add sulogin

This commit is contained in:
Chris PeBenito 2005-05-09 15:38:06 +00:00
parent 15e3d8e8bc
commit 5d7e8ba6fb
2 changed files with 108 additions and 2 deletions

View File

@ -18,6 +18,20 @@ class file { getattr read execute };
class process { transition noatsecure siginh rlimitinh }; class process { transition noatsecure siginh rlimitinh };
') ')
########################################
#
# init_get_process_group(domain)
#
define(`init_get_process_group',`
requires_block_template(`$0'_depend)
allow $1 init_t:process getpgid;
')
define(`init_get_process_group_depend',`
type init_t;
class process getpgid;
')
######################################## ########################################
# #
# init_get_control_channel_attributes(domain) # init_get_control_channel_attributes(domain)
@ -183,6 +197,20 @@ type initrc_devpts_t;
class chr_file { read write }; class chr_file { read write };
') ')
########################################
#
# init_script_get_process_group(domain)
#
define(`init_script_get_process_group',`
requires_block_template(`$0'_depend)
allow $1 initrc_t:process getpgid;
')
define(`init_script_get_process_group_depend',`
type initrc_t;
class process getpgid;
')
######################################## ########################################
# #
# init_script_read_runtime_data(domain) # init_script_read_runtime_data(domain)

View File

@ -9,16 +9,24 @@ policy_module(locallogin,1.0)
type local_login_t; #, privuser, privrole, auth_chkpwd, privowner, nscd_client_domain; type local_login_t; #, privuser, privrole, auth_chkpwd, privowner, nscd_client_domain;
domain_make_domain(local_login_t) domain_make_domain(local_login_t)
authlogin_make_login_program_entrypoint(local_login_t)
domain_make_file_descriptors_widely_inheritable(local_login_t) domain_make_file_descriptors_widely_inheritable(local_login_t)
authlogin_make_login_program_entrypoint(local_login_t)
role system_r types local_login_t; role system_r types local_login_t;
type local_login_tmp_t; type local_login_tmp_t;
files_make_file(local_login_tmp_t) files_make_file(local_login_tmp_t)
type sulogin_t;
type sulogin_exec_t;
domain_make_init_domain(sulogin_t,sulogin_exec_t)
domain_make_system_domain(sulogin_t,sulogin_exec_t)
domain_make_file_descriptors_widely_inheritable(sulogin_t)
role system_r types sulogin_t;
######################################## ########################################
# #
# Local policy # Local login local policy
# #
allow local_login_t self:capability { dac_override chown fowner fsetid kill setgid setuid net_bind_service sys_nice sys_resource sys_tty_config }; allow local_login_t self:capability { dac_override chown fowner fsetid kill setgid setuid net_bind_service sys_nice sys_resource sys_tty_config };
@ -191,3 +199,73 @@ allow local_login_t power_device_t:chr_file { getattr setattr };
#r_dir_file(local_login_t, cifs_t) #r_dir_file(local_login_t, cifs_t)
#} #}
') dnl endif TODO ') dnl endif TODO
#################################
#
# Sulogin local policy
#
allow sulogin_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem dyntransition };
allow sulogin_t self:fd use;
allow sulogin_t self:fifo_file { read getattr lock ioctl write append };
allow sulogin_t self:unix_dgram_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown };
allow sulogin_t self:unix_stream_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown listen accept };
allow sulogin_t self:unix_dgram_socket sendto;
allow sulogin_t self:unix_stream_socket connectto;
allow sulogin_t self:shm { associate getattr setattr create destroy read write lock unix_read unix_write };
allow sulogin_t self:sem { associate getattr setattr create destroy read write unix_read unix_write };
allow sulogin_t self:msgq { associate getattr setattr create destroy read write enqueue unix_read unix_write };
allow sulogin_t self:msg { send receive };
kernel_read_system_state(sulogin_t)
init_script_get_process_group(sulogin_t)
files_read_general_system_config(sulogin_t)
libraries_use_dynamic_loader(sulogin_t)
libraries_read_shared_libraries(sulogin_t)
logging_send_system_log_message(sulogin_t)
selinux_read_config(sulogin_t)
selinux_read_default_contexts(sulogin_t)
authlogin_read_shadow_passwords(sulogin_t)
# suse and debian do not use pam with sulogin...
ifdef(`monolithic_policy',`
ifdef(`distro_suse', `define(`sulogin_no_pam')')
ifdef(`distro_debian', `define(`sulogin_no_pam')')
') dnl end monolithic_policy
tunable_policy(`sulogin_no_pam', `
allow sulogin_t self:capability sys_tty_config;
init_get_process_group(sulogin_t)
#domain_auto_trans(sulogin_t, shell_exec_t, sysadm_t)
', `
allow sulogin_t self:process setexec;
kernel_get_selinuxfs_mount_point(sulogin_t)
kernel_validate_selinux_context(sulogin_t)
kernel_compute_selinux_av(sulogin_t)
kernel_compute_create(sulogin_t)
kernel_compute_relabel(sulogin_t)
kernel_compute_reachable_user_contexts(sulogin_t)
#domain_trans(sulogin_t, shell_exec_t, sysadm_t)
')
ifdef(`TODO',`
#, privrole, privowner, privuser;
allow sulogin_t unpriv_userdomain:fd use;
can_ypbind(sulogin_t)
ifdef(`automount.te', `
allow sulogin_t autofs_t:dir { search getattr };
')
allow sulogin_t sysadm_devpts_t:chr_file { getattr ioctl read write };
allow sulogin_t { staff_home_dir_t sysadm_home_dir_t }:dir search;
# because file systems are not mounted
dontaudit sulogin_t file_t:dir search;
') dnl endif TODO