diff --git a/refpolicy/policy/modules/admin/usermanage.te b/refpolicy/policy/modules/admin/usermanage.te
index 16d9bc01..9bb704bf 100644
--- a/refpolicy/policy/modules/admin/usermanage.te
+++ b/refpolicy/policy/modules/admin/usermanage.te
@@ -10,7 +10,7 @@ policy_module(usermanage,1.0)
 type admin_passwd_exec_t;
 files_make_file(admin_passwd_exec_t)
-type chfn_t; #, auth_chkpwd
+type chfn_t;
 kernel_make_object_identity_change_constraint_exception(chfn_t)
 domain_make_domain(chfn_t)
 role system_r types chfn_t;
@@ -36,7 +36,7 @@ kernel_make_object_identity_change_constraint_exception(groupadd_t)
 domain_make_system_domain(groupadd_t,groupadd_exec_t)
 role system_r types groupadd_t;
-type passwd_t; #,auth_write;
+type passwd_t;
 kernel_make_object_identity_change_constraint_exception(passwd_t)
 domain_make_domain(passwd_t)
 role system_r types passwd_t;
@@ -44,7 +44,7 @@ role system_r types passwd_t;
 type passwd_exec_t;
 domain_make_entrypoint_file(passwd_t,passwd_exec_t)
-type sysadm_passwd_t; #, auth_write
+type sysadm_passwd_t;
 kernel_make_object_identity_change_constraint_exception(sysadm_passwd_t)
 domain_make_domain(sysadm_passwd_t)
 domain_make_entrypoint_file(sysadm_passwd_t,admin_passwd_exec_t)
@@ -110,6 +110,7 @@ miscfiles_read_localization(chfn_t)
 logging_send_system_log_message(chfn_t)
+authlogin_check_password_transition(chfn_t)
 authlogin_ignore_read_shadow_passwords(chfn_t)
 ifdef(`TODO',`
@@ -327,11 +328,12 @@ logging_send_system_log_message(passwd_t)
 miscfiles_read_localization(passwd_t)
+authlogin_manage_shadow_passwords(passwd_t)
+
 ifdef(`TODO',`
 role sysadm_r types passwd_t;
 # Update /etc/shadow and /etc/passwd
-file_type_auto_trans(passwd_t, etc_t, shadow_t, file)
 allow passwd_t { etc_t shadow_t }:file { relabelfrom relabelto };
 allow passwd_t unpriv_userdomain:fd use;
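Review bot: The new `authlogin_manage_shadow_passwords(passwd_t)` call puts passwd_t on the can_read/can_write_shadow_passwords attributes but not on the new can_relabelto_shadow_passwords attribute, while `allow passwd_t { etc_t shadow_t }:file { relabelfrom relabelto };` is left inside the ifdef(`TODO') block a few lines below. That rule is inactive today, but the moment it is migrated out of TODO it will trip the `neverallow ~can_relabelto_shadow_passwords shadow_t:file relabelto;` that this same commit adds to authlogin.te, so either add `authlogin_relabel_to_shadow_passwords(passwd_t)` next to the manage call or drop the relabel rule when migrating. The same situation exists for sysadm_passwd_t in the @@ -453 hunk. The TODO block continues past the end of this hunk.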
@@ -432,6 +434,8 @@ miscfiles_read_localization(sysadm_passwd_t)
 logging_send_system_log_message(sysadm_passwd_t)
+authlogin_manage_shadow_passwords(sysadm_passwd_t)
+
 ifdef(`TODO',`
 role sysadm_r types sysadm_passwd_t;
 domain_auto_trans(sysadm_t, admin_passwd_exec_t, sysadm_passwd_t)
@@ -453,7 +457,6 @@ allow sysadm_passwd_t shell_exec_t:file execute;
 dontaudit sysadm_passwd_t { user_home_dir_type user_home_type }:dir search;
 # Update /etc/shadow and /etc/passwd
-file_type_auto_trans(sysadm_passwd_t, etc_t, shadow_t, file)
 allow sysadm_passwd_t { etc_t shadow_t }:file { relabelfrom relabelto };
 # for vipw - vi looks in the root home directory for config
diff --git a/refpolicy/policy/modules/services/remotelogin.te b/refpolicy/policy/modules/services/remotelogin.te
index b686794f..cd0054fc 100644
--- a/refpolicy/policy/modules/services/remotelogin.te
+++ b/refpolicy/policy/modules/services/remotelogin.te
@@ -7,7 +7,7 @@ policy_module(authlogin,1.0)
 # Declarations
 #
-type remote_login_t; #, privlog, auth_chkpwd, nscd_client_domain;
+type remote_login_t; #, nscd_client_domain;
 kernel_make_object_identity_change_constraint_exception(remote_login_t)
 kernel_make_process_identity_change_constraint_exception(remote_login_t)
 kernel_make_role_change_constraint_exception(remote_login_t)
@@ -68,9 +68,12 @@ files_read_general_application_resources(remote_login_t)
 libraries_use_dynamic_loader(remote_login_t)
 libraries_read_shared_libraries(remote_login_t)
+logging_send_system_log_message(remote_login_t)
+
 selinux_read_config(remote_login_t)
 selinux_read_default_contexts(remote_login_t)
+authlogin_check_password_transition(remote_login_t)
 authlogin_ignore_read_shadow_passwords(remote_login_t)
 authlogin_modify_login_records(remote_login_t)
 authlogin_modify_last_login_log(remote_login_t)
diff --git a/refpolicy/policy/modules/system/authlogin.if b/refpolicy/policy/modules/system/authlogin.if
index 02d31b0b..f92ae163 100644
--- a/refpolicy/policy/modules/system/authlogin.if
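Review bot: The hunk header for remotelogin.te shows the file still declares `policy_module(authlogin,1.0)`, while every other module in this diff is named after its file (`policy_module(usermanage,1.0)`, `policy_module(locallogin,1.0)`); this looks like a leftover from copying authlogin.te and the commit, which edits the line right below it, does not correct it. If module names are meant to match file names here, the line above the hunk should read `policy_module(remotelogin,1.0)`. The trimmed comment on `type remote_login_t;` itself raises nothing.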
+++ b/refpolicy/policy/modules/system/authlogin.if
@@ -175,6 +175,41 @@ type shadow_t;
 class file { getattr read write };
 ')
+#######################################
+#
+# authlogin_manage_shadow_passwords(domain)
+#
+define(`authlogin_manage_shadow_passwords',`
+requires_block_template(`$0'_depend)
+files_create_private_config($1,shadow_t,file)
+allow $1 shadow_t:file { create ioctl read getattr lock write setattr append link unlink rename };
+typeattribute $1 can_read_shadow_passwords;
+typeattribute $1 can_write_shadow_passwords;
+')
+
+define(`authlogin_manage_shadow_passwords_depend',`
+attribute can_read_shadow_passwords;
+attribute can_write_shadow_passwords;
+type shadow_t;
+class file { create ioctl read getattr lock write setattr append link unlink rename };
+')
+
+#######################################
+#
+# authlogin_relabel_to_shadow_passwords(domain)
+#
+define(`authlogin_relabel_to_shadow_passwords',`
+requires_block_template(`$0'_depend)
+allow $1 shadow_t:file relabelto;
+typeattribute $1 can_relabelto_shadow_passwords;
+')
+
+define(`authlogin_relabel_to_shadow_passwords_depend',`
+attribute can_relabelto_shadow_passwords;
+type shadow_t;
+class file relabelto;
+')
+
 #######################################
 #
 # authlogin_modify_last_login_log(domain)
diff --git a/refpolicy/policy/modules/system/authlogin.te b/refpolicy/policy/modules/system/authlogin.te
index fc9b5406..2ed9474b 100644
--- a/refpolicy/policy/modules/system/authlogin.te
+++ b/refpolicy/policy/modules/system/authlogin.te
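Review bot: Both new interfaces carry only a name banner, so a caller cannot see from the .if that `authlogin_manage_shadow_passwords` hands out the full manage set on shadow_t (`create ioctl read getattr lock write setattr append link unlink rename`) plus the type transition from `files_create_private_config`, and that it is what exempts a domain from the shadow_t neverallows in authlogin.te. Say so under each banner, e.g. `# Create, read, write, rename and delete /etc/shadow and join the can_read/can_write_shadow_passwords attributes; only for password-changing domains such as passwd_t.` and, for the second, `# Allow relabelling files to shadow_t; for relabelers such as restorecon_t and setfiles_t that must pass the relabelto assertion.`. It is also worth stating that `authlogin_relabel_to_shadow_passwords` grants relabelto only and that relabelfrom on existing shadow_t files is expected to come from the caller's existing label-management interfaces, since that is not obvious from the macro body.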
@@ -45,8 +45,10 @@ type shadow_t;
 files_make_file(shadow_t)
 attribute can_read_shadow_passwords;
 attribute can_write_shadow_passwords;
+attribute can_relabelto_shadow_passwords;
 neverallow ~can_read_shadow_passwords shadow_t:file read;
-neverallow ~can_write_shadow_passwords shadow_t:file write;
+neverallow ~can_write_shadow_passwords shadow_t:file { create write };
+neverallow ~can_relabelto_shadow_passwords shadow_t:file relabelto;
 type utempter_t; #, nscd_client_domain;
 domain_make_domain(utempter_t)
diff --git a/refpolicy/policy/modules/system/locallogin.te b/refpolicy/policy/modules/system/locallogin.te
index 153ecc94..704134c0 100644
--- a/refpolicy/policy/modules/system/locallogin.te
+++ b/refpolicy/policy/modules/system/locallogin.te
@@ -7,7 +7,7 @@ policy_module(locallogin,1.0)
 # Declarations
 #
-type local_login_t; #, auth_chkpwd, nscd_client_domain;
+type local_login_t; #, nscd_client_domain;
 kernel_make_object_identity_change_constraint_exception(local_login_t)
 kernel_make_process_identity_change_constraint_exception(local_login_t)
 kernel_make_role_change_constraint_exception(local_login_t)
@@ -83,6 +83,7 @@ logging_send_system_log_message(local_login_t)
 selinux_read_config(local_login_t)
 selinux_read_default_contexts(local_login_t)
+authlogin_check_password_transition(local_login_t)
 authlogin_ignore_read_shadow_passwords(local_login_t)
 authlogin_modify_login_records(local_login_t)
 authlogin_modify_last_login_log(local_login_t)
diff --git a/refpolicy/policy/modules/system/selinux.te b/refpolicy/policy/modules/system/selinux.te
index 1a7c0083..3bc10930 100644
--- a/refpolicy/policy/modules/system/selinux.te
+++ b/refpolicy/policy/modules/system/selinux.te
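Review bot: The widened assertion `neverallow ~can_write_shadow_passwords shadow_t:file { create write };` still covers less than what `authlogin_manage_shadow_passwords` in authlogin.if grants on shadow_t: `append` is a direct write path, and `setattr`, `unlink` and `rename` let a domain change the mode of, remove or replace the shadow file, yet none of them are gated by the attribute. Since this commit already pulls create under the assertion, extend it to at least `neverallow ~can_write_shadow_passwords shadow_t:file { create write append setattr unlink rename };` so that the neverallow matches the interface that is meant to be the only source of those permissions. The `link` permission in that interface's set is also worth a second look, as hard-linking /etc/shadow is not something a password-changing tool needs.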
@@ -38,10 +38,11 @@ role system_r types load_policy_t;
 type load_policy_exec_t;
 domain_make_entrypoint_file(load_policy_t,load_policy_exec_t)
-type newrole_t; # , privlog, auth_chkpwd, nscd_client_domain, privfd, mlsfileread, mlsfilewrite, mlsfileupgrade, mlsfiledowngrade, mlsprocsetsl;
+type newrole_t; # nscd_client_domain, mlsfileread, mlsfilewrite, mlsfileupgrade, mlsfiledowngrade, mlsprocsetsl;
 kernel_make_role_change_constraint_exception(newrole_t)
 kernel_make_object_identity_change_constraint_exception(newrole_t)
 domain_make_domain(newrole_t)
+domain_make_file_descriptors_widely_inheritable(newrole_t)
 type newrole_exec_t;
 domain_make_entrypoint_file(newrole_t,newrole_exec_t)
@@ -63,13 +64,11 @@ neverallow ~can_write_binary_policy policy_config_t:file { write append };
 type policy_src_t;
 files_make_file(policy_src_t)
-type restorecon_t, can_relabelto_binary_policy; #, auth_write, change_context;
-kernel_make_object_identity_change_constraint_exception(restorecon_t)
-domain_make_domain(restorecon_t)
-role system_r types restorecon_t;
-
+type restorecon_t, can_relabelto_binary_policy;
 type restorecon_exec_t;
-domain_make_entrypoint_file(restorecon_t,restorecon_exec_t)
+kernel_make_object_identity_change_constraint_exception(restorecon_t)
+domain_make_system_domain(restorecon_t,restorecon_exec_t)
+role system_r types restorecon_t;
 #
 # selinux_config_t is the type applied to
@@ -78,7 +77,7 @@ domain_make_entrypoint_file(restorecon_t,restorecon_exec_t)
 type selinux_config_t;
 files_make_file(selinux_config_t)
-type setfiles_t, can_relabelto_binary_policy; # privlog, auth_write, change_context;
+type setfiles_t, can_relabelto_binary_policy;
 kernel_make_object_identity_change_constraint_exception(setfiles_t)
 domain_make_domain(setfiles_t)
 role system_r types setfiles_t;
@@ -97,6 +96,10 @@ allow checkpolicy_t self:capability dac_override;
 allow checkpolicy_t policy_config_t:dir { read getattr lock search ioctl add_name remove_name write };
 allow checkpolicy_t policy_config_t:file { create ioctl read getattr lock write setattr append link unlink rename };
+# allow test policies to be created in src directories
+allow checkpolicy_t policy_src_t:dir { getattr search read write add_name remove_name };
+type_transition checkpolicy_t policy_src_t:file policy_config_t;
+
 # only allow read of policy source files
 allow checkpolicy_t policy_src_t:dir { getattr search read };
 allow checkpolicy_t policy_src_t:{ file lnk_file } { getattr read };
@@ -118,9 +121,8 @@ libraries_read_shared_libraries(checkpolicy_t)
 ifdef(`TODO',`
 role sysadm_r types checkpolicy_t;
 domain_auto_trans(sysadm_t, checkpolicy_exec_t, checkpolicy_t)
-
-# allow test policies to be created in src directories
-file_type_auto_trans(checkpolicy_t, policy_src_t, policy_config_t, file)
+allow checkpolicy_t admin_tty_type:chr_file { read write ioctl getattr };
+allow checkpolicy_t sysadm_tmp_t:file { getattr write };
 # directory search permissions for path to source and binary policy files
 allow checkpolicy_t etc_t:dir search;
@@ -128,11 +130,6 @@ allow checkpolicy_t etc_t:dir search;
 # Read the devpts root directory.
 ifdef(`sshd.te',`allow checkpolicy_t sshd_devpts_t:dir r_dir_perms;')
-# Other access
-allow checkpolicy_t admin_tty_type:chr_file { read write ioctl getattr };
-
-allow checkpolicy_t sysadm_tmp_t:file { getattr write } ;
-
 # Allow users to execute checkpolicy without a domain transition
 # so it can be used without privilege to write real binary policy file
 can_exec(unpriv_userdomain, checkpolicy_exec_t)
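Review bot: The new `allow checkpolicy_t policy_src_t:dir { getattr search read write add_name remove_name };` sits directly above the comment `# only allow read of policy source files` and the narrower `allow checkpolicy_t policy_src_t:dir { getattr search read };`, which it subsumes, so that comment is now false and the old rule is dead weight. Either fold the two into one directory rule under a comment that says source directories are writable so that test policies can be generated in them, or keep the read-only rule and reword the comment to cover files only; the file-level `allow checkpolicy_t policy_src_t:{ file lnk_file } { getattr read };` remains accurate because the added `type_transition` labels new files policy_config_t rather than policy_src_t. The same hunk appears again, unchanged, in the selinuxutil.te section of this diff.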
@@ -180,16 +177,13 @@ miscfiles_read_localization(load_policy_t)
 ifdef(`TODO',`
 role sysadm_r types load_policy_t;
 domain_auto_trans(sysadm_t, load_policy_exec_t, load_policy_t)
+allow load_policy_t sysadm_tmp_t:file { getattr write };
+allow load_policy_t admin_tty_type:chr_file { read write ioctl getattr };
 # directory search permissions for path to binary policy files
 allow load_policy_t etc_t:dir search;
-# Other access
-allow load_policy_t admin_tty_type:chr_file { read write ioctl getattr };
-
 allow load_policy_t userdomain:fd use;
-
-allow load_policy_t sysadm_tmp_t:file { getattr write } ;
 ') dnl endif TODO
 ########################################
@@ -227,7 +221,8 @@ devices_get_pseudorandom_data(newrole_t)
 filesystem_get_persistent_filesystem_attributes(newrole_t)
-terminal_list_pseudoterminals(newrole_t)
+terminal_use_all_users_physical_terminals(newrole_t)
+terminal_use_all_users_pseudoterminals(newrole_t)
 terminal_use_controlling_terminal(newrole_t)
 # Write to utmp.
@@ -240,8 +235,12 @@ files_read_general_system_config(newrole_t)
 libraries_use_dynamic_loader(newrole_t)
 libraries_read_shared_libraries(newrole_t)
+logging_send_system_log_message(newrole_t)
+
 miscfiles_read_localization(newrole_t)
+authlogin_check_password_transition(newrole_t)
+
 ifdef(`TODO',`
 in_user_role(newrole_t)
 role sysadm_r types newrole_t;
@@ -261,7 +260,6 @@ allow newrole_t sbin_t:dir r_dir_perms;
 # Execute shells
 allow newrole_t bin_t:dir r_dir_perms;
 allow newrole_t bin_t:lnk_file read;
-allow newrole_t shell_exec_t:file r_file_perms;
 # Allow newrole_t to transition to user domains.
 bool secure_mode false;
@@ -276,14 +274,9 @@ if(!secure_mode)
 allow newrole_t var_t:dir r_dir_perms;
 allow newrole_t var_t:notdevfile_class_set r_file_perms;
-# Read /dev directories and any symbolic links.
-allow newrole_t device_t:dir r_dir_perms;
-
 # Relabel terminals.
 allow newrole_t { ttyfile ptyfile }:chr_file { relabelfrom relabelto };
-# Access terminals.
-allow newrole_t { ttyfile ptyfile }:chr_file rw_file_perms;
 ifdef(`gnome-pty-helper.te', `allow newrole_t gphdomain:fd use;')
 # for some PAM modules and for cwd
@@ -340,11 +333,11 @@ files_read_all_directories(restorecon_t)
 kernel_relabel_unlabeled_object(restorecon_t)
 devices_manage_all_devices_labels(restorecon_t)
 files_manage_all_files_labels(restorecon_t)
+# this is to satisfy the assertion:
+authlogin_relabel_to_shadow_passwords(restorecon_t)
 ifdef(`TODO',`
 allow restorecon_t admin_tty_type:chr_file { read write ioctl };
-
-domain_auto_trans(initrc_t, restorecon_exec_t, restorecon_t)
 domain_audo_trans(sysadm_t, restorecon_exec_t, restorecon_t)
 role sysadm_r types restorecon_t;
 allow restorecon_t userdomain:fd use;
@@ -410,6 +403,8 @@ files_read_all_directories(setfiles_t)
 kernel_relabel_unlabeled_object(setfiles_t)
 devices_manage_all_devices_labels(setfiles_t)
 files_manage_all_files_labels(setfiles_t)
+# this is to satisfy the assertion:
+authlogin_relabel_to_shadow_passwords(setfiles_t)
 ifdef(`TODO',`
diff --git a/refpolicy/policy/modules/system/selinuxutil.te b/refpolicy/policy/modules/system/selinuxutil.te
index 1a7c0083..3bc10930 100644
--- a/refpolicy/policy/modules/system/selinuxutil.te
+++ b/refpolicy/policy/modules/system/selinuxutil.te
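Review bot: The added comment `# this is to satisfy the assertion:` above `authlogin_relabel_to_shadow_passwords(restorecon_t)` does not say which assertion, and the identical pair of lines is added for setfiles_t in the @@ -410 hunk and again in both hunks of the selinuxutil.te section. Make it self-explaining once per site, e.g. `# full-filesystem relabels must be able to relabel files to shadow_t, which authlogin.te restricts to can_relabelto_shadow_passwords`, so the next maintainer knows why a relabeler carries a shadow-password attribute; the trailing colon reads like an unfinished sentence and should go. The `ifdef(`TODO',` block that follows continues past the end of the hunk.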
@@ -38,10 +38,11 @@ role system_r types load_policy_t;
 type load_policy_exec_t;
 domain_make_entrypoint_file(load_policy_t,load_policy_exec_t)
-type newrole_t; # , privlog, auth_chkpwd, nscd_client_domain, privfd, mlsfileread, mlsfilewrite, mlsfileupgrade, mlsfiledowngrade, mlsprocsetsl;
+type newrole_t; # nscd_client_domain, mlsfileread, mlsfilewrite, mlsfileupgrade, mlsfiledowngrade, mlsprocsetsl;
 kernel_make_role_change_constraint_exception(newrole_t)
 kernel_make_object_identity_change_constraint_exception(newrole_t)
 domain_make_domain(newrole_t)
+domain_make_file_descriptors_widely_inheritable(newrole_t)
 type newrole_exec_t;
 domain_make_entrypoint_file(newrole_t,newrole_exec_t)
@@ -63,13 +64,11 @@ neverallow ~can_write_binary_policy policy_config_t:file { write append };
 type policy_src_t;
 files_make_file(policy_src_t)
-type restorecon_t, can_relabelto_binary_policy; #, auth_write, change_context;
-kernel_make_object_identity_change_constraint_exception(restorecon_t)
-domain_make_domain(restorecon_t)
-role system_r types restorecon_t;
-
+type restorecon_t, can_relabelto_binary_policy;
 type restorecon_exec_t;
-domain_make_entrypoint_file(restorecon_t,restorecon_exec_t)
+kernel_make_object_identity_change_constraint_exception(restorecon_t)
+domain_make_system_domain(restorecon_t,restorecon_exec_t)
+role system_r types restorecon_t;
 #
 # selinux_config_t is the type applied to
@@ -78,7 +77,7 @@ domain_make_entrypoint_file(restorecon_t,restorecon_exec_t)
 type selinux_config_t;
 files_make_file(selinux_config_t)
-type setfiles_t, can_relabelto_binary_policy; # privlog, auth_write, change_context;
+type setfiles_t, can_relabelto_binary_policy;
 kernel_make_object_identity_change_constraint_exception(setfiles_t)
 domain_make_domain(setfiles_t)
 role system_r types setfiles_t;
@@ -97,6 +96,10 @@ allow checkpolicy_t self:capability dac_override;
 allow checkpolicy_t policy_config_t:dir { read getattr lock search ioctl add_name remove_name write };
 allow checkpolicy_t policy_config_t:file { create ioctl read getattr lock write setattr append link unlink rename };
+# allow test policies to be created in src directories
+allow checkpolicy_t policy_src_t:dir { getattr search read write add_name remove_name };
+type_transition checkpolicy_t policy_src_t:file policy_config_t;
+
 # only allow read of policy source files
 allow checkpolicy_t policy_src_t:dir { getattr search read };
 allow checkpolicy_t policy_src_t:{ file lnk_file } { getattr read };
@@ -118,9 +121,8 @@ libraries_read_shared_libraries(checkpolicy_t)
 ifdef(`TODO',`
 role sysadm_r types checkpolicy_t;
 domain_auto_trans(sysadm_t, checkpolicy_exec_t, checkpolicy_t)
-
-# allow test policies to be created in src directories
-file_type_auto_trans(checkpolicy_t, policy_src_t, policy_config_t, file)
+allow checkpolicy_t admin_tty_type:chr_file { read write ioctl getattr };
+allow checkpolicy_t sysadm_tmp_t:file { getattr write };
 # directory search permissions for path to source and binary policy files
 allow checkpolicy_t etc_t:dir search;
@@ -128,11 +130,6 @@ allow checkpolicy_t etc_t:dir search;
 # Read the devpts root directory.
 ifdef(`sshd.te',`allow checkpolicy_t sshd_devpts_t:dir r_dir_perms;')
-# Other access
-allow checkpolicy_t admin_tty_type:chr_file { read write ioctl getattr };
-
-allow checkpolicy_t sysadm_tmp_t:file { getattr write } ;
-
 # Allow users to execute checkpolicy without a domain transition
 # so it can be used without privilege to write real binary policy file
 can_exec(unpriv_userdomain, checkpolicy_exec_t)
@@ -180,16 +177,13 @@ miscfiles_read_localization(load_policy_t)
 ifdef(`TODO',`
 role sysadm_r types load_policy_t;
 domain_auto_trans(sysadm_t, load_policy_exec_t, load_policy_t)
+allow load_policy_t sysadm_tmp_t:file { getattr write };
+allow load_policy_t admin_tty_type:chr_file { read write ioctl getattr };
 # directory search permissions for path to binary policy files
 allow load_policy_t etc_t:dir search;
-# Other access
-allow load_policy_t admin_tty_type:chr_file { read write ioctl getattr };
-
 allow load_policy_t userdomain:fd use;
-
-allow load_policy_t sysadm_tmp_t:file { getattr write } ;
 ') dnl endif TODO
 ########################################
@@ -227,7 +221,8 @@ devices_get_pseudorandom_data(newrole_t)
 filesystem_get_persistent_filesystem_attributes(newrole_t)
-terminal_list_pseudoterminals(newrole_t)
+terminal_use_all_users_physical_terminals(newrole_t)
+terminal_use_all_users_pseudoterminals(newrole_t)
 terminal_use_controlling_terminal(newrole_t)
 # Write to utmp.
@@ -240,8 +235,12 @@ files_read_general_system_config(newrole_t)
 libraries_use_dynamic_loader(newrole_t)
 libraries_read_shared_libraries(newrole_t)
+logging_send_system_log_message(newrole_t)
+
 miscfiles_read_localization(newrole_t)
+authlogin_check_password_transition(newrole_t)
+
 ifdef(`TODO',`
 in_user_role(newrole_t)
 role sysadm_r types newrole_t;
@@ -261,7 +260,6 @@ allow newrole_t sbin_t:dir r_dir_perms;
 # Execute shells
 allow newrole_t bin_t:dir r_dir_perms;
 allow newrole_t bin_t:lnk_file read;
-allow newrole_t shell_exec_t:file r_file_perms;
 # Allow newrole_t to transition to user domains.
 bool secure_mode false;
@@ -276,14 +274,9 @@ if(!secure_mode)
 allow newrole_t var_t:dir r_dir_perms;
 allow newrole_t var_t:notdevfile_class_set r_file_perms;
-# Read /dev directories and any symbolic links.
-allow newrole_t device_t:dir r_dir_perms;
-
 # Relabel terminals.
 allow newrole_t { ttyfile ptyfile }:chr_file { relabelfrom relabelto };
-# Access terminals.
-allow newrole_t { ttyfile ptyfile }:chr_file rw_file_perms;
 ifdef(`gnome-pty-helper.te', `allow newrole_t gphdomain:fd use;')
 # for some PAM modules and for cwd
@@ -340,11 +333,11 @@ files_read_all_directories(restorecon_t)
 kernel_relabel_unlabeled_object(restorecon_t)
 devices_manage_all_devices_labels(restorecon_t)
 files_manage_all_files_labels(restorecon_t)
+# this is to satisfy the assertion:
+authlogin_relabel_to_shadow_passwords(restorecon_t)
 ifdef(`TODO',`
 allow restorecon_t admin_tty_type:chr_file { read write ioctl };
-
-domain_auto_trans(initrc_t, restorecon_exec_t, restorecon_t)
 domain_audo_trans(sysadm_t, restorecon_exec_t, restorecon_t)
 role sysadm_r types restorecon_t;
 allow restorecon_t userdomain:fd use;
@@ -410,6 +403,8 @@ files_read_all_directories(setfiles_t)
 kernel_relabel_unlabeled_object(setfiles_t)
 devices_manage_all_devices_labels(setfiles_t)
 files_manage_all_files_labels(setfiles_t)
+# this is to satisfy the assertion:
+authlogin_relabel_to_shadow_passwords(setfiles_t)
 ifdef(`TODO',`