Index: /selinux/Makefile
===================================================================
--- /selinux/Makefile	(revision 78)
+++ /selinux/Makefile	(revision 79)
@@ -1,3 +1,16 @@
-include /usr/share/selinux/devel/include/Makefile
+include /usr/share/selinux/devel/Makefile
+#include /usr/share/selinux/devel/include/Makefile
+
+/usr/share/selinux/devel/include/Makefile:
+	yum -y install selinux-policy-devel
 
 build/%.fc: %.fc
+	rm -rf tmp
+
+install:
+	/usr/sbin/setenforce 0;
+	/usr/sbin/semodule -i afsd.pp;
+	/usr/sbin/semodule -i misc.pp;
+	/usr/sbin/getenforce
+#	export SESTAT=`/usr/sbin/getenforce`;
+#	/usr/sbin/setenforce $$SESTAT;
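Review bot: The `install` recipe turns enforcement off with `setenforce 0` and never turns it back on — the two restore lines are commented out, and they could not have worked anyway because each recipe line runs in its own shell, so an `export SESTAT=...` on one line is invisible to the next. `semodule -i` does not need permissive mode, so the cleanest fix is to delete the `setenforce 0` line; if it must stay, capture and restore on one logical line, `SESTAT=$$(/usr/sbin/getenforce); /usr/sbin/setenforce 0; /usr/sbin/semodule -i afsd.pp -i misc.pp; /usr/sbin/setenforce "$$SESTAT"` (bearing in mind `getenforce` may print `Disabled`, which `setenforce` rejects). `install` is a command, not a file, and should appear in `.PHONY: install` (none is visible in this hunk). The `rm -rf tmp` added under `build/%.fc: %.fc` deletes something other than `$@`, which hides the side effect from Make's graph and races under `-j`; it presumably belongs in a `clean` target. The bootstrap rule targets `/usr/share/selinux/devel/include/Makefile`, but the file actually included on the first line is `/usr/share/selinux/devel/Makefile`, so Make's missing-include rebuild will never trigger the `yum` recipe — the rule name must match the include, i.e. `/usr/share/selinux/devel/Makefile:`.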
Index: /selinux/build/afsagent.te
===================================================================
--- /selinux/build/afsagent.te	(revision 79)
+++ /selinux/build/afsagent.te	(revision 79)
@@ -0,0 +1,8 @@
+policy_module(afsagent,1.0.0)
+
+require {
+	type user_t;
+};
+
+type afsagent_t;
+role afsagent_r types afsagent_t;
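Review bot: `require { type user_t; }` is never used by the rules that follow it, so it can be dropped. `type afsagent_t;` is declared without any domain association (for example `domain_type(afsagent_t)`), so as written nothing can actually run in this domain even though config/selinux.sh in the same commit maps the `afsagent` login to a user carrying `afsagent_r` — presumably more rules are still to come. A header comment stating what the domain is meant to confine would help the next reader, e.g. `# afsagent_t/afsagent_r: restricted domain and role for the AFS agent login (afsagent_u, see config/selinux.sh)`.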
Index: /selinux/build/afsd.fc
===================================================================
--- /selinux/build/afsd.fc	(revision 78)
+++ /selinux/build/afsd.fc	(revision 79)
@@ -4,6 +4,7 @@
 # MCS categories: <none>
 
+/afs			-d	gen_context(system_u:object_r:default_t,s0)
+/etc/openafs(/.*)?		gen_context(system_u:object_r:afsd_etc_t,s0)
+/usr/vice/etc(/.*)?		gen_context(system_u:object_r:afsd_etc_t,s0)
 /usr/vice/etc/afsd	--	gen_context(system_u:object_r:afsd_exec_t,s0)
-/usr/vice/etc(/.*)?		gen_context(system_u:object_r:afsd_etc_t,s0)
 /usr/vice/cache(/.*)?		gen_context(system_u:object_r:afsd_cache_t,s0)
-/afs			-d	gen_context(system_u:object_r:default_t,s0)
Index: /selinux/build/afsd.if
===================================================================
--- /selinux/build/afsd.if	(revision 78)
+++ /selinux/build/afsd.if	(revision 79)
@@ -32,4 +32,5 @@
 	allow $1 afsd_etc_t:dir r_dir_perms;
 	allow $1 afsd_etc_t:file r_file_perms;
+	allow $1 afsd_etc_t:lnk_file r_file_perms;
 	allow $1 autofs_t:dir r_dir_perms;
 	allow $1 autofs_t:lnk_file r_file_perms;
Index: /selinux/build/afsd.te
===================================================================
--- /selinux/build/afsd.te	(revision 78)
+++ /selinux/build/afsd.te	(revision 79)
@@ -14,4 +14,5 @@
 type afsd_etc_t;
 type afsd_cache_t;
+#files_type(afsd_etc_t)
 files_type(afsd_etc_t)
 files_type(afsd_cache_t)
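Review bot: `#files_type(afsd_etc_t)` is a commented-out copy of the live line directly below it and should simply be deleted; the same applies to the two `#allow afsd_t ...` lines added in the third hunk of this file. Commented-out policy rules tend to be read as "intended but not yet enabled", so if a line is kept for a reason, say why in a real comment instead.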
@@ -35,4 +36,5 @@
 init_use_script_ptys(afsd_t)
 domain_use_interactive_fds(afsd_t)
+term_use_console(afsd_t)
 
 files_mounton_default(afsd_t)
@@ -53,7 +55,15 @@
 allow afsd_t self:capability { sys_admin sys_nice sys_tty_config};
 
+#allow afsd_t lo_node_t:node all_node_perms;
+#allow afsd_t net_conf_t:file read;
+sysnet_dns_name_resolve(afsd_t)
+corenet_tcp_sendrecv_all_nodes(afsd_t)
+corenet_udp_sendrecv_all_nodes(afsd_t)
+
+
 require {
 	type afs_bos_port_t,afs_fs_port_t,afs_fs_port_t,afs_ka_port_t,afs_pt_port_t,afs_vl_port_t;
 	type netif_t, node_t;
+	type kernel_t;
 }
 allow afsd_t { self afs_bos_port_t afs_fs_port_t afs_fs_port_t afs_ka_port_t afs_pt_port_t afs_vl_port_t }:tcp_socket all_tcp_socket_perms;
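Review bot: `corenet_tcp_sendrecv_all_nodes(afsd_t)` and `corenet_udp_sendrecv_all_nodes(afsd_t)` grant send/receive on every node type, while the explicit `allow afsd_t node_t:node { udp_recv udp_send }` just below the hunk covers only the default node; if the denials behind this change were all on `node_t`, the narrower fix is that explicit rule plus its tcp counterpart rather than the `_all_nodes` interfaces. Either way, a one-line comment recording the observed denial would make the breadth a deliberate choice, e.g. `# cache-manager RPCs to file/vl servers: node denials seen on <node type> — widen only if other nodes are labelled`. Unrelated but visible in the context lines: `afs_fs_port_t` is listed twice in both the `require` line and the `allow ... :tcp_socket` line, which is harmless but worth tidying.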
@@ -62,18 +72,3 @@
 allow afsd_t node_t:node { udp_recv udp_send };
 
-require {
-	type crond_t, kernel_t, sshd_t, user_t;
-}
-afs_access(afsd_t);
-afs_access(crond_t);
-afs_access(kernel_t);
-afs_access(sshd_t);
-afs_access(user_t);
-
-require {
-	type initrc_t;
-}
-# init.d script sets up cell files:
-allow initrc_t afsd_etc_t:file { setattr write };
-# permit aklog:
-allow user_t proc_t:file write;
+allow afsd_t kernel_t:key all_key_perms;
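Review bot: `allow afsd_t kernel_t:key all_key_perms;` grants write, setattr, link and create on kernel-owned keys, which is more than a cache manager that presumably only looks up session/PAG keyrings should need; if the motivating denials were lookups only, narrow it to `allow afsd_t kernel_t:key { search view read };` and add `# TODO(review): confirm against the audit denials` until that is verified. The rules removed here reappear in misc.te in this same commit, so the move itself is fine; a pointer would save the next reader a search, e.g. `# cross-domain afs_access() grants now live in misc.te`.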
Index: /selinux/build/misc.fc
===================================================================
--- /selinux/build/misc.fc	(revision 78)
+++ /selinux/build/misc.fc	(revision 79)
@@ -1,2 +1,2 @@
-/var/empty/sshd(.*)				gen_context(system_u:object_r:sshd_t,s0)
-/var/empty/sshd/etc/localtime		--	gen_context(system_u:object_r:locale_t,s0)
+#/var/empty/sshd(.*)				gen_context(system_u:object_r:sshd_t,s0)
+#/var/empty/sshd/etc/localtime		--	gen_context(system_u:object_r:locale_t,s0)
Index: /selinux/build/misc.te
===================================================================
--- /selinux/build/misc.te	(revision 78)
+++ /selinux/build/misc.te	(revision 79)
@@ -1,2 +1,58 @@
 policy_module(misc,1.0.0)
 
+### AFS ###
+
+require {
+	type crond_t, kernel_t, sshd_t, user_t, httpd_t;
+	type proc_t;
+}
+afs_access(afsd_t);
+afs_access(crond_t);
+afs_access(httpd_t);
+afs_access(kernel_t);
+afs_access(sshd_t);
+afs_access(user_t);
+
+require {
+	type initrc_t;
+}
+# init.d script sets up cell files:
+allow initrc_t afsd_etc_t:file { setattr write };
+# permit aklog:
+allow user_t proc_t:file write;
+
+### CRON ###
+
+require {
+	type crond_t, user_cron_spool_t;
+	type user_t;
+};
+
+### crond can switch to user_t rather than user_crond_t
+### (we have pam_env set SELINUX_ROLE_TYPE to accomplish this)
+domain_cron_exemption_target(user_t)
+allow user_t user_cron_spool_t:file entrypoint;
+allow crond_t user_t:process transition;
+dontaudit crond_t user_t:process { noatsecure siginh rlimitinh };
+allow crond_t user_t:fd use;
+allow user_t crond_t:fd use;
+allow user_t crond_t:fifo_file rw_file_perms;
+allow user_t crond_t:process sigchld;
+
+### KRB ###
+
+require {
+	type sshd_t;
+};
+
+### sshd GSSAPI authentication
+kerberos_read_keytab(sshd_t)
+allow user_t kernel_t:key search;
+
+### MAIL ###
+mta_sendmail_exec(user_t)
+can_exec(user_t, sendmail_exec_t)
+
+
+### HTTPD ###
+allow httpd_t self:key all_key_perms;
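Review bot: `allow user_t proc_t:file write;` ("permit aklog") grants user_t write access to every file labelled `proc_t`, not just the one interface aklog uses; presumably the target is the OpenAFS ioctl entry under /proc/fs/openafs, and since proc labels come from genfscon in the base policy this may not be narrowable from a module — but the comment should at least name the file being written so the breadth is a known trade-off. Several types used here — `afsd_t`, `afsd_etc_t`, `sendmail_exec_t` — are not in any `require` block of this module; they may be pulled in by the interfaces' own `gen_require`, but `allow initrc_t afsd_etc_t:file { setattr write }` uses `afsd_etc_t` directly, so add it to the first require block rather than depending on that. The second `require { type sshd_t; };` under `### KRB ###` duplicates the first block and can go. The CRON section explains its mechanism well; the MAIL and HTTPD sections would benefit from the same, e.g. `# httpd_t self:key: <observed denial / reason>` rather than a bare rule.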
Index: /selinux/set_booleans.sh
===================================================================
--- /selinux/set_booleans.sh	(revision 78)
+++ /selinux/set_booleans.sh	(revision 79)
@@ -1,5 +1,6 @@
 #!/bin/bash
 
-setsebool -P allow_kerberos=1 \
+setsebool -P \
+	allow_gssd_read_tmp=1 \
 	allow_httpd_anon_write=1 \
 	allow_httpd_staff_script_anon_write=1 \
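Review bot: Every boolean added in this and the following two hunks (`allow_gssd_read_tmp`, `allow_kerberos`, `allow_mounton_anydir`, `allow_nfsd_anon_write`, `allow_ssh_keysign`, `user_tcp_server`) loosens policy system-wide and none carries a reason; since a `#` cannot follow a `\` continuation, the rationale belongs in a comment block above the `setsebool -P` call, one line per boolean. `allow_nfsd_anon_write` and `allow_mounton_anydir` in particular are broad and not obviously related to the AFS/cron/kerberos work in the rest of this commit, so their justification matters most. As far as I know a single `setsebool -P` with many names fails as a whole if one name does not exist on the target policy version, leaving nothing set; if partial application is acceptable, loop and apply them one at a time so the rest still land.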
@@ -8,4 +9,8 @@
 	allow_httpd_user_script_anon_write=1 \
 	allow_java_execstack=1 \
+	allow_kerberos=1 \
+	allow_mounton_anydir=1 \
+	allow_nfsd_anon_write=1 \
+	allow_ssh_keysign=1 \
 	allow_user_mysql_connect=1 \
 	cron_can_relabel=1 \
@@ -21,7 +26,10 @@
 	nfs_export_all_rw=1 \
 	ssh_sysadm_login=1 \
-	staff_read_sysadm_file=1 \
 	use_nfs_home_dirs=1 \
 	use_samba_home_dirs=1 \
 	user_ping=1 \
-	user_rw_noexattrfile=1
+	user_rw_noexattrfile=1 \
+	user_tcp_server=1
+#	allow_daemons_use_tty=1 \
+#	allow_mount_anyfile=1 \
+#	staff_read_sysadm_file=1 \
Index: /server/fedora/Makefile
===================================================================
--- /server/fedora/Makefile	(revision 78)
+++ /server/fedora/Makefile	(revision 79)
@@ -118,4 +118,8 @@
 	rpmbuild $(rpm_args) -ba ${tmp_specs}/$@*.spec
 
+openafs-kernel:
+	PATH="/usr/kerberos/sbin:/usr/kerberos/bin:/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/sbin:/usr/local/bin" \
+	rpmbuild $(rpm_args) -bb --define "build_userspace 0" --define "build_modules 1" ${tmp_specs}/openafs*.spec
+
 suexec: install-srpms
 	@rm -rf ${tmp_src}/httpd-2*/; \
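Review bot: `openafs-kernel` is a command target, not a file, so it needs to be in the file's `.PHONY` list (not visible in this hunk) or a stray file of that name will make it silently up to date. `${tmp_specs}/openafs*.spec` is a glob that hands every matching spec to one `rpmbuild -bb`; if the spec directory can ever hold another spec whose name starts with `openafs`, this builds more than intended, so either name the spec exactly or comment why the glob is safe. The inline `PATH="..."` override is fine for reproducibility but deserves a one-line comment, e.g. `# explicit PATH so the krb5 tools under /usr/kerberos win over the caller's environment`, if that is indeed the reason. The `suexec` rule below starts in the hunk but continues past it.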
Index: /server/fedora/config/etc/pam.d/crond
===================================================================
--- /server/fedora/config/etc/pam.d/crond	(revision 79)
+++ /server/fedora/config/etc/pam.d/crond	(revision 79)
@@ -0,0 +1,13 @@
+#
+# The PAM configuration file for the cron daemon
+#
+#
+auth	   sufficient pam_rootok.so
+auth       required   pam_env.so
+auth       include    system-auth
+account    required   pam_access.so
+account    include    system-auth
+session    required   pam_loginuid.so
+session    [default=1 success=ignore] pam_succeed_if.so user notin root quiet
+session    required   pam_env.so envfile=/etc/environment.cron
+session    include    system-auth
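Review bot: The one non-stock line here, `session required pam_env.so envfile=/etc/environment.cron`, carries no explanation, yet from the misc.te comment in this commit it is what makes crond start jobs in `user_t` (via `SELINUX_ROLE_TYPE`), so it deserves a comment such as `# envfile sets SELINUX_ROLE_TYPE so cron jobs run as user_t rather than user_crond_t (see selinux/build/misc.te)`. Because everything in that file lands in every cron job's environment and steers its SELinux domain, whatever installs it should ensure `/etc/environment.cron` is root-owned and not writable by others — as far as I can tell pam_env does not check that itself. Style: the first `auth` line is aligned with a tab while the rest use spaces.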
Index: /server/fedora/config/php.sh
===================================================================
--- /server/fedora/config/php.sh	(revision 79)
+++ /server/fedora/config/php.sh	(revision 79)
@@ -0,0 +1,12 @@
+#!/bin/bash
+
+mkdir -p /etc/php.d/disable
+mv -f /etc/php.d/*.ini -u /etc/php.d/disable/
+rm -f /etc/php.d/*.ini
+pushd /etc/php.d/ >/dev/null
+touch `ls /etc/php.d/disable/*.ini | cut -d/ -f5` -t01010000
+popd >/dev/null
+
+svn revert /etc/php.d/scripts.ini
+
+restorecon -R /etc
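Review bot: The `touch` line rebuilds file names by parsing `ls` output and cutting at a fixed path depth (`cut -d/ -f5`), which breaks on any name containing whitespace and silently yields wrong names if the directory ever moves; replace it with `for f in /etc/php.d/disable/*.ini; do touch -t 01010000 "/etc/php.d/$(basename "$f")"; done`, which also makes the `pushd`/`popd` pair unnecessary. The script has no `set -e`, so a failed `mv` or `svn revert` still lets `rm -f /etc/php.d/*.ini` and `restorecon` run; add `set -euo pipefail` after the shebang unless a step is genuinely best-effort, in which case mark it with `|| true` and a comment. `mv -f /etc/php.d/*.ini -u /etc/php.d/disable/` relies on GNU getopt permuting `-u` past the operands; `mv -fu /etc/php.d/*.ini /etc/php.d/disable/` reads as intended. A header comment describing the intent — park every php.d ini under disable/ except scripts.ini, leaving empty old-dated stubs behind (presumably so package updates do not recreate them) — would help, since the stub trick is not obvious from the code.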
Index: /server/fedora/config/selinux.sh
===================================================================
--- /server/fedora/config/selinux.sh	(revision 79)
+++ /server/fedora/config/selinux.sh	(revision 79)
@@ -0,0 +1,7 @@
+#!/bin/bash
+
+SESTAT=`getenforce`
+setenforce 0
+semanage user -P user -R user_r -R afsagent_r -a afsagent_u
+semanage login -s afsagent_u -a afsagent
+setenforce $SESTAT
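Review bot: `setenforce $SESTAT` on the last line is only reached if nothing above is interrupted, and `getenforce` can print `Disabled`, which `setenforce` rejects; capture once and restore from a trap instead: `SESTAT=$(getenforce)` followed by `trap '[ "$SESTAT" != Disabled ] && setenforce "$SESTAT"' EXIT`. `semanage user -a` and `semanage login -a` are not idempotent — a second run fails because the records already exist — so guard them with a `semanage ... -l` check or fall back to the `-m` modify form. It is also not obvious why the mode is dropped to permissive at all: `semanage` updates the policy store, which normally does not require permissive mode, so if a specific denial motivated it, record it in a comment; otherwise delete both `setenforce` lines.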
Index: /server/fedora/config/services.sh
===================================================================
--- /server/fedora/config/services.sh	(revision 78)
+++ /server/fedora/config/services.sh	(revision 79)
@@ -14,2 +14,4 @@
 	/sbin/service $s status || runcon system_u:system_r:initrc_t:s0 /sbin/service $s start
 done
+
+restorecon -R /etc
