selinux-policy/targeted/domains/program/passwd.te

#DESC Passwd - Password utilities
#
# Authors:  Stephen Smalley <sds@epoch.ncsc.mil> and Timothy Fraser  
# X-Debian-Packages: passwd
#

#################################
#
# Rules for the passwd_t domain.
#
define(`base_passwd_domain', `
type $1_t, domain, privlog, $2;

# for SSP
allow $1_t urandom_device_t:chr_file read;

allow $1_t self:process setrlimit;

general_domain_access($1_t);
uses_shlib($1_t);

# Inherit and use descriptors from login.
allow $1_t privfd:fd use;
ifdef(`gnome-pty-helper.te', `allow $1_t gphdomain:fd use;')

read_locale($1_t)

allow $1_t fs_t:filesystem getattr;

# allow checking if a shell is executable
allow $1_t shell_exec_t:file execute;

# Obtain contexts
can_getsecurity($1_t)

allow $1_t etc_t:file create_file_perms;

# read /etc/mtab
allow $1_t etc_runtime_t:file { getattr read };

# Allow etc_t symlinks for /etc/alternatives on Debian.
allow $1_t etc_t:lnk_file read;

# Use capabilities.
allow $1_t self:capability { chown dac_override fsetid setuid setgid sys_resource };

# Access terminals.
allow $1_t { ttyfile ptyfile }:chr_file rw_file_perms;
allow $1_t devtty_t:chr_file rw_file_perms;

dontaudit $1_t devpts_t:dir getattr;

# /usr/bin/passwd asks for w access to utmp, but it will operate
# correctly without it.  Do not audit write denials to utmp.
dontaudit $1_t initrc_var_run_t:file { read write };

# user generally runs this from their home directory, so do not audit a search
# on user home dir
dontaudit $1_t { user_home_dir_type user_home_type }:dir search;

# When the wrong current passwd is entered, passwd, for some reason, 
# attempts to access /proc and /dev, but handles failure appropriately. So
# do not audit those denials.
dontaudit $1_t { proc_t device_t }:dir { search read };

allow $1_t device_t:dir getattr;
read_sysctl($1_t)
')

#################################
#
# Rules for the passwd_t domain.
#
define(`passwd_domain', `
base_passwd_domain($1, `auth_write, privowner')
# Update /etc/shadow and /etc/passwd
file_type_auto_trans($1_t, etc_t, shadow_t, file)
allow $1_t { etc_t shadow_t }:file { relabelfrom relabelto };
can_setfscreate($1_t)
')

passwd_domain(passwd)
passwd_domain(sysadm_passwd)
base_passwd_domain(chfn, `auth_chkpwd, etc_writer, privowner')
can_setfscreate(chfn_t)

# can exec /sbin/unix_chkpwd
allow chfn_t { bin_t sbin_t }:dir search;

# uses unix_chkpwd for checking passwords
dontaudit chfn_t shadow_t:file read;
allow chfn_t etc_t:dir rw_dir_perms;
allow chfn_t etc_t:file create_file_perms;
allow chfn_t proc_t:file { getattr read };
allow chfn_t self:file write;

in_user_role(passwd_t)
in_user_role(chfn_t)
role sysadm_r types passwd_t;
role sysadm_r types sysadm_passwd_t;
role sysadm_r types chfn_t;
role system_r types passwd_t;
role system_r types chfn_t;

type admin_passwd_exec_t, file_type, sysadmfile;
type passwd_exec_t, file_type, sysadmfile, exec_type;
type chfn_exec_t, file_type, sysadmfile, exec_type;

domain_auto_trans({ userdomain ifdef(`firstboot.te', `firstboot_t') }, passwd_exec_t, passwd_t)
domain_auto_trans({ userdomain ifdef(`firstboot.te', `firstboot_t') }, chfn_exec_t, chfn_t)
domain_auto_trans(sysadm_t, admin_passwd_exec_t, sysadm_passwd_t)

dontaudit chfn_t var_t:dir search;

ifdef(`crack.te', `
allow passwd_t var_t:dir search;
dontaudit passwd_t var_run_t:dir search;
allow passwd_t crack_db_t:dir r_dir_perms;
allow passwd_t crack_db_t:file r_file_perms;
', `
dontaudit passwd_t var_t:dir search;
')

# allow vipw to exec the editor
allow sysadm_passwd_t { root_t bin_t sbin_t }:dir search;
allow sysadm_passwd_t bin_t:lnk_file read;
can_exec(sysadm_passwd_t, { shell_exec_t bin_t })
r_dir_file(sysadm_passwd_t, usr_t)

# allow vipw to create temporary files under /var/tmp/vi.recover
allow sysadm_passwd_t var_t:dir search;
tmp_domain(sysadm_passwd)
# for vipw - vi looks in the root home directory for config
dontaudit sysadm_passwd_t sysadm_home_dir_t:dir { getattr search };
# for /etc/alternatives/vi
allow sysadm_passwd_t etc_t:lnk_file read;

# for nscd lookups
dontaudit sysadm_passwd_t var_run_t:dir search;

# for /proc/meminfo
allow sysadm_passwd_t proc_t:file { getattr read };

dontaudit { chfn_t passwd_t sysadm_passwd_t } selinux_config_t:dir search;
dontaudit sysadm_passwd_t devpts_t:dir search;

# make sure that getcon succeeds
allow passwd_t userdomain:dir search;
allow passwd_t userdomain:file { getattr read };
allow passwd_t userdomain:process getattr;

allow passwd_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay };

ifdef(`targeted_policy', `
role system_r types sysadm_passwd_t;
')
add 1.27.1-22 targeted policy 2005-10-21 18:05:21 +00:00			`#DESC Passwd - Password utilities`
			`#`
			`# Authors: Stephen Smalley <sds@epoch.ncsc.mil> and Timothy Fraser`
			`# X-Debian-Packages: passwd`
			`#`

			`#################################`
			`#`
			`# Rules for the passwd_t domain.`
			`#`
			define(`base_passwd_domain', `
			`type $1_t, domain, privlog, $2;`

			`# for SSP`
			`allow $1_t urandom_device_t:chr_file read;`

			`allow $1_t self:process setrlimit;`

			`general_domain_access($1_t);`
			`uses_shlib($1_t);`

			`# Inherit and use descriptors from login.`
			`allow $1_t privfd:fd use;`
			ifdef(`gnome-pty-helper.te', `allow $1_t gphdomain:fd use;')

			`read_locale($1_t)`

			`allow $1_t fs_t:filesystem getattr;`

			`# allow checking if a shell is executable`
			`allow $1_t shell_exec_t:file execute;`

			`# Obtain contexts`
			`can_getsecurity($1_t)`

			`allow $1_t etc_t:file create_file_perms;`

			`# read /etc/mtab`
			`allow $1_t etc_runtime_t:file { getattr read };`

			`# Allow etc_t symlinks for /etc/alternatives on Debian.`
			`allow $1_t etc_t:lnk_file read;`

			`# Use capabilities.`
			`allow $1_t self:capability { chown dac_override fsetid setuid setgid sys_resource };`

			`# Access terminals.`
			`allow $1_t { ttyfile ptyfile }:chr_file rw_file_perms;`
			`allow $1_t devtty_t:chr_file rw_file_perms;`

			`dontaudit $1_t devpts_t:dir getattr;`

			`# /usr/bin/passwd asks for w access to utmp, but it will operate`
			`# correctly without it. Do not audit write denials to utmp.`
			`dontaudit $1_t initrc_var_run_t:file { read write };`

			`# user generally runs this from their home directory, so do not audit a search`
			`# on user home dir`
			`dontaudit $1_t { user_home_dir_type user_home_type }:dir search;`

			`# When the wrong current passwd is entered, passwd, for some reason,`
			`# attempts to access /proc and /dev, but handles failure appropriately. So`
			`# do not audit those denials.`
			`dontaudit $1_t { proc_t device_t }:dir { search read };`

			`allow $1_t device_t:dir getattr;`
			`read_sysctl($1_t)`
			`')`

			`#################################`
			`#`
			`# Rules for the passwd_t domain.`
			`#`
			define(`passwd_domain', `
			base_passwd_domain($1, `auth_write, privowner')
			`# Update /etc/shadow and /etc/passwd`
			`file_type_auto_trans($1_t, etc_t, shadow_t, file)`
			`allow $1_t { etc_t shadow_t }:file { relabelfrom relabelto };`
			`can_setfscreate($1_t)`
			`')`

			`passwd_domain(passwd)`
			`passwd_domain(sysadm_passwd)`
			base_passwd_domain(chfn, `auth_chkpwd, etc_writer, privowner')
			`can_setfscreate(chfn_t)`

			`# can exec /sbin/unix_chkpwd`
			`allow chfn_t { bin_t sbin_t }:dir search;`

			`# uses unix_chkpwd for checking passwords`
			`dontaudit chfn_t shadow_t:file read;`
			`allow chfn_t etc_t:dir rw_dir_perms;`
			`allow chfn_t etc_t:file create_file_perms;`
			`allow chfn_t proc_t:file { getattr read };`
			`allow chfn_t self:file write;`

			`in_user_role(passwd_t)`
			`in_user_role(chfn_t)`
			`role sysadm_r types passwd_t;`
			`role sysadm_r types sysadm_passwd_t;`
			`role sysadm_r types chfn_t;`
			`role system_r types passwd_t;`
			`role system_r types chfn_t;`

			`type admin_passwd_exec_t, file_type, sysadmfile;`
			`type passwd_exec_t, file_type, sysadmfile, exec_type;`
			`type chfn_exec_t, file_type, sysadmfile, exec_type;`

			domain_auto_trans({ userdomain ifdef(`firstboot.te', `firstboot_t') }, passwd_exec_t, passwd_t)
			domain_auto_trans({ userdomain ifdef(`firstboot.te', `firstboot_t') }, chfn_exec_t, chfn_t)
			`domain_auto_trans(sysadm_t, admin_passwd_exec_t, sysadm_passwd_t)`

			`dontaudit chfn_t var_t:dir search;`

			ifdef(`crack.te', `
			`allow passwd_t var_t:dir search;`
			`dontaudit passwd_t var_run_t:dir search;`
			`allow passwd_t crack_db_t:dir r_dir_perms;`
			`allow passwd_t crack_db_t:file r_file_perms;`
			', `
			`dontaudit passwd_t var_t:dir search;`
			`')`

			`# allow vipw to exec the editor`
			`allow sysadm_passwd_t { root_t bin_t sbin_t }:dir search;`
			`allow sysadm_passwd_t bin_t:lnk_file read;`
			`can_exec(sysadm_passwd_t, { shell_exec_t bin_t })`
			`r_dir_file(sysadm_passwd_t, usr_t)`

			`# allow vipw to create temporary files under /var/tmp/vi.recover`
			`allow sysadm_passwd_t var_t:dir search;`
			`tmp_domain(sysadm_passwd)`
			`# for vipw - vi looks in the root home directory for config`
			`dontaudit sysadm_passwd_t sysadm_home_dir_t:dir { getattr search };`
			`# for /etc/alternatives/vi`
			`allow sysadm_passwd_t etc_t:lnk_file read;`

			`# for nscd lookups`
			`dontaudit sysadm_passwd_t var_run_t:dir search;`

			`# for /proc/meminfo`
			`allow sysadm_passwd_t proc_t:file { getattr read };`

			`dontaudit { chfn_t passwd_t sysadm_passwd_t } selinux_config_t:dir search;`
			`dontaudit sysadm_passwd_t devpts_t:dir search;`

			`# make sure that getcon succeeds`
			`allow passwd_t userdomain:dir search;`
			`allow passwd_t userdomain:file { getattr read };`
			`allow passwd_t userdomain:process getattr;`

			`allow passwd_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay };`

			ifdef(`targeted_policy', `
			`role system_r types sysadm_passwd_t;`
			`')`