2005-04-29 17:45:15 +00:00
|
|
|
#DESC Useradd - Manage system user accounts
|
|
|
|
#
|
|
|
|
# Authors: Chris Vance <cvance@tislabs.com> David Caplan <dac@tresys.com>
|
|
|
|
# Russell Coker <russell@coker.com.au>
|
|
|
|
# X-Debian-Packages: passwd
|
|
|
|
#
|
|
|
|
|
|
|
|
#################################
|
|
|
|
#
|
|
|
|
# Rules for the useradd_t and groupadd_t domains.
|
|
|
|
#
|
|
|
|
# useradd_t is the domain of the useradd/userdel programs.
|
|
|
|
# groupadd_t is for adding groups (can not create home dirs)
|
|
|
|
#
|
|
|
|
define(`user_group_add_program', `
|
|
|
|
type $1_t, domain, privlog, auth_write, privowner, nscd_client_domain;
|
|
|
|
role sysadm_r types $1_t;
|
|
|
|
role system_r types $1_t;
|
|
|
|
|
|
|
|
general_domain_access($1_t)
|
|
|
|
uses_shlib($1_t)
|
|
|
|
|
|
|
|
type $1_exec_t, file_type, sysadmfile, exec_type;
|
|
|
|
domain_auto_trans(sysadm_t, $1_exec_t, $1_t)
|
|
|
|
domain_auto_trans(initrc_t, $1_exec_t, $1_t)
|
|
|
|
|
|
|
|
# Use capabilities.
|
|
|
|
allow $1_t self:capability { dac_override chown kill };
|
|
|
|
|
|
|
|
# Allow access to context for shadow file
|
|
|
|
can_getsecurity($1_t)
|
|
|
|
|
|
|
|
# Inherit and use descriptors from login.
|
|
|
|
allow $1_t { init_t privfd }:fd use;
|
|
|
|
|
|
|
|
# Execute /usr/bin/{passwd,chfn,chsh} and /usr/sbin/{useradd,vipw}.
|
|
|
|
allow $1_t { bin_t sbin_t }:dir r_dir_perms;
|
|
|
|
can_exec($1_t, { bin_t sbin_t })
|
|
|
|
|
|
|
|
# Update /etc/shadow and /etc/passwd
|
|
|
|
file_type_auto_trans($1_t, etc_t, shadow_t, file)
|
|
|
|
allow $1_t etc_t:file create_file_perms;
|
|
|
|
|
|
|
|
# some apps ask for these accesses, but seems to work regardless
|
|
|
|
dontaudit $1_t var_run_t:dir search;
|
|
|
|
r_dir_file($1_t, selinux_config_t)
|
|
|
|
|
|
|
|
# Set fscreate context.
|
|
|
|
can_setfscreate($1_t)
|
|
|
|
|
|
|
|
allow $1_t { etc_t shadow_t }:file { relabelfrom relabelto };
|
|
|
|
|
|
|
|
read_locale($1_t)
|
|
|
|
|
|
|
|
# useradd/userdel request read/write for /var/log/lastlog, and read of /dev,
|
|
|
|
# but will operate without them.
|
|
|
|
dontaudit $1_t { device_t var_t var_log_t }:dir search;
|
|
|
|
allow useradd_t lastlog_t:file { read write };
|
|
|
|
|
|
|
|
# For userdel and groupadd
|
|
|
|
allow $1_t fs_t:filesystem getattr;
|
|
|
|
|
|
|
|
# Access terminals.
|
|
|
|
allow $1_t ttyfile:chr_file rw_file_perms;
|
|
|
|
allow $1_t ptyfile:chr_file rw_file_perms;
|
|
|
|
ifdef(`gnome-pty-helper.te', `allow $1_t gphdomain:fd use;')
|
|
|
|
|
|
|
|
# for when /root is the cwd
|
|
|
|
dontaudit $1_t sysadm_home_dir_t:dir search;
|
|
|
|
')
|
|
|
|
user_group_add_program(useradd)
|
|
|
|
|
|
|
|
# for getting the number of groups
|
|
|
|
read_sysctl(useradd_t)
|
|
|
|
|
|
|
|
# Add/remove user home directories
|
|
|
|
file_type_auto_trans(useradd_t, home_root_t, user_home_dir_t, dir)
|
|
|
|
file_type_auto_trans(useradd_t, user_home_dir_t, user_home_t)
|
|
|
|
|
|
|
|
# create/delete mail spool file in /var/mail
|
|
|
|
allow useradd_t var_spool_t:dir search;
|
|
|
|
allow useradd_t mail_spool_t:dir { search write add_name remove_name };
|
|
|
|
allow useradd_t mail_spool_t:file create_file_perms;
|
|
|
|
# /var/mail is a link to /var/spool/mail
|
|
|
|
allow useradd_t mail_spool_t:lnk_file read;
|
|
|
|
|
|
|
|
allow useradd_t self:capability { fowner fsetid setuid sys_resource };
|
|
|
|
can_exec(useradd_t, shell_exec_t)
|
|
|
|
|
|
|
|
# /usr/bin/userdel locks the user being deleted, allow write access to utmp
|
|
|
|
allow useradd_t initrc_var_run_t:file { read write lock };
|
|
|
|
|
|
|
|
user_group_add_program(groupadd)
|
|
|
|
|
|
|
|
dontaudit groupadd_t self:capability fsetid;
|
|
|
|
|
|
|
|
allow groupadd_t self:capability { setuid sys_resource };
|
|
|
|
allow groupadd_t self:process setrlimit;
|
|
|
|
allow groupadd_t initrc_var_run_t:file r_file_perms;
|
|
|
|
dontaudit groupadd_t initrc_var_run_t:file write;
|
2005-09-15 15:34:31 +00:00
|
|
|
|
|
|
|
allow useradd_t default_context_t:dir search;
|
|
|
|
allow useradd_t file_context_t:dir search;
|
|
|
|
allow useradd_t file_context_t:file { getattr read };
|
2005-09-16 13:36:26 +00:00
|
|
|
allow useradd_t var_lib_t:dir search;
|