#
# Macros for all admin domains.
#

#
# admin_domain(domain_prefix)
#
# Define derived types and rules for an administrator domain. domain_prefix
# is the bare prefix of the domain (the domain itself is domain_prefix_t,
# as in sysadm_t); every derived type declared here carries that prefix.
#
# The type declaration and role authorization for the domain must be
# provided separately. Likewise, domain transitions into this domain
# must be specified separately. If the every_domain() rules are desired,
# then these rules must also be specified separately.
#
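undefine(`admin_domain')
define(`admin_domain',`
# Private file attribute for this admin domain. Derived file types of the
# domain (home, tmp, ...) carry it so that rules can name all of them at once.
attribute $1_file_type;

# Home directory and home content types.
type $1_home_dir_t, file_type, sysadmfile, home_dir_type, home_type;
type $1_home_t, file_type, sysadmfile, home_type, $1_file_type;

# Pty devices created by this domain carry admin_tty_type, which keeps
# admin ptys apart from ordinary user ptys.
can_create_pty($1, `, admin_tty_type')

# Temporary files. Plain files and directories are handled by the content
# macros; symlinks, sockets and fifos created in tmp_t are transitioned here.
tmp_domain_notrans($1, `, $1_file_type')
file_type_auto_trans($1_t, tmp_t, $1_tmp_t, { lnk_file sock_file fifo_file })
allow $1_t $1_tmp_t:{ dir file } { relabelto relabelfrom };

# Tty device type for this domain.
type $1_tty_device_t, sysadmfile, ttyfile, dev_fs, admin_tty_type;

# Everything an ordinary user domain gets, plus removable media.
base_user_domain($1)
access_removable_media($1_t)

# setuid is already included in the ~sys_module capability rule further
# down; kept so the intent survives if that broad rule is ever narrowed.
allow $1_t self:capability setuid;

# Privilege helpers, only when their policy is part of the build.
ifdef(`su.te', `su_domain($1)')
ifdef(`userhelper.te', `userhelper_domain($1)')
ifdef(`sudo.te', `sudo_domain($1)')

# Let admin stat the shadow file. getattr only: no read permission is
# granted on shadow_t here, so this does not expose password hashes.
allow $1_t shadow_t:file getattr;

# Cron jobs running for the admin may read the system logs.
ifdef(`crond.te', `
allow $1_crond_t var_log_t:file r_file_perms;
')

# Allow system log read
allow $1_t kernel_t:system syslog_read;

# Allow autrace
# The live rule (nlmsg_readpriv on netlink_audit_socket) is granted by
# security_manager_domain() below rather than here.
# allow sysadm_t self:netlink_audit_socket nlmsg_readpriv;

# Use capabilities other than sys_module. This is every capability,
# sys_admin, sys_rawio, sys_ptrace and dac_override included, so the
# domain holds nearly all the privilege root has. sys_module is withheld
# so the admin cannot load kernel code and thereby bypass the policy.
allow $1_t self:capability ~sys_module;

# Use system operations: the wildcard grants every permission of the
# system class on the kernel.
allow $1_t kernel_t:system *;

# Set password information for other users.
allow $1_t self:passwd { passwd chfn chsh };

# Skip authentication when pam_rootok is specified.
allow $1_t self:passwd rootok;

# Manipulate other user crontab. The getsecurity rule is parameterised on
# the domain prefix (it used to hard-code sysadm_crontab_t regardless of
# the prefix) and is guarded by the same ifdef as the other crontab rule
# in this macro, so the policy still builds when crontab.te is absent.
allow $1_t self:passwd crontab;
ifdef(`crontab.te', `can_getsecurity($1_crontab_t)')

# Change system parameters.
can_sysctl($1_t)

# Create and use all files that have the sysadmfile attribute. Together
# with the relabel rules further down this is the bulk of what makes the
# domain an administrator: sysadmfile is carried by the files an admin is
# meant to manage.
allow $1_t sysadmfile:{ file sock_file fifo_file } create_file_perms;
allow $1_t sysadmfile:lnk_file create_lnk_perms;
allow $1_t sysadmfile:dir create_dir_perms;

# for lsof
allow $1_t mtrr_device_t:file getattr;
allow $1_t fs_type:dir getattr;

# Access removable devices.
allow $1_t removable_device_t:devfile_class_set rw_file_perms;

# Communicate with the init process.
allow $1_t initctl_t:fifo_file rw_file_perms;

# Examine all processes.
can_ps($1_t, domain)

# allow renice
allow $1_t domain:process setsched;

# Send signals to all processes.
allow $1_t { domain unlabeled_t }:process signal_perms;

# Access all user terminals.
allow $1_t tty_device_t:chr_file rw_file_perms;
allow $1_t ttyfile:chr_file rw_file_perms;
allow $1_t ptyfile:chr_file rw_file_perms;
allow $1_t serial_device:chr_file setattr;

# allow setting up tunnels
allow $1_t tun_tap_device_t:chr_file rw_file_perms;

# run ls -l /dev
allow $1_t device_t:dir r_dir_perms;
allow $1_t { device_t device_type }:{ chr_file blk_file } getattr;
allow $1_t ptyfile:chr_file getattr;

# Run programs from staff home directories.
# Not ideal, but typical if users want to login as both sysadm_t or staff_t.
can_exec($1_t, staff_home_t)

# Run programs from /usr/src.
can_exec($1_t, src_t)

# Relabel all files.
# Actually this will not allow relabeling ALL files unless you change
# sysadmfile to file_type (and change the assertion in assert.te that
# only auth_write can relabel shadow_t)
allow $1_t sysadmfile:dir { getattr read search relabelfrom relabelto };
allow $1_t sysadmfile:notdevfile_class_set { getattr relabelfrom relabelto };

ifdef(`startx.te', `
ifdef(`xserver.te', `
# Create files in /tmp/.X11-unix with our X servers derived
# tmp type rather than user_xserver_tmp_t.
file_type_auto_trans($1_xserver_t, xserver_tmpfile, $1_xserver_tmp_t, sock_file)
')dnl end xserver.te
')dnl end startx.te

ifdef(`xdm.te', `
ifdef(`xauth.te', `
if (xdm_sysadm_login) {
allow xdm_t $1_home_t:lnk_file read;
allow xdm_t $1_home_t:dir search;
}
can_pipe_xdm($1_t)
')dnl end ifdef xauth.te
')dnl end ifdef xdm.te

#
# A user who is authorized for sysadm_t may nonetheless have
# a home directory labeled with user_home_t if the user is expected
# to login in either user_t or sysadm_t. Hence, the derived domains
# for programs need to be able to access user_home_t.
#

# Allow our gph domain to write to .xsession-errors.
ifdef(`gnome-pty-helper.te', `
allow $1_gph_t user_home_dir_type:dir rw_dir_perms;
allow $1_gph_t user_home_type:file create_file_perms;
')

# Allow our crontab domain to unlink a user cron spool file.
ifdef(`crontab.te',
`allow $1_crontab_t user_cron_spool_t:file unlink;')

# for the administrator to run TCP servers directly. name_bind is granted
# on port_t only; ports that carry a more specific type are not covered.
can_tcp_connect($1_t, $1_t)
allow $1_t port_t:tcp_socket name_bind;

# Connect data port to ftpd.
ifdef(`ftpd.te', `can_tcp_connect(ftpd_t, $1_t)')

# Connect second port to rshd.
ifdef(`rshd.te', `can_tcp_connect(rshd_t, $1_t)')

#
# Allow sysadm to execute quota commands against filesystems and files.
#
allow $1_t fs_type:filesystem quotamod;

# Grant read and write access to /dev/console.
allow $1_t console_device_t:chr_file rw_file_perms;

# Allow MAKEDEV to work
allow $1_t device_t:dir rw_dir_perms;
allow $1_t device_type:{ blk_file chr_file } { create unlink rename };
allow $1_t device_t:lnk_file { create read };

# for lsof
allow $1_t domain:socket_class_set getattr;
allow $1_t eventpollfs_t:file getattr;
')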
define(`security_manager_domain', `

typeattribute $1 secadmin;

# The rules in this macro make $1 a fully trusted policy administrator:
# it can switch enforcing mode off, toggle booleans, query the security
# server, set security parameters and rewrite the policy sources on disk.
# Grant this macro to as few domains as possible.

# Set the enforcing flag (enforcing/permissive).
can_setenforce($1)

# Set policy booleans.
can_setbool($1)

# Ask the security server for policy decisions.
can_getsecurity($1)

# Set security parameters.
can_setsecparam($1)

# Program-specific admin rules used to live here; they now belong to the
# respective program domain files.

# added by mayerf@tresys.com
# Temporary until a complete policy management infrastructure is in place
# that keeps an administrator from editing policy files directly with
# arbitrary programs: full create and relabel access to secadmfile.
allow $1 secadmfile:dir { relabelto relabelfrom create_dir_perms };
allow $1 secadmfile:file { relabelto relabelfrom create_file_perms };
allow $1 secadmfile:lnk_file { relabelto relabelfrom create_lnk_perms };

# Choose the context of the next exec (runcon) and of newly created files.
can_setexec($1)
can_setfscreate($1)

# Privileged audit netlink read, used by autrace.
allow $1 self:netlink_audit_socket nlmsg_readpriv;
')