1 | # Joe Presbrey |
---|
2 | # presbrey@mit.edu |
---|
3 | # 2006/1/15 |
---|
4 | |
---|
5 | policy_module(scripts,1.0.0) |
---|
6 | |
---|
7 | ### USER ### |
---|
8 | |
---|
9 | require { |
---|
10 | type user_t; |
---|
11 | }; |
---|
12 | |
---|
13 | afs_access(user_t); |
---|
14 | zephyr_access(user_t); |
---|
15 | |
---|
16 | # permit aklog: |
---|
17 | kernel_write_proc_files(user_t) |
---|
18 | #allow user_t proc_t:file write; |
---|
19 | |
---|
20 | ### AFS ### |
---|
21 | |
---|
22 | require { |
---|
23 | type kernel_t; |
---|
24 | }; |
---|
25 | |
---|
26 | afs_access(kernel_t); |
---|
27 | zephyr_access(kernel_t); |
---|
28 | |
---|
29 | ### INIT ### |
---|
30 | |
---|
31 | require { |
---|
32 | type initrc_t, tmp_t; |
---|
33 | }; |
---|
34 | |
---|
35 | # init.d script sets up cell files: |
---|
36 | afs_access(initrc_t); |
---|
37 | allow initrc_t afsd_etc_t:file { rw_file_perms setattr }; |
---|
38 | |
---|
39 | # init.d makes the sessions directory: |
---|
40 | allow initrc_t tmp_t:dir { create setattr }; |
---|
41 | |
---|
42 | # AFS fs |
---|
43 | kernel_write_proc_files(initrc_t) |
---|
44 | |
---|
45 | ### CRON ### |
---|
46 | |
---|
47 | require { |
---|
48 | type crond_t, user_cron_spool_t, user_crontab_t; |
---|
49 | type system_crond_t; |
---|
50 | type var_log_t; |
---|
51 | }; |
---|
52 | |
---|
53 | afs_access(crond_t); |
---|
54 | afs_access(user_crontab_t); |
---|
55 | ### crond can switch to user_t rather than user_crond_t |
---|
56 | ### (we have pam_env set SELINUX_ROLE_TYPE to accomplish this) |
---|
57 | domain_cron_exemption_target(user_t) |
---|
58 | domain_entry_file(user_t, user_cron_spool_t) |
---|
59 | domain_trans(crond_t, user_cron_spool_t, user_t) |
---|
60 | allow user_t crond_t:process sigchld; |
---|
61 | allow crond_t self:process setrlimit; |
---|
62 | allow crond_t user_t:fd use; |
---|
63 | allow user_t crond_t:fd use; |
---|
64 | allow user_t crond_t:fifo_file rw_file_perms; |
---|
65 | allow crond_t user_t:fifo_file rw_file_perms; |
---|
66 | allow system_crond_t var_log_t:file rw_file_perms; |
---|
67 | |
---|
68 | ### SSH ### |
---|
69 | |
---|
70 | require { |
---|
71 | type sshd_t; |
---|
72 | }; |
---|
73 | |
---|
74 | afs_access(sshd_t); |
---|
75 | ### sshd GSSAPI authentication |
---|
76 | kerberos_read_keytab(sshd_t) |
---|
77 | dontaudit user_t kernel_t:key all_key_perms; |
---|
78 | |
---|
79 | # (for admof) |
---|
80 | # perl |
---|
81 | corecmd_exec_bin(sshd_t) |
---|
82 | # aklog |
---|
83 | corecmd_exec_sbin(sshd_t) |
---|
84 | # exec |
---|
85 | corecmd_exec_shell(sshd_t) |
---|
86 | # fs |
---|
87 | kernel_write_proc_files(sshd_t) |
---|
88 | |
---|
89 | ### MAIL ### |
---|
90 | |
---|
91 | require { |
---|
92 | type postfix_local_t, procmail_t, sendmail_t; |
---|
93 | }; |
---|
94 | |
---|
95 | afs_access(postfix_local_t); |
---|
96 | afs_access(procmail_t); |
---|
97 | mta_sendmail_exec(user_t) |
---|
98 | mta_sendmail_exec(system_crond_t) |
---|
99 | can_exec(user_t, sendmail_exec_t) |
---|
100 | can_exec(system_crond_t, sendmail_exec_t) |
---|
101 | allow sendmail_t postfix_local_t:fd use; |
---|
102 | allow sendmail_t postfix_local_t:fifo_file { getattr write }; |
---|
103 | corecmd_exec_bin(procmail_t) |
---|
104 | corecmd_exec_sbin(procmail_t) |
---|
105 | |
---|
106 | ### HTTPD ### |
---|
107 | |
---|
108 | require { |
---|
109 | type httpd_t, httpd_suexec_exec_t, httpd_suexec_t; |
---|
110 | role user_r; |
---|
111 | }; |
---|
112 | |
---|
113 | afs_access(httpd_t); |
---|
114 | dontaudit httpd_t self:key all_key_perms; |
---|
115 | dontaudit httpd_t sshd_t:key all_key_perms; |
---|
116 | dontaudit httpd_t kernel_t:key all_key_perms; |
---|
117 | allow httpd_t self:process setrlimit; |
---|
118 | |
---|
119 | # SUEXEC PHASE 1 |
---|
120 | can_exec(httpd_t, httpd_suexec_exec_t) |
---|
121 | domain_auto_trans(httpd_t, httpd_suexec_exec_t, httpd_suexec_t) |
---|
122 | apache_read_config(httpd_suexec_t) |
---|
123 | apache_read_log(httpd_suexec_t) |
---|
124 | apache_append_log(httpd_suexec_t) |
---|
125 | |
---|
126 | # SUEXEC PHASE 2 |
---|
127 | allow httpd_suexec_t self:process { setexec }; |
---|
128 | allow httpd_suexec_t user_t:process { transition siginh rlimitinh noatsecure }; |
---|
129 | |
---|
130 | # SUEXEC PHASE 3 |
---|
131 | allow { httpd_suexec_t user_t } httpd_t:fd { use }; |
---|
132 | allow { httpd_suexec_t user_t } httpd_t:fifo_file { read write }; |
---|
133 | allow { httpd_suexec_t user_t } httpd_t:process { sigchld }; |
---|
134 | allow { user_t } httpd_suexec_t:fd { use }; |
---|
135 | #allow httpd_suexec_t user_t:process transition; |
---|
136 | domain_unconfined(httpd_suexec_t) |
---|
137 | |
---|
138 | ### *** ### |
---|
139 | |
---|
140 | require { |
---|
141 | type var_run_t; |
---|
142 | }; |
---|
143 | |
---|
144 | # named.pid |
---|
145 | allow initrc_t var_run_t:lnk_file create; |
---|
146 | |
---|
147 | # semodule -i |
---|
148 | require { type semanage_t, sysadm_home_t; }; |
---|
149 | allow semanage_t sysadm_home_t:dir rw_dir_perms; |
---|
150 | allow semanage_t sysadm_home_t:file rw_file_perms; |
---|
151 | |
---|
152 | require { type restorecond_t, crond_t; }; |
---|
153 | dontaudit restorecond_t kernel_t:key all_key_perms; |
---|
154 | dontaudit crond_t sshd_t:key all_key_perms; |
---|