Diffstat (limited to 'policy/modules/admin/usermanage.if')
-rw-r--r-- | policy/modules/admin/usermanage.if | 297 |
1 files changed, 297 insertions, 0 deletions
diff --git a/policy/modules/admin/usermanage.if b/policy/modules/admin/usermanage.if
new file mode 100644
index 00000000..98b8b2d4
--- /dev/null
+++ b/policy/modules/admin/usermanage.if
@@ -0,0 +1,297 @@
+## <summary>Policy for managing user accounts.</summary>
+
+########################################
+## <summary>
+## Execute chfn in the chfn domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`usermanage_domtrans_chfn',`
+ gen_require(`
+ type chfn_t, chfn_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, chfn_exec_t, chfn_t)
+
+ ifdef(`hide_broken_symptoms',`
+ dontaudit chfn_t $1:socket_class_set { read write };
+ ')
+')
+
+########################################
+## <summary>
+## Execute chfn in the chfn domain, and
+## allow the specified role the chfn domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+#
+interface(`usermanage_run_chfn',`
+ gen_require(`
+ attribute_role chfn_roles;
+ ')
+
+ usermanage_domtrans_chfn($1)
+ roleattribute $2 chfn_roles;
+')
+
+########################################
+## <summary>
+## Execute groupadd in the groupadd domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`usermanage_domtrans_groupadd',`
+ gen_require(`
+ type groupadd_t, groupadd_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, groupadd_exec_t, groupadd_t)
+
+ ifdef(`hide_broken_symptoms',`
+ dontaudit groupadd_t $1:socket_class_set { read write };
+ ')
+')
+
+########################################
+## <summary>
+## Execute groupadd in the groupadd domain, and
+## allow the specified role the groupadd domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`usermanage_run_groupadd',`
+ gen_require(`
+ attribute_role groupadd_roles;
+ ')
+
+ usermanage_domtrans_groupadd($1)
+ roleattribute $2 groupadd_roles;
+')
+
+########################################
+## <summary>
+## Execute passwd in the passwd domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`usermanage_domtrans_passwd',`
+ gen_require(`
+ type passwd_t, passwd_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, passwd_exec_t, passwd_t)
+
+ ifdef(`hide_broken_symptoms',`
+ dontaudit passwd_t $1:socket_class_set { read write };
+ ')
+')
+
+########################################
+## <summary>
+## Send sigkills to passwd.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`usermanage_kill_passwd',`
+ gen_require(`
+ type passwd_t;
+ ')
+
+ allow $1 passwd_t:process sigkill;
+')
+
+########################################
+## <summary>
+## Execute passwd in the passwd domain, and
+## allow the specified role the passwd domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+#
+interface(`usermanage_run_passwd',`
+ gen_require(`
+ attribute_role passwd_roles;
+ ')
+
+ usermanage_domtrans_passwd($1)
+ roleattribute $2 passwd_roles;
+')
+
+########################################
+## <summary>
+## Execute password admin functions in
+## the admin passwd domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`usermanage_domtrans_admin_passwd',`
+ gen_require(`
+ type sysadm_passwd_t, admin_passwd_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, admin_passwd_exec_t, sysadm_passwd_t)
+')
+
+########################################
+## <summary>
+## Execute passwd admin functions in the admin
+## passwd domain, and allow the specified role
+## the admin passwd domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`usermanage_run_admin_passwd',`
+ gen_require(`
+ attribute_role sysadm_passwd_roles;
+ ')
+
+ usermanage_domtrans_admin_passwd($1)
+ roleattribute $2 sysadm_passwd_roles;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to use useradd fds.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`usermanage_dontaudit_use_useradd_fds',`
+ gen_require(`
+ type useradd_t;
+ ')
+
+ dontaudit $1 useradd_t:fd use;
+')
+
+########################################
+## <summary>
+## Execute useradd in the useradd domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`usermanage_domtrans_useradd',`
+ gen_require(`
+ type useradd_t, useradd_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, useradd_exec_t, useradd_t)
+
+ ifdef(`hide_broken_symptoms',`
+ dontaudit useradd_t $1:socket_class_set { read write };
+ ')
+')
+
+########################################
+## <summary>
+## Execute useradd in the useradd domain, and
+## allow the specified role the useradd domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`usermanage_run_useradd',`
+ gen_require(`
+ attribute_role useradd_roles;
+ ')
+
+ usermanage_domtrans_useradd($1)
+ roleattribute $2 useradd_roles;
+')
+
+########################################
+## <summary>
+## Read the crack database.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`usermanage_read_crack_db',`
+ gen_require(`
+ type crack_db_t;
+ ')
+
+ files_search_var($1)
+ read_files_pattern($1, crack_db_t, crack_db_t)
+')
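Review bot: The `<rolecap/>` tag is applied inconsistently across the new `run_` interfaces: `usermanage_run_groupadd`, `usermanage_run_admin_passwd` and `usermanage_run_useradd` carry it, while `usermanage_run_chfn` and `usermanage_run_passwd` perform the same `roleattribute $2 ..._roles;` grant without it. As far as I can tell that tag is what the policy documentation tooling uses to enumerate interfaces granting role access, so an untagged one is simply missing from that list; if chfn and passwd are deliberately left out because they are unprivileged user tools, a header comment saying so would make that explicit, otherwise add `## <rolecap/>` before the `#` line of both. Separately, `usermanage_domtrans_admin_passwd` is the only domtrans interface here without the `hide_broken_symptoms` dontaudit block, and a one-line comment stating whether that omission is intentional would stop the next editor from either copying it in or assuming it was forgotten.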