Changeset 118
- Timestamp:
- Jan 26, 2007, 5:07:10 PM (19 years ago)
- File:
- 
          - 1 edited
 
 - 
          selinux/build/scripts.te (modified) (7 diffs)
 
Legend:
- Unmodified
- Added
- Removed
- 
        selinux/build/scripts.ter117 r118 9 9 require { 10 10 attribute domain, userdomain, unpriv_userdomain; 11 type user_t; 12 }; 11 attribute can_change_process_identity, can_change_process_role; 12 type user_t, user_tmp_t; 13 type staff_t, sysadm_t; 14 }; 15 16 corenet_tcp_bind_all_nodes(user_t) 17 corenet_tcp_bind_all_ports(user_t) 18 #corenet_udp_bind_generic_port(user_t) 19 20 ## user_setuid_t ## 13 21 14 22 type user_setuid_t, domain, userdomain, unpriv_userdomain; … … 21 29 corecmd_exec_all_executables(user_setuid_t) 22 30 term_use_all_user_ptys(user_setuid_t) 31 kernel_read_system_state(user_setuid_t) 23 32 24 33 allow user_setuid_t bin_t:file entrypoint; … … 34 43 allow user_setuid_t user_t:process sigchld; 35 44 45 ## user_script_t ## 46 userdom_base_user_template(user_script) 47 userdom_basic_networking_template(user_script) 48 domain_interactive_fd(user_script_t) 49 corecmd_exec_all_executables(user_script_t) 50 files_exec_usr_files(user_script_t) 51 corenet_tcp_bind_all_nodes(user_script_t) 52 corenet_tcp_bind_all_ports(user_script_t) 53 corenet_udp_bind_all_nodes(user_script_t) 54 corenet_udp_bind_all_ports(user_script_t) 55 #corenet_udp_bind_generic_port(user_script_t) 56 kerberos_use(user_script_t) 57 files_read_kernel_symbol_table(user_script_t) 58 kernel_dontaudit_read_ring_buffer(user_script_t) 59 dev_read_urand(user_script_t) 60 apache_append_log(user_script_t) 61 allow user_script_t user_tmp_t:file all_file_perms; 62 allow user_script_t user_tmp_t:dir all_dir_perms; 63 allow user_script_t user_tmp_t:fifo_file all_fifo_file_perms; 64 kernel_read_system_state(user_script_t) 65 36 66 afs_access(user_t); 67 afs_access(user_script_t); 37 68 afs_access(user_setuid_t); 69 afs_access(staff_t); 70 afs_access(sysadm_t); 38 71 zephyr_access(user_t); 72 zephyr_access(user_script_t); 39 73 40 74 # permit aklog: … … 103 137 104 138 dontaudit user_t kernel_t:key all_key_perms; 139 dontaudit user_script_t kernel_t:key all_key_perms; 105 140 106 141 # (for admof) 107 # perl 108 corecmd_exec_bin(sshd_t) 109 # aklog 110 corecmd_exec_sbin(sshd_t) 111 # exec 112 corecmd_exec_shell(sshd_t) 113 # fs 142 corecmd_exec_all_executables(sshd_t) 114 143 kernel_write_proc_files(sshd_t) 115 144 … … 123 152 afs_access(procmail_t); 124 153 mta_sendmail_exec(user_t) 154 mta_sendmail_exec(user_script_t) 125 155 mta_sendmail_exec(system_crond_t) 126 156 can_exec(user_t, sendmail_exec_t) 157 can_exec(user_script_t, sendmail_exec_t) 127 158 can_exec(system_crond_t, sendmail_exec_t) 128 159 allow sendmail_t postfix_local_t:fd use; … … 153 184 # SUEXEC PHASE 2 154 185 allow httpd_suexec_t self:process { setexec }; 155 allow httpd_suexec_t user_t:process { transition siginh rlimitinh noatsecure };186 allow httpd_suexec_t { user_t user_script_t }:process { transition siginh rlimitinh noatsecure }; 156 187 157 188 # SUEXEC PHASE 3 158 allow { httpd_suexec_t user_t } httpd_t:fd { use }; 159 allow { httpd_suexec_t user_t } httpd_t:fifo_file { read write }; 160 allow { httpd_suexec_t user_t } httpd_t:process { sigchld }; 161 allow { user_t } httpd_suexec_t:fd { use }; 162 #allow httpd_suexec_t user_t:process transition; 163 domain_unconfined(httpd_suexec_t) 189 allow { httpd_suexec_t user_t user_script_t } httpd_t:fd { use }; 190 allow { httpd_suexec_t user_t user_script_t } httpd_t:fifo_file { read write }; 191 allow { httpd_suexec_t user_t user_script_t } httpd_t:process { sigchld }; 192 allow { user_t user_script_t } httpd_suexec_t:fd { use }; 193 allow httpd_suexec_t { user_t user_script_t }:process transition; 194 typeattribute httpd_suexec_t can_change_process_identity, can_change_process_role; 195 #domain_unconfined(httpd_suexec_t) 196 apache_append_log(user_t) 197 198 # mod_fcgid in user_t 199 allow { httpd_suexec_t user_t user_script_t } httpd_t:unix_stream_socket all_unix_stream_socket_perms; 200 allow httpd_t { user_t user_script_t }:process { sigkill signal }; 164 201 165 202 ### *** ### … … 179 216 require { type restorecond_t, crond_t; }; 180 217 dontaudit restorecond_t kernel_t:key all_key_perms; 181 dontaudit crond_tsshd_t:key all_key_perms;218 dontaudit { domain userdomain crond_t } sshd_t:key all_key_perms; 
Note: See TracChangeset
          for help on using the changeset viewer.
      
