Diffstat (limited to 'policy/modules/admin')
-rw-r--r-- | policy/modules/admin/bootloader.fc | 9 | ||||
-rw-r--r-- | policy/modules/admin/bootloader.if | 124 | ||||
-rw-r--r-- | policy/modules/admin/bootloader.te | 211 | ||||
-rw-r--r-- | policy/modules/admin/consoletype.fc | 2 | ||||
-rw-r--r-- | policy/modules/admin/consoletype.if | 71 | ||||
-rw-r--r-- | policy/modules/admin/consoletype.te | 125 | ||||
-rw-r--r-- | policy/modules/admin/dmesg.fc | 2 | ||||
-rw-r--r-- | policy/modules/admin/dmesg.if | 40 | ||||
-rw-r--r-- | policy/modules/admin/dmesg.te | 58 | ||||
-rw-r--r-- | policy/modules/admin/metadata.xml | 3 | ||||
-rw-r--r-- | policy/modules/admin/netutils.fc | 15 | ||||
-rw-r--r-- | policy/modules/admin/netutils.if | 307 | ||||
-rw-r--r-- | policy/modules/admin/netutils.te | 212 | ||||
-rw-r--r-- | policy/modules/admin/su.fc | 5 | ||||
-rw-r--r-- | policy/modules/admin/su.if | 337 | ||||
-rw-r--r-- | policy/modules/admin/su.te | 11 | ||||
-rw-r--r-- | policy/modules/admin/sudo.fc | 2 | ||||
-rw-r--r-- | policy/modules/admin/sudo.if | 180 | ||||
-rw-r--r-- | policy/modules/admin/sudo.te | 9 | ||||
-rw-r--r-- | policy/modules/admin/usermanage.fc | 33 | ||||
-rw-r--r-- | policy/modules/admin/usermanage.if | 297 | ||||
-rw-r--r-- | policy/modules/admin/usermanage.te | 559 |
22 files changed, 2612 insertions, 0 deletions
diff --git a/policy/modules/admin/bootloader.fc b/policy/modules/admin/bootloader.fc
new file mode 100644
index 00000000..7a6f06f5
--- /dev/null
+++ b/policy/modules/admin/bootloader.fc
@@ -0,0 +1,9 @@
+
+/etc/lilo\.conf.* -- gen_context(system_u:object_r:bootloader_etc_t,s0)
+/etc/yaboot\.conf.* -- gen_context(system_u:object_r:bootloader_etc_t,s0)
+
+/sbin/grub -- gen_context(system_u:object_r:bootloader_exec_t,s0)
+/sbin/lilo.* -- gen_context(system_u:object_r:bootloader_exec_t,s0)
+/sbin/ybin.* -- gen_context(system_u:object_r:bootloader_exec_t,s0)
+
+/usr/sbin/grub -- gen_context(system_u:object_r:bootloader_exec_t,s0)
diff --git a/policy/modules/admin/bootloader.if b/policy/modules/admin/bootloader.if
new file mode 100644
index 00000000..a778bb15
--- /dev/null
+++ b/policy/modules/admin/bootloader.if
@@ -0,0 +1,124 @@
+## <summary>Policy for the kernel modules, kernel image, and bootloader.</summary>
+
+########################################
+## <summary>
+## Execute bootloader in the bootloader domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`bootloader_domtrans',`
+ gen_require(`
+ type bootloader_t, bootloader_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, bootloader_exec_t, bootloader_t)
+')
+
+########################################
+## <summary>
+## Execute bootloader interactively and do
+## a domain transition to the bootloader domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`bootloader_run',`
+ gen_require(`
+ attribute_role bootloader_roles;
+ ')
+
+ bootloader_domtrans($1)
+ roleattribute $2 bootloader_roles;
+')
+
+########################################
+## <summary>
+## Read the bootloader configuration file.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`bootloader_read_config',`
+ gen_require(`
+ type bootloader_etc_t;
+ ')
+
+ allow $1 bootloader_etc_t:file read_file_perms;
+')
+
+########################################
+## <summary>
+## Read and write the bootloader
+## configuration file.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`bootloader_rw_config',`
+ gen_require(`
+ type bootloader_etc_t;
+ ')
+
+ allow $1 bootloader_etc_t:file rw_file_perms;
+')
+
+########################################
+## <summary>
+## Read and write the bootloader
+## temporary data in /tmp.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`bootloader_rw_tmp_files',`
+ gen_require(`
+ type bootloader_tmp_t;
+ ')
+
+ files_search_tmp($1)
+ allow $1 bootloader_tmp_t:file rw_file_perms;
+')
+
+########################################
+## <summary>
+## Read and write the bootloader
+## temporary data in /tmp.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`bootloader_create_runtime_file',`
+ gen_require(`
+ type boot_runtime_t;
+ ')
+
+ allow $1 boot_runtime_t:file { create_file_perms rw_file_perms };
+ files_boot_filetrans($1, boot_runtime_t, file)
+')
diff --git a/policy/modules/admin/bootloader.te b/policy/modules/admin/bootloader.te
new file mode 100644
index 00000000..ab0439a2
--- /dev/null
+++ b/policy/modules/admin/bootloader.te
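Review bot: The summary on `bootloader_create_runtime_file`, the last interface in the hunk, is a verbatim copy of the one on `bootloader_rw_tmp_files` ("Read and write the bootloader temporary data in /tmp") and does not describe what the interface grants, which is create/read/write on `boot_runtime_t` files plus a type transition under /boot. Suggest `## Create, read and write the bootloader runtime file (boot_runtime_t) in /boot.` in its place. The distinction matters when auditing callers, because this interface hands out write access under /boot while the current summary only mentions /tmp.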
@@ -0,0 +1,211 @@
+policy_module(bootloader, 1.13.0)
+
+########################################
+#
+# Declarations
+#
+
+attribute_role bootloader_roles;
+roleattribute system_r bootloader_roles;
+
+#
+# boot_runtime_t is the type for /boot/kernel.h,
+# which is automatically generated at boot time.
+# only for Red Hat
+#
+type boot_runtime_t;
+files_type(boot_runtime_t)
+
+type bootloader_t;
+type bootloader_exec_t;
+application_domain(bootloader_t, bootloader_exec_t)
+role bootloader_roles types bootloader_t;
+
+#
+# bootloader_etc_t is the configuration file,
+# grub.conf, lilo.conf, etc.
+#
+type bootloader_etc_t alias etc_bootloader_t;
+files_type(bootloader_etc_t)
+
+#
+# The temp file is used for initrd creation;
+# it consists of files and device nodes
+#
+type bootloader_tmp_t;
+files_tmp_file(bootloader_tmp_t)
+dev_node(bootloader_tmp_t)
+
+########################################
+#
+# bootloader local policy
+#
+
+allow bootloader_t self:capability { dac_override dac_read_search fsetid sys_rawio sys_admin mknod chown };
+allow bootloader_t self:process { signal_perms execmem };
+allow bootloader_t self:fifo_file rw_fifo_file_perms;
+
+allow bootloader_t bootloader_etc_t:file read_file_perms;
+# uncomment the following lines if you use "lilo -p"
+#allow bootloader_t bootloader_etc_t:file manage_file_perms;
+#files_etc_filetrans(bootloader_t,bootloader_etc_t,file)
+
+manage_dirs_pattern(bootloader_t, bootloader_tmp_t, bootloader_tmp_t)
+manage_files_pattern(bootloader_t, bootloader_tmp_t, bootloader_tmp_t)
+manage_lnk_files_pattern(bootloader_t, bootloader_tmp_t, bootloader_tmp_t)
+manage_blk_files_pattern(bootloader_t, bootloader_tmp_t, bootloader_tmp_t)
+manage_chr_files_pattern(bootloader_t, bootloader_tmp_t, bootloader_tmp_t)
+files_tmp_filetrans(bootloader_t, bootloader_tmp_t, { dir file lnk_file chr_file blk_file })
+# for tune2fs (cjp: ?)
+files_root_filetrans(bootloader_t, bootloader_tmp_t, file)
+
+kernel_getattr_core_if(bootloader_t)
+kernel_read_network_state(bootloader_t)
+kernel_read_system_state(bootloader_t)
+kernel_read_software_raid_state(bootloader_t)
+kernel_read_kernel_sysctls(bootloader_t)
+
+storage_raw_read_fixed_disk(bootloader_t)
+storage_raw_write_fixed_disk(bootloader_t)
+storage_raw_read_removable_device(bootloader_t)
+storage_raw_write_removable_device(bootloader_t)
+
+dev_getattr_all_chr_files(bootloader_t)
+dev_getattr_all_blk_files(bootloader_t)
+dev_dontaudit_rw_generic_dev_nodes(bootloader_t)
+dev_read_rand(bootloader_t)
+dev_read_urand(bootloader_t)
+dev_read_sysfs(bootloader_t)
+# needed on some hardware
+dev_rw_nvram(bootloader_t)
+
+fs_getattr_xattr_fs(bootloader_t)
+fs_getattr_tmpfs(bootloader_t)
+fs_read_tmpfs_symlinks(bootloader_t)
+#Needed for ia64
+fs_manage_dos_files(bootloader_t)
+
+mls_file_read_all_levels(bootloader_t)
+mls_file_write_all_levels(bootloader_t)
+
+term_getattr_all_ttys(bootloader_t)
+term_dontaudit_manage_pty_dirs(bootloader_t)
+
+corecmd_exec_all_executables(bootloader_t)
+
+domain_use_interactive_fds(bootloader_t)
+
+files_create_boot_dirs(bootloader_t)
+files_manage_boot_files(bootloader_t)
+files_manage_boot_symlinks(bootloader_t)
+files_read_etc_files(bootloader_t)
+files_exec_etc_files(bootloader_t)
+files_read_usr_src_files(bootloader_t)
+files_read_usr_files(bootloader_t)
+files_read_var_files(bootloader_t)
+files_read_kernel_modules(bootloader_t)
+# for nscd
+files_dontaudit_search_pids(bootloader_t)
+# for blkid.tab
+files_manage_etc_runtime_files(bootloader_t)
+files_etc_filetrans_etc_runtime(bootloader_t, file)
+files_dontaudit_search_home(bootloader_t)
+
+init_getattr_initctl(bootloader_t)
+init_use_script_ptys(bootloader_t)
+init_use_script_fds(bootloader_t)
+init_rw_script_pipes(bootloader_t)
+
+libs_read_lib_files(bootloader_t)
+libs_exec_lib_files(bootloader_t)
+
+logging_send_syslog_msg(bootloader_t)
+logging_rw_generic_logs(bootloader_t)
+
+miscfiles_read_localization(bootloader_t)
+
+modutils_domtrans_insmod(bootloader_t)
+
+seutil_read_bin_policy(bootloader_t)
+seutil_read_loadpolicy(bootloader_t)
+seutil_dontaudit_search_config(bootloader_t)
+
+userdom_use_user_terminals(bootloader_t)
+userdom_dontaudit_search_user_home_dirs(bootloader_t)
+
+ifdef(`distro_debian',`
+ allow bootloader_t bootloader_tmp_t:{ dir file } { relabelfrom relabelto };
+ fs_list_tmpfs(bootloader_t)
+
+ files_relabel_kernel_modules(bootloader_t)
+ files_relabelfrom_boot_files(bootloader_t)
+ files_delete_kernel_modules(bootloader_t)
+ files_relabelto_usr_files(bootloader_t)
+ files_search_var_lib(bootloader_t)
+ # for /usr/share/initrd-tools/scripts
+ files_exec_usr_files(bootloader_t)
+
+ fstools_manage_entry_files(bootloader_t)
+ fstools_relabelto_entry_files(bootloader_t)
+
+ libs_relabelto_lib_files(bootloader_t)
+')
+
+ifdef(`distro_redhat',`
+ # for memlock
+ allow bootloader_t self:capability ipc_lock;
+
+ # new file system defaults to file_t, granting file_t access is still bad.
+ allow bootloader_t boot_runtime_t:file { read_file_perms delete_file_perms };
+
+ # new file system defaults to file_t, granting file_t access is still bad.
+ files_manage_isid_type_dirs(bootloader_t)
+ files_manage_isid_type_files(bootloader_t)
+ files_manage_isid_type_symlinks(bootloader_t)
+ files_manage_isid_type_blk_files(bootloader_t)
+ files_manage_isid_type_chr_files(bootloader_t)
+
+ # for mke2fs
+ mount_run(bootloader_t, bootloader_roles)
+
+ optional_policy(`
+ unconfined_domain(bootloader_t)
+ ')
+')
+
+optional_policy(`
+ fstools_exec(bootloader_t)
+')
+
+optional_policy(`
+ hal_dontaudit_append_lib_files(bootloader_t)
+ hal_write_log(bootloader_t)
+')
+
+optional_policy(`
+ kudzu_domtrans(bootloader_t)
+')
+
+optional_policy(`
+ dev_rw_lvm_control(bootloader_t)
+
+ lvm_domtrans(bootloader_t)
+ lvm_read_config(bootloader_t)
+')
+
+optional_policy(`
+ modutils_exec_insmod(bootloader_t)
+ modutils_read_module_deps(bootloader_t)
+ modutils_read_module_config(bootloader_t)
+ modutils_exec_insmod(bootloader_t)
+ modutils_exec_depmod(bootloader_t)
+ modutils_exec_update_mods(bootloader_t)
+')
+
+optional_policy(`
+ nscd_socket_use(bootloader_t)
+')
+
+optional_policy(`
+ rpm_rw_pipes(bootloader_t)
+')
diff --git a/policy/modules/admin/consoletype.fc b/policy/modules/admin/consoletype.fc
new file mode 100644
index 00000000..b7f053bf
--- /dev/null
+++ b/policy/modules/admin/consoletype.fc
@@ -0,0 +1,2 @@
+
+/sbin/consoletype -- gen_context(system_u:object_r:consoletype_exec_t,s0)
diff --git a/policy/modules/admin/consoletype.if b/policy/modules/admin/consoletype.if
new file mode 100644
index 00000000..0f57d3bc
--- /dev/null
+++ b/policy/modules/admin/consoletype.if
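Review bot: `modutils_exec_insmod(bootloader_t)` is listed twice in the modutils `optional_policy` block near the end of the hunk; drop the second occurrence. Two broad grants in the same file carry no rationale: `allow bootloader_t self:process { signal_perms execmem }` hands the domain executable anonymous memory, and the `distro_redhat` block ends with `unconfined_domain(bootloader_t)`, which effectively removes confinement for that distribution. A one-line why-comment on each, e.g. `# execmem: required by <bootloader tool — TODO confirm>` and `# distro_redhat: bootloader runs unconfined; revisit once the isid/tune2fs needs above are covered`, would let a later reviewer judge whether either is still needed rather than inheriting it blindly.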
@@ -0,0 +1,71 @@
+## <summary>
+## Determine of the console connected to the controlling terminal.
+## </summary>
+
+########################################
+## <summary>
+## Execute consoletype in the consoletype domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`consoletype_domtrans',`
+ gen_require(`
+ type consoletype_t, consoletype_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, consoletype_exec_t, consoletype_t)
+
+ ifdef(`hide_broken_symptoms', `
+ dontaudit consoletype_t $1:socket_class_set { read write };
+ ')
+')
+
+########################################
+## <summary>
+## Execute consoletype in the consoletype domain, and
+## allow the specified role the consoletype domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+#
+interface(`consoletype_run',`
+ gen_require(`
+ type consoletype_t;
+ ')
+
+ consoletype_domtrans($1)
+ role $2 types consoletype_t;
+')
+
+########################################
+## <summary>
+## Execute consoletype in the caller domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`consoletype_exec',`
+ gen_require(`
+ type consoletype_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ can_exec($1, consoletype_exec_t)
+')
diff --git a/policy/modules/admin/consoletype.te b/policy/modules/admin/consoletype.te
new file mode 100644
index 00000000..cd5e005c
--- /dev/null
+++ b/policy/modules/admin/consoletype.te
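Review bot: The module summary at the top of the hunk reads `Determine of the console connected to the controlling terminal.`, which is ungrammatical and is what the generated interface documentation will show; suggest `## Determine the type of the console connected to the controlling terminal.`. Further down, `consoletype_domtrans` dontaudits `{ read write }` on the whole `socket_class_set` for the caller's sockets under `hide_broken_symptoms` without saying which leaked descriptor it is masking; a short comment such as `# callers leak inherited socket fds to consoletype; silence rather than grant` would make the dontaudit reviewable and keep anyone from widening it into an allow later.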
@@ -0,0 +1,125 @@
+policy_module(consoletype, 1.10.0)
+
+########################################
+#
+# Declarations
+#
+
+type consoletype_t;
+type consoletype_exec_t;
+init_domain(consoletype_t, consoletype_exec_t)
+init_system_domain(consoletype_t, consoletype_exec_t)
+
+########################################
+#
+# Local declarations
+#
+
+allow consoletype_t self:capability { sys_admin sys_tty_config };
+allow consoletype_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
+allow consoletype_t self:fd use;
+allow consoletype_t self:fifo_file rw_fifo_file_perms;
+allow consoletype_t self:sock_file read_sock_file_perms;
+allow consoletype_t self:unix_dgram_socket create_socket_perms;
+allow consoletype_t self:unix_stream_socket create_stream_socket_perms;
+allow consoletype_t self:unix_dgram_socket sendto;
+allow consoletype_t self:unix_stream_socket connectto;
+allow consoletype_t self:shm create_shm_perms;
+allow consoletype_t self:sem create_sem_perms;
+allow consoletype_t self:msgq create_msgq_perms;
+allow consoletype_t self:msg { send receive };
+
+kernel_use_fds(consoletype_t)
+kernel_dontaudit_read_system_state(consoletype_t)
+
+dev_dontaudit_rw_generic_chr_files(consoletype_t)
+
+domain_use_interactive_fds(consoletype_t)
+
+files_dontaudit_read_root_files(consoletype_t)
+files_list_usr(consoletype_t)
+
+fs_getattr_all_fs(consoletype_t)
+fs_search_auto_mountpoints(consoletype_t)
+fs_write_nfs_files(consoletype_t)
+fs_list_inotifyfs(consoletype_t)
+
+mls_file_read_all_levels(consoletype_t)
+mls_file_write_all_levels(consoletype_t)
+
+term_use_all_terms(consoletype_t)
+
+init_use_fds(consoletype_t)
+init_use_script_ptys(consoletype_t)
+init_use_script_fds(consoletype_t)
+init_rw_script_pipes(consoletype_t)
+
+userdom_use_user_terminals(consoletype_t)
+
+ifdef(`distro_redhat',`
+ fs_rw_tmpfs_chr_files(consoletype_t)
+')
+
+optional_policy(`
+ apm_use_fds(consoletype_t)
+ apm_write_pipes(consoletype_t)
+')
+
+optional_policy(`
+ auth_read_pam_pid(consoletype_t)
+')
+
+optional_policy(`
+ cron_read_pipes(consoletype_t)
+ cron_use_system_job_fds(consoletype_t)
+')
+
+optional_policy(`
+ dbus_use_system_bus_fds(consoletype_t)
+')
+
+optional_policy(`
+ files_read_etc_files(consoletype_t)
+ firstboot_use_fds(consoletype_t)
+ firstboot_rw_pipes(consoletype_t)
+')
+
+optional_policy(`
+ hal_dontaudit_use_fds(consoletype_t)
+ hal_dontaudit_rw_pipes(consoletype_t)
+ hal_dontaudit_rw_dgram_sockets(consoletype_t)
+ hal_dontaudit_write_log(consoletype_t)
+')
+
+optional_policy(`
+ hotplug_dontaudit_use_fds(consoletype_t)
+')
+
+optional_policy(`
+ logrotate_dontaudit_use_fds(consoletype_t)
+')
+
+optional_policy(`
+ lpd_read_config(consoletype_t)
+')
+
+optional_policy(`
+ nis_use_ypbind(consoletype_t)
+')
+
+optional_policy(`
+ # Commonly used from postinst scripts
+ rpm_read_pipes(consoletype_t)
+')
+
+optional_policy(`
+ userdom_use_unpriv_users_fds(consoletype_t)
+')
+
+optional_policy(`
+ kernel_read_xen_state(consoletype_t)
+ kernel_write_xen_state(consoletype_t)
+ xen_append_log(consoletype_t)
+ xen_dontaudit_rw_unix_stream_sockets(consoletype_t)
+ xen_dontaudit_use_fds(consoletype_t)
+')
diff --git a/policy/modules/admin/dmesg.fc b/policy/modules/admin/dmesg.fc
new file mode 100644
index 00000000..d6cc2d97
--- /dev/null
+++ b/policy/modules/admin/dmesg.fc
@@ -0,0 +1,2 @@
+
+/bin/dmesg -- gen_context(system_u:object_r:dmesg_exec_t,s0)
diff --git a/policy/modules/admin/dmesg.if b/policy/modules/admin/dmesg.if
new file mode 100644
index 00000000..e1973c78
--- /dev/null
+++ b/policy/modules/admin/dmesg.if
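Review bot: `files_read_etc_files(consoletype_t)` sits inside the firstboot `optional_policy` block in the second half of the hunk, so the domain can only read /etc when the firstboot module happens to be loaded; if consoletype needs /etc in general the line belongs with the unconditional `files_*` rules earlier in the file, and if only the firstboot path needs it a comment should say so (`# only needed when invoked from firstboot`). The section header above the first `allow consoletype_t self:capability` rule says `# Local declarations` but that section holds the local policy rules; the other new modules in this commit use `# Local policy`, so use the same here. The complement form `allow consoletype_t self:process ~{ ... }` also grants every process permission not named, including ones added to the class later, which is harder to audit than an explicit list of what consoletype actually uses.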
@@ -0,0 +1,40 @@
+## <summary>Policy for dmesg.</summary>
+
+########################################
+## <summary>
+## Execute dmesg in the dmesg domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`dmesg_domtrans',`
+ gen_require(`
+ type dmesg_t, dmesg_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, dmesg_exec_t, dmesg_t)
+')
+
+########################################
+## <summary>
+## Execute dmesg in the caller domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`dmesg_exec',`
+ gen_require(`
+ type dmesg_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ can_exec($1, dmesg_exec_t)
+')
diff --git a/policy/modules/admin/dmesg.te b/policy/modules/admin/dmesg.te
new file mode 100644
index 00000000..72bc6d81
--- /dev/null
+++ b/policy/modules/admin/dmesg.te
@@ -0,0 +1,58 @@
+policy_module(dmesg, 1.3.0)
+
+########################################
+#
+# Declarations
+#
+
+type dmesg_t;
+type dmesg_exec_t;
+init_system_domain(dmesg_t, dmesg_exec_t)
+
+########################################
+#
+# Local policy
+#
+
+allow dmesg_t self:capability sys_admin;
+dontaudit dmesg_t self:capability sys_tty_config;
+
+allow dmesg_t self:process signal_perms;
+
+kernel_read_kernel_sysctls(dmesg_t)
+kernel_read_ring_buffer(dmesg_t)
+kernel_clear_ring_buffer(dmesg_t)
+kernel_change_ring_buffer_level(dmesg_t)
+kernel_list_proc(dmesg_t)
+kernel_read_proc_symlinks(dmesg_t)
+
+dev_read_sysfs(dmesg_t)
+
+fs_search_auto_mountpoints(dmesg_t)
+
+term_dontaudit_use_console(dmesg_t)
+
+domain_use_interactive_fds(dmesg_t)
+
+files_list_etc(dmesg_t)
+# for when /usr is not mounted:
+files_dontaudit_search_isid_type_dirs(dmesg_t)
+
+init_use_fds(dmesg_t)
+init_use_script_ptys(dmesg_t)
+
+logging_send_syslog_msg(dmesg_t)
+logging_write_generic_logs(dmesg_t)
+
+miscfiles_read_localization(dmesg_t)
+
+userdom_dontaudit_use_unpriv_user_fds(dmesg_t)
+userdom_use_user_terminals(dmesg_t)
+
+optional_policy(`
+ seutil_sigchld_newrole(dmesg_t)
+')
+
+optional_policy(`
+ udev_read_db(dmesg_t)
+')
diff --git a/policy/modules/admin/metadata.xml b/policy/modules/admin/metadata.xml
new file mode 100644
index 00000000..bd8d1747
--- /dev/null
+++ b/policy/modules/admin/metadata.xml
@@ -0,0 +1,3 @@
+<summary>
+ Policy modules for administrative functions, such as package management.
+</summary>
diff --git a/policy/modules/admin/netutils.fc b/policy/modules/admin/netutils.fc
new file mode 100644
index 00000000..407078f4
--- /dev/null
+++ b/policy/modules/admin/netutils.fc
@@ -0,0 +1,15 @@
+/bin/ping.* -- gen_context(system_u:object_r:ping_exec_t,s0)
+/bin/tracepath.* -- gen_context(system_u:object_r:traceroute_exec_t,s0)
+/bin/traceroute.* -- gen_context(system_u:object_r:traceroute_exec_t,s0)
+
+/sbin/arping -- gen_context(system_u:object_r:netutils_exec_t,s0)
+
+/usr/bin/lft -- gen_context(system_u:object_r:traceroute_exec_t,s0)
+/usr/bin/nmap -- gen_context(system_u:object_r:traceroute_exec_t,s0)
+/usr/bin/traceroute.* -- gen_context(system_u:object_r:traceroute_exec_t,s0)
+
+/usr/sbin/fping -- gen_context(system_u:object_r:ping_exec_t,s0)
+/usr/sbin/traceroute.* -- gen_context(system_u:object_r:traceroute_exec_t,s0)
+/usr/sbin/hping2 -- gen_context(system_u:object_r:ping_exec_t,s0)
+/usr/sbin/send_arp -- gen_context(system_u:object_r:ping_exec_t,s0)
+/usr/sbin/tcpdump -- gen_context(system_u:object_r:netutils_exec_t,s0)
diff --git a/policy/modules/admin/netutils.if b/policy/modules/admin/netutils.if
new file mode 100644
index 00000000..c6ca761c
--- /dev/null
+++ b/policy/modules/admin/netutils.if
@@ -0,0 +1,307 @@
+## <summary>Network analysis utilities</summary>
+
+########################################
+## <summary>
+## Execute network utilities in the netutils domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`netutils_domtrans',`
+ gen_require(`
+ type netutils_t, netutils_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, netutils_exec_t, netutils_t)
+')
+
+########################################
+## <summary>
+## Execute network utilities in the netutils domain, and
+## allow the specified role the netutils domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`netutils_run',`
+ gen_require(`
+ type netutils_t;
+ ')
+
+ netutils_domtrans($1)
+ role $2 types netutils_t;
+')
+
+########################################
+## <summary>
+## Execute network utilities in the caller domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`netutils_exec',`
+ gen_require(`
+ type netutils_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ can_exec($1, netutils_exec_t)
+')
+
+########################################
+## <summary>
+## Send generic signals to network utilities.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`netutils_signal',`
+ gen_require(`
+ type netutils_t;
+ ')
+
+ allow $1 netutils_t:process signal;
+')
+
+########################################
+## <summary>
+## Execute ping in the ping domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`netutils_domtrans_ping',`
+ gen_require(`
+ type ping_t, ping_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, ping_exec_t, ping_t)
+')
+
+########################################
+## <summary>
+## Send a kill (SIGKILL) signal to ping.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`netutils_kill_ping',`
+ gen_require(`
+ type ping_t;
+ ')
+
+ allow $1 ping_t:process sigkill;
+')
+
+########################################
+## <summary>
+## Send generic signals to ping.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`netutils_signal_ping',`
+ gen_require(`
+ type ping_t;
+ ')
+
+ allow $1 ping_t:process signal;
+')
+
+########################################
+## <summary>
+## Execute ping in the ping domain, and
+## allow the specified role the ping domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`netutils_run_ping',`
+ gen_require(`
+ type ping_t;
+ ')
+
+ netutils_domtrans_ping($1)
+ role $2 types ping_t;
+')
+
+########################################
+## <summary>
+## Conditionally execute ping in the ping domain, and
+## allow the specified role the ping domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`netutils_run_ping_cond',`
+ gen_require(`
+ type ping_t;
+ bool user_ping;
+ ')
+
+ role $2 types ping_t;
+
+ if ( user_ping ) {
+ netutils_domtrans_ping($1)
+ }
+')
+
+########################################
+## <summary>
+## Execute ping in the caller domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`netutils_exec_ping',`
+ gen_require(`
+ type ping_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ can_exec($1, ping_exec_t)
+')
+
+########################################
+## <summary>
+## Execute traceroute in the traceroute domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`netutils_domtrans_traceroute',`
+ gen_require(`
+ type traceroute_t, traceroute_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, traceroute_exec_t, traceroute_t)
+')
+
+########################################
+## <summary>
+## Execute traceroute in the traceroute domain, and
+## allow the specified role the traceroute domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`netutils_run_traceroute',`
+ gen_require(`
+ type traceroute_t;
+ ')
+
+ netutils_domtrans_traceroute($1)
+ role $2 types traceroute_t;
+')
+
+########################################
+## <summary>
+## Conditionally execute traceroute in the traceroute domain, and
+## allow the specified role the traceroute domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`netutils_run_traceroute_cond',`
+ gen_require(`
+ type traceroute_t;
+ bool user_ping;
+ ')
+
+ role $2 types traceroute_t;
+
+ if( user_ping ) {
+ netutils_domtrans_traceroute($1)
+ }
+')
+
+########################################
+## <summary>
+## Execute traceroute in the caller domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`netutils_exec_traceroute',`
+ gen_require(`
+ type traceroute_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ can_exec($1, traceroute_exec_t)
+')
diff --git a/policy/modules/admin/netutils.te b/policy/modules/admin/netutils.te
new file mode 100644
index 00000000..e0791b96
--- /dev/null
+++ b/policy/modules/admin/netutils.te
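Review bot: `netutils_run_traceroute_cond` writes its conditional as `if( user_ping ) {` while `netutils_run_ping_cond` earlier in the hunk writes `if ( user_ping ) {`; use the spaced form in both so the two interfaces read alike. In both `_cond` interfaces the `role $2 types ...` rule is granted unconditionally before the `if`, presumably because role statements cannot live inside a conditional block, but nothing says so; a comment such as `# role rules cannot be conditional; only the transition is gated by user_ping` would stop a later reader from "fixing" it by moving the line inside the block and breaking the build.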
@@ -0,0 +1,212 @@
+policy_module(netutils, 1.11.0)
+
+########################################
+#
+# Declarations
+#
+
+## <desc>
+## <p>
+## Control users use of ping and traceroute
+## </p>
+## </desc>
+gen_tunable(user_ping, false)
+
+type netutils_t;
+type netutils_exec_t;
+init_system_domain(netutils_t, netutils_exec_t)
+
+type netutils_tmp_t;
+files_tmp_file(netutils_tmp_t)
+
+type ping_t;
+type ping_exec_t;
+init_system_domain(ping_t, ping_exec_t)
+
+type traceroute_t;
+type traceroute_exec_t;
+init_system_domain(traceroute_t, traceroute_exec_t)
+
+########################################
+#
+# Netutils local policy
+#
+
+# Perform network administration operations and have raw access to the network.
+allow netutils_t self:capability { net_admin net_raw setuid setgid };
+dontaudit netutils_t self:capability sys_tty_config;
+allow netutils_t self:process signal_perms;
+allow netutils_t self:netlink_route_socket create_netlink_socket_perms;
+allow netutils_t self:packet_socket create_socket_perms;
+allow netutils_t self:udp_socket create_socket_perms;
+allow netutils_t self:tcp_socket create_stream_socket_perms;
+allow netutils_t self:socket create_socket_perms;
+
+manage_dirs_pattern(netutils_t, netutils_tmp_t, netutils_tmp_t)
+manage_files_pattern(netutils_t, netutils_tmp_t, netutils_tmp_t)
+files_tmp_filetrans(netutils_t, netutils_tmp_t, { file dir })
+
+kernel_search_proc(netutils_t)
+kernel_read_all_sysctls(netutils_t)
+
+corenet_all_recvfrom_unlabeled(netutils_t)
+corenet_all_recvfrom_netlabel(netutils_t)
+corenet_tcp_sendrecv_generic_if(netutils_t)
+corenet_raw_sendrecv_generic_if(netutils_t)
+corenet_udp_sendrecv_generic_if(netutils_t)
+corenet_tcp_sendrecv_generic_node(netutils_t)
+corenet_raw_sendrecv_generic_node(netutils_t)
+corenet_udp_sendrecv_generic_node(netutils_t)
+corenet_tcp_sendrecv_all_ports(netutils_t)
+corenet_udp_sendrecv_all_ports(netutils_t)
+corenet_tcp_connect_all_ports(netutils_t)
+corenet_sendrecv_all_client_packets(netutils_t)
+corenet_udp_bind_generic_node(netutils_t)
+
+dev_read_sysfs(netutils_t)
+
+fs_getattr_xattr_fs(netutils_t)
+
+domain_use_interactive_fds(netutils_t)
+
+files_read_etc_files(netutils_t)
+# for nscd
+files_dontaudit_search_var(netutils_t)
+
+init_use_fds(netutils_t)
+init_use_script_ptys(netutils_t)
+
+auth_use_nsswitch(netutils_t)
+
+logging_send_syslog_msg(netutils_t)
+
+miscfiles_read_localization(netutils_t)
+
+term_dontaudit_use_console(netutils_t)
+userdom_use_user_terminals(netutils_t)
+userdom_use_all_users_fds(netutils_t)
+
+optional_policy(`
+ nis_use_ypbind(netutils_t)
+')
+
+optional_policy(`
+ vmware_append_log(netutils_t)
+')
+
+optional_policy(`
+ xen_append_log(netutils_t)
+')
+
+########################################
+#
+# Ping local policy
+#
+
+allow ping_t self:capability { setuid net_raw };
+dontaudit ping_t self:capability sys_tty_config;
+allow ping_t self:tcp_socket create_socket_perms;
+allow ping_t self:rawip_socket { create ioctl read write bind getopt setopt };
+allow ping_t self:packet_socket { create ioctl read write bind getopt setopt };
+allow ping_t self:netlink_route_socket create_netlink_socket_perms;
+
+corenet_all_recvfrom_unlabeled(ping_t)
+corenet_all_recvfrom_netlabel(ping_t)
+corenet_tcp_sendrecv_generic_if(ping_t)
+corenet_raw_sendrecv_generic_if(ping_t)
+corenet_raw_sendrecv_generic_node(ping_t)
+corenet_tcp_sendrecv_generic_node(ping_t)
+corenet_raw_bind_generic_node(ping_t)
+corenet_tcp_sendrecv_all_ports(ping_t)
+
+fs_dontaudit_getattr_xattr_fs(ping_t)
+
+domain_use_interactive_fds(ping_t)
+
+files_read_etc_files(ping_t)
+files_dontaudit_search_var(ping_t)
+
+kernel_read_system_state(ping_t)
+
+auth_use_nsswitch(ping_t)
+
+logging_send_syslog_msg(ping_t)
+
+miscfiles_read_localization(ping_t)
+
+userdom_use_user_terminals(ping_t)
+
+ifdef(`hide_broken_symptoms',`
+ init_dontaudit_use_fds(ping_t)
+
+ optional_policy(`
+ nagios_dontaudit_rw_log(ping_t)
+ nagios_dontaudit_rw_pipes(ping_t)
+ ')
+')
+
+optional_policy(`
+ munin_append_log(ping_t)
+')
+
+optional_policy(`
+ pcmcia_use_cardmgr_fds(ping_t)
+')
+
+optional_policy(`
+ hotplug_use_fds(ping_t)
+')
+
+########################################
+#
+# Traceroute local policy
+#
+
+allow traceroute_t self:capability { net_admin net_raw setuid setgid };
+allow traceroute_t self:rawip_socket create_socket_perms;
+allow traceroute_t self:packet_socket create_socket_perms;
+allow traceroute_t self:udp_socket create_socket_perms;
+
+kernel_read_system_state(traceroute_t)
+kernel_read_network_state(traceroute_t)
+
+corenet_all_recvfrom_unlabeled(traceroute_t)
+corenet_all_recvfrom_netlabel(traceroute_t)
+corenet_tcp_sendrecv_generic_if(traceroute_t)
+corenet_udp_sendrecv_generic_if(traceroute_t)
+corenet_raw_sendrecv_generic_if(traceroute_t)
+corenet_tcp_sendrecv_generic_node(traceroute_t)
+corenet_udp_sendrecv_generic_node(traceroute_t)
+corenet_raw_sendrecv_generic_node(traceroute_t)
+corenet_tcp_sendrecv_all_ports(traceroute_t)
+corenet_udp_sendrecv_all_ports(traceroute_t)
+corenet_udp_bind_generic_node(traceroute_t)
+corenet_tcp_bind_generic_node(traceroute_t)
+# traceroute needs this but not tracepath
+corenet_raw_bind_generic_node(traceroute_t)
+corenet_udp_bind_traceroute_port(traceroute_t)
+corenet_tcp_connect_all_ports(traceroute_t)
+corenet_sendrecv_all_client_packets(traceroute_t)
+corenet_sendrecv_traceroute_server_packets(traceroute_t)
+
+fs_dontaudit_getattr_xattr_fs(traceroute_t)
+
+domain_use_interactive_fds(traceroute_t)
+
+files_read_etc_files(traceroute_t)
+files_dontaudit_search_var(traceroute_t)
+
+init_use_fds(traceroute_t)
+
+auth_use_nsswitch(traceroute_t)
+
+logging_send_syslog_msg(traceroute_t)
+
+miscfiles_read_localization(traceroute_t)
+
+userdom_use_user_terminals(traceroute_t)
+
+#rules needed for nmap
+dev_read_rand(traceroute_t)
+dev_read_urand(traceroute_t)
+files_read_usr_files(traceroute_t)
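Review bot: The `<desc>` on `gen_tunable(user_ping, false)` at the top of the hunk says the boolean controls "ping and traceroute", but the same boolean gates `netutils_run_traceroute_cond` in netutils.if, and netutils.fc labels `/usr/bin/nmap` and `/usr/bin/lft` as `traceroute_exec_t`, so turning it on also admits users into the traceroute domain through those binaries; the `#rules needed for nmap` lines at the end of this hunk confirm nmap is an intended occupant of a domain that holds `net_admin net_raw setuid setgid`. Suggest the description state that scope, e.g. `## Control users use of ping, traceroute and other tools labeled traceroute_exec_t (e.g. nmap)`. An administrator deciding whether to enable the boolean should not have to read the .fc to learn what it unlocks, and the traceroute capability line would also benefit from a why-comment on `net_admin`, which tracepath and traceroute do not obviously need.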
diff --git a/policy/modules/admin/su.fc b/policy/modules/admin/su.fc
new file mode 100644
index 00000000..688abc2a
--- /dev/null
+++ b/policy/modules/admin/su.fc
@@ -0,0 +1,5 @@
+
+/bin/su -- gen_context(system_u:object_r:su_exec_t,s0)
+
+/usr/(local/)?bin/ksu -- gen_context(system_u:object_r:su_exec_t,s0)
+/usr/bin/kdesu -- gen_context(system_u:object_r:su_exec_t,s0)
diff --git a/policy/modules/admin/su.if b/policy/modules/admin/su.if
new file mode 100644
index 00000000..c9196e3d
--- /dev/null
+++ b/policy/modules/admin/su.if
@@ -0,0 +1,337 @@
+## <summary>Run shells with substitute user and group</summary>
+
+#######################################
+## <summary>
+## Restricted su domain template.
+## </summary>
+## <desc>
+## <p>
+## This template creates a derived domain which is allowed
+## to change the linux user id, to run shells as a different
+## user.
+## </p>
+## </desc>
+## <param name="userdomain_prefix">
+## <summary>
+## The prefix of the user domain (e.g., user
+## is the prefix for user_t).
+## </summary>
+## </param>
+## <param name="user_domain">
+## <summary>
+## The type of the user domain.
+## </summary>
+## </param>
+## <param name="user_role">
+## <summary>
+## The role associated with the user domain.
+## </summary>
+## </param>
+#
+template(`su_restricted_domain_template', `
+ gen_require(`
+ type su_exec_t;
+ ')
+
+ type $1_su_t;
+ domain_entry_file($1_su_t, su_exec_t)
+ domain_type($1_su_t)
+ domain_interactive_fd($1_su_t)
+ role $3 types $1_su_t;
+
+ allow $2 $1_su_t:process signal;
+
+ allow $1_su_t self:capability { audit_control audit_write setuid setgid net_bind_service chown dac_override fowner sys_nice sys_resource };
+ dontaudit $1_su_t self:capability sys_tty_config;
+ allow $1_su_t self:key { search write };
+ allow $1_su_t self:process { setexec setsched setrlimit };
+ allow $1_su_t self:fifo_file rw_fifo_file_perms;
+ allow $1_su_t self:netlink_audit_socket { nlmsg_relay create_netlink_socket_perms };
+ allow $1_su_t self:unix_stream_socket create_stream_socket_perms;
+
+ # Transition from the user domain to this domain.
+ domtrans_pattern($2, su_exec_t, $1_su_t)
+
+ # By default, revert to the calling domain when a shell is executed.
+ corecmd_shell_domtrans($1_su_t,$2)
+ allow $2 $1_su_t:fd use;
+ allow $2 $1_su_t:fifo_file rw_file_perms;
+ allow $2 $1_su_t:process sigchld;
+
+ kernel_read_system_state($1_su_t)
+ kernel_read_kernel_sysctls($1_su_t)
+ kernel_search_key($1_su_t)
+ kernel_link_key($1_su_t)
+
+ # for SSP
+ dev_read_urand($1_su_t)
+
+ files_read_etc_files($1_su_t)
+ files_read_etc_runtime_files($1_su_t)
+ files_search_var_lib($1_su_t)
+ files_dontaudit_getattr_tmp_dirs($1_su_t)
+
+ # for the rootok check
+ selinux_compute_access_vector($1_su_t)
+ selinux_get_fs_mount($1_su_t)
+
+ auth_domtrans_chk_passwd($1_su_t)
+ auth_dontaudit_read_shadow($1_su_t)
+ auth_use_nsswitch($1_su_t)
+ auth_rw_faillog($1_su_t)
+
+ domain_use_interactive_fds($1_su_t)
+
+ init_dontaudit_use_fds($1_su_t)
+ init_dontaudit_use_script_ptys($1_su_t)
+ # Write to utmp.
+ init_rw_utmp($1_su_t)
+ init_search_script_keys($1_su_t)
+
+ logging_send_syslog_msg($1_su_t)
+
+ miscfiles_read_localization($1_su_t)
+
+ ifdef(`distro_redhat',`
+ # RHEL5 and possibly newer releases incl. Fedora
+ auth_domtrans_upd_passwd($1_su_t)
+
+ optional_policy(`
+ locallogin_search_keys($1_su_t)
+ ')
+ ')
+
+ ifdef(`distro_rhel4',`
+ domain_role_change_exemption($1_su_t)
+ domain_subj_id_change_exemption($1_su_t)
+ domain_obj_id_change_exemption($1_su_t)
+
+ selinux_get_fs_mount($1_su_t)
+ selinux_validate_context($1_su_t)
+ selinux_compute_access_vector($1_su_t)
+ selinux_compute_create_context($1_su_t)
+ selinux_compute_relabel_context($1_su_t)
+ selinux_compute_user_contexts($1_su_t)
+
+ seutil_read_config($1_su_t)
+ seutil_read_default_contexts($1_su_t)
+
+ # Only allow transitions to unprivileged user domains.
+ userdom_spec_domtrans_unpriv_users($1_su_t)
+ ')
+
+ ifdef(`hide_broken_symptoms',`
+ # dontaudit leaked sockets from parent
+ dontaudit $1_su_t $2:socket_class_set { read write };
+ ')
+
+ optional_policy(`
+ cron_read_pipes($1_su_t)
+ ')
+
+ optional_policy(`
+ kerberos_use($1_su_t)
+ ')
+
+ optional_policy(`
+ # used when the password has expired
+ usermanage_read_crack_db($1_su_t)
+ ')
+')
+
+#######################################
+## <summary>
+## The role template for the su module.
+## </summary>
+## <param name="role_prefix">
+## <summary>
+## The prefix of the user role (e.g., user
+## is the prefix for user_r).
+## </summary>
+## </param>
+## <param name="user_role">
+## <summary>
+## The role associated with the user domain.
+## </summary>
+## </param>
+## <param name="user_domain">
+## <summary>
+## The type of the user domain.
+## </summary>
+## </param>
+#
+template(`su_role_template',`
+ gen_require(`
+ attribute su_domain_type;
+ type su_exec_t;
+ bool secure_mode;
+ ')
+
+ type $1_su_t, su_domain_type;
+ userdom_user_application_domain($1_su_t, su_exec_t)
+ domain_interactive_fd($1_su_t)
+ role $2 types $1_su_t;
+
+ allow $3 $1_su_t:process signal;
+
+ allow $1_su_t self:capability { audit_control audit_write setuid setgid net_bind_service chown dac_override fowner sys_nice sys_resource };
+ dontaudit $1_su_t self:capability sys_tty_config;
+ allow $1_su_t self:process { setexec setsched setrlimit };
+ allow $1_su_t self:fifo_file rw_fifo_file_perms;
+ allow $1_su_t self:netlink_audit_socket { nlmsg_relay create_netlink_socket_perms };
+ allow $1_su_t self:key { search write };
+
+ allow $1_su_t $3:key search;
+
+ # Transition from the user domain to this domain.
+ domtrans_pattern($3, su_exec_t, $1_su_t)
+
+ ps_process_pattern($3, $1_su_t)
+
+ # By default, revert to the calling domain when a shell is executed.
+ corecmd_shell_domtrans($1_su_t, $3)
+ allow $3 $1_su_t:fd use;
+ allow $3 $1_su_t:fifo_file rw_file_perms;
+ allow $3 $1_su_t:process sigchld;
+
+ kernel_read_system_state($1_su_t)
+ kernel_read_kernel_sysctls($1_su_t)
+ kernel_search_key($1_su_t)
+ kernel_link_key($1_su_t)
+
+ # for SSP
+ dev_read_urand($1_su_t)
+
+ fs_search_auto_mountpoints($1_su_t)
+
+ # needed for pam_rootok
+ selinux_compute_access_vector($1_su_t)
+ selinux_get_fs_mount($1_su_t)
+
+ auth_domtrans_chk_passwd($1_su_t)
+ auth_dontaudit_read_shadow($1_su_t)
+ auth_use_nsswitch($1_su_t)
+ auth_rw_faillog($1_su_t)
+
+ corecmd_search_bin($1_su_t)
+
+ domain_use_interactive_fds($1_su_t)
+
+ files_read_etc_files($1_su_t)
+ files_read_etc_runtime_files($1_su_t)
+ files_search_var_lib($1_su_t)
+ files_dontaudit_getattr_tmp_dirs($1_su_t)
+
+ init_dontaudit_use_fds($1_su_t)
+ # Write to utmp.
+ init_rw_utmp($1_su_t)
+
+ mls_file_write_all_levels($1_su_t)
+
+ logging_send_syslog_msg($1_su_t)
+
+ miscfiles_read_localization($1_su_t)
+
+ userdom_use_user_terminals($1_su_t)
+ userdom_search_user_home_dirs($1_su_t)
+
+ ifdef(`distro_redhat',`
+ # RHEL5 and possibly newer releases incl. Fedora
+ auth_domtrans_upd_passwd($1_su_t)
+
+ optional_policy(`
+ locallogin_search_keys($1_su_t)
+ ')
+ ')
+
+ ifdef(`distro_rhel4',`
+ domain_role_change_exemption($1_su_t)
+ domain_subj_id_change_exemption($1_su_t)
+ domain_obj_id_change_exemption($1_su_t)
+
+ selinux_get_fs_mount($1_su_t)
+ selinux_validate_context($1_su_t)
+ selinux_compute_create_context($1_su_t)
+ selinux_compute_relabel_context($1_su_t)
+ selinux_compute_user_contexts($1_su_t)
+
+ # Relabel ttys and ptys.
+ term_relabel_all_ttys($1_su_t)
+ term_relabel_all_ptys($1_su_t)
+ # Close and re-open ttys and ptys to get the fd into the correct domain.
+ term_use_all_ttys($1_su_t)
+ term_use_all_ptys($1_su_t)
+
+ seutil_read_config($1_su_t)
+ seutil_read_default_contexts($1_su_t)
+
+ if(secure_mode) {
+ # Only allow transitions to unprivileged user domains.
+ userdom_spec_domtrans_unpriv_users($1_su_t)
+ } else {
+ # Allow transitions to all user domains
+ userdom_spec_domtrans_all_users($1_su_t)
+ }
+
+ optional_policy(`
+ unconfined_domtrans($1_su_t)
+ unconfined_signal($1_su_t)
+ ')
+ ')
+
+ ifdef(`hide_broken_symptoms',`
+ # dontaudit leaked sockets from parent
+ dontaudit $1_su_t $3:socket_class_set { read write };
+ ')
+
+ tunable_policy(`allow_polyinstantiation',`
+ fs_mount_xattr_fs($1_su_t)
+ fs_unmount_xattr_fs($1_su_t)
+ ')
+
+ tunable_policy(`use_nfs_home_dirs',`
+ fs_search_nfs($1_su_t)
+ ')
+
+ tunable_policy(`use_samba_home_dirs',`
+ fs_search_cifs($1_su_t)
+ ')
+
+ optional_policy(`
+ cron_read_pipes($1_su_t)
+ ')
+
+ optional_policy(`
+ kerberos_use($1_su_t)
+ ')
+
+ optional_policy(`
+ # used when the password has expired
+ usermanage_read_crack_db($1_su_t)
+ ')
+
+ # Modify .Xauthority file (via xauth program).
+ optional_policy(`
+ xserver_user_home_dir_filetrans_user_xauth($1_su_t)
+ xserver_domtrans_xauth($1_su_t)
+ ')
+')
+
+#######################################
+## <summary>
+## Execute su in the caller domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`su_exec',`
+ gen_require(`
+ type su_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ can_exec($1, su_exec_t)
+')
diff --git a/policy/modules/admin/su.te b/policy/modules/admin/su.te
new file mode 100644
index 00000000..85bb77e0
--- /dev/null
+++ b/policy/modules/admin/su.te
@@ -0,0 +1,11 @@
+policy_module(su, 1.12.0)
+
+########################################
+#
+# Declarations
+#
+
+attribute su_domain_type;
+
+type su_exec_t;
+corecmd_executable_file(su_exec_t)
diff --git a/policy/modules/admin/sudo.fc b/policy/modules/admin/sudo.fc
new file mode 100644
index 00000000..7bddc02a
--- /dev/null
+++ b/policy/modules/admin/sudo.fc
@@ -0,0 +1,2 @@
+
+/usr/bin/sudo(edit)? -- gen_context(system_u:object_r:sudo_exec_t,s0)
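Review bot: `su_restricted_domain_template` declares `type $1_su_t;` without the `su_domain_type` attribute that `su_role_template` attaches (`type $1_su_t, su_domain_type;`), so any rule later written against `su_domain_type` will silently miss the restricted su domains; change it to `type $1_su_t, su_domain_type;` and add `attribute su_domain_type;` to its gen_require. The two templates also take the user domain and role in opposite order (`$2` is the domain and `$3` the role in the restricted template, the reverse in the role template), which is easy to get wrong at call sites and deserves either a common order or an explicit comment on each template. In the restricted template `selinux_compute_access_vector` and `selinux_get_fs_mount` are granted unconditionally under "for the rootok check" and again inside the `distro_rhel4` block, and `selinux_get_fs_mount` is duplicated the same way in `su_role_template`; the conditional copies can be dropped. Both templates grant the caller `fifo_file rw_file_perms` on the su domain where sudo.if uses `rw_fifo_file_perms` for the same purpose.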
diff --git a/policy/modules/admin/sudo.if b/policy/modules/admin/sudo.if
new file mode 100644
index 00000000..09601993
--- /dev/null
+++ b/policy/modules/admin/sudo.if
@@ -0,0 +1,180 @@
+## <summary>Execute a command with a substitute user</summary>
+
+#######################################
+## <summary>
+## The role template for the sudo module.
+## </summary>
+## <desc>
+## <p>
+## This template creates a derived domain which is allowed
+## to change the linux user id, to run commands as a different
+## user.
+## </p>
+## </desc>
+## <param name="role_prefix">
+## <summary>
+## The prefix of the user role (e.g., user
+## is the prefix for user_r).
+## </summary>
+## </param>
+## <param name="user_role">
+## <summary>
+## The user role.
+## </summary>
+## </param>
+## <param name="user_domain">
+## <summary>
+## The user domain associated with the role.
+## </summary>
+## </param>
+#
+template(`sudo_role_template',`
+
+ gen_require(`
+ type sudo_exec_t;
+ attribute sudodomain;
+ ')
+
+ ##############################
+ #
+ # Declarations
+ #
+
+ type $1_sudo_t, sudodomain;
+ userdom_user_application_domain($1_sudo_t, sudo_exec_t)
+ domain_interactive_fd($1_sudo_t)
+ domain_role_change_exemption($1_sudo_t)
+ role $2 types $1_sudo_t;
+
+ ##############################
+ #
+ # Local Policy
+ #
+
+ # Use capabilities.
+ allow $1_sudo_t self:capability { fowner setuid setgid dac_override sys_nice sys_resource };
+ allow $1_sudo_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
+ allow $1_sudo_t self:process { setexec setrlimit };
+ allow $1_sudo_t self:fd use;
+ allow $1_sudo_t self:fifo_file rw_fifo_file_perms;
+ allow $1_sudo_t self:shm create_shm_perms;
+ allow $1_sudo_t self:sem create_sem_perms;
+ allow $1_sudo_t self:msgq create_msgq_perms;
+ allow $1_sudo_t self:msg { send receive };
+ allow $1_sudo_t self:unix_dgram_socket create_socket_perms;
+ allow $1_sudo_t self:unix_stream_socket create_stream_socket_perms;
+ allow $1_sudo_t self:unix_dgram_socket sendto;
+ allow $1_sudo_t self:unix_stream_socket connectto;
+ allow $1_sudo_t self:key manage_key_perms;
+
+ allow $1_sudo_t $3:key search;
+
+ # Enter this derived domain from the user domain
+ domtrans_pattern($3, sudo_exec_t, $1_sudo_t)
+
+ # By default, revert to the calling domain when a shell is executed.
+ corecmd_shell_domtrans($1_sudo_t, $3)
+ corecmd_bin_domtrans($1_sudo_t, $3)
+ allow $3 $1_sudo_t:fd use;
+ allow $3 $1_sudo_t:fifo_file rw_fifo_file_perms;
+ allow $3 $1_sudo_t:process signal_perms;
+
+ kernel_read_kernel_sysctls($1_sudo_t)
+ kernel_read_system_state($1_sudo_t)
+ kernel_link_key($1_sudo_t)
+
+ corecmd_read_bin_symlinks($1_sudo_t)
+ corecmd_exec_all_executables($1_sudo_t)
+
+ dev_getattr_fs($1_sudo_t)
+ dev_read_urand($1_sudo_t)
+ dev_rw_generic_usb_dev($1_sudo_t)
+ dev_read_sysfs($1_sudo_t)
+
+ domain_use_interactive_fds($1_sudo_t)
+ domain_sigchld_interactive_fds($1_sudo_t)
+ domain_getattr_all_entry_files($1_sudo_t)
+
+ files_read_etc_files($1_sudo_t)
+ files_read_var_files($1_sudo_t)
+ files_read_usr_symlinks($1_sudo_t)
+ files_getattr_usr_files($1_sudo_t)
+ # for some PAM modules and for cwd
+ files_dontaudit_search_home($1_sudo_t)
+ files_list_tmp($1_sudo_t)
+
+ fs_search_auto_mountpoints($1_sudo_t)
+ fs_getattr_xattr_fs($1_sudo_t)
+
+ selinux_validate_context($1_sudo_t)
+ selinux_compute_relabel_context($1_sudo_t)
+
+ term_getattr_pty_fs($1_sudo_t)
+ term_relabel_all_ttys($1_sudo_t)
+ term_relabel_all_ptys($1_sudo_t)
+
+ auth_run_chk_passwd($1_sudo_t, $2)
+ # sudo stores a token in the pam_pid directory
+ auth_manage_pam_pid($1_sudo_t)
+ auth_use_nsswitch($1_sudo_t)
+
+ init_rw_utmp($1_sudo_t)
+
+ logging_send_audit_msgs($1_sudo_t)
+ logging_send_syslog_msg($1_sudo_t)
+
+ miscfiles_read_localization($1_sudo_t)
+
+ seutil_search_default_contexts($1_sudo_t)
+ seutil_libselinux_linked($1_sudo_t)
+
+ userdom_spec_domtrans_all_users($1_sudo_t)
+ userdom_create_all_users_keys($1_sudo_t)
+ userdom_manage_user_home_content_files($1_sudo_t)
+ userdom_manage_user_home_content_symlinks($1_sudo_t)
+ userdom_manage_user_tmp_files($1_sudo_t)
+ userdom_manage_user_tmp_symlinks($1_sudo_t)
+ userdom_use_user_terminals($1_sudo_t)
+ # for some PAM modules and for cwd
+ userdom_dontaudit_search_user_home_content($1_sudo_t)
+ 
userdom_dontaudit_search_user_home_dirs($1_sudo_t)
+
+ ifdef(`hide_broken_symptoms', `
+ dontaudit $1_sudo_t $3:socket_class_set { read write };
+ ')
+
+ tunable_policy(`use_nfs_home_dirs',`
+ fs_manage_nfs_files($1_sudo_t)
+ ')
+
+ tunable_policy(`use_samba_home_dirs',`
+ fs_manage_cifs_files($1_sudo_t)
+ ')
+
+ optional_policy(`
+ dbus_system_bus_client($1_sudo_t)
+ ')
+
+ optional_policy(`
+ fprintd_dbus_chat($1_sudo_t)
+ ')
+
+')
+
+########################################
+## <summary>
+## Send a SIGCHLD signal to the sudo domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`sudo_sigchld',`
+ gen_require(`
+ attribute sudodomain;
+ ')
+
+ allow $1 sudodomain:process sigchld;
+')
diff --git a/policy/modules/admin/sudo.te b/policy/modules/admin/sudo.te
new file mode 100644
index 00000000..56ead1de
--- /dev/null
+++ b/policy/modules/admin/sudo.te
@@ -0,0 +1,9 @@
+policy_module(sudo, 1.9.0)
+
+########################################
+#
+# Declarations
+attribute sudodomain;
+
+type sudo_exec_t;
+application_executable_file(sudo_exec_t)
diff --git a/policy/modules/admin/usermanage.fc b/policy/modules/admin/usermanage.fc
new file mode 100644
index 00000000..c4671440
--- /dev/null
+++ b/policy/modules/admin/usermanage.fc
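Review bot: The pair `allow $1_sudo_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };` followed by `allow $1_sudo_t self:process { setexec setrlimit };` re-grants two of the permissions the complement was written to exclude, so the exclusion list overstates what the derived sudo domain is actually denied; the same pattern appears for chfn_t in usermanage.te, where `~{ ... setfscreate setrlimit ... }` is immediately followed by `{ setrlimit setfscreate }`. Collapse each pair to one rule with the true exclusion set, e.g. `allow $1_sudo_t self:process ~{ ptrace setcurrent setfscreate execmem execstack execheap };`, so anyone auditing the domain's process permissions sees the effective set at a glance. The two `unix_dgram_socket` and two `unix_stream_socket` self rules a few lines below can likewise be merged into one rule per class.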
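Review bot: The `# Declarations` banner in sudo.te is not closed with the trailing `#` line and blank line that su.te and usermanage.te use, so `attribute sudodomain;` reads as part of the comment block; add `#` and an empty line after `# Declarations` to match the other admin modules in this commit.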
@@ -0,0 +1,33 @@
+ifdef(`distro_gentoo',`
+/bin/passwd -- gen_context(system_u:object_r:passwd_exec_t,s0)
+')
+
+/usr/bin/chage -- gen_context(system_u:object_r:passwd_exec_t,s0)
+/usr/bin/chfn -- gen_context(system_u:object_r:chfn_exec_t,s0)
+/usr/bin/chsh -- gen_context(system_u:object_r:chfn_exec_t,s0)
+/usr/bin/gpasswd -- gen_context(system_u:object_r:groupadd_exec_t,s0)
+/usr/bin/passwd -- gen_context(system_u:object_r:passwd_exec_t,s0)
+/usr/bin/vigr -- gen_context(system_u:object_r:admin_passwd_exec_t,s0)
+/usr/bin/vipw -- gen_context(system_u:object_r:admin_passwd_exec_t,s0)
+
+/usr/lib(64)?/cracklib_dict.* -- gen_context(system_u:object_r:crack_db_t,s0)
+
+/usr/sbin/crack_[a-z]* -- gen_context(system_u:object_r:crack_exec_t,s0)
+/usr/sbin/cracklib-[a-z]* -- gen_context(system_u:object_r:crack_exec_t,s0)
+/usr/sbin/gpasswd -- gen_context(system_u:object_r:groupadd_exec_t,s0)
+/usr/sbin/groupadd -- gen_context(system_u:object_r:groupadd_exec_t,s0)
+/usr/sbin/groupdel -- gen_context(system_u:object_r:groupadd_exec_t,s0)
+/usr/sbin/groupmod -- gen_context(system_u:object_r:groupadd_exec_t,s0)
+/usr/sbin/grpconv -- gen_context(system_u:object_r:admin_passwd_exec_t,s0)
+/usr/sbin/grpunconv -- gen_context(system_u:object_r:admin_passwd_exec_t,s0)
+/usr/sbin/pwconv -- gen_context(system_u:object_r:admin_passwd_exec_t,s0)
+/usr/sbin/pwunconv -- gen_context(system_u:object_r:admin_passwd_exec_t,s0)
+/usr/sbin/useradd -- gen_context(system_u:object_r:useradd_exec_t,s0)
+/usr/sbin/userdel -- gen_context(system_u:object_r:useradd_exec_t,s0)
+/usr/sbin/usermod -- gen_context(system_u:object_r:useradd_exec_t,s0)
+/usr/sbin/vigr -- gen_context(system_u:object_r:admin_passwd_exec_t,s0)
+/usr/sbin/vipw -- gen_context(system_u:object_r:admin_passwd_exec_t,s0)
+
+/usr/share/cracklib(/.*)? gen_context(system_u:object_r:crack_db_t,s0)
+
+/var/cache/cracklib(/.*)? gen_context(system_u:object_r:crack_db_t,s0)
diff --git a/policy/modules/admin/usermanage.if b/policy/modules/admin/usermanage.if
new file mode 100644
index 00000000..98b8b2d4
--- /dev/null
+++ b/policy/modules/admin/usermanage.if
@@ -0,0 +1,297 @@
+## <summary>Policy for managing user accounts.</summary>
+
+########################################
+## <summary>
+## Execute chfn in the chfn domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`usermanage_domtrans_chfn',`
+ gen_require(`
+ type chfn_t, chfn_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, chfn_exec_t, chfn_t)
+
+ ifdef(`hide_broken_symptoms',`
+ dontaudit chfn_t $1:socket_class_set { read write };
+ ')
+')
+
+########################################
+## <summary>
+## Execute chfn in the chfn domain, and
+## allow the specified role the chfn domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+#
+interface(`usermanage_run_chfn',`
+ gen_require(`
+ attribute_role chfn_roles;
+ ')
+
+ usermanage_domtrans_chfn($1)
+ roleattribute $2 chfn_roles;
+')
+
+########################################
+## <summary>
+## Execute groupadd in the groupadd domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`usermanage_domtrans_groupadd',`
+ gen_require(`
+ type groupadd_t, groupadd_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, groupadd_exec_t, groupadd_t)
+
+ ifdef(`hide_broken_symptoms',`
+ dontaudit groupadd_t $1:socket_class_set { read write };
+ ')
+')
+
+########################################
+## <summary>
+## Execute groupadd in the groupadd domain, and
+## allow the specified role the groupadd domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`usermanage_run_groupadd',`
+ gen_require(`
+ attribute_role groupadd_roles;
+ ')
+
+ usermanage_domtrans_groupadd($1)
+ roleattribute $2 groupadd_roles;
+')
+
+########################################
+## <summary>
+## Execute passwd in the passwd domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`usermanage_domtrans_passwd',`
+ gen_require(`
+ type passwd_t, passwd_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, passwd_exec_t, passwd_t)
+
+ ifdef(`hide_broken_symptoms',`
+ dontaudit passwd_t $1:socket_class_set { read write };
+ ')
+')
+
+########################################
+## <summary>
+## Send sigkills to passwd.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`usermanage_kill_passwd',`
+ gen_require(`
+ type passwd_t;
+ ')
+
+ allow $1 passwd_t:process sigkill;
+')
+
+########################################
+## <summary>
+## Execute passwd in the passwd domain, and
+## allow the specified role the passwd domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+#
+interface(`usermanage_run_passwd',`
+ gen_require(`
+ attribute_role passwd_roles;
+ ')
+
+ usermanage_domtrans_passwd($1)
+ roleattribute $2 passwd_roles;
+')
+
+########################################
+## <summary>
+## Execute password admin functions in
+## the admin passwd domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`usermanage_domtrans_admin_passwd',`
+ gen_require(`
+ type sysadm_passwd_t, admin_passwd_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, admin_passwd_exec_t, sysadm_passwd_t)
+')
+
+########################################
+## <summary>
+## Execute passwd admin functions in the admin
+## passwd domain, and allow the specified role
+## the admin passwd domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`usermanage_run_admin_passwd',`
+ gen_require(`
+ attribute_role sysadm_passwd_roles;
+ ')
+
+ usermanage_domtrans_admin_passwd($1)
+ roleattribute $2 sysadm_passwd_roles;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to use useradd fds.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`usermanage_dontaudit_use_useradd_fds',`
+ gen_require(`
+ type useradd_t;
+ ')
+
+ dontaudit $1 useradd_t:fd use;
+')
+
+########################################
+## <summary>
+## Execute useradd in the useradd domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`usermanage_domtrans_useradd',`
+ gen_require(`
+ type useradd_t, useradd_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, useradd_exec_t, useradd_t)
+
+ ifdef(`hide_broken_symptoms',`
+ dontaudit useradd_t $1:socket_class_set { read write };
+ ')
+')
+
+########################################
+## <summary>
+## Execute useradd in the useradd domain, and
+## allow the specified role the useradd domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`usermanage_run_useradd',`
+ gen_require(`
+ attribute_role useradd_roles;
+ ')
+
+ usermanage_domtrans_useradd($1)
+ roleattribute $2 useradd_roles;
+')
+
+########################################
+## <summary>
+## Read the crack database.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`usermanage_read_crack_db',`
+ gen_require(`
+ type crack_db_t;
+ ')
+
+ files_search_var($1)
+ read_files_pattern($1, crack_db_t, crack_db_t)
+')
diff --git a/policy/modules/admin/usermanage.te b/policy/modules/admin/usermanage.te
new file mode 100644
index 00000000..7cac66fb
--- /dev/null
+++ b/policy/modules/admin/usermanage.te
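Review bot: `usermanage_run_chfn` and `usermanage_run_passwd` lack the `## <rolecap/>` tag that `usermanage_run_groupadd`, `usermanage_run_admin_passwd` and `usermanage_run_useradd` carry, although all five add the caller's role to a role attribute in the same way; add `## <rolecap/>` before the closing `#` line of both so the generated documentation lists them as role capabilities too. `usermanage_domtrans_admin_passwd` is also the only domtrans interface in this file without the hide_broken_symptoms `dontaudit sysadm_passwd_t $1:socket_class_set { read write };` block the others have; if that omission is deliberate, a one-line comment saying so would keep the next reader from "fixing" it. `usermanage_read_crack_db` grants only `files_search_var($1)` while usermanage.fc also labels crack_db_t under /usr/lib and /usr/share/cracklib, so callers presumably rely on already having search access to /usr; a comment noting that would make the interface's contract clear.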
@@ -0,0 +1,559 @@
+policy_module(usermanage, 1.17.0)
+
+########################################
+#
+# Declarations
+#
+
+attribute_role chfn_roles;
+role chfn_roles types chfn_t;
+role system_r types chfn_t;
+
+attribute_role groupadd_roles;
+role groupadd_roles types groupadd_t;
+
+attribute_role passwd_roles;
+roleattribute system_r passwd_roles;
+
+attribute_role sysadm_passwd_roles;
+roleattribute system_r sysadm_passwd_roles;
+
+attribute_role useradd_roles;
+role useradd_roles types useradd_t;
+
+type admin_passwd_exec_t;
+files_type(admin_passwd_exec_t)
+
+type chfn_t;
+type chfn_exec_t;
+domain_obj_id_change_exemption(chfn_t)
+application_domain(chfn_t, chfn_exec_t)
+
+type crack_t;
+type crack_exec_t;
+application_domain(crack_t, crack_exec_t)
+role system_r types crack_t;
+
+type crack_db_t;
+files_type(crack_db_t)
+
+type crack_tmp_t;
+files_tmp_file(crack_tmp_t)
+
+type groupadd_t;
+type groupadd_exec_t;
+domain_obj_id_change_exemption(groupadd_t)
+init_system_domain(groupadd_t, groupadd_exec_t)
+
+type passwd_t;
+type passwd_exec_t;
+domain_obj_id_change_exemption(passwd_t)
+application_domain(passwd_t, passwd_exec_t)
+role passwd_roles types passwd_t;
+
+type sysadm_passwd_t;
+domain_obj_id_change_exemption(sysadm_passwd_t)
+application_domain(sysadm_passwd_t, admin_passwd_exec_t)
+role sysadm_passwd_roles types sysadm_passwd_t;
+
+type sysadm_passwd_tmp_t;
+files_tmp_file(sysadm_passwd_tmp_t)
+
+type useradd_t;
+type useradd_exec_t;
+domain_obj_id_change_exemption(useradd_t)
+init_system_domain(useradd_t, useradd_exec_t)
+
+########################################
+#
+# Chfn local policy
+#
+
+allow chfn_t self:capability { chown dac_override fsetid setuid setgid sys_resource };
+allow chfn_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execheap execstack };
+allow chfn_t self:process { setrlimit setfscreate };
+allow chfn_t self:fd use;
+allow chfn_t self:fifo_file rw_fifo_file_perms;
+allow chfn_t self:sock_file read_sock_file_perms;
+allow chfn_t self:shm create_shm_perms;
+allow chfn_t self:sem create_sem_perms;
+allow chfn_t self:msgq create_msgq_perms;
+allow chfn_t self:msg { send receive };
+allow chfn_t self:unix_dgram_socket create_socket_perms;
+allow chfn_t self:unix_stream_socket create_stream_socket_perms;
+allow chfn_t self:unix_dgram_socket sendto;
+allow chfn_t self:unix_stream_socket connectto;
+
+kernel_read_system_state(chfn_t)
+kernel_read_kernel_sysctls(chfn_t)
+
+selinux_get_fs_mount(chfn_t)
+selinux_validate_context(chfn_t)
+selinux_compute_access_vector(chfn_t)
+selinux_compute_create_context(chfn_t)
+selinux_compute_relabel_context(chfn_t)
+selinux_compute_user_contexts(chfn_t)
+
+term_use_all_ttys(chfn_t)
+term_use_all_ptys(chfn_t)
+
+fs_getattr_xattr_fs(chfn_t)
+fs_search_auto_mountpoints(chfn_t)
+
+# for SSP
+dev_read_urand(chfn_t)
+
+auth_run_chk_passwd(chfn_t, chfn_roles)
+auth_dontaudit_read_shadow(chfn_t)
+auth_use_nsswitch(chfn_t)
+
+# allow checking if a shell is executable
+corecmd_check_exec_shell(chfn_t)
+
+domain_use_interactive_fds(chfn_t)
+
+files_manage_etc_files(chfn_t)
+files_read_etc_runtime_files(chfn_t)
+files_dontaudit_search_var(chfn_t)
+files_dontaudit_search_home(chfn_t)
+
+# /usr/bin/passwd asks for w access to utmp, but it will operate
+# correctly without it. Do not audit write denials to utmp.
+init_dontaudit_rw_utmp(chfn_t)
+
+miscfiles_read_localization(chfn_t)
+
+logging_send_syslog_msg(chfn_t)
+
+# uses unix_chkpwd for checking passwords
+seutil_dontaudit_search_config(chfn_t)
+
+userdom_use_unpriv_users_fds(chfn_t)
+# user generally runs this from their home directory, so do not audit a search
+# on user home dir
+userdom_dontaudit_search_user_home_content(chfn_t)
+
+########################################
+#
+# Crack local policy
+#
+
+allow crack_t self:process signal_perms;
+allow crack_t self:fifo_file rw_fifo_file_perms;
+
+manage_files_pattern(crack_t, crack_db_t, crack_db_t)
+manage_lnk_files_pattern(crack_t, crack_db_t, crack_db_t)
+files_search_var(crack_t)
+
+manage_dirs_pattern(crack_t, crack_tmp_t, crack_tmp_t)
+manage_files_pattern(crack_t, crack_tmp_t, crack_tmp_t)
+files_tmp_filetrans(crack_t, crack_tmp_t, { file dir })
+
+kernel_read_system_state(crack_t)
+
+# for SSP
+dev_read_urand(crack_t)
+
+fs_getattr_xattr_fs(crack_t)
+
+files_read_etc_files(crack_t)
+files_read_etc_runtime_files(crack_t)
+# for dictionaries
+files_read_usr_files(crack_t)
+
+corecmd_exec_bin(crack_t)
+
+logging_send_syslog_msg(crack_t)
+
+userdom_dontaudit_search_user_home_dirs(crack_t)
+
+ifdef(`distro_debian',`
+ # the package cracklib-runtime on Debian contains a daily maintenance
+ # script /etc/cron.daily/cracklib-runtime, that calls
+ # update-cracklib and that calls crack_mkdict, which is a shell script.
+ corecmd_exec_shell(crack_t)
+')
+
+optional_policy(`
+ cron_system_entry(crack_t, crack_exec_t)
+')
+
+########################################
+#
+# Groupadd local policy
+#
+
+allow groupadd_t self:capability { dac_override chown kill setuid sys_resource audit_write };
+dontaudit groupadd_t self:capability { fsetid sys_tty_config };
+allow groupadd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execheap execstack };
+allow groupadd_t self:process { setrlimit setfscreate };
+allow groupadd_t self:fd use;
+allow groupadd_t self:fifo_file rw_fifo_file_perms;
+allow groupadd_t self:shm create_shm_perms;
+allow groupadd_t self:sem create_sem_perms;
+allow groupadd_t self:msgq create_msgq_perms;
+allow groupadd_t self:msg { send receive };
+allow groupadd_t self:unix_dgram_socket create_socket_perms;
+allow groupadd_t self:unix_stream_socket create_stream_socket_perms;
+allow groupadd_t self:unix_dgram_socket sendto;
+allow groupadd_t self:unix_stream_socket connectto;
+
+fs_getattr_xattr_fs(groupadd_t)
+fs_search_auto_mountpoints(groupadd_t)
+
+# Allow access to context for shadow file
+selinux_get_fs_mount(groupadd_t)
+selinux_validate_context(groupadd_t)
+selinux_compute_access_vector(groupadd_t)
+selinux_compute_create_context(groupadd_t)
+selinux_compute_relabel_context(groupadd_t)
+selinux_compute_user_contexts(groupadd_t)
+
+term_use_all_ttys(groupadd_t)
+term_use_all_ptys(groupadd_t)
+
+init_use_fds(groupadd_t)
+init_read_utmp(groupadd_t)
+init_dontaudit_write_utmp(groupadd_t)
+
+domain_use_interactive_fds(groupadd_t)
+
+files_manage_etc_files(groupadd_t)
+files_relabel_etc_files(groupadd_t)
+files_read_etc_runtime_files(groupadd_t)
+files_read_usr_symlinks(groupadd_t)
+
+# Execute /usr/bin/{passwd, chfn, chsh} and /usr/sbin/{useradd, vipw}.
+corecmd_exec_bin(groupadd_t)
+
+logging_send_audit_msgs(groupadd_t)
+logging_send_syslog_msg(groupadd_t)
+
+miscfiles_read_localization(groupadd_t)
+
+auth_run_chk_passwd(groupadd_t, groupadd_roles)
+auth_rw_lastlog(groupadd_t)
+auth_use_nsswitch(groupadd_t)
+# these may be unnecessary due to the above
+# domtrans_chk_passwd() call.
+auth_manage_shadow(groupadd_t)
+auth_relabel_shadow(groupadd_t)
+auth_etc_filetrans_shadow(groupadd_t)
+
+seutil_read_config(groupadd_t)
+
+userdom_use_unpriv_users_fds(groupadd_t)
+# for when /root is the cwd
+userdom_dontaudit_search_user_home_dirs(groupadd_t)
+
+optional_policy(`
+ dpkg_use_fds(groupadd_t)
+ dpkg_rw_pipes(groupadd_t)
+')
+
+optional_policy(`
+ nscd_run(groupadd_t, groupadd_roles)
+')
+
+optional_policy(`
+ puppet_rw_tmp(groupadd_t)
+')
+
+optional_policy(`
+ rpm_use_fds(groupadd_t)
+ rpm_rw_pipes(groupadd_t)
+')
+
+########################################
+#
+# Passwd local policy
+#
+
+allow passwd_t self:capability { chown dac_override fsetid setuid setgid sys_nice sys_resource };
+dontaudit passwd_t self:capability sys_tty_config;
+allow passwd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
+allow passwd_t self:process { setrlimit setfscreate };
+allow passwd_t self:fd use;
+allow passwd_t self:fifo_file rw_fifo_file_perms;
+allow passwd_t self:sock_file read_sock_file_perms;
+allow passwd_t self:unix_dgram_socket create_socket_perms;
+allow passwd_t self:unix_stream_socket create_stream_socket_perms;
+allow passwd_t self:unix_dgram_socket sendto;
+allow passwd_t self:unix_stream_socket connectto;
+allow passwd_t self:shm create_shm_perms;
+allow passwd_t self:sem create_sem_perms;
+allow passwd_t self:msgq create_msgq_perms;
+allow passwd_t self:msg { send receive };
+
+allow passwd_t crack_db_t:dir list_dir_perms;
+read_files_pattern(passwd_t, crack_db_t, crack_db_t)
+
+kernel_read_kernel_sysctls(passwd_t)
+
+# for SSP
+dev_read_urand(passwd_t)
+
+fs_getattr_xattr_fs(passwd_t)
+fs_search_auto_mountpoints(passwd_t)
+
+mls_file_write_all_levels(passwd_t)
+mls_file_downgrade(passwd_t)
+
+selinux_get_fs_mount(passwd_t)
+selinux_validate_context(passwd_t)
+selinux_compute_access_vector(passwd_t)
+selinux_compute_create_context(passwd_t)
+selinux_compute_relabel_context(passwd_t)
+selinux_compute_user_contexts(passwd_t)
+
+term_use_all_ttys(passwd_t)
+term_use_all_ptys(passwd_t)
+
+auth_run_chk_passwd(passwd_t, passwd_roles)
+auth_manage_shadow(passwd_t)
+auth_relabel_shadow(passwd_t)
+auth_etc_filetrans_shadow(passwd_t)
+auth_use_nsswitch(passwd_t)
+
+# allow checking if a shell is executable
+corecmd_check_exec_shell(passwd_t)
+
+domain_use_interactive_fds(passwd_t)
+
+files_read_etc_runtime_files(passwd_t)
+files_manage_etc_files(passwd_t)
+files_search_var(passwd_t)
+files_dontaudit_search_pids(passwd_t)
+files_relabel_etc_files(passwd_t)
+
+# /usr/bin/passwd asks for w access to utmp, but it will operate
+# correctly without it. Do not audit write denials to utmp.
+init_dontaudit_rw_utmp(passwd_t)
+init_use_fds(passwd_t)
+
+logging_send_audit_msgs(passwd_t)
+logging_send_syslog_msg(passwd_t)
+
+miscfiles_read_localization(passwd_t)
+
+seutil_dontaudit_search_config(passwd_t)
+
+userdom_use_user_terminals(passwd_t)
+userdom_use_unpriv_users_fds(passwd_t)
+# make sure that getcon succeeds
+userdom_getattr_all_users(passwd_t)
+userdom_read_all_users_state(passwd_t)
+userdom_read_user_tmp_files(passwd_t)
+# user generally runs this from their home directory, so do not audit a search
+# on user home dir
+userdom_dontaudit_search_user_home_content(passwd_t)
+
+optional_policy(`
+ nscd_run(passwd_t, passwd_roles)
+')
+
+########################################
+#
+# Password admin local policy
+#
+
+allow sysadm_passwd_t self:capability { chown dac_override fsetid setuid setgid sys_resource };
+allow sysadm_passwd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
+allow sysadm_passwd_t self:process { setrlimit setfscreate };
+allow sysadm_passwd_t self:fd use;
+allow sysadm_passwd_t self:fifo_file rw_fifo_file_perms;
+allow sysadm_passwd_t self:sock_file read_sock_file_perms;
+allow sysadm_passwd_t self:unix_dgram_socket create_socket_perms;
+allow sysadm_passwd_t self:unix_stream_socket create_stream_socket_perms;
+allow sysadm_passwd_t self:unix_dgram_socket sendto;
+allow sysadm_passwd_t self:unix_stream_socket connectto;
+allow sysadm_passwd_t self:shm create_shm_perms;
+allow sysadm_passwd_t self:sem create_sem_perms;
+allow sysadm_passwd_t self:msgq create_msgq_perms;
+allow sysadm_passwd_t self:msg { send receive };
+
+# allow vipw to create temporary files under /var/tmp/vi.recover
+manage_dirs_pattern(sysadm_passwd_t, sysadm_passwd_tmp_t, sysadm_passwd_tmp_t)
+manage_files_pattern(sysadm_passwd_t, sysadm_passwd_tmp_t, sysadm_passwd_tmp_t)
+files_tmp_filetrans(sysadm_passwd_t, sysadm_passwd_tmp_t, { file dir })
+files_search_var(sysadm_passwd_t)
+files_dontaudit_search_home(sysadm_passwd_t)
+
+kernel_read_kernel_sysctls(sysadm_passwd_t)
+# for /proc/meminfo
+kernel_read_system_state(sysadm_passwd_t)
+
+selinux_get_fs_mount(sysadm_passwd_t)
+selinux_validate_context(sysadm_passwd_t)
+selinux_compute_access_vector(sysadm_passwd_t)
+selinux_compute_create_context(sysadm_passwd_t)
+selinux_compute_relabel_context(sysadm_passwd_t)
+selinux_compute_user_contexts(sysadm_passwd_t)
+
+# for SSP
+dev_read_urand(sysadm_passwd_t)
+
+fs_getattr_xattr_fs(sysadm_passwd_t)
+fs_search_auto_mountpoints(sysadm_passwd_t)
+
+term_use_all_ttys(sysadm_passwd_t)
+term_use_all_ptys(sysadm_passwd_t)
+
+auth_manage_shadow(sysadm_passwd_t)
+auth_relabel_shadow(sysadm_passwd_t)
+auth_etc_filetrans_shadow(sysadm_passwd_t)
+auth_use_nsswitch(sysadm_passwd_t)
+
+# allow vipw to exec the editor
+corecmd_exec_bin(sysadm_passwd_t)
+corecmd_exec_shell(sysadm_passwd_t)
+files_read_usr_files(sysadm_passwd_t)
+
+domain_use_interactive_fds(sysadm_passwd_t)
+
+files_manage_etc_files(sysadm_passwd_t)
+files_relabel_etc_files(sysadm_passwd_t)
+files_read_etc_runtime_files(sysadm_passwd_t)
+# for nscd lookups
+files_dontaudit_search_pids(sysadm_passwd_t)
+
+# /usr/bin/passwd asks for w access to utmp, but it will operate
+# correctly without it. Do not audit write denials to utmp.
+init_dontaudit_rw_utmp(sysadm_passwd_t)
+
+miscfiles_read_localization(sysadm_passwd_t)
+
+logging_send_syslog_msg(sysadm_passwd_t)
+
+seutil_dontaudit_search_config(sysadm_passwd_t)
+
+userdom_use_unpriv_users_fds(sysadm_passwd_t)
+# user generally runs this from their home directory, so do not audit a search
+# on user home dir
+userdom_dontaudit_search_user_home_content(sysadm_passwd_t)
+
+optional_policy(`
+ nscd_run(sysadm_passwd_t, sysadm_passwd_roles)
+')
+
+########################################
+#
+# Useradd local policy
+#
+
+allow useradd_t self:capability { dac_override chown kill fowner fsetid setuid sys_resource };
+dontaudit useradd_t self:capability sys_tty_config;
+allow useradd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
+allow useradd_t self:process setfscreate;
+allow useradd_t self:fd use;
+allow useradd_t self:fifo_file rw_fifo_file_perms;
+allow useradd_t self:shm create_shm_perms;
+allow useradd_t self:sem create_sem_perms;
+allow useradd_t self:msgq create_msgq_perms;
+allow useradd_t self:msg { send receive };
+allow useradd_t self:unix_dgram_socket create_socket_perms;
+allow useradd_t self:unix_stream_socket create_stream_socket_perms;
+allow useradd_t self:unix_dgram_socket sendto;
+allow useradd_t self:unix_stream_socket connectto;
+
+# for getting the number of groups
+kernel_read_kernel_sysctls(useradd_t)
+
+corecmd_exec_shell(useradd_t)
+# Execute /usr/bin/{passwd,chfn,chsh} and /usr/sbin/{useradd,vipw}.
+corecmd_exec_bin(useradd_t)
+
+domain_use_interactive_fds(useradd_t)
+domain_read_all_domains_state(useradd_t)
+
+files_manage_etc_files(useradd_t)
+files_search_var_lib(useradd_t)
+files_relabel_etc_files(useradd_t)
+files_read_etc_runtime_files(useradd_t)
+
+fs_search_auto_mountpoints(useradd_t)
+fs_getattr_xattr_fs(useradd_t)
+
+mls_file_upgrade(useradd_t)
+
+# Allow access to context for shadow file
+selinux_get_fs_mount(useradd_t)
+selinux_validate_context(useradd_t)
+selinux_compute_access_vector(useradd_t)
+selinux_compute_create_context(useradd_t)
+selinux_compute_relabel_context(useradd_t)
+selinux_compute_user_contexts(useradd_t)
+
+term_use_all_ttys(useradd_t)
+term_use_all_ptys(useradd_t)
+
+auth_run_chk_passwd(useradd_t, useradd_roles)
+auth_rw_lastlog(useradd_t)
+auth_rw_faillog(useradd_t)
+auth_use_nsswitch(useradd_t)
+# these may be unnecessary due to the above
+# domtrans_chk_passwd() call.
+auth_manage_shadow(useradd_t)
+auth_relabel_shadow(useradd_t)
+auth_etc_filetrans_shadow(useradd_t)
+
+init_use_fds(useradd_t)
+init_rw_utmp(useradd_t)
+
+logging_send_audit_msgs(useradd_t)
+logging_send_syslog_msg(useradd_t)
+
+miscfiles_read_localization(useradd_t)
+
+seutil_read_config(useradd_t)
+seutil_read_file_contexts(useradd_t)
+seutil_read_default_contexts(useradd_t)
+seutil_run_semanage(useradd_t, useradd_roles)
+seutil_run_setfiles(useradd_t, useradd_roles)
+
+userdom_use_unpriv_users_fds(useradd_t)
+# Add/remove user home directories
+userdom_manage_user_home_dirs(useradd_t)
+userdom_home_filetrans_user_home_dir(useradd_t)
+userdom_manage_user_home_content_dirs(useradd_t)
+userdom_manage_user_home_content_files(useradd_t)
+userdom_home_filetrans_user_home_dir(useradd_t)
+userdom_user_home_dir_filetrans_user_home_content(useradd_t, notdevfile_class_set)
+
+optional_policy(`
+ mta_manage_spool(useradd_t)
+')
+
+ifdef(`distro_redhat',`
+ optional_policy(`
+ unconfined_domain(useradd_t)
+ ')
+')
+
+optional_policy(`
+ apache_manage_all_user_content(useradd_t)
+')
+
+optional_policy(`
+ dpkg_use_fds(useradd_t)
+ dpkg_rw_pipes(useradd_t)
+')
+
+optional_policy(`
+ nscd_run(useradd_t, useradd_roles)
+')
+
+optional_policy(`
+ puppet_rw_tmp(useradd_t)
+')
+
+optional_policy(`
+ tunable_policy(`samba_domain_controller',`
+ samba_append_log(useradd_t)
+ ')
+')
+
+optional_policy(`
+ rpm_use_fds(useradd_t)
+ rpm_rw_pipes(useradd_t)
+') |
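Review bot: The `unconfined_domain(useradd_t)` call inside the `distro_redhat` block near the end of the useradd section has no comment explaining why it is needed, yet on those builds it presumably removes the confinement that the rest of this section carefully constructs, so every caller granted `usermanage_run_useradd` in usermanage.if would end up transitioning into an effectively unconfined domain there. A maintainer cannot tell whether this is a known workaround or a leftover, so a rationale line above it is warranted, e.g. `# TODO(review): record which useradd operation requires an unconfined domain on Red Hat builds and why a narrower interface does not suffice`. Two smaller points in the same section: `userdom_home_filetrans_user_home_dir(useradd_t)` appears twice in the home-directory group and one copy should go, and the comment `# domtrans_chk_passwd() call.` (here and in the groupadd section) names an interface that is not what is called; the preceding line is `auth_run_chk_passwd(...)`, so `# auth_run_chk_passwd() call.` would match the code.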