clean up authentication attributes
This commit is contained in:
Chris PeBenito
parent
96b0000f1b
commit
a1f94a3441
@ -10,7 +10,7 @@ policy_module(usermanage,1.0)
|
|||||||
type admin_passwd_exec_t;
|
type admin_passwd_exec_t;
|
||||||
files_make_file(admin_passwd_exec_t)
|
files_make_file(admin_passwd_exec_t)
|
||||||
|
|
||||||
type chfn_t; #, auth_chkpwd
|
type chfn_t;
|
||||||
kernel_make_object_identity_change_constraint_exception(chfn_t)
|
kernel_make_object_identity_change_constraint_exception(chfn_t)
|
||||||
domain_make_domain(chfn_t)
|
domain_make_domain(chfn_t)
|
||||||
role system_r types chfn_t;
|
role system_r types chfn_t;
|
||||||
@ -36,7 +36,7 @@ kernel_make_object_identity_change_constraint_exception(groupadd_t)
|
|||||||
domain_make_system_domain(groupadd_t,groupadd_exec_t)
|
domain_make_system_domain(groupadd_t,groupadd_exec_t)
|
||||||
role system_r types groupadd_t;
|
role system_r types groupadd_t;
|
||||||
|
|
||||||
type passwd_t; #,auth_write;
|
type passwd_t;
|
||||||
kernel_make_object_identity_change_constraint_exception(passwd_t)
|
kernel_make_object_identity_change_constraint_exception(passwd_t)
|
||||||
domain_make_domain(passwd_t)
|
domain_make_domain(passwd_t)
|
||||||
role system_r types passwd_t;
|
role system_r types passwd_t;
|
||||||
@ -44,7 +44,7 @@ role system_r types passwd_t;
|
|||||||
type passwd_exec_t;
|
type passwd_exec_t;
|
||||||
domain_make_entrypoint_file(passwd_t,passwd_exec_t)
|
domain_make_entrypoint_file(passwd_t,passwd_exec_t)
|
||||||
|
|
||||||
type sysadm_passwd_t; #, auth_write
|
type sysadm_passwd_t;
|
||||||
kernel_make_object_identity_change_constraint_exception(sysadm_passwd_t)
|
kernel_make_object_identity_change_constraint_exception(sysadm_passwd_t)
|
||||||
domain_make_domain(sysadm_passwd_t)
|
domain_make_domain(sysadm_passwd_t)
|
||||||
domain_make_entrypoint_file(sysadm_passwd_t,admin_passwd_exec_t)
|
domain_make_entrypoint_file(sysadm_passwd_t,admin_passwd_exec_t)
|
||||||
@ -110,6 +110,7 @@ miscfiles_read_localization(chfn_t)
|
|||||||
|
|
||||||
logging_send_system_log_message(chfn_t)
|
logging_send_system_log_message(chfn_t)
|
||||||
|
|
||||||
|
authlogin_check_password_transition(chfn_t)
|
||||||
authlogin_ignore_read_shadow_passwords(chfn_t)
|
authlogin_ignore_read_shadow_passwords(chfn_t)
|
||||||
|
|
||||||
ifdef(`TODO',`
|
ifdef(`TODO',`
|
||||||
@ -327,11 +328,12 @@ logging_send_system_log_message(passwd_t)
|
|||||||
|
|
||||||
miscfiles_read_localization(passwd_t)
|
miscfiles_read_localization(passwd_t)
|
||||||
|
|
||||||
|
authlogin_manage_shadow_passwords(passwd_t)
|
||||||
|
|
||||||
ifdef(`TODO',`
|
ifdef(`TODO',`
|
||||||
role sysadm_r types passwd_t;
|
role sysadm_r types passwd_t;
|
||||||
|
|
||||||
# Update /etc/shadow and /etc/passwd
|
# Update /etc/shadow and /etc/passwd
|
||||||
file_type_auto_trans(passwd_t, etc_t, shadow_t, file)
|
|
||||||
allow passwd_t { etc_t shadow_t }:file { relabelfrom relabelto };
|
allow passwd_t { etc_t shadow_t }:file { relabelfrom relabelto };
|
||||||
|
|
||||||
allow passwd_t unpriv_userdomain:fd use;
|
allow passwd_t unpriv_userdomain:fd use;
|
||||||
@ -432,6 +434,8 @@ miscfiles_read_localization(sysadm_passwd_t)
|
|||||||
|
|
||||||
logging_send_system_log_message(sysadm_passwd_t)
|
logging_send_system_log_message(sysadm_passwd_t)
|
||||||
|
|
||||||
|
authlogin_manage_shadow_passwords(sysadm_passwd_t)
|
||||||
|
|
||||||
ifdef(`TODO',`
|
ifdef(`TODO',`
|
||||||
role sysadm_r types sysadm_passwd_t;
|
role sysadm_r types sysadm_passwd_t;
|
||||||
domain_auto_trans(sysadm_t, admin_passwd_exec_t, sysadm_passwd_t)
|
domain_auto_trans(sysadm_t, admin_passwd_exec_t, sysadm_passwd_t)
|
||||||
@ -453,7 +457,6 @@ allow sysadm_passwd_t shell_exec_t:file execute;
|
|||||||
dontaudit sysadm_passwd_t { user_home_dir_type user_home_type }:dir search;
|
dontaudit sysadm_passwd_t { user_home_dir_type user_home_type }:dir search;
|
||||||
|
|
||||||
# Update /etc/shadow and /etc/passwd
|
# Update /etc/shadow and /etc/passwd
|
||||||
file_type_auto_trans(sysadm_passwd_t, etc_t, shadow_t, file)
|
|
||||||
allow sysadm_passwd_t { etc_t shadow_t }:file { relabelfrom relabelto };
|
allow sysadm_passwd_t { etc_t shadow_t }:file { relabelfrom relabelto };
|
||||||
|
|
||||||
# for vipw - vi looks in the root home directory for config
|
# for vipw - vi looks in the root home directory for config
|
||||||
|
|||||||
@ -7,7 +7,7 @@ policy_module(authlogin,1.0)
|
|||||||
# Declarations
|
# Declarations
|
||||||
#
|
#
|
||||||
|
|
||||||
type remote_login_t; #, privlog, auth_chkpwd, nscd_client_domain;
|
type remote_login_t; #, nscd_client_domain;
|
||||||
kernel_make_object_identity_change_constraint_exception(remote_login_t)
|
kernel_make_object_identity_change_constraint_exception(remote_login_t)
|
||||||
kernel_make_process_identity_change_constraint_exception(remote_login_t)
|
kernel_make_process_identity_change_constraint_exception(remote_login_t)
|
||||||
kernel_make_role_change_constraint_exception(remote_login_t)
|
kernel_make_role_change_constraint_exception(remote_login_t)
|
||||||
@ -68,9 +68,12 @@ files_read_general_application_resources(remote_login_t)
|
|||||||
libraries_use_dynamic_loader(remote_login_t)
|
libraries_use_dynamic_loader(remote_login_t)
|
||||||
libraries_read_shared_libraries(remote_login_t)
|
libraries_read_shared_libraries(remote_login_t)
|
||||||
|
|
||||||
|
logging_send_system_log_message(remote_login_t)
|
||||||
|
|
||||||
selinux_read_config(remote_login_t)
|
selinux_read_config(remote_login_t)
|
||||||
selinux_read_default_contexts(remote_login_t)
|
selinux_read_default_contexts(remote_login_t)
|
||||||
|
|
||||||
|
authlogin_check_password_transition(remote_login_t)
|
||||||
authlogin_ignore_read_shadow_passwords(remote_login_t)
|
authlogin_ignore_read_shadow_passwords(remote_login_t)
|
||||||
authlogin_modify_login_records(remote_login_t)
|
authlogin_modify_login_records(remote_login_t)
|
||||||
authlogin_modify_last_login_log(remote_login_t)
|
authlogin_modify_last_login_log(remote_login_t)
|
||||||
|
|||||||
@ -175,6 +175,41 @@ type shadow_t;
|
|||||||
class file { getattr read write };
|
class file { getattr read write };
|
||||||
')
|
')
|
||||||
|
|
||||||
|
#######################################
|
||||||
|
#
|
||||||
|
# authlogin_manage_shadow_passwords(domain)
|
||||||
|
#
|
||||||
|
define(`authlogin_manage_shadow_passwords',`
|
||||||
|
requires_block_template(`$0'_depend)
|
||||||
|
files_create_private_config($1,shadow_t,file)
|
||||||
|
allow $1 shadow_t:file { create ioctl read getattr lock write setattr append link unlink rename };
|
||||||
|
typeattribute $1 can_read_shadow_passwords;
|
||||||
|
typeattribute $1 can_write_shadow_passwords;
|
||||||
|
')
|
||||||
|
|
||||||
|
define(`authlogin_manage_shadow_passwords_depend',`
|
||||||
|
attribute can_read_shadow_passwords;
|
||||||
|
attribute can_write_shadow_passwords;
|
||||||
|
type shadow_t;
|
||||||
|
class file { create ioctl read getattr lock write setattr append link unlink rename };
|
||||||
|
')
|
||||||
|
|
||||||
|
#######################################
|
||||||
|
#
|
||||||
|
# authlogin_relabel_to_shadow_passwords(domain)
|
||||||
|
#
|
||||||
|
define(`authlogin_relabel_to_shadow_passwords',`
|
||||||
|
requires_block_template(`$0'_depend)
|
||||||
|
allow $1 shadow_t:file relabelto;
|
||||||
|
typeattribute $1 can_relabelto_shadow_passwords;
|
||||||
|
')
|
||||||
|
|
||||||
|
define(`authlogin_relabel_to_shadow_passwords_depend',`
|
||||||
|
attribute can_relabelto_shadow_passwords;
|
||||||
|
type shadow_t;
|
||||||
|
class file relabelto;
|
||||||
|
')
|
||||||
|
|
||||||
#######################################
|
#######################################
|
||||||
#
|
#
|
||||||
# authlogin_modify_last_login_log(domain)
|
# authlogin_modify_last_login_log(domain)
|
||||||
|
|||||||
@ -45,8 +45,10 @@ type shadow_t;
|
|||||||
files_make_file(shadow_t)
|
files_make_file(shadow_t)
|
||||||
attribute can_read_shadow_passwords;
|
attribute can_read_shadow_passwords;
|
||||||
attribute can_write_shadow_passwords;
|
attribute can_write_shadow_passwords;
|
||||||
|
attribute can_relabelto_shadow_passwords;
|
||||||
neverallow ~can_read_shadow_passwords shadow_t:file read;
|
neverallow ~can_read_shadow_passwords shadow_t:file read;
|
||||||
neverallow ~can_write_shadow_passwords shadow_t:file write;
|
neverallow ~can_write_shadow_passwords shadow_t:file { create write };
|
||||||
|
neverallow ~can_relabelto_shadow_passwords shadow_t:file relabelto;
|
||||||
|
|
||||||
type utempter_t; #, nscd_client_domain;
|
type utempter_t; #, nscd_client_domain;
|
||||||
domain_make_domain(utempter_t)
|
domain_make_domain(utempter_t)
|
||||||
|
|||||||
@ -7,7 +7,7 @@ policy_module(locallogin,1.0)
|
|||||||
# Declarations
|
# Declarations
|
||||||
#
|
#
|
||||||
|
|
||||||
type local_login_t; #, auth_chkpwd, nscd_client_domain;
|
type local_login_t; #, nscd_client_domain;
|
||||||
kernel_make_object_identity_change_constraint_exception(local_login_t)
|
kernel_make_object_identity_change_constraint_exception(local_login_t)
|
||||||
kernel_make_process_identity_change_constraint_exception(local_login_t)
|
kernel_make_process_identity_change_constraint_exception(local_login_t)
|
||||||
kernel_make_role_change_constraint_exception(local_login_t)
|
kernel_make_role_change_constraint_exception(local_login_t)
|
||||||
@ -83,6 +83,7 @@ logging_send_system_log_message(local_login_t)
|
|||||||
selinux_read_config(local_login_t)
|
selinux_read_config(local_login_t)
|
||||||
selinux_read_default_contexts(local_login_t)
|
selinux_read_default_contexts(local_login_t)
|
||||||
|
|
||||||
|
authlogin_check_password_transition(local_login_t)
|
||||||
authlogin_ignore_read_shadow_passwords(local_login_t)
|
authlogin_ignore_read_shadow_passwords(local_login_t)
|
||||||
authlogin_modify_login_records(local_login_t)
|
authlogin_modify_login_records(local_login_t)
|
||||||
authlogin_modify_last_login_log(local_login_t)
|
authlogin_modify_last_login_log(local_login_t)
|
||||||
|
|||||||
@ -38,10 +38,11 @@ role system_r types load_policy_t;
|
|||||||
type load_policy_exec_t;
|
type load_policy_exec_t;
|
||||||
domain_make_entrypoint_file(load_policy_t,load_policy_exec_t)
|
domain_make_entrypoint_file(load_policy_t,load_policy_exec_t)
|
||||||
|
|
||||||
type newrole_t; # , privlog, auth_chkpwd, nscd_client_domain, privfd, mlsfileread, mlsfilewrite, mlsfileupgrade, mlsfiledowngrade, mlsprocsetsl;
|
type newrole_t; # nscd_client_domain, mlsfileread, mlsfilewrite, mlsfileupgrade, mlsfiledowngrade, mlsprocsetsl;
|
||||||
kernel_make_role_change_constraint_exception(newrole_t)
|
kernel_make_role_change_constraint_exception(newrole_t)
|
||||||
kernel_make_object_identity_change_constraint_exception(newrole_t)
|
kernel_make_object_identity_change_constraint_exception(newrole_t)
|
||||||
domain_make_domain(newrole_t)
|
domain_make_domain(newrole_t)
|
||||||
|
domain_make_file_descriptors_widely_inheritable(newrole_t)
|
||||||
|
|
||||||
type newrole_exec_t;
|
type newrole_exec_t;
|
||||||
domain_make_entrypoint_file(newrole_t,newrole_exec_t)
|
domain_make_entrypoint_file(newrole_t,newrole_exec_t)
|
||||||
@ -63,13 +64,11 @@ neverallow ~can_write_binary_policy policy_config_t:file { write append };
|
|||||||
type policy_src_t;
|
type policy_src_t;
|
||||||
files_make_file(policy_src_t)
|
files_make_file(policy_src_t)
|
||||||
|
|
||||||
type restorecon_t, can_relabelto_binary_policy; #, auth_write, change_context;
|
type restorecon_t, can_relabelto_binary_policy;
|
||||||
kernel_make_object_identity_change_constraint_exception(restorecon_t)
|
|
||||||
domain_make_domain(restorecon_t)
|
|
||||||
role system_r types restorecon_t;
|
|
||||||
|
|
||||||
type restorecon_exec_t;
|
type restorecon_exec_t;
|
||||||
domain_make_entrypoint_file(restorecon_t,restorecon_exec_t)
|
kernel_make_object_identity_change_constraint_exception(restorecon_t)
|
||||||
|
domain_make_system_domain(restorecon_t,restorecon_exec_t)
|
||||||
|
role system_r types restorecon_t;
|
||||||
|
|
||||||
#
|
#
|
||||||
# selinux_config_t is the type applied to
|
# selinux_config_t is the type applied to
|
||||||
@ -78,7 +77,7 @@ domain_make_entrypoint_file(restorecon_t,restorecon_exec_t)
|
|||||||
type selinux_config_t;
|
type selinux_config_t;
|
||||||
files_make_file(selinux_config_t)
|
files_make_file(selinux_config_t)
|
||||||
|
|
||||||
type setfiles_t, can_relabelto_binary_policy; # privlog, auth_write, change_context;
|
type setfiles_t, can_relabelto_binary_policy;
|
||||||
kernel_make_object_identity_change_constraint_exception(setfiles_t)
|
kernel_make_object_identity_change_constraint_exception(setfiles_t)
|
||||||
domain_make_domain(setfiles_t)
|
domain_make_domain(setfiles_t)
|
||||||
role system_r types setfiles_t;
|
role system_r types setfiles_t;
|
||||||
@ -97,6 +96,10 @@ allow checkpolicy_t self:capability dac_override;
|
|||||||
allow checkpolicy_t policy_config_t:dir { read getattr lock search ioctl add_name remove_name write };
|
allow checkpolicy_t policy_config_t:dir { read getattr lock search ioctl add_name remove_name write };
|
||||||
allow checkpolicy_t policy_config_t:file { create ioctl read getattr lock write setattr append link unlink rename };
|
allow checkpolicy_t policy_config_t:file { create ioctl read getattr lock write setattr append link unlink rename };
|
||||||
|
|
||||||
|
# allow test policies to be created in src directories
|
||||||
|
allow checkpolicy_t policy_src_t:dir { getattr search read write add_name remove_name };
|
||||||
|
type_transition checkpolicy_t policy_src_t:file policy_config_t;
|
||||||
|
|
||||||
# only allow read of policy source files
|
# only allow read of policy source files
|
||||||
allow checkpolicy_t policy_src_t:dir { getattr search read };
|
allow checkpolicy_t policy_src_t:dir { getattr search read };
|
||||||
allow checkpolicy_t policy_src_t:{ file lnk_file } { getattr read };
|
allow checkpolicy_t policy_src_t:{ file lnk_file } { getattr read };
|
||||||
@ -118,9 +121,8 @@ libraries_read_shared_libraries(checkpolicy_t)
|
|||||||
ifdef(`TODO',`
|
ifdef(`TODO',`
|
||||||
role sysadm_r types checkpolicy_t;
|
role sysadm_r types checkpolicy_t;
|
||||||
domain_auto_trans(sysadm_t, checkpolicy_exec_t, checkpolicy_t)
|
domain_auto_trans(sysadm_t, checkpolicy_exec_t, checkpolicy_t)
|
||||||
|
allow checkpolicy_t admin_tty_type:chr_file { read write ioctl getattr };
|
||||||
# allow test policies to be created in src directories
|
allow checkpolicy_t sysadm_tmp_t:file { getattr write };
|
||||||
file_type_auto_trans(checkpolicy_t, policy_src_t, policy_config_t, file)
|
|
||||||
|
|
||||||
# directory search permissions for path to source and binary policy files
|
# directory search permissions for path to source and binary policy files
|
||||||
allow checkpolicy_t etc_t:dir search;
|
allow checkpolicy_t etc_t:dir search;
|
||||||
@ -128,11 +130,6 @@ allow checkpolicy_t etc_t:dir search;
|
|||||||
# Read the devpts root directory.
|
# Read the devpts root directory.
|
||||||
ifdef(`sshd.te',`allow checkpolicy_t sshd_devpts_t:dir r_dir_perms;')
|
ifdef(`sshd.te',`allow checkpolicy_t sshd_devpts_t:dir r_dir_perms;')
|
||||||
|
|
||||||
# Other access
|
|
||||||
allow checkpolicy_t admin_tty_type:chr_file { read write ioctl getattr };
|
|
||||||
|
|
||||||
allow checkpolicy_t sysadm_tmp_t:file { getattr write } ;
|
|
||||||
|
|
||||||
# Allow users to execute checkpolicy without a domain transition
|
# Allow users to execute checkpolicy without a domain transition
|
||||||
# so it can be used without privilege to write real binary policy file
|
# so it can be used without privilege to write real binary policy file
|
||||||
can_exec(unpriv_userdomain, checkpolicy_exec_t)
|
can_exec(unpriv_userdomain, checkpolicy_exec_t)
|
||||||
@ -180,16 +177,13 @@ miscfiles_read_localization(load_policy_t)
|
|||||||
ifdef(`TODO',`
|
ifdef(`TODO',`
|
||||||
role sysadm_r types load_policy_t;
|
role sysadm_r types load_policy_t;
|
||||||
domain_auto_trans(sysadm_t, load_policy_exec_t, load_policy_t)
|
domain_auto_trans(sysadm_t, load_policy_exec_t, load_policy_t)
|
||||||
|
allow load_policy_t sysadm_tmp_t:file { getattr write };
|
||||||
|
allow load_policy_t admin_tty_type:chr_file { read write ioctl getattr };
|
||||||
|
|
||||||
# directory search permissions for path to binary policy files
|
# directory search permissions for path to binary policy files
|
||||||
allow load_policy_t etc_t:dir search;
|
allow load_policy_t etc_t:dir search;
|
||||||
|
|
||||||
# Other access
|
|
||||||
allow load_policy_t admin_tty_type:chr_file { read write ioctl getattr };
|
|
||||||
|
|
||||||
allow load_policy_t userdomain:fd use;
|
allow load_policy_t userdomain:fd use;
|
||||||
|
|
||||||
allow load_policy_t sysadm_tmp_t:file { getattr write } ;
|
|
||||||
') dnl endif TODO
|
') dnl endif TODO
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@ -227,7 +221,8 @@ devices_get_pseudorandom_data(newrole_t)
|
|||||||
|
|
||||||
filesystem_get_persistent_filesystem_attributes(newrole_t)
|
filesystem_get_persistent_filesystem_attributes(newrole_t)
|
||||||
|
|
||||||
terminal_list_pseudoterminals(newrole_t)
|
terminal_use_all_users_physical_terminals(newrole_t)
|
||||||
|
terminal_use_all_users_pseudoterminals(newrole_t)
|
||||||
terminal_use_controlling_terminal(newrole_t)
|
terminal_use_controlling_terminal(newrole_t)
|
||||||
|
|
||||||
# Write to utmp.
|
# Write to utmp.
|
||||||
@ -240,8 +235,12 @@ files_read_general_system_config(newrole_t)
|
|||||||
libraries_use_dynamic_loader(newrole_t)
|
libraries_use_dynamic_loader(newrole_t)
|
||||||
libraries_read_shared_libraries(newrole_t)
|
libraries_read_shared_libraries(newrole_t)
|
||||||
|
|
||||||
|
logging_send_system_log_message(newrole_t)
|
||||||
|
|
||||||
miscfiles_read_localization(newrole_t)
|
miscfiles_read_localization(newrole_t)
|
||||||
|
|
||||||
|
authlogin_check_password_transition(newrole_t)
|
||||||
|
|
||||||
ifdef(`TODO',`
|
ifdef(`TODO',`
|
||||||
in_user_role(newrole_t)
|
in_user_role(newrole_t)
|
||||||
role sysadm_r types newrole_t;
|
role sysadm_r types newrole_t;
|
||||||
@ -261,7 +260,6 @@ allow newrole_t sbin_t:dir r_dir_perms;
|
|||||||
# Execute shells
|
# Execute shells
|
||||||
allow newrole_t bin_t:dir r_dir_perms;
|
allow newrole_t bin_t:dir r_dir_perms;
|
||||||
allow newrole_t bin_t:lnk_file read;
|
allow newrole_t bin_t:lnk_file read;
|
||||||
allow newrole_t shell_exec_t:file r_file_perms;
|
|
||||||
|
|
||||||
# Allow newrole_t to transition to user domains.
|
# Allow newrole_t to transition to user domains.
|
||||||
bool secure_mode false;
|
bool secure_mode false;
|
||||||
@ -276,14 +274,9 @@ if(!secure_mode)
|
|||||||
allow newrole_t var_t:dir r_dir_perms;
|
allow newrole_t var_t:dir r_dir_perms;
|
||||||
allow newrole_t var_t:notdevfile_class_set r_file_perms;
|
allow newrole_t var_t:notdevfile_class_set r_file_perms;
|
||||||
|
|
||||||
# Read /dev directories and any symbolic links.
|
|
||||||
allow newrole_t device_t:dir r_dir_perms;
|
|
||||||
|
|
||||||
# Relabel terminals.
|
# Relabel terminals.
|
||||||
allow newrole_t { ttyfile ptyfile }:chr_file { relabelfrom relabelto };
|
allow newrole_t { ttyfile ptyfile }:chr_file { relabelfrom relabelto };
|
||||||
|
|
||||||
# Access terminals.
|
|
||||||
allow newrole_t { ttyfile ptyfile }:chr_file rw_file_perms;
|
|
||||||
ifdef(`gnome-pty-helper.te', `allow newrole_t gphdomain:fd use;')
|
ifdef(`gnome-pty-helper.te', `allow newrole_t gphdomain:fd use;')
|
||||||
|
|
||||||
# for some PAM modules and for cwd
|
# for some PAM modules and for cwd
|
||||||
@ -340,11 +333,11 @@ files_read_all_directories(restorecon_t)
|
|||||||
kernel_relabel_unlabeled_object(restorecon_t)
|
kernel_relabel_unlabeled_object(restorecon_t)
|
||||||
devices_manage_all_devices_labels(restorecon_t)
|
devices_manage_all_devices_labels(restorecon_t)
|
||||||
files_manage_all_files_labels(restorecon_t)
|
files_manage_all_files_labels(restorecon_t)
|
||||||
|
# this is to satisfy the assertion:
|
||||||
|
authlogin_relabel_to_shadow_passwords(restorecon_t)
|
||||||
|
|
||||||
ifdef(`TODO',`
|
ifdef(`TODO',`
|
||||||
allow restorecon_t admin_tty_type:chr_file { read write ioctl };
|
allow restorecon_t admin_tty_type:chr_file { read write ioctl };
|
||||||
|
|
||||||
domain_auto_trans(initrc_t, restorecon_exec_t, restorecon_t)
|
|
||||||
domain_audo_trans(sysadm_t, restorecon_exec_t, restorecon_t)
|
domain_audo_trans(sysadm_t, restorecon_exec_t, restorecon_t)
|
||||||
role sysadm_r types restorecon_t;
|
role sysadm_r types restorecon_t;
|
||||||
allow restorecon_t userdomain:fd use;
|
allow restorecon_t userdomain:fd use;
|
||||||
@ -410,6 +403,8 @@ files_read_all_directories(setfiles_t)
|
|||||||
kernel_relabel_unlabeled_object(setfiles_t)
|
kernel_relabel_unlabeled_object(setfiles_t)
|
||||||
devices_manage_all_devices_labels(setfiles_t)
|
devices_manage_all_devices_labels(setfiles_t)
|
||||||
files_manage_all_files_labels(setfiles_t)
|
files_manage_all_files_labels(setfiles_t)
|
||||||
|
# this is to satisfy the assertion:
|
||||||
|
authlogin_relabel_to_shadow_passwords(setfiles_t)
|
||||||
|
|
||||||
ifdef(`TODO',`
|
ifdef(`TODO',`
|
||||||
|
|
||||||
|
|||||||
@ -38,10 +38,11 @@ role system_r types load_policy_t;
|
|||||||
type load_policy_exec_t;
|
type load_policy_exec_t;
|
||||||
domain_make_entrypoint_file(load_policy_t,load_policy_exec_t)
|
domain_make_entrypoint_file(load_policy_t,load_policy_exec_t)
|
||||||
|
|
||||||
type newrole_t; # , privlog, auth_chkpwd, nscd_client_domain, privfd, mlsfileread, mlsfilewrite, mlsfileupgrade, mlsfiledowngrade, mlsprocsetsl;
|
type newrole_t; # nscd_client_domain, mlsfileread, mlsfilewrite, mlsfileupgrade, mlsfiledowngrade, mlsprocsetsl;
|
||||||
kernel_make_role_change_constraint_exception(newrole_t)
|
kernel_make_role_change_constraint_exception(newrole_t)
|
||||||
kernel_make_object_identity_change_constraint_exception(newrole_t)
|
kernel_make_object_identity_change_constraint_exception(newrole_t)
|
||||||
domain_make_domain(newrole_t)
|
domain_make_domain(newrole_t)
|
||||||
|
domain_make_file_descriptors_widely_inheritable(newrole_t)
|
||||||
|
|
||||||
type newrole_exec_t;
|
type newrole_exec_t;
|
||||||
domain_make_entrypoint_file(newrole_t,newrole_exec_t)
|
domain_make_entrypoint_file(newrole_t,newrole_exec_t)
|
||||||
@ -63,13 +64,11 @@ neverallow ~can_write_binary_policy policy_config_t:file { write append };
|
|||||||
type policy_src_t;
|
type policy_src_t;
|
||||||
files_make_file(policy_src_t)
|
files_make_file(policy_src_t)
|
||||||
|
|
||||||
type restorecon_t, can_relabelto_binary_policy; #, auth_write, change_context;
|
type restorecon_t, can_relabelto_binary_policy;
|
||||||
kernel_make_object_identity_change_constraint_exception(restorecon_t)
|
|
||||||
domain_make_domain(restorecon_t)
|
|
||||||
role system_r types restorecon_t;
|
|
||||||
|
|
||||||
type restorecon_exec_t;
|
type restorecon_exec_t;
|
||||||
domain_make_entrypoint_file(restorecon_t,restorecon_exec_t)
|
kernel_make_object_identity_change_constraint_exception(restorecon_t)
|
||||||
|
domain_make_system_domain(restorecon_t,restorecon_exec_t)
|
||||||
|
role system_r types restorecon_t;
|
||||||
|
|
||||||
#
|
#
|
||||||
# selinux_config_t is the type applied to
|
# selinux_config_t is the type applied to
|
||||||
@ -78,7 +77,7 @@ domain_make_entrypoint_file(restorecon_t,restorecon_exec_t)
|
|||||||
type selinux_config_t;
|
type selinux_config_t;
|
||||||
files_make_file(selinux_config_t)
|
files_make_file(selinux_config_t)
|
||||||
|
|
||||||
type setfiles_t, can_relabelto_binary_policy; # privlog, auth_write, change_context;
|
type setfiles_t, can_relabelto_binary_policy;
|
||||||
kernel_make_object_identity_change_constraint_exception(setfiles_t)
|
kernel_make_object_identity_change_constraint_exception(setfiles_t)
|
||||||
domain_make_domain(setfiles_t)
|
domain_make_domain(setfiles_t)
|
||||||
role system_r types setfiles_t;
|
role system_r types setfiles_t;
|
||||||
@ -97,6 +96,10 @@ allow checkpolicy_t self:capability dac_override;
|
|||||||
allow checkpolicy_t policy_config_t:dir { read getattr lock search ioctl add_name remove_name write };
|
allow checkpolicy_t policy_config_t:dir { read getattr lock search ioctl add_name remove_name write };
|
||||||
allow checkpolicy_t policy_config_t:file { create ioctl read getattr lock write setattr append link unlink rename };
|
allow checkpolicy_t policy_config_t:file { create ioctl read getattr lock write setattr append link unlink rename };
|
||||||
|
|
||||||
|
# allow test policies to be created in src directories
|
||||||
|
allow checkpolicy_t policy_src_t:dir { getattr search read write add_name remove_name };
|
||||||
|
type_transition checkpolicy_t policy_src_t:file policy_config_t;
|
||||||
|
|
||||||
# only allow read of policy source files
|
# only allow read of policy source files
|
||||||
allow checkpolicy_t policy_src_t:dir { getattr search read };
|
allow checkpolicy_t policy_src_t:dir { getattr search read };
|
||||||
allow checkpolicy_t policy_src_t:{ file lnk_file } { getattr read };
|
allow checkpolicy_t policy_src_t:{ file lnk_file } { getattr read };
|
||||||
@ -118,9 +121,8 @@ libraries_read_shared_libraries(checkpolicy_t)
|
|||||||
ifdef(`TODO',`
|
ifdef(`TODO',`
|
||||||
role sysadm_r types checkpolicy_t;
|
role sysadm_r types checkpolicy_t;
|
||||||
domain_auto_trans(sysadm_t, checkpolicy_exec_t, checkpolicy_t)
|
domain_auto_trans(sysadm_t, checkpolicy_exec_t, checkpolicy_t)
|
||||||
|
allow checkpolicy_t admin_tty_type:chr_file { read write ioctl getattr };
|
||||||
# allow test policies to be created in src directories
|
allow checkpolicy_t sysadm_tmp_t:file { getattr write };
|
||||||
file_type_auto_trans(checkpolicy_t, policy_src_t, policy_config_t, file)
|
|
||||||
|
|
||||||
# directory search permissions for path to source and binary policy files
|
# directory search permissions for path to source and binary policy files
|
||||||
allow checkpolicy_t etc_t:dir search;
|
allow checkpolicy_t etc_t:dir search;
|
||||||
@ -128,11 +130,6 @@ allow checkpolicy_t etc_t:dir search;
|
|||||||
# Read the devpts root directory.
|
# Read the devpts root directory.
|
||||||
ifdef(`sshd.te',`allow checkpolicy_t sshd_devpts_t:dir r_dir_perms;')
|
ifdef(`sshd.te',`allow checkpolicy_t sshd_devpts_t:dir r_dir_perms;')
|
||||||
|
|
||||||
# Other access
|
|
||||||
allow checkpolicy_t admin_tty_type:chr_file { read write ioctl getattr };
|
|
||||||
|
|
||||||
allow checkpolicy_t sysadm_tmp_t:file { getattr write } ;
|
|
||||||
|
|
||||||
# Allow users to execute checkpolicy without a domain transition
|
# Allow users to execute checkpolicy without a domain transition
|
||||||
# so it can be used without privilege to write real binary policy file
|
# so it can be used without privilege to write real binary policy file
|
||||||
can_exec(unpriv_userdomain, checkpolicy_exec_t)
|
can_exec(unpriv_userdomain, checkpolicy_exec_t)
|
||||||
@ -180,16 +177,13 @@ miscfiles_read_localization(load_policy_t)
|
|||||||
ifdef(`TODO',`
|
ifdef(`TODO',`
|
||||||
role sysadm_r types load_policy_t;
|
role sysadm_r types load_policy_t;
|
||||||
domain_auto_trans(sysadm_t, load_policy_exec_t, load_policy_t)
|
domain_auto_trans(sysadm_t, load_policy_exec_t, load_policy_t)
|
||||||
|
allow load_policy_t sysadm_tmp_t:file { getattr write };
|
||||||
|
allow load_policy_t admin_tty_type:chr_file { read write ioctl getattr };
|
||||||
|
|
||||||
# directory search permissions for path to binary policy files
|
# directory search permissions for path to binary policy files
|
||||||
allow load_policy_t etc_t:dir search;
|
allow load_policy_t etc_t:dir search;
|
||||||
|
|
||||||
# Other access
|
|
||||||
allow load_policy_t admin_tty_type:chr_file { read write ioctl getattr };
|
|
||||||
|
|
||||||
allow load_policy_t userdomain:fd use;
|
allow load_policy_t userdomain:fd use;
|
||||||
|
|
||||||
allow load_policy_t sysadm_tmp_t:file { getattr write } ;
|
|
||||||
') dnl endif TODO
|
') dnl endif TODO
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@ -227,7 +221,8 @@ devices_get_pseudorandom_data(newrole_t)
|
|||||||
|
|
||||||
filesystem_get_persistent_filesystem_attributes(newrole_t)
|
filesystem_get_persistent_filesystem_attributes(newrole_t)
|
||||||
|
|
||||||
terminal_list_pseudoterminals(newrole_t)
|
terminal_use_all_users_physical_terminals(newrole_t)
|
||||||
|
terminal_use_all_users_pseudoterminals(newrole_t)
|
||||||
terminal_use_controlling_terminal(newrole_t)
|
terminal_use_controlling_terminal(newrole_t)
|
||||||
|
|
||||||
# Write to utmp.
|
# Write to utmp.
|
||||||
@ -240,8 +235,12 @@ files_read_general_system_config(newrole_t)
|
|||||||
libraries_use_dynamic_loader(newrole_t)
|
libraries_use_dynamic_loader(newrole_t)
|
||||||
libraries_read_shared_libraries(newrole_t)
|
libraries_read_shared_libraries(newrole_t)
|
||||||
|
|
||||||
|
logging_send_system_log_message(newrole_t)
|
||||||
|
|
||||||
miscfiles_read_localization(newrole_t)
|
miscfiles_read_localization(newrole_t)
|
||||||
|
|
||||||
|
authlogin_check_password_transition(newrole_t)
|
||||||
|
|
||||||
ifdef(`TODO',`
|
ifdef(`TODO',`
|
||||||
in_user_role(newrole_t)
|
in_user_role(newrole_t)
|
||||||
role sysadm_r types newrole_t;
|
role sysadm_r types newrole_t;
|
||||||
@ -261,7 +260,6 @@ allow newrole_t sbin_t:dir r_dir_perms;
|
|||||||
# Execute shells
|
# Execute shells
|
||||||
allow newrole_t bin_t:dir r_dir_perms;
|
allow newrole_t bin_t:dir r_dir_perms;
|
||||||
allow newrole_t bin_t:lnk_file read;
|
allow newrole_t bin_t:lnk_file read;
|
||||||
allow newrole_t shell_exec_t:file r_file_perms;
|
|
||||||
|
|
||||||
# Allow newrole_t to transition to user domains.
|
# Allow newrole_t to transition to user domains.
|
||||||
bool secure_mode false;
|
bool secure_mode false;
|
||||||
@ -276,14 +274,9 @@ if(!secure_mode)
|
|||||||
allow newrole_t var_t:dir r_dir_perms;
|
allow newrole_t var_t:dir r_dir_perms;
|
||||||
allow newrole_t var_t:notdevfile_class_set r_file_perms;
|
allow newrole_t var_t:notdevfile_class_set r_file_perms;
|
||||||
|
|
||||||
# Read /dev directories and any symbolic links.
|
|
||||||
allow newrole_t device_t:dir r_dir_perms;
|
|
||||||
|
|
||||||
# Relabel terminals.
|
# Relabel terminals.
|
||||||
allow newrole_t { ttyfile ptyfile }:chr_file { relabelfrom relabelto };
|
allow newrole_t { ttyfile ptyfile }:chr_file { relabelfrom relabelto };
|
||||||
|
|
||||||
# Access terminals.
|
|
||||||
allow newrole_t { ttyfile ptyfile }:chr_file rw_file_perms;
|
|
||||||
ifdef(`gnome-pty-helper.te', `allow newrole_t gphdomain:fd use;')
|
ifdef(`gnome-pty-helper.te', `allow newrole_t gphdomain:fd use;')
|
||||||
|
|
||||||
# for some PAM modules and for cwd
|
# for some PAM modules and for cwd
|
||||||
@ -340,11 +333,11 @@ files_read_all_directories(restorecon_t)
|
|||||||
kernel_relabel_unlabeled_object(restorecon_t)
|
kernel_relabel_unlabeled_object(restorecon_t)
|
||||||
devices_manage_all_devices_labels(restorecon_t)
|
devices_manage_all_devices_labels(restorecon_t)
|
||||||
files_manage_all_files_labels(restorecon_t)
|
files_manage_all_files_labels(restorecon_t)
|
||||||
|
# this is to satisfy the assertion:
|
||||||
|
authlogin_relabel_to_shadow_passwords(restorecon_t)
|
||||||
|
|
||||||
ifdef(`TODO',`
|
ifdef(`TODO',`
|
||||||
allow restorecon_t admin_tty_type:chr_file { read write ioctl };
|
allow restorecon_t admin_tty_type:chr_file { read write ioctl };
|
||||||
|
|
||||||
domain_auto_trans(initrc_t, restorecon_exec_t, restorecon_t)
|
|
||||||
domain_audo_trans(sysadm_t, restorecon_exec_t, restorecon_t)
|
domain_audo_trans(sysadm_t, restorecon_exec_t, restorecon_t)
|
||||||
role sysadm_r types restorecon_t;
|
role sysadm_r types restorecon_t;
|
||||||
allow restorecon_t userdomain:fd use;
|
allow restorecon_t userdomain:fd use;
|
||||||
@ -410,6 +403,8 @@ files_read_all_directories(setfiles_t)
|
|||||||
kernel_relabel_unlabeled_object(setfiles_t)
|
kernel_relabel_unlabeled_object(setfiles_t)
|
||||||
devices_manage_all_devices_labels(setfiles_t)
|
devices_manage_all_devices_labels(setfiles_t)
|
||||||
files_manage_all_files_labels(setfiles_t)
|
files_manage_all_files_labels(setfiles_t)
|
||||||
|
# this is to satisfy the assertion:
|
||||||
|
authlogin_relabel_to_shadow_passwords(setfiles_t)
|
||||||
|
|
||||||
ifdef(`TODO',`
|
ifdef(`TODO',`
|
||||||
|
|
||||||
|
|||||||
Loading…
Reference in New Issue
Block a user