Context Navigation

signup.te @ 862

Last change on this file since 862 was 117, checked in by presbrey, 19 years ago
appropriately named the signup_t domain module new domain user_setuid_t to confine setuid user programs (i.e. SQL signup)
File size: 2.1 KB

Rev	Line
[99]	1	# Joe Presbrey
	2	# presbrey@mit.edu
	3	# 2006/1/15
[79]	4
[99]	5	policy_module(signup,1.0.0)
	6
[79]	7	require {
[99]	8	attribute domain, userdomain, unpriv_userdomain;
[79]	9	};
	10
[99]	11	require { type sudo_exec_t; };
	12	type signup_t, domain, userdomain, unpriv_userdomain;
	13	type signup_su_t, domain, userdomain;
	14	role system_r types { signup_t signup_su_t };
	15	role user_r types { signup_t signup_su_t };
	16	afs_access(signup_t)
	17	afs_access(signup_su_t)
	18	afs_access(useradd_t)
	19	files_read_etc_files(signup_t)
	20	libs_use_ld_so(signup_t)
	21	libs_use_shared_libs(signup_t)
	22	miscfiles_read_localization(signup_t)
	23	files_read_etc_files(signup_su_t)
	24	libs_use_ld_so(signup_su_t)
	25	libs_use_shared_libs(signup_su_t)
	26	miscfiles_read_localization(signup_su_t)
	27	domain_auto_trans(signup_t, sudo_exec_t, signup_su_t)
	28	auth_rw_shadow(signup_su_t)
	29	sysnet_dns_name_resolve(signup_t)
	30	sysnet_dns_name_resolve(signup_su_t)
	31	usermanage_run_useradd(signup_su_t,system_r,signup_t)
	32	usermanage_run_groupadd(signup_su_t,system_r,signup_t)
	33	allow groupadd_t signup_t:fifo_file { getattr ioctl read write };
	34	allow groupadd_t signup_t:process sigchld;
	35
	36	allow useradd_t { httpd_t signup_t }:fd use;
	37	allow useradd_t { httpd_t signup_t }:fifo_file { getattr ioctl read write};
	38	allow useradd_t signup_t:process sigchld;
	39	allow signup_su_t signup_t:fd use;
	40	allow signup_su_t signup_t:fifo_file { ioctl write };
	41	allow signup_su_t signup_t:process sigchld;
	42	allow signup_su_t sudo_exec_t:file entrypoint;
	43	allow signup_su_t self:capability { audit_write setgid setuid };
	44	dev_read_urand(signup_t)
	45	kernel_read_system_state(signup_t)
	46	logging_send_syslog_msg(signup_su_t)
	47
	48	corecmd_exec_all_executables(signup_t)
	49	allow signup_t sbin_t:dir search;
	50	allow signup_t sbin_t:file { execute execute_no_trans read };
	51	allow signup_t shell_exec_t:file { execute execute_no_trans getattr read };
	52	allow signup_t self:fifo_file { getattr ioctl read write };
	53
	54	# SUEXEC #
	55	require { type httpd_suexec_t, httpd_t; };
	56	allow httpd_suexec_t { signup_t }:process { transition siginh rlimitinh noatsecure };
	57	allow { signup_t } httpd_t:fd { use };
	58	allow { signup_t } httpd_t:fifo_file { getattr ioctl read write };
	59	allow { signup_t } httpd_t:process { sigchld };
	60	allow { signup_t } httpd_suexec_t:fd { use };

Note: See TracBrowser for help on using the repository browser.

Download in other formats:

Original Format