add su
This commit is contained in:
parent
9465452eec
commit
9489149ec0
@ -8,6 +8,7 @@
|
||||
* Added policies:
|
||||
acct
|
||||
mysql
|
||||
su
|
||||
tmpreaper
|
||||
updfstab
|
||||
|
||||
|
@ -59,20 +59,6 @@ files = base
|
||||
#
|
||||
domain = base
|
||||
|
||||
# Layer: admin
|
||||
# Module: consoletype
|
||||
#
|
||||
# Determine of the console connected to the controlling terminal.
|
||||
#
|
||||
consoletype = base
|
||||
|
||||
# Layer: admin
|
||||
# Module: netutils
|
||||
#
|
||||
# Network analysis utilities
|
||||
#
|
||||
netutils = base
|
||||
|
||||
# Layer: admin
|
||||
# Module: usermanage
|
||||
#
|
||||
@ -101,6 +87,48 @@ dmesg = base
|
||||
#
|
||||
logrotate = off
|
||||
|
||||
# Layer: admin
|
||||
# Module: consoletype
|
||||
#
|
||||
# Determine of the console connected to the controlling terminal.
|
||||
#
|
||||
consoletype = base
|
||||
|
||||
# Layer: admin
|
||||
# Module: netutils
|
||||
#
|
||||
# Network analysis utilities
|
||||
#
|
||||
netutils = base
|
||||
|
||||
# Layer: admin
|
||||
# Module: acct
|
||||
#
|
||||
# Berkeley process accounting
|
||||
#
|
||||
acct = base
|
||||
|
||||
# Layer: admin
|
||||
# Module: tmpreaper
|
||||
#
|
||||
# Manage temporary directory sizes and file ages
|
||||
#
|
||||
tmpreaper = base
|
||||
|
||||
# Layer: admin
|
||||
# Module: updfstab
|
||||
#
|
||||
# Red Hat utility to change /etc/fstab.
|
||||
#
|
||||
updfstab = base
|
||||
|
||||
# Layer: admin
|
||||
# Module: su
|
||||
#
|
||||
# Run shells with substitute user and group
|
||||
#
|
||||
su = off
|
||||
|
||||
# Layer: apps
|
||||
# Module: gpg
|
||||
#
|
||||
@ -136,20 +164,6 @@ storage = base
|
||||
#
|
||||
terminal = base
|
||||
|
||||
# Layer: services
|
||||
# Module: cron
|
||||
#
|
||||
# Periodic execution of scheduled commands.
|
||||
#
|
||||
cron = base
|
||||
|
||||
# Layer: services
|
||||
# Module: ssh
|
||||
#
|
||||
# Secure shell client and server policy.
|
||||
#
|
||||
ssh = off
|
||||
|
||||
# Layer: services
|
||||
# Module: remotelogin
|
||||
#
|
||||
@ -157,6 +171,20 @@ ssh = off
|
||||
#
|
||||
remotelogin = base
|
||||
|
||||
# Layer: services
|
||||
# Module: nscd
|
||||
#
|
||||
# Name service cache daemon
|
||||
#
|
||||
nscd = base
|
||||
|
||||
# Layer: services
|
||||
# Module: nis
|
||||
#
|
||||
# Policy for NIS (YP) servers and clients
|
||||
#
|
||||
nis = base
|
||||
|
||||
# Layer: services
|
||||
# Module: sendmail
|
||||
#
|
||||
@ -165,18 +193,18 @@ remotelogin = base
|
||||
sendmail = off
|
||||
|
||||
# Layer: services
|
||||
# Module: mta
|
||||
# Module: ssh
|
||||
#
|
||||
# Policy common to all email tranfer agents.
|
||||
# Secure shell client and server policy.
|
||||
#
|
||||
mta = base
|
||||
ssh = off
|
||||
|
||||
# Layer: services
|
||||
# Module: nis
|
||||
# Module: cron
|
||||
#
|
||||
# Policy for NIS (YP) servers and clients
|
||||
# Periodic execution of scheduled commands.
|
||||
#
|
||||
nis = base
|
||||
cron = base
|
||||
|
||||
# Layer: services
|
||||
# Module: inetd
|
||||
@ -193,11 +221,32 @@ inetd = base
|
||||
kerberos = base
|
||||
|
||||
# Layer: services
|
||||
# Module: nscd
|
||||
# Module: mta
|
||||
#
|
||||
# Name service cache daemon
|
||||
# Policy common to all email tranfer agents.
|
||||
#
|
||||
nscd = base
|
||||
mta = base
|
||||
|
||||
# Layer: services
|
||||
# Module: mysql
|
||||
#
|
||||
# Policy for MySQL
|
||||
#
|
||||
mysql = base
|
||||
|
||||
# Layer: system
|
||||
# Module: unconfined
|
||||
#
|
||||
# The unconfined domain.
|
||||
#
|
||||
unconfined = base
|
||||
|
||||
# Layer: system
|
||||
# Module: authlogin
|
||||
#
|
||||
# Common policy for authentication and user login.
|
||||
#
|
||||
authlogin = base
|
||||
|
||||
# Layer: system
|
||||
# Module: selinuxutil
|
||||
@ -221,11 +270,11 @@ getty = base
|
||||
mount = base
|
||||
|
||||
# Layer: system
|
||||
# Module: logging
|
||||
# Module: ipsec
|
||||
#
|
||||
# Policy for the kernel message logger and system logging daemon.
|
||||
# TCP/IP encryption
|
||||
#
|
||||
logging = base
|
||||
ipsec = base
|
||||
|
||||
# Layer: system
|
||||
# Module: locallogin
|
||||
@ -234,6 +283,13 @@ logging = base
|
||||
#
|
||||
locallogin = base
|
||||
|
||||
# Layer: system
|
||||
# Module: logging
|
||||
#
|
||||
# Policy for the kernel message logger and system logging daemon.
|
||||
#
|
||||
logging = base
|
||||
|
||||
# Layer: system
|
||||
# Module: sysnetwork
|
||||
#
|
||||
@ -241,6 +297,20 @@ locallogin = base
|
||||
#
|
||||
sysnetwork = base
|
||||
|
||||
# Layer: system
|
||||
# Module: fstools
|
||||
#
|
||||
# Tools for filesystem management, such as mkfs and fsck.
|
||||
#
|
||||
fstools = base
|
||||
|
||||
# Layer: system
|
||||
# Module: pcmcia
|
||||
#
|
||||
# PCMCIA card management services
|
||||
#
|
||||
pcmcia = base
|
||||
|
||||
# Layer: system
|
||||
# Module: iptables
|
||||
#
|
||||
@ -255,13 +325,6 @@ iptables = base
|
||||
#
|
||||
userdomain = base
|
||||
|
||||
# Layer: system
|
||||
# Module: clock
|
||||
#
|
||||
# Policy for reading and setting the hardware clock.
|
||||
#
|
||||
clock = base
|
||||
|
||||
# Layer: system
|
||||
# Module: corecommands
|
||||
#
|
||||
@ -278,6 +341,13 @@ corecommands = base
|
||||
#
|
||||
hotplug = base
|
||||
|
||||
# Layer: system
|
||||
# Module: clock
|
||||
#
|
||||
# Policy for reading and setting the hardware clock.
|
||||
#
|
||||
clock = base
|
||||
|
||||
# Layer: system
|
||||
# Module: lvm
|
||||
#
|
||||
@ -292,13 +362,6 @@ lvm = base
|
||||
#
|
||||
modutils = base
|
||||
|
||||
# Layer: system
|
||||
# Module: udev
|
||||
#
|
||||
# Policy for udev.
|
||||
#
|
||||
udev = base
|
||||
|
||||
# Layer: system
|
||||
# Module: init
|
||||
#
|
||||
@ -306,6 +369,13 @@ udev = base
|
||||
#
|
||||
init = base
|
||||
|
||||
# Layer: system
|
||||
# Module: udev
|
||||
#
|
||||
# Policy for udev.
|
||||
#
|
||||
udev = base
|
||||
|
||||
# Layer: system
|
||||
# Module: hostname
|
||||
#
|
||||
@ -314,11 +384,11 @@ init = base
|
||||
hostname = base
|
||||
|
||||
# Layer: system
|
||||
# Module: authlogin
|
||||
# Module: raid
|
||||
#
|
||||
# Common policy for authentication and user login.
|
||||
# RAID array management tools
|
||||
#
|
||||
authlogin = base
|
||||
raid = base
|
||||
|
||||
# Layer: system
|
||||
# Module: libraries
|
||||
@ -327,20 +397,6 @@ authlogin = base
|
||||
#
|
||||
libraries = base
|
||||
|
||||
# Layer: system
|
||||
# Module: ipsec
|
||||
#
|
||||
# TCP/IP encryption
|
||||
#
|
||||
ipsec = base
|
||||
|
||||
# Layer: system
|
||||
# Module: unconfined
|
||||
#
|
||||
# The unconfined domain.
|
||||
#
|
||||
unconfined = base
|
||||
|
||||
# Layer: system
|
||||
# Module: miscfiles
|
||||
#
|
||||
@ -348,24 +404,3 @@ unconfined = base
|
||||
#
|
||||
miscfiles = base
|
||||
|
||||
# Layer: system
|
||||
# Module: fstools
|
||||
#
|
||||
# Tools for filesystem management, such as mkfs and fsck.
|
||||
#
|
||||
fstools = base
|
||||
|
||||
# Layer: system
|
||||
# Module: pcmcia
|
||||
#
|
||||
# PCMCIA card management services
|
||||
#
|
||||
pcmcia = base
|
||||
|
||||
# Layer: system
|
||||
# Module: raid
|
||||
#
|
||||
# RAID array management tools
|
||||
#
|
||||
raid = base
|
||||
|
||||
|
2
refpolicy/policy/modules/admin/su.fc
Normal file
2
refpolicy/policy/modules/admin/su.fc
Normal file
@ -0,0 +1,2 @@
|
||||
|
||||
/bin/su -- context_template(system_u:object_r:su_exec_t,s0)
|
149
refpolicy/policy/modules/admin/su.if
Normal file
149
refpolicy/policy/modules/admin/su.if
Normal file
@ -0,0 +1,149 @@
|
||||
## <summary>Run shells with substitute user and group</summary>
|
||||
|
||||
template(`su_per_userdomain_template',`
|
||||
|
||||
type $1_su_t;
|
||||
domain_entry_file($1_su_t,su_exec_t)
|
||||
domain_type($1_su_t)
|
||||
domain_role_change_exempt($1_su_t)
|
||||
domain_subj_id_change_exempt($1_su_t)
|
||||
domain_obj_id_change_exempt($1_su_t)
|
||||
domain_wide_inherit_fd($1_su_t)
|
||||
role $1_r types $1_su_t;
|
||||
|
||||
allow $1_t $1_su_t:process signal;
|
||||
|
||||
allow $1_su_t self:capability { setuid setgid net_bind_service chown dac_override fowner sys_nice sys_resource };
|
||||
dontaudit $1_su_t self:capability sys_tty_config;
|
||||
allow $1_su_t self:process { setexec setsched setrlimit };
|
||||
allow $1_su_t self:fifo_file rw_file_perms;
|
||||
|
||||
# Transition from the user domain to this domain.
|
||||
domain_auto_trans($1_t, su_exec_t, $1_su_t)
|
||||
allow $1_t $1_su_t:fd use;
|
||||
allow $1_su_t $1_t:fd use;
|
||||
allow $1_su_t $1_t:fifo_file rw_file_perms;
|
||||
allow $1_su_t $1_t:process sigchld;
|
||||
|
||||
# By default, revert to the calling domain when a shell is executed.
|
||||
corecmd_shell_domtrans($1_su_t,$1_t)
|
||||
allow $1_t $1_su_t:fd use;
|
||||
allow $1_su_t $1_t:fd use;
|
||||
allow $1_su_t $1_t:fifo_file rw_file_perms;
|
||||
allow $1_su_t $1_t:process sigchld;
|
||||
|
||||
kernel_read_system_state($1_su_t)
|
||||
kernel_read_kernel_sysctl($1_su_t)
|
||||
|
||||
# for SSP
|
||||
dev_read_urand($1_su_t)
|
||||
|
||||
fs_search_auto_mountpoints($1_su_t)
|
||||
|
||||
selinux_get_fs_mount($1_su_t)
|
||||
selinux_validate_context($1_su_t)
|
||||
selinux_compute_access_vector($1_su_t)
|
||||
selinux_compute_create_context($1_su_t)
|
||||
selinux_compute_relabel_context($1_su_t)
|
||||
selinux_compute_user_contexts($1_su_t)
|
||||
|
||||
# Relabel ttys and ptys.
|
||||
term_relabel_all_user_ttys($1_su_t)
|
||||
term_relabel_all_user_ptys($1_su_t)
|
||||
# Close and re-open ttys and ptys to get the fd into the correct domain.
|
||||
term_use_all_user_ttys($1_su_t)
|
||||
term_use_all_user_ptys($1_su_t)
|
||||
|
||||
auth_dontaudit_read_shadow($1_su_t)
|
||||
|
||||
domain_wide_inherit_fd($1_su_t)
|
||||
|
||||
files_read_etc_files($1_su_t)
|
||||
files_search_var_lib($1_su_t)
|
||||
|
||||
init_dontaudit_use_fd($1_su_t)
|
||||
# Write to utmp.
|
||||
init_rw_script_pid($1_su_t)
|
||||
|
||||
libs_use_ld_so($1_su_t)
|
||||
libs_use_shared_libs($1_su_t)
|
||||
|
||||
logging_send_syslog_msg($1_su_t)
|
||||
|
||||
miscfiles_read_localization($1_su_t)
|
||||
|
||||
seutil_read_config($1_su_t)
|
||||
seutil_read_default_contexts($1_su_t)
|
||||
|
||||
if(secure_mode)
|
||||
{
|
||||
# Only allow transitions to unprivileged user domains.
|
||||
userdom_spec_domtrans_unpriv_users($1_su_t)
|
||||
} else {
|
||||
# Allow transitions to all user domains
|
||||
userdom_spec_domtrans_all_users($1_su_t)
|
||||
}
|
||||
|
||||
if (use_nfs_home_dirs) {
|
||||
fs_search_nfs($1_su_t)
|
||||
}
|
||||
|
||||
if (use_samba_home_dirs) {
|
||||
fs_search_cifs($1_su_t)
|
||||
}
|
||||
|
||||
optional_policy(`crond.te',`
|
||||
cron_read_pipe($1_su_t)
|
||||
')
|
||||
|
||||
optional_policy(`kerberos.te',`
|
||||
kerberos_use($1_su_t)
|
||||
')
|
||||
|
||||
optional_policy(`nis.te',`
|
||||
nis_use_ypbind($1_su_t)
|
||||
')
|
||||
|
||||
optional_policy(`nscd.te',`
|
||||
nscd_use_socket($1_su_t)
|
||||
')
|
||||
|
||||
ifdef(`TODO',`
|
||||
domain_auto_trans($1_su_t, chkpwd_exec_t, $1_chkpwd_t)
|
||||
|
||||
# Caused by su - init scripts
|
||||
dontaudit $1_su_t initrc_devpts_t:chr_file { getattr ioctl };
|
||||
|
||||
# Inherit and use descriptors from gnome-pty-helper.
|
||||
ifdef(`gnome-pty-helper.te', `allow $1_su_t $1_gph_t:fd use;')
|
||||
|
||||
# Write to the user domain tty.
|
||||
access_terminal($1_su_t, $1)
|
||||
|
||||
allow $1_su_t { home_root_t $1_home_dir_t }:dir search;
|
||||
allow $1_su_t $1_home_t:file create_file_perms;
|
||||
|
||||
ifdef(`user_canbe_sysadm', `
|
||||
allow $1_su_t home_dir_type:dir { search write };
|
||||
', `
|
||||
dontaudit $1_su_t home_dir_type:dir { search write };
|
||||
')
|
||||
|
||||
# Modify .Xauthority file (via xauth program).
|
||||
ifdef(`xauth.te', `
|
||||
file_type_auto_trans($1_su_t, staff_home_dir_t, staff_xauth_home_t, file)
|
||||
file_type_auto_trans($1_su_t, user_home_dir_t, user_xauth_home_t, file)
|
||||
file_type_auto_trans($1_su_t, sysadm_home_dir_t, sysadm_xauth_home_t, file)
|
||||
domain_auto_trans($1_su_t, xauth_exec_t, $1_xauth_t)
|
||||
')
|
||||
|
||||
ifdef(`cyrus.te', `
|
||||
allow $1_su_t cyrus_var_lib_t:dir search;
|
||||
')
|
||||
ifdef(`ssh.te', `
|
||||
# Access sshd cookie files.
|
||||
allow $1_su_t sshd_tmp_t:file rw_file_perms;
|
||||
file_type_auto_trans($1_su_t, sshd_tmp_t, $1_tmp_t)
|
||||
')
|
||||
') dnl end TODO
|
||||
')
|
12
refpolicy/policy/modules/admin/su.te
Normal file
12
refpolicy/policy/modules/admin/su.te
Normal file
@ -0,0 +1,12 @@
|
||||
|
||||
policy_module(su,1.0)
|
||||
|
||||
########################################
|
||||
#
|
||||
# Declarations
|
||||
#
|
||||
|
||||
type su_exec_t;
|
||||
files_type(su_exec_t)
|
||||
|
||||
# Remaining policy in the per-user domain template
|
@ -401,6 +401,23 @@ interface(`fs_getattr_cifs',`
|
||||
allow $1 cifs_t:filesystem getattr;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Search directories on a CIFS or SMB filesystem.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## The type of the domain reading the files.
|
||||
## </param>
|
||||
#
|
||||
interface(`fs_search_cifs',`
|
||||
gen_require(`
|
||||
type cifs_t;
|
||||
class dir search;
|
||||
')
|
||||
|
||||
allow $1 cifs_t:dir search;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Read files on a CIFS or SMB filesystem.
|
||||
@ -871,6 +888,23 @@ interface(`fs_getattr_nfs',`
|
||||
allow $1 nfs_t:filesystem getattr;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Search directories on a NFS filesystem.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## The type of the domain reading the files.
|
||||
## </param>
|
||||
#
|
||||
interface(`fs_search_nfs',`
|
||||
gen_require(`
|
||||
type nfs_t;
|
||||
class dir search;
|
||||
')
|
||||
|
||||
allow $1 nfs_t:dir search;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Read files on a NFS filesystem.
|
||||
|
Loading…
Reference in New Issue
Block a user