add su

refpolicy/Changelog

@@ -8,6 +8,7 @@
 	* Added policies:
 		acct
 		mysql
+		su
 		tmpreaper
 		updfstab
 

refpolicy/policy/modules.conf.targeted_example

@@ -59,20 +59,6 @@ files = base
 # 
 domain = base
 
-# Layer: admin
-# Module: consoletype
-#
-# Determine of the console connected to the controlling terminal.
-# 
-consoletype = base
-
-# Layer: admin
-# Module: netutils
-#
-# Network analysis utilities
-# 
-netutils = base
-
 # Layer: admin
 # Module: usermanage
 #
@@ -101,6 +87,48 @@ dmesg = base
 # 
 logrotate = off
 
+# Layer: admin
+# Module: consoletype
+#
+# Determine of the console connected to the controlling terminal.
+# 
+consoletype = base
+
+# Layer: admin
+# Module: netutils
+#
+# Network analysis utilities
+# 
+netutils = base
+
+# Layer: admin
+# Module: acct
+#
+# Berkeley process accounting
+# 
+acct = base
+
+# Layer: admin
+# Module: tmpreaper
+#
+# Manage temporary directory sizes and file ages
+# 
+tmpreaper = base
+
+# Layer: admin
+# Module: updfstab
+#
+# Red Hat utility to change /etc/fstab.
+# 
+updfstab = base
+
+# Layer: admin
+# Module: su
+#
+# Run shells with substitute user and group
+# 
+su = off
+
 # Layer: apps
 # Module: gpg
 #
@@ -136,20 +164,6 @@ storage = base
 # 
 terminal = base
 
-# Layer: services
-# Module: cron
-#
-# Periodic execution of scheduled commands.
-# 
-cron = base
-
-# Layer: services
-# Module: ssh
-#
-# Secure shell client and server policy.
-# 
-ssh = off
-
 # Layer: services
 # Module: remotelogin
 #
@@ -157,6 +171,20 @@ ssh = off
 # 
 remotelogin = base
 
+# Layer: services
+# Module: nscd
+#
+# Name service cache daemon
+# 
+nscd = base
+
+# Layer: services
+# Module: nis
+#
+# Policy for NIS (YP) servers and clients
+# 
+nis = base
+
 # Layer: services
 # Module: sendmail
 #
@@ -165,18 +193,18 @@ remotelogin = base
 sendmail = off
 
 # Layer: services
-# Module: mta
+# Module: ssh
 #
-# Policy common to all email tranfer agents.
+# Secure shell client and server policy.
 # 
-mta = base
+ssh = off
 
 # Layer: services
-# Module: nis
+# Module: cron
 #
-# Policy for NIS (YP) servers and clients
+# Periodic execution of scheduled commands.
 # 
-nis = base
+cron = base
 
 # Layer: services
 # Module: inetd
@@ -193,11 +221,32 @@ inetd = base
 kerberos = base
 
 # Layer: services
-# Module: nscd
+# Module: mta
 #
-# Name service cache daemon
+# Policy common to all email tranfer agents.
 # 
-nscd = base
+mta = base
+
+# Layer: services
+# Module: mysql
+#
+# Policy for MySQL
+# 
+mysql = base
+
+# Layer: system
+# Module: unconfined
+#
+# The unconfined domain.
+# 
+unconfined = base
+
+# Layer: system
+# Module: authlogin
+#
+# Common policy for authentication and user login.
+# 
+authlogin = base
 
 # Layer: system
 # Module: selinuxutil
@@ -221,11 +270,11 @@ getty = base
 mount = base
 
 # Layer: system
-# Module: logging
+# Module: ipsec
 #
-# Policy for the kernel message logger and system logging daemon.
+# TCP/IP encryption
 # 
-logging = base
+ipsec = base
 
 # Layer: system
 # Module: locallogin
@@ -234,6 +283,13 @@ logging = base
 # 
 locallogin = base
 
+# Layer: system
+# Module: logging
+#
+# Policy for the kernel message logger and system logging daemon.
+# 
+logging = base
+
 # Layer: system
 # Module: sysnetwork
 #
@@ -241,6 +297,20 @@ locallogin = base
 # 
 sysnetwork = base
 
+# Layer: system
+# Module: fstools
+#
+# Tools for filesystem management, such as mkfs and fsck.
+# 
+fstools = base
+
+# Layer: system
+# Module: pcmcia
+#
+# PCMCIA card management services
+# 
+pcmcia = base
+
 # Layer: system
 # Module: iptables
 #
@@ -255,13 +325,6 @@ iptables = base
 # 
 userdomain = base
 
-# Layer: system
-# Module: clock
-#
-# Policy for reading and setting the hardware clock.
-# 
-clock = base
-
 # Layer: system
 # Module: corecommands
 #
@@ -278,6 +341,13 @@ corecommands = base
 # 
 hotplug = base
 
+# Layer: system
+# Module: clock
+#
+# Policy for reading and setting the hardware clock.
+# 
+clock = base
+
 # Layer: system
 # Module: lvm
 #
@@ -292,13 +362,6 @@ lvm = base
 # 
 modutils = base
 
-# Layer: system
-# Module: udev
-#
-# Policy for udev.
-# 
-udev = base
-
 # Layer: system
 # Module: init
 #
@@ -306,6 +369,13 @@ udev = base
 # 
 init = base
 
+# Layer: system
+# Module: udev
+#
+# Policy for udev.
+# 
+udev = base
+
 # Layer: system
 # Module: hostname
 #
@@ -314,11 +384,11 @@ init = base
 hostname = base
 
 # Layer: system
-# Module: authlogin
+# Module: raid
 #
-# Common policy for authentication and user login.
+# RAID array management tools
 # 
-authlogin = base
+raid = base
 
 # Layer: system
 # Module: libraries
@@ -327,20 +397,6 @@ authlogin = base
 # 
 libraries = base
 
-# Layer: system
-# Module: ipsec
-#
-# TCP/IP encryption
-# 
-ipsec = base
-
-# Layer: system
-# Module: unconfined
-#
-# The unconfined domain.
-# 
-unconfined = base
-
 # Layer: system
 # Module: miscfiles
 #
@@ -348,24 +404,3 @@ unconfined = base
 # 
 miscfiles = base
 
-# Layer: system
-# Module: fstools
-#
-# Tools for filesystem management, such as mkfs and fsck.
-# 
-fstools = base
-
-# Layer: system
-# Module: pcmcia
-#
-# PCMCIA card management services
-# 
-pcmcia = base
-
-# Layer: system
-# Module: raid
-#
-# RAID array management tools
-# 
-raid = base
-

refpolicy/policy/modules/admin/su.fc

@@ -0,0 +1,2 @@
+
+/bin/su			--	context_template(system_u:object_r:su_exec_t,s0)

refpolicy/policy/modules/admin/su.if

@@ -0,0 +1,149 @@
+## <summary>Run shells with substitute user and group</summary>
+
+template(`su_per_userdomain_template',`
+
+	type $1_su_t;
+	domain_entry_file($1_su_t,su_exec_t)
+	domain_type($1_su_t)
+	domain_role_change_exempt($1_su_t)
+	domain_subj_id_change_exempt($1_su_t)
+	domain_obj_id_change_exempt($1_su_t)
+	domain_wide_inherit_fd($1_su_t)
+	role $1_r types $1_su_t;
+
+	allow $1_t $1_su_t:process signal;
+
+	allow $1_su_t self:capability { setuid setgid net_bind_service chown dac_override fowner sys_nice sys_resource };
+	dontaudit $1_su_t self:capability sys_tty_config;
+	allow $1_su_t self:process { setexec setsched setrlimit };
+	allow $1_su_t self:fifo_file rw_file_perms;
+
+	# Transition from the user domain to this domain.
+	domain_auto_trans($1_t, su_exec_t, $1_su_t)
+	allow $1_t $1_su_t:fd use;
+	allow $1_su_t $1_t:fd use;
+	allow $1_su_t $1_t:fifo_file rw_file_perms;
+	allow $1_su_t $1_t:process sigchld;
+
+	# By default, revert to the calling domain when a shell is executed.
+	corecmd_shell_domtrans($1_su_t,$1_t)
+	allow $1_t $1_su_t:fd use;
+	allow $1_su_t $1_t:fd use;
+	allow $1_su_t $1_t:fifo_file rw_file_perms;
+	allow $1_su_t $1_t:process sigchld;
+
+	kernel_read_system_state($1_su_t)
+	kernel_read_kernel_sysctl($1_su_t)
+
+	# for SSP
+	dev_read_urand($1_su_t)
+
+	fs_search_auto_mountpoints($1_su_t)
+
+	selinux_get_fs_mount($1_su_t)
+	selinux_validate_context($1_su_t)
+	selinux_compute_access_vector($1_su_t)
+	selinux_compute_create_context($1_su_t)
+	selinux_compute_relabel_context($1_su_t)
+	selinux_compute_user_contexts($1_su_t)
+
+	# Relabel ttys and ptys.
+	term_relabel_all_user_ttys($1_su_t)
+	term_relabel_all_user_ptys($1_su_t)
+	# Close and re-open ttys and ptys to get the fd into the correct domain.
+	term_use_all_user_ttys($1_su_t)
+	term_use_all_user_ptys($1_su_t)
+
+	auth_dontaudit_read_shadow($1_su_t)
+
+	domain_wide_inherit_fd($1_su_t)
+
+	files_read_etc_files($1_su_t)
+	files_search_var_lib($1_su_t)
+
+	init_dontaudit_use_fd($1_su_t)
+	# Write to utmp.
+	init_rw_script_pid($1_su_t)
+
+	libs_use_ld_so($1_su_t)
+	libs_use_shared_libs($1_su_t)
+
+	logging_send_syslog_msg($1_su_t)
+
+	miscfiles_read_localization($1_su_t)
+
+	seutil_read_config($1_su_t)
+	seutil_read_default_contexts($1_su_t)
+
+	if(secure_mode)
+	{
+		# Only allow transitions to unprivileged user domains.
+		userdom_spec_domtrans_unpriv_users($1_su_t)
+	} else {
+		# Allow transitions to all user domains
+		userdom_spec_domtrans_all_users($1_su_t)
+	}
+
+	if (use_nfs_home_dirs) {
+		fs_search_nfs($1_su_t)
+	}
+
+	if (use_samba_home_dirs) {
+		fs_search_cifs($1_su_t)
+	}
+
+	optional_policy(`crond.te',`
+		cron_read_pipe($1_su_t)
+	')
+
+	optional_policy(`kerberos.te',`
+		kerberos_use($1_su_t)
+	')
+
+	optional_policy(`nis.te',`
+		nis_use_ypbind($1_su_t)
+	')
+
+	optional_policy(`nscd.te',`
+		nscd_use_socket($1_su_t)
+	')
+
+	ifdef(`TODO',`
+	domain_auto_trans($1_su_t, chkpwd_exec_t, $1_chkpwd_t)
+
+	# Caused by su - init scripts
+	dontaudit $1_su_t initrc_devpts_t:chr_file { getattr ioctl };
+
+	# Inherit and use descriptors from gnome-pty-helper.
+	ifdef(`gnome-pty-helper.te', `allow $1_su_t $1_gph_t:fd use;')
+
+	# Write to the user domain tty.
+	access_terminal($1_su_t, $1)
+
+	allow $1_su_t { home_root_t $1_home_dir_t }:dir search;
+	allow $1_su_t $1_home_t:file create_file_perms;
+
+	ifdef(`user_canbe_sysadm', `
+	allow $1_su_t home_dir_type:dir { search write };
+	', `
+	dontaudit $1_su_t home_dir_type:dir { search write };
+	')
+
+	# Modify .Xauthority file (via xauth program).
+	ifdef(`xauth.te', `
+	file_type_auto_trans($1_su_t, staff_home_dir_t, staff_xauth_home_t, file)
+	file_type_auto_trans($1_su_t, user_home_dir_t, user_xauth_home_t, file)
+	file_type_auto_trans($1_su_t, sysadm_home_dir_t, sysadm_xauth_home_t, file)
+	domain_auto_trans($1_su_t, xauth_exec_t, $1_xauth_t)
+	')
+
+	ifdef(`cyrus.te', `
+	allow $1_su_t cyrus_var_lib_t:dir search;
+	')
+	ifdef(`ssh.te', `
+	# Access sshd cookie files.
+	allow $1_su_t sshd_tmp_t:file rw_file_perms;
+	file_type_auto_trans($1_su_t, sshd_tmp_t, $1_tmp_t)
+	')
+	') dnl end TODO
+')

refpolicy/policy/modules/admin/su.te

@@ -0,0 +1,12 @@
+
+policy_module(su,1.0)
+
+########################################
+#
+# Declarations
+#
+
+type su_exec_t;
+files_type(su_exec_t)
+
+# Remaining policy in the per-user domain template

refpolicy/policy/modules/kernel/filesystem.if

@@ -401,6 +401,23 @@ interface(`fs_getattr_cifs',`
 	allow $1 cifs_t:filesystem getattr;
 ')
 
+########################################
+## <summary>
+##	Search directories on a CIFS or SMB filesystem.
+## </summary>
+## <param name="domain">
+##	The type of the domain reading the files.
+## </param>
+#
+interface(`fs_search_cifs',`
+	gen_require(`
+		type cifs_t;
+		class dir search;
+	')
+
+	allow $1 cifs_t:dir search;
+')
+
 ########################################
 ## <summary>
 ##	Read files on a CIFS or SMB filesystem.
@@ -871,6 +888,23 @@ interface(`fs_getattr_nfs',`
 	allow $1 nfs_t:filesystem getattr;
 ')
 
+########################################
+## <summary>
+##	Search directories on a NFS filesystem.
+## </summary>
+## <param name="domain">
+##	The type of the domain reading the files.
+## </param>
+#
+interface(`fs_search_nfs',`
+	gen_require(`
+		type nfs_t;
+		class dir search;
+	')
+
+	allow $1 nfs_t:dir search;
+')
+
 ########################################
 ## <summary>
 ##	Read files on a NFS filesystem.