | |
---|
[100] | 29 | ### INIT ### |
---|
| 30 | |
---|
| 31 | require { |
---|
| 32 | type initrc_t, tmp_t; |
---|
| 33 | }; |
---|
| 34 | |
---|
[79] | 35 | # init.d script sets up cell files: |
---|
[100] | 36 | afs_access(initrc_t); |
---|
| 37 | allow initrc_t afsd_etc_t:file { rw_file_perms setattr }; |
---|
[79] | 38 | |
---|
[100] | 39 | # init.d makes the sessions directory: |
---|
| 40 | allow initrc_t tmp_t:dir { create setattr }; |
---|
| 41 | |
---|
| 42 | # AFS fs |
---|
| 43 | kernel_write_proc_files(initrc_t) |
---|
| 44 | |
---|
[79] | 45 | ### CRON ### |
---|
| 46 | |
---|
| 47 | require { |
---|
[100] | 48 | type crond_t, user_cron_spool_t, user_crontab_t; |
---|
[84] | 49 | type system_crond_t; |
---|
| 50 | type var_log_t; |
---|
[79] | 51 | }; |
---|
| 52 | |
---|
[82] | 53 | afs_access(crond_t); |
---|
[100] | 54 | afs_access(user_crontab_t); |
---|
[79] | 55 | ### crond can switch to user_t rather than user_crond_t |
---|
| 56 | ### (we have pam_env set SELINUX_ROLE_TYPE to accomplish this) |
---|
| 57 | domain_cron_exemption_target(user_t) |
---|
[100] | 58 | domain_entry_file(user_t, user_cron_spool_t) |
---|
| 59 | domain_trans(crond_t, user_cron_spool_t, user_t) |
---|
| 60 | allow user_t crond_t:process sigchld; |
---|
| 61 | allow crond_t self:process setrlimit; |
---|
[79] | 62 | allow crond_t user_t:fd use; |
---|
| 63 | allow user_t crond_t:fd use; |
---|
| 64 | allow user_t crond_t:fifo_file rw_file_perms; |
---|
[100] | 65 | allow crond_t user_t:fifo_file rw_file_perms; |
---|
[84] | 66 | allow system_crond_t var_log_t:file rw_file_perms; |
---|
[79] | 67 | |
---|
[82] | 68 | ### SSH ### |
---|
[79] | 69 | |
---|
| 70 | require { |
---|
[82] | 71 | type sshd_t; |
---|
[79] | 72 | }; |
---|
| 73 | |
---|
[82] | 74 | afs_access(sshd_t); |
---|
[79] | 75 | ### sshd GSSAPI authentication |
---|
| 76 | kerberos_read_keytab(sshd_t) |
---|
[100] | 77 | dontaudit user_t kernel_t:key all_key_perms; |
---|
[79] | 78 | |
---|
[100] | 79 | # (for admof) |
---|
| 80 | # perl |
---|
| 81 | corecmd_exec_bin(sshd_t) |
---|
| 82 | # aklog |
---|
| 83 | corecmd_exec_sbin(sshd_t) |
---|
| 84 | # exec |
---|
| 85 | corecmd_exec_shell(sshd_t) |
---|
| 86 | # fs |
---|
| 87 | kernel_write_proc_files(sshd_t) |
---|
| 88 | |
---|
[79] | 89 | ### MAIL ### |
---|
[82] | 90 | |
---|
| 91 | require { |
---|
| 92 | type postfix_local_t, procmail_t, sendmail_t; |
---|
| 93 | }; |
---|
| 94 | |
---|
| 95 | afs_access(postfix_local_t); |
---|
| 96 | afs_access(procmail_t); |
---|
[79] | 97 | mta_sendmail_exec(user_t) |
---|
[84] | 98 | mta_sendmail_exec(system_crond_t) |
---|
[79] | 99 | can_exec(user_t, sendmail_exec_t) |
---|
[84] | 100 | can_exec(system_crond_t, sendmail_exec_t) |
---|
[81] | 101 | allow sendmail_t postfix_local_t:fd use; |
---|
| 102 | allow sendmail_t postfix_local_t:fifo_file { getattr write }; |
---|
| 103 | corecmd_exec_bin(procmail_t) |
---|
| 104 | corecmd_exec_sbin(procmail_t) |
---|
[79] | 105 | |
---|
| 106 | ### HTTPD ### |
---|
[82] | 107 | |
---|
| 108 | require { |
---|
[100] | 109 | type httpd_t, httpd_suexec_exec_t, httpd_suexec_t; |
---|
| 110 | role user_r; |
---|
[82] | 111 | }; |
---|
| 112 | |
---|
| 113 | afs_access(httpd_t); |
---|
[100] | 114 | dontaudit httpd_t self:key all_key_perms; |
---|
| 115 | dontaudit httpd_t sshd_t:key all_key_perms; |
---|
| 116 | dontaudit httpd_t kernel_t:key all_key_perms; |
---|
[82] | 117 | allow httpd_t self:process setrlimit; |
---|
[100] | 118 | |
---|
| 119 | # SUEXEC PHASE 1 |
---|
| 120 | can_exec(httpd_t, httpd_suexec_exec_t) |
---|
| 121 | domain_auto_trans(httpd_t, httpd_suexec_exec_t, httpd_suexec_t) |
---|
| 122 | apache_read_config(httpd_suexec_t) |
---|
| 123 | apache_read_log(httpd_suexec_t) |
---|
| 124 | apache_append_log(httpd_suexec_t) |
---|
| 125 | |
---|
| 126 | # SUEXEC PHASE 2 |
---|
| 127 | allow httpd_suexec_t self:process { setexec }; |
---|
| 128 | allow httpd_suexec_t user_t:process { transition siginh rlimitinh noatsecure }; |
---|
| 129 | |
---|
| 130 | # SUEXEC PHASE 3 |
---|
| 131 | allow { httpd_suexec_t user_t } httpd_t:fd { use }; |
---|
| 132 | allow { httpd_suexec_t user_t } httpd_t:fifo_file { read write }; |
---|
| 133 | allow { httpd_suexec_t user_t } httpd_t:process { sigchld }; |
---|
| 134 | allow { user_t } httpd_suexec_t:fd { use }; |
---|
| 135 | #allow httpd_suexec_t user_t:process transition; |
---|
| 136 | domain_unconfined(httpd_suexec_t) |
---|
| 137 | |
---|
| 138 | ### *** ### |
---|
| 139 | |
---|
| 140 | require { |
---|
| 141 | type var_run_t; |
---|
| 142 | }; |
---|
| 143 | |
---|
| 144 | # named.pid |
---|
| 145 | allow initrc_t var_run_t:lnk_file create; |
---|
| 146 | |
---|
| 147 | # semodule -i |
---|
| 148 | require { type semanage_t, sysadm_home_t; }; |
---|
| 149 | allow semanage_t sysadm_home_t:dir rw_dir_perms; |
---|
| 150 | allow semanage_t sysadm_home_t:file rw_file_perms; |
---|
| 151 | |
---|
| 152 | require { type restorecond_t, crond_t; }; |
---|
| 153 | dontaudit restorecond_t kernel_t:key all_key_perms; |
---|
| 154 | dontaudit crond_t sshd_t:key all_key_perms; |
---|