make common template
This commit is contained in:
parent
44656a182b
commit
8ba1bd8502
@ -1,5 +1,78 @@
|
||||
## <summary>Common policy for authentication and user login.</summary>
|
||||
|
||||
#######################################
|
||||
## <summary>
|
||||
## Common template to create a domain for authentication.
|
||||
## </summary>
|
||||
## <desc>
|
||||
## <p>
|
||||
## This template creates a derived domain which is allowed
|
||||
## to authenticate users by using PAM unix_chkpwd support.
|
||||
## </p>
|
||||
## </desc>
|
||||
## <param name="userdomain_prefix">
|
||||
## The prefix of the user domain (e.g., user
|
||||
## is the prefix for user_t).
|
||||
## </param>
|
||||
#
|
||||
template(`authlogin_common_auth_domain_template',`
|
||||
gen_require(`
|
||||
attribute can_read_shadow_passwords;
|
||||
type chkpwd_exec_t, shadow_t;
|
||||
')
|
||||
|
||||
type $1_chkpwd_t, can_read_shadow_passwords;
|
||||
domain_type($1_chkpwd_t)
|
||||
domain_entry_file($1_chkpwd_t,chkpwd_exec_t)
|
||||
|
||||
allow $1_chkpwd_t self:capability { audit_write audit_control setuid };
|
||||
allow $1_chkpwd_t self:process getattr;
|
||||
|
||||
files_list_etc($1_chkpwd_t)
|
||||
allow $1_chkpwd_t shadow_t:file { getattr read };
|
||||
|
||||
# is_selinux_enabled
|
||||
kernel_read_system_state($1_chkpwd_t)
|
||||
|
||||
dev_read_rand($1_chkpwd_t)
|
||||
dev_read_urand($1_chkpwd_t)
|
||||
|
||||
fs_dontaudit_getattr_xattr_fs($1_chkpwd_t)
|
||||
|
||||
libs_use_ld_so($1_chkpwd_t)
|
||||
libs_use_shared_libs($1_chkpwd_t)
|
||||
|
||||
files_read_etc_files($1_chkpwd_t)
|
||||
# for nscd
|
||||
files_dontaudit_search_var($1_chkpwd_t)
|
||||
|
||||
logging_send_syslog_msg($1_chkpwd_t)
|
||||
|
||||
miscfiles_read_certs($1_chkpwd_t)
|
||||
miscfiles_read_localization($1_chkpwd_t)
|
||||
|
||||
seutil_read_config($1_chkpwd_t)
|
||||
|
||||
sysnet_dns_name_resolve($1_chkpwd_t)
|
||||
sysnet_use_ldap($1_chkpwd_t)
|
||||
|
||||
optional_policy(`kerberos',`
|
||||
kerberos_use($1_chkpwd_t)
|
||||
')
|
||||
|
||||
optional_policy(`nis',`
|
||||
nis_use_ypbind($1_chkpwd_t)
|
||||
')
|
||||
|
||||
optional_policy(`nscd',`
|
||||
nscd_use_socket($1_chkpwd_t)
|
||||
')
|
||||
|
||||
optional_policy(`samba',`
|
||||
samba_connect_winbind($1_chkpwd_t)
|
||||
')
|
||||
')
|
||||
|
||||
#######################################
|
||||
## <summary>
|
||||
## The per user domain template for the authlogin module.
|
||||
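Review bot: In `authlogin_common_auth_domain_template` the rule `allow $1_chkpwd_t self:capability { audit_write audit_control setuid };` grants audit capabilities, but the template carries no `self:netlink_audit_socket` rule for `$1_chkpwd_t`, so the chkpwd domain has nothing it can actually send audit records through. The last hunk of authlogin.te appears to drop `allow system_chkpwd_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay };` (the -62/+19 counts leave no room for it on the new side), which would regress audit logging for system_chkpwd_t once it is built from this template. Consider adding `allow $1_chkpwd_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay };` directly below the capability rule. Separately, for the `system` caller the capability set widens from the previous `setuid` to `{ audit_write audit_control setuid }`; `audit_control` is not needed merely to write records, and either a narrower set or a comment such as `# audit_control: TODO confirm unix_chkpwd needs it` would document the choice.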
@ -29,87 +102,33 @@
|
||||
## </param>
|
||||
#
|
||||
template(`authlogin_per_userdomain_template',`
|
||||
|
||||
gen_require(`
|
||||
attribute can_read_shadow_passwords;
|
||||
type chkpwd_exec_t, system_chkpwd_t, shadow_t;
|
||||
type system_chkpwd_t, shadow_t;
|
||||
')
|
||||
|
||||
type $1_chkpwd_t, can_read_shadow_passwords;
|
||||
domain_type($1_chkpwd_t)
|
||||
domain_entry_file($1_chkpwd_t,chkpwd_exec_t)
|
||||
authlogin_common_auth_domain_template($1)
|
||||
|
||||
role $3 types $1_chkpwd_t;
|
||||
role $3 types system_chkpwd_t;
|
||||
|
||||
allow $1_chkpwd_t self:capability { audit_write audit_control setuid };
|
||||
allow $1_chkpwd_t self:process getattr;
|
||||
|
||||
files_list_etc($1_chkpwd_t)
|
||||
allow $1_chkpwd_t shadow_t:file { getattr read };
|
||||
|
||||
allow $2 self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay };
|
||||
|
||||
dontaudit $2 shadow_t:file { getattr read };
|
||||
|
||||
# Transition from the user domain to this domain.
|
||||
domain_auto_trans($2,chkpwd_exec_t,$1_chkpwd_t)
|
||||
|
||||
allow $1_chkpwd_t $2:fd use;
|
||||
allow $2 $1_chkpwd_t:fd use;
|
||||
allow $1_chkpwd_t $2:fifo_file rw_file_perms;
|
||||
allow $1_chkpwd_t $2:process sigchld;
|
||||
|
||||
dontaudit $2 shadow_t:file { getattr read };
|
||||
|
||||
# is_selinux_enabled
|
||||
kernel_read_system_state($1_chkpwd_t)
|
||||
|
||||
dev_read_rand($1_chkpwd_t)
|
||||
dev_read_urand($1_chkpwd_t)
|
||||
|
||||
fs_dontaudit_getattr_xattr_fs($1_chkpwd_t)
|
||||
|
||||
domain_use_wide_inherit_fd($1_chkpwd_t)
|
||||
|
||||
libs_use_ld_so($1_chkpwd_t)
|
||||
libs_use_shared_libs($1_chkpwd_t)
|
||||
|
||||
files_read_etc_files($1_chkpwd_t)
|
||||
# for nscd
|
||||
files_dontaudit_search_var($1_chkpwd_t)
|
||||
|
||||
logging_send_syslog_msg($1_chkpwd_t)
|
||||
|
||||
miscfiles_read_certs($1_chkpwd_t)
|
||||
miscfiles_read_localization($1_chkpwd_t)
|
||||
|
||||
seutil_read_config($1_chkpwd_t)
|
||||
|
||||
sysnet_dns_name_resolve($1_chkpwd_t)
|
||||
sysnet_use_ldap($1_chkpwd_t)
|
||||
seutil_use_newrole_fd($1_chkpwd_t)
|
||||
|
||||
# Write to the user domain tty.
|
||||
userdom_use_user_terminals($1,$1_chkpwd_t)
|
||||
|
||||
# Inherit and use descriptors from gnome-pty-helper.
|
||||
#ifdef(`gnome-pty-helper.te',`allow $1_chkpwd_t $1_gph_t:fd use;')
|
||||
|
||||
optional_policy(`kerberos',`
|
||||
kerberos_use($1_chkpwd_t)
|
||||
')
|
||||
|
||||
optional_policy(`nis',`
|
||||
nis_use_ypbind($1_chkpwd_t)
|
||||
')
|
||||
|
||||
optional_policy(`nscd',`
|
||||
nscd_use_socket($1_chkpwd_t)
|
||||
')
|
||||
|
||||
optional_policy(`samba',`
|
||||
samba_connect_winbind($1_chkpwd_t)
|
||||
')
|
||||
|
||||
optional_policy(`selinuxutil',`
|
||||
seutil_use_newrole_fd($1_chkpwd_t)
|
||||
')
|
||||
')
|
||||
|
||||
########################################
|
||||
|
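Review bot: The new `gen_require` of `authlogin_per_userdomain_template` lists only `type system_chkpwd_t, shadow_t;`, yet the body still references `chkpwd_exec_t` in `domain_auto_trans($2,chkpwd_exec_t,$1_chkpwd_t)`, which looks like a retained (context) line. If that is so, `chkpwd_exec_t` should stay in the require block, e.g. `type chkpwd_exec_t, system_chkpwd_t, shadow_t;`, otherwise a caller outside the authlogin module cannot resolve the type. Also `seutil_use_newrole_fd($1_chkpwd_t)` appears both unconditionally and inside `optional_policy(\`selinuxutil\',...)`; only one of the two should survive on the new side, and the optional form is the one consistent with the other calls in this template.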
@ -1,5 +1,5 @@
|
||||
|
||||
policy_module(authlogin,1.0.2)
|
||||
policy_module(authlogin,1.0.3)
|
||||
|
||||
########################################
|
||||
#
|
||||
@ -53,9 +53,7 @@ neverallow ~can_read_shadow_passwords shadow_t:file read;
|
||||
neverallow ~can_write_shadow_passwords shadow_t:file { create write };
|
||||
neverallow ~can_relabelto_shadow_passwords shadow_t:file relabelto;
|
||||
|
||||
type system_chkpwd_t, can_read_shadow_passwords;
|
||||
domain_type(system_chkpwd_t)
|
||||
domain_entry_file(system_chkpwd_t,chkpwd_exec_t)
|
||||
authlogin_common_auth_domain_template(system)
|
||||
role system_r types system_chkpwd_t;
|
||||
|
||||
type utempter_t;
|
||||
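Review bot: `authlogin_common_auth_domain_template(system)` is passed a prefix that is not a user domain, while the template's `<param name="userdomain_prefix">` documentation in authlogin.if describes it as "The prefix of the user domain". Rename the documented parameter to something like `domain_prefix` and describe it as the prefix of the derived `_chkpwd_t` type, noting that `system` is a valid value, so the interface doc matches this call.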
@ -263,62 +261,19 @@ ifdef(`xdm.te', `
|
||||
# System check password local policy
|
||||
#
|
||||
|
||||
allow system_chkpwd_t self:capability setuid;
|
||||
allow system_chkpwd_t self:process getattr;
|
||||
allow system_chkpwd_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay };
|
||||
|
||||
allow system_chkpwd_t shadow_t:file { getattr read };
|
||||
|
||||
# is_selinux_enabled
|
||||
kernel_read_system_state(system_chkpwd_t)
|
||||
|
||||
dev_read_rand(system_chkpwd_t)
|
||||
dev_read_urand(system_chkpwd_t)
|
||||
|
||||
fs_dontaudit_getattr_xattr_fs(system_chkpwd_t)
|
||||
|
||||
term_dontaudit_use_unallocated_tty(system_chkpwd_t)
|
||||
term_dontaudit_use_generic_pty(system_chkpwd_t)
|
||||
|
||||
corecmd_search_sbin(system_chkpwd_t)
|
||||
|
||||
domain_dontaudit_use_wide_inherit_fd(system_chkpwd_t)
|
||||
|
||||
files_read_etc_files(system_chkpwd_t)
|
||||
# for nscd
|
||||
files_dontaudit_search_var(system_chkpwd_t)
|
||||
|
||||
libs_use_ld_so(system_chkpwd_t)
|
||||
libs_use_shared_libs(system_chkpwd_t)
|
||||
|
||||
logging_send_syslog_msg(system_chkpwd_t)
|
||||
|
||||
miscfiles_read_localization(system_chkpwd_t)
|
||||
miscfiles_read_certs(system_chkpwd_t)
|
||||
|
||||
seutil_read_config(system_chkpwd_t)
|
||||
|
||||
sysnet_dns_name_resolve(system_chkpwd_t)
|
||||
sysnet_use_ldap(system_chkpwd_t)
|
||||
term_dontaudit_use_unallocated_tty(system_chkpwd_t)
|
||||
term_dontaudit_use_generic_pty(system_chkpwd_t)
|
||||
|
||||
userdom_dontaudit_use_unpriv_user_tty(system_chkpwd_t)
|
||||
|
||||
optional_policy(`kerberos',`
|
||||
kerberos_use(system_chkpwd_t)
|
||||
')
|
||||
|
||||
optional_policy(`nis',`
|
||||
nis_use_ypbind(system_chkpwd_t)
|
||||
')
|
||||
|
||||
optional_policy(`nscd',`
|
||||
nscd_use_socket(system_chkpwd_t)
|
||||
')
|
||||
|
||||
optional_policy(`samba',`
|
||||
samba_connect_winbind(system_chkpwd_t)
|
||||
')
|
||||
|
||||
########################################
|
||||
#
|
||||
# Utempter local policy
|
||||
|