Changeset 79 for selinux/build
- Timestamp:
- Jan 19, 2007, 6:58:44 AM (17 years ago)
- Location:
- selinux/build
- Files:
-
- 3 added
- 5 edited
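--- a/selinux/build/afsd.fc
+++ b/selinux/build/afsd.fc
@@ -4,6 +4,7 @@
 # MCS categories: <none>
 
+/afs -d gen_context(system_u:object_r:default_t,s0)
+/etc/openafs(/.*)? gen_context(system_u:object_r:afsd_etc_t,s0)
+/usr/vice/etc(/.*)? gen_context(system_u:object_r:afsd_etc_t,s0)
 /usr/vice/etc/afsd -- gen_context(system_u:object_r:afsd_exec_t,s0)
-/usr/vice/etc(/.*)? gen_context(system_u:object_r:afsd_etc_t,s0)
 /usr/vice/cache(/.*)? gen_context(system_u:object_r:afsd_cache_t,s0)
-/afs -d gen_context(system_u:object_r:default_t,s0)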
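Review bot: The new `/afs -d` entry deliberately leaves the mount point as default_t, which only makes sense together with `files_mounton_default(afsd_t)` in afsd.te, and nothing in this file says so; a one-line comment above it, `# /afs stays default_t so afsd_t can mount on it (files_mounton_default in afsd.te)`, would stop a later cleanup from relabelling it. The added `/etc/openafs(/.*)?` entry puts a second tree under afsd_etc_t, so every rule written against that type (including the initrc_t write/setattr rule now carried in misc.te) applies to it as well; that is presumably intended, but the header comment should state that both config trees share one type.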
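--- a/selinux/build/afsd.if
+++ b/selinux/build/afsd.if
@@ -32,4 +32,5 @@
 allow $1 afsd_etc_t:dir r_dir_perms;
 allow $1 afsd_etc_t:file r_file_perms;
+allow $1 afsd_etc_t:lnk_file r_file_perms;
 allow $1 autofs_t:dir r_dir_perms;
 allow $1 autofs_t:lnk_file r_file_perms;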
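Review bot: The added `allow $1 afsd_etc_t:lnk_file r_file_perms;` hands out the full regular-file read set on symlinks, which is broader than the `{ getattr read }` a link lookup needs; since this is an interface, every caller inherits the surplus, so `allow $1 afsd_etc_t:lnk_file { getattr read };` is the tighter form. Note that afsd.fc in this same changeset now labels `/etc/openafs(/.*)?` afsd_etc_t too, so the rule covers links under that tree as well as /usr/vice/etc. The interface definition starts and ends outside the hunk.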
selinux/build/afsd.te
r28 r79 14 14 type afsd_etc_t; 15 15 type afsd_cache_t; 16 #files_type(afsd_etc_t) 16 17 files_type(afsd_etc_t) 17 18 files_type(afsd_cache_t) … … 35 36 init_use_script_ptys(afsd_t) 36 37 domain_use_interactive_fds(afsd_t) 38 term_use_console(afsd_t) 37 39 38 40 files_mounton_default(afsd_t) … … 53 55 allow afsd_t self:capability { sys_admin sys_nice sys_tty_config}; 54 56 57 #allow afsd_t lo_node_t:node all_node_perms; 58 #allow afsd_t net_conf_t:file read; 59 sysnet_dns_name_resolve(afsd_t) 60 corenet_tcp_sendrecv_all_nodes(afsd_t) 61 corenet_udp_sendrecv_all_nodes(afsd_t) 62 63 55 64 require { 56 65 type afs_bos_port_t,afs_fs_port_t,afs_fs_port_t,afs_ka_port_t,afs_pt_port_t,afs_vl_port_t; 57 66 type netif_t, node_t; 67 type kernel_t; 58 68 } 59 69 allow afsd_t { self afs_bos_port_t afs_fs_port_t afs_fs_port_t afs_ka_port_t afs_pt_port_t afs_vl_port_t }:tcp_socket all_tcp_socket_perms; … … 62 72 allow afsd_t node_t:node { udp_recv udp_send }; 63 73 64 require { 65 type crond_t, kernel_t, sshd_t, user_t; 66 } 67 afs_access(afsd_t); 68 afs_access(crond_t); 69 afs_access(kernel_t); 70 afs_access(sshd_t); 71 afs_access(user_t); 72 73 require { 74 type initrc_t; 75 } 76 # init.d script sets up cell files: 77 allow initrc_t afsd_etc_t:file { setattr write }; 78 # permit aklog: 79 allow user_t proc_t:file write; 74 allow afsd_t kernel_t:key all_key_perms; -
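Review bot: `allow afsd_t kernel_t:key all_key_perms;` at new line 74 grants the afsd domain every key operation (write, setattr, link and create included) on kernel_t keys, while the keyring lookup that presumably motivates it needs only search, view and read; unless afsd demonstrably modifies kernel keyrings, narrow it to `allow afsd_t kernel_t:key { search view read };` and say in a comment which operation required it. The commented-out `#allow afsd_t lo_node_t:node ...` and `#allow afsd_t net_conf_t:file read;` at lines 57–58 should either be dropped or carry a note that `sysnet_dns_name_resolve` and the `corenet_*_sendrecv_all_nodes` calls below replaced them, and the new `#files_type(afsd_etc_t)` at line 16 is a dead duplicate of the active call directly under it. The require block at line 65 still lists `afs_fs_port_t` twice and the allow rule at line 69 repeats it (pre-existing, but worth fixing while the block is being touched).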
selinux/build/misc.fc
r28 r79 1 /var/empty/sshd(.*) gen_context(system_u:object_r:sshd_t,s0)2 /var/empty/sshd/etc/localtime -- gen_context(system_u:object_r:locale_t,s0)1 #/var/empty/sshd(.*) gen_context(system_u:object_r:sshd_t,s0) 2 #/var/empty/sshd/etc/localtime -- gen_context(system_u:object_r:locale_t,s0) -
selinux/build/misc.te
r28 r79 1 1 policy_module(misc,1.0.0) 2 2 3 ### AFS ### 4 5 require { 6 type crond_t, kernel_t, sshd_t, user_t, httpd_t; 7 type proc_t; 8 } 9 afs_access(afsd_t); 10 afs_access(crond_t); 11 afs_access(httpd_t); 12 afs_access(kernel_t); 13 afs_access(sshd_t); 14 afs_access(user_t); 15 16 require { 17 type initrc_t; 18 } 19 # init.d script sets up cell files: 20 allow initrc_t afsd_etc_t:file { setattr write }; 21 # permit aklog: 22 allow user_t proc_t:file write; 23 24 ### CRON ### 25 26 require { 27 type crond_t, user_cron_spool_t; 28 type user_t; 29 }; 30 31 ### crond can switch to user_t rather than user_crond_t 32 ### (we have pam_env set SELINUX_ROLE_TYPE to accomplish this) 33 domain_cron_exemption_target(user_t) 34 allow user_t user_cron_spool_t:file entrypoint; 35 allow crond_t user_t:process transition; 36 dontaudit crond_t user_t:process { noatsecure siginh rlimitinh }; 37 allow crond_t user_t:fd use; 38 allow user_t crond_t:fd use; 39 allow user_t crond_t:fifo_file rw_file_perms; 40 allow user_t crond_t:process sigchld; 41 42 ### KRB ### 43 44 require { 45 type sshd_t; 46 }; 47 48 ### sshd GSSAPI authentication 49 kerberos_read_keytab(sshd_t) 50 allow user_t kernel_t:key search; 51 52 ### MAIL ### 53 mta_sendmail_exec(user_t) 54 can_exec(user_t, sendmail_exec_t) 55 56 57 ### HTTPD ### 58 allow httpd_t self:key all_key_perms;
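Review bot: `allow user_t proc_t:file write;` at line 22 (`# permit aklog`) gives the entire user domain write access to every proc_t-labelled file, far more than one tool needs; if aklog writes a single procfs file, the comment should name it and the rule should be narrowed to a dedicated type, e.g. `# aklog writes <PROC_PATH — confirm> ; proc_t is too coarse, TODO narrow`. The require blocks at lines 29 and 46 end in `};` while those at lines 8 and 18 (and every require block in afsd.te) end in `}`; pick one form and confirm the module compiler accepts the trailing semicolon. `allow httpd_t self:key all_key_perms;` at line 58 carries no comment saying which httpd use needs full key permissions rather than a read/search subset.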