author | Sven Vermeulen <sven.vermeulen@siphos.be> | 2012-12-17 10:42:50 +0100 |
---|---|---|
committer | Sven Vermeulen <sven.vermeulen@siphos.be> | 2013-01-03 17:24:07 +0100 |
commit | 80a0782dc605b835f9919edb9c99dbe1e80d9950 (patch) | |
tree | 741886dae6d5ae4a37fa006e002f52aa2158b9b3 /policy/modules/admin/usermanage.if | |
parent | Allow initrc_t to read stunnel configuration (diff) | |
Introduce exec-check interfaces for passwd binaries and useradd binaries
Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
Diffstat (limited to 'policy/modules/admin/usermanage.if')
-rw-r--r-- | policy/modules/admin/usermanage.if | 36 |
1 files changed, 36 insertions, 0 deletions
diff --git a/policy/modules/admin/usermanage.if b/policy/modules/admin/usermanage.if
index ace07f5f7..38aad9002 100644
--- a/policy/modules/admin/usermanage.if
+++ b/policy/modules/admin/usermanage.if
@@ -140,6 +140,24 @@ interface(`usermanage_kill_passwd',`
 ########################################
 ## <summary>
+## Check if the passwd binary is executable.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`usermanage_check_exec_passwd',`
+ gen_require(`
+ type passwd_exec_t;
+ ')
+
+ allow $1 passwd_exec_t:file { execute getattr_file_perms };
+')
+
+########################################
+## <summary>
 ## Execute passwd in the passwd domain, and
 ## allow the specified role the passwd domain.
 ## </summary>
@@ -253,6 +271,24 @@ interface(`usermanage_domtrans_useradd',`
 ########################################
 ## <summary>
+## Check if the useradd binaries are executable.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`usermanage_check_exec_useradd',`
+ gen_require(`
+ type useradd_exec_t;
+ ')
+
+ allow $1 useradd_exec_t:file { execute getattr_file_perms };
+')
+
+########################################
+## <summary>
 ## Execute useradd in the useradd domain, and
 ## allow the specified role the useradd domain.
 ## </summary> |
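Review bot: The summary added in the first hunk ("Check if the passwd binary is executable") reads like a predicate, while what usermanage_check_exec_passwd actually grants is `execute` plus getattr_file_perms on passwd_exec_t with no domain transition and no execute_no_trans, so the caller can only test executability (access(2)/stat style checks) and cannot run passwd in its own domain from this rule alone; the same applies to usermanage_check_exec_useradd in the second hunk. That is the correct least-privilege shape for a check-only interface and should be stated so a reader does not assume it pairs with the domtrans interfaces (usermanage_domtrans_useradd is visible in the second hunk header) to widen what the caller may execute. Suggested wording for both summaries, e.g. `## Check if the passwd binary is executable (getattr and execute only; no domain transition is granted).`. Both new interfaces are complete within their hunks.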