authorSven Vermeulen <sven.vermeulen@siphos.be>2012-12-17 10:42:50 +0100
committerSven Vermeulen <sven.vermeulen@siphos.be>2013-01-03 17:24:07 +0100
commit80a0782dc605b835f9919edb9c99dbe1e80d9950 (patch)
tree741886dae6d5ae4a37fa006e002f52aa2158b9b3 /policy/modules/admin/usermanage.if
parentAllow initrc_t to read stunnel configuration (diff)
Introduce exec-check interfaces for passwd binaries and useradd binaries
Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
Diffstat (limited to 'policy/modules/admin/usermanage.if')
-rw-r--r--policy/modules/admin/usermanage.if36
1 files changed, 36 insertions, 0 deletions
diff --git a/policy/modules/admin/usermanage.if b/policy/modules/admin/usermanage.if
index ace07f5f7..38aad9002 100644
--- a/policy/modules/admin/usermanage.if
+++ b/policy/modules/admin/usermanage.if
@@ -140,6 +140,24 @@ interface(`usermanage_kill_passwd',`
########################################
## <summary>
+## Check if the passwd binary is executable.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`usermanage_check_exec_passwd',`
+ gen_require(`
+ type passwd_exec_t;
+ ')
+
+ allow $1 passwd_exec_t:file { execute getattr_file_perms };
+')
+
+########################################
+## <summary>
## Execute passwd in the passwd domain, and
## allow the specified role the passwd domain.
## </summary>
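Review bot: The summary of the new `usermanage_check_exec_passwd` interface reads as if the caller could run passwd, but the rule grants only `execute` and `getattr_file_perms` on `passwd_exec_t`, with no `execute_no_trans` and no domain transition, so it lets a domain test the file (stat, access checks) rather than execute it in its own domain. That is the expected shape for a check interface, but the description should state it so callers do not use it in place of `usermanage_domtrans_passwd`; suggest `## Check if the passwd binary is executable (getattr and execute file access only; does not allow running passwd in the calling domain, see usermanage_domtrans_passwd).` The same applies to `usermanage_check_exec_useradd` in the second hunk. Whether the rule format and indentation match the other check_exec interfaces in this file cannot be confirmed from the hunk.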
@@ -253,6 +271,24 @@ interface(`usermanage_domtrans_useradd',`
########################################
## <summary>
+## Check if the useradd binaries are executable.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`usermanage_check_exec_useradd',`
+ gen_require(`
+ type useradd_exec_t;
+ ')
+
+ allow $1 useradd_exec_t:file { execute getattr_file_perms };
+')
+
+########################################
+## <summary>
## Execute useradd in the useradd domain, and
## allow the specified role the useradd domain.
## </summary>