rpms/selinux-policy
6
0
Fork 0
Code Issues Pull Requests Releases Activity

make common template

Browse Source
This commit is contained in:
Chris PeBenito 2005-12-08 17:42:08 +00:00
parent 44656a182b
commit 8ba1bd8502
2 changed files with 84 additions and 110 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

141
refpolicy/policy/modules/system/authlogin.if
View File

@ -1,5 +1,78 @@
## <summary>Common policy for authentication and user login.</summary> ## <summary>Common policy for authentication and user login.</summary>
#######################################
## <summary>
## Common template to create a domain for authentication.
## </summary>
## <desc>
## <p>
## This template creates a derived domain which is allowed
## to authenticate users by using PAM unix_chkpwd support.
## </p>
## </desc>
## <param name="userdomain_prefix">
## The prefix of the user domain (e.g., user
## is the prefix for user_t).
## </param>
#
template(`authlogin_common_auth_domain_template',`
gen_require(`
attribute can_read_shadow_passwords;
type chkpwd_exec_t, shadow_t;
')
type $1_chkpwd_t, can_read_shadow_passwords;
domain_type($1_chkpwd_t)
domain_entry_file($1_chkpwd_t,chkpwd_exec_t)
allow $1_chkpwd_t self:capability { audit_write audit_control setuid };
allow $1_chkpwd_t self:process getattr;
files_list_etc($1_chkpwd_t)
allow $1_chkpwd_t shadow_t:file { getattr read };
# is_selinux_enabled
kernel_read_system_state($1_chkpwd_t)
dev_read_rand($1_chkpwd_t)
dev_read_urand($1_chkpwd_t)
fs_dontaudit_getattr_xattr_fs($1_chkpwd_t)
libs_use_ld_so($1_chkpwd_t)
libs_use_shared_libs($1_chkpwd_t)
files_read_etc_files($1_chkpwd_t)
# for nscd
files_dontaudit_search_var($1_chkpwd_t)
logging_send_syslog_msg($1_chkpwd_t)
miscfiles_read_certs($1_chkpwd_t)
miscfiles_read_localization($1_chkpwd_t)
seutil_read_config($1_chkpwd_t)
sysnet_dns_name_resolve($1_chkpwd_t)
sysnet_use_ldap($1_chkpwd_t)
optional_policy(`kerberos',`
kerberos_use($1_chkpwd_t)
')
optional_policy(`nis',`
nis_use_ypbind($1_chkpwd_t)
')
optional_policy(`nscd',`
nscd_use_socket($1_chkpwd_t)
')
optional_policy(`samba',`
samba_connect_winbind($1_chkpwd_t)
')
')
####################################### #######################################
## <summary> ## <summary>
## The per user domain template for the authlogin module. ## The per user domain template for the authlogin module.
@ -29,87 +102,33 @@
## </param> ## </param>
# #
template(`authlogin_per_userdomain_template',` template(`authlogin_per_userdomain_template',`
gen_require(` gen_require(`
attribute can_read_shadow_passwords; type system_chkpwd_t, shadow_t;
type chkpwd_exec_t, system_chkpwd_t, shadow_t;
') ')
type $1_chkpwd_t, can_read_shadow_passwords; authlogin_common_auth_domain_template($1)
domain_type($1_chkpwd_t)
domain_entry_file($1_chkpwd_t,chkpwd_exec_t)
role $3 types $1_chkpwd_t; role $3 types $1_chkpwd_t;
role $3 types system_chkpwd_t; role $3 types system_chkpwd_t;
allow $1_chkpwd_t self:capability { audit_write audit_control setuid };
allow $1_chkpwd_t self:process getattr;
files_list_etc($1_chkpwd_t)
allow $1_chkpwd_t shadow_t:file { getattr read };
allow $2 self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay }; allow $2 self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay };
dontaudit $2 shadow_t:file { getattr read };
# Transition from the user domain to this domain. # Transition from the user domain to this domain.
domain_auto_trans($2,chkpwd_exec_t,$1_chkpwd_t) domain_auto_trans($2,chkpwd_exec_t,$1_chkpwd_t)
allow $1_chkpwd_t $2:fd use; allow $1_chkpwd_t $2:fd use;
allow $2 $1_chkpwd_t:fd use; allow $2 $1_chkpwd_t:fd use;
allow $1_chkpwd_t $2:fifo_file rw_file_perms; allow $1_chkpwd_t $2:fifo_file rw_file_perms;
allow $1_chkpwd_t $2:process sigchld; allow $1_chkpwd_t $2:process sigchld;
dontaudit $2 shadow_t:file { getattr read };
# is_selinux_enabled
kernel_read_system_state($1_chkpwd_t)
dev_read_rand($1_chkpwd_t)
dev_read_urand($1_chkpwd_t)
fs_dontaudit_getattr_xattr_fs($1_chkpwd_t)
domain_use_wide_inherit_fd($1_chkpwd_t) domain_use_wide_inherit_fd($1_chkpwd_t)
libs_use_ld_so($1_chkpwd_t) seutil_use_newrole_fd($1_chkpwd_t)
libs_use_shared_libs($1_chkpwd_t)
files_read_etc_files($1_chkpwd_t)
# for nscd
files_dontaudit_search_var($1_chkpwd_t)
logging_send_syslog_msg($1_chkpwd_t)
miscfiles_read_certs($1_chkpwd_t)
miscfiles_read_localization($1_chkpwd_t)
seutil_read_config($1_chkpwd_t)
sysnet_dns_name_resolve($1_chkpwd_t)
sysnet_use_ldap($1_chkpwd_t)
# Write to the user domain tty. # Write to the user domain tty.
userdom_use_user_terminals($1,$1_chkpwd_t) userdom_use_user_terminals($1,$1_chkpwd_t)
# Inherit and use descriptors from gnome-pty-helper.
#ifdef(`gnome-pty-helper.te',`allow $1_chkpwd_t $1_gph_t:fd use;')
optional_policy(`kerberos',`
kerberos_use($1_chkpwd_t)
')
optional_policy(`nis',`
nis_use_ypbind($1_chkpwd_t)
')
optional_policy(`nscd',`
nscd_use_socket($1_chkpwd_t)
')
optional_policy(`samba',`
samba_connect_winbind($1_chkpwd_t)
')
optional_policy(`selinuxutil',`
seutil_use_newrole_fd($1_chkpwd_t)
')
') ')
######################################## ########################################

53
refpolicy/policy/modules/system/authlogin.te
View File

@ -1,5 +1,5 @@
policy_module(authlogin,1.0.2) policy_module(authlogin,1.0.3)
######################################## ########################################
# #
@ -53,9 +53,7 @@ neverallow ~can_read_shadow_passwords shadow_t:file read;
neverallow ~can_write_shadow_passwords shadow_t:file { create write }; neverallow ~can_write_shadow_passwords shadow_t:file { create write };
neverallow ~can_relabelto_shadow_passwords shadow_t:file relabelto; neverallow ~can_relabelto_shadow_passwords shadow_t:file relabelto;
type system_chkpwd_t, can_read_shadow_passwords; authlogin_common_auth_domain_template(system)
domain_type(system_chkpwd_t)
domain_entry_file(system_chkpwd_t,chkpwd_exec_t)
role system_r types system_chkpwd_t; role system_r types system_chkpwd_t;
type utempter_t; type utempter_t;
@ -263,62 +261,19 @@ ifdef(`xdm.te', `
# System check password local policy # System check password local policy
# #
allow system_chkpwd_t self:capability setuid;
allow system_chkpwd_t self:process getattr;
allow system_chkpwd_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay }; allow system_chkpwd_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay };
allow system_chkpwd_t shadow_t:file { getattr read }; allow system_chkpwd_t shadow_t:file { getattr read };
# is_selinux_enabled
kernel_read_system_state(system_chkpwd_t)
dev_read_rand(system_chkpwd_t)
dev_read_urand(system_chkpwd_t)
fs_dontaudit_getattr_xattr_fs(system_chkpwd_t)
term_dontaudit_use_unallocated_tty(system_chkpwd_t)
term_dontaudit_use_generic_pty(system_chkpwd_t)
corecmd_search_sbin(system_chkpwd_t) corecmd_search_sbin(system_chkpwd_t)
domain_dontaudit_use_wide_inherit_fd(system_chkpwd_t) domain_dontaudit_use_wide_inherit_fd(system_chkpwd_t)
files_read_etc_files(system_chkpwd_t) term_dontaudit_use_unallocated_tty(system_chkpwd_t)
# for nscd term_dontaudit_use_generic_pty(system_chkpwd_t)
files_dontaudit_search_var(system_chkpwd_t)
libs_use_ld_so(system_chkpwd_t)
libs_use_shared_libs(system_chkpwd_t)
logging_send_syslog_msg(system_chkpwd_t)
miscfiles_read_localization(system_chkpwd_t)
miscfiles_read_certs(system_chkpwd_t)
seutil_read_config(system_chkpwd_t)
sysnet_dns_name_resolve(system_chkpwd_t)
sysnet_use_ldap(system_chkpwd_t)
userdom_dontaudit_use_unpriv_user_tty(system_chkpwd_t) userdom_dontaudit_use_unpriv_user_tty(system_chkpwd_t)
optional_policy(`kerberos',`
kerberos_use(system_chkpwd_t)
')
optional_policy(`nis',`
nis_use_ypbind(system_chkpwd_t)
')
optional_policy(`nscd',`
nscd_use_socket(system_chkpwd_t)
')
optional_policy(`samba',`
samba_connect_winbind(system_chkpwd_t)
')
######################################## ########################################
# #
# Utempter local policy # Utempter local policy