| [28] | 1 | policy_module(misc,1.0.0) |
|---|
| 2 | |
|---|
| [82] | 3 | ### USER ### |
|---|
| 4 | |
|---|
| 5 | require { |
|---|
| 6 | type user_t; |
|---|
| 7 | }; |
|---|
| 8 | |
|---|
| 9 | afs_access(user_t); |
|---|
| 10 | |
|---|
| [79] | 11 | ### AFS ### |
|---|
| 12 | |
|---|
| 13 | require { |
|---|
| [82] | 14 | type kernel_t, initrc_t, proc_t; |
|---|
| 15 | }; |
|---|
| 16 | |
|---|
| [79] | 17 | afs_access(kernel_t); |
|---|
| 18 | |
|---|
| 19 | # init.d script sets up cell files: |
|---|
| 20 | allow initrc_t afsd_etc_t:file { setattr write }; |
|---|
| 21 | # permit aklog: |
|---|
| 22 | allow user_t proc_t:file write; |
|---|
| 23 | |
|---|
| 24 | ### CRON ### |
|---|
| 25 | |
|---|
| 26 | require { |
|---|
| 27 | type crond_t, user_cron_spool_t; |
|---|
| 28 | }; |
|---|
| 29 | |
|---|
| [82] | 30 | afs_access(crond_t); |
|---|
| [79] | 31 | ### crond can switch to user_t rather than user_crond_t |
|---|
| 32 | ### (we have pam_env set SELINUX_ROLE_TYPE to accomplish this) |
|---|
| 33 | domain_cron_exemption_target(user_t) |
|---|
| 34 | allow user_t user_cron_spool_t:file entrypoint; |
|---|
| 35 | allow crond_t user_t:process transition; |
|---|
| 36 | dontaudit crond_t user_t:process { noatsecure siginh rlimitinh }; |
|---|
| 37 | allow crond_t user_t:fd use; |
|---|
| 38 | allow user_t crond_t:fd use; |
|---|
| 39 | allow user_t crond_t:fifo_file rw_file_perms; |
|---|
| 40 | allow user_t crond_t:process sigchld; |
|---|
| 41 | |
|---|
| [82] | 42 | ### SSH ### |
|---|
| [79] | 43 | |
|---|
| 44 | require { |
|---|
| [82] | 45 | type sshd_t; |
|---|
| [79] | 46 | }; |
|---|
| 47 | |
|---|
| [82] | 48 | afs_access(sshd_t); |
|---|
| [79] | 49 | ### sshd GSSAPI authentication |
|---|
| 50 | kerberos_read_keytab(sshd_t) |
|---|
| 51 | allow user_t kernel_t:key search; |
|---|
| 52 | |
|---|
| 53 | ### MAIL ### |
|---|
| [82] | 54 | |
|---|
| 55 | require { |
|---|
| 56 | type postfix_local_t, procmail_t, sendmail_t; |
|---|
| 57 | }; |
|---|
| 58 | |
|---|
| 59 | afs_access(postfix_local_t); |
|---|
| 60 | afs_access(procmail_t); |
|---|
| [79] | 61 | mta_sendmail_exec(user_t) |
|---|
| 62 | can_exec(user_t, sendmail_exec_t) |
|---|
| [81] | 63 | allow sendmail_t postfix_local_t:fd use; |
|---|
| 64 | allow sendmail_t postfix_local_t:fifo_file { getattr write }; |
|---|
| 65 | corecmd_exec_bin(procmail_t) |
|---|
| 66 | corecmd_exec_sbin(procmail_t) |
|---|
| [79] | 67 | |
|---|
| 68 | ### HTTPD ### |
|---|
| [82] | 69 | |
|---|
| 70 | require { |
|---|
| 71 | type httpd_t, httpd_suexec_exec_t; |
|---|
| 72 | }; |
|---|
| 73 | |
|---|
| 74 | afs_access(httpd_t); |
|---|
| [79] | 75 | allow httpd_t self:key all_key_perms; |
|---|
| [82] | 76 | allow httpd_t self:process setrlimit; |
|---|
| 77 | allow httpd_t httpd_suexec_exec_t:file { execute execute_no_trans }; |
|---|
