policy_module(authlogin,1.2.1) ######################################## # # Declarations # attribute can_read_shadow_passwords; attribute can_write_shadow_passwords; attribute can_relabelto_shadow_passwords; type chkpwd_exec_t; files_type(chkpwd_exec_t) type faillog_t; logging_log_file(faillog_t) type lastlog_t; logging_log_file(lastlog_t) # real declaration moved to mls until # range_transition works in loadable modules gen_require(` type login_exec_t; ') files_type(login_exec_t) type pam_console_t; type pam_console_exec_t; init_system_domain(pam_console_t,pam_console_exec_t) role system_r types pam_console_t; type pam_t; domain_type(pam_t) role system_r types pam_t; type pam_exec_t; domain_entry_file(pam_t,pam_exec_t) type pam_tmp_t; files_tmp_file(pam_tmp_t) type pam_var_console_t; files_type(pam_var_console_t) type pam_var_run_t; files_pid_file(pam_var_run_t) type shadow_t; files_security_file(shadow_t) neverallow ~can_read_shadow_passwords shadow_t:file read; neverallow ~can_write_shadow_passwords shadow_t:file { create write }; neverallow ~can_relabelto_shadow_passwords shadow_t:file relabelto; authlogin_common_auth_domain_template(system) role system_r types system_chkpwd_t; type utempter_t; domain_type(utempter_t) type utempter_exec_t; domain_entry_file(utempter_t,utempter_exec_t) # # var_auth_t is the type of /var/lib/auth, usually # used for auth data in pam_able # type var_auth_t; files_type(var_auth_t) type wtmp_t; logging_log_file(wtmp_t) ######################################## # # PAM local policy # allow pam_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; dontaudit pam_t self:capability sys_tty_config; allow pam_t self:fd use; allow pam_t self:fifo_file rw_file_perms; allow pam_t self:unix_dgram_socket create_socket_perms; allow pam_t self:unix_stream_socket rw_stream_socket_perms; allow pam_t self:unix_dgram_socket sendto; allow pam_t self:unix_stream_socket connectto; allow pam_t self:shm create_shm_perms; allow pam_t self:sem create_sem_perms; allow pam_t self:msgq create_msgq_perms; allow pam_t self:msg { send receive }; allow pam_t pam_var_run_t:dir { search getattr read write remove_name }; allow pam_t pam_var_run_t:file { getattr read unlink }; allow pam_t pam_tmp_t:dir create_dir_perms; allow pam_t pam_tmp_t:file create_file_perms; files_filetrans_tmp(pam_t, pam_tmp_t, { file dir }) kernel_read_system_state(pam_t) fs_search_auto_mountpoints(pam_t) term_use_all_user_ttys(pam_t) term_use_all_user_ptys(pam_t) init_dontaudit_rw_utmp(pam_t) files_read_etc_files(pam_t) files_list_pids(pam_t) libs_use_ld_so(pam_t) libs_use_shared_libs(pam_t) logging_send_syslog_msg(pam_t) userdom_use_unpriv_users_fd(pam_t) optional_policy(`locallogin',` locallogin_use_fd(pam_t) ') optional_policy(`nis',` nis_use_ypbind(pam_t) ') optional_policy(`nscd',` nscd_socket_use(pam_t) ') ######################################## # # PAM console local policy # allow pam_console_t self:capability { chown fowner fsetid }; dontaudit pam_console_t self:capability sys_tty_config; allow pam_console_t self:process { sigchld sigkill sigstop signull signal }; # for /var/run/console.lock checking allow pam_console_t pam_var_console_t:dir r_dir_perms;; allow pam_console_t pam_var_console_t:file r_file_perms; dontaudit pam_console_t pam_var_console_t:file write; allow pam_console_t pam_var_console_t:lnk_file { getattr read }; kernel_read_kernel_sysctls(pam_console_t) kernel_use_fd(pam_console_t) # Read /proc/meminfo kernel_read_system_state(pam_console_t) dev_read_sysfs(pam_console_t) dev_getattr_apm_bios_dev(pam_console_t) dev_setattr_apm_bios_dev(pam_console_t) dev_getattr_framebuffer_dev(pam_console_t) dev_setattr_framebuffer_dev(pam_console_t) dev_getattr_misc_dev(pam_console_t) dev_setattr_misc_dev(pam_console_t) dev_getattr_mouse_dev(pam_console_t) dev_setattr_mouse_dev(pam_console_t) dev_getattr_power_mgmt_dev(pam_console_t) dev_setattr_power_mgmt_dev(pam_console_t) dev_getattr_scanner_dev(pam_console_t) dev_setattr_scanner_dev(pam_console_t) dev_getattr_sound_dev(pam_console_t) dev_setattr_sound_dev(pam_console_t) dev_getattr_video_dev(pam_console_t) dev_setattr_video_dev(pam_console_t) dev_getattr_xserver_misc_dev(pam_console_t) dev_setattr_xserver_misc_dev(pam_console_t) fs_search_auto_mountpoints(pam_console_t) storage_getattr_fixed_disk_dev(pam_console_t) storage_setattr_fixed_disk_dev(pam_console_t) storage_getattr_removable_dev(pam_console_t) storage_setattr_removable_dev(pam_console_t) storage_getattr_scsi_generic_dev(pam_console_t) storage_setattr_scsi_generic_dev(pam_console_t) term_use_console(pam_console_t) term_setattr_console(pam_console_t) term_getattr_unallocated_ttys(pam_console_t) term_setattr_unallocated_ttys(pam_console_t) auth_use_nsswitch(pam_console_t) domain_use_interactive_fds(pam_console_t) files_read_etc_files(pam_console_t) files_search_pids(pam_console_t) files_list_mnt(pam_console_t) # read /etc/mtab files_read_etc_runtime_files(pam_console_t) init_use_fd(pam_console_t) init_use_script_ptys(pam_console_t) libs_use_ld_so(pam_console_t) libs_use_shared_libs(pam_console_t) logging_send_syslog_msg(pam_console_t) mls_file_read_up(pam_console_t) mls_file_write_down(pam_console_t) seutil_read_file_contexts(pam_console_t) userdom_dontaudit_use_unpriv_user_fds(pam_console_t) # cjp: with the old daemon_(base_)domain being broken up into # a daemon and system interface, this probably is not needed: ifdef(`direct_sysadm_daemon', ` userdom_dontaudit_use_sysadm_terms(pam_console_t) ') ifdef(`targeted_policy', ` term_dontaudit_use_unallocated_ttys(pam_console_t) term_dontaudit_use_generic_ptys(pam_console_t) files_dontaudit_read_root_files(pam_console_t) ') optional_policy(`gpm',` gpm_getattr_gpmctl(pam_console_t) gpm_setattr_gpmctl(pam_console_t) ') optional_policy(`hotplug',` hotplug_use_fd(pam_console_t) hotplug_dontaudit_search_config(pam_console_t) ') optional_policy(`nscd',` nscd_socket_use(pam_console_t) ') optional_policy(`selinuxutil',` seutil_sigchld_newrole(pam_console_t) ') optional_policy(`udev',` udev_read_db(pam_console_t) ') ifdef(`TODO',` ifdef(`xdm.te', ` allow pam_console_t xdm_var_run_t:file { getattr read }; ') ') dnl endif TODO ######################################## # # System check password local policy # allow system_chkpwd_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay }; allow system_chkpwd_t shadow_t:file { getattr read }; corecmd_search_sbin(system_chkpwd_t) domain_dontaudit_use_interactive_fds(system_chkpwd_t) term_dontaudit_use_unallocated_ttys(system_chkpwd_t) term_dontaudit_use_generic_ptys(system_chkpwd_t) userdom_dontaudit_use_unpriv_users_ttys(system_chkpwd_t) ######################################## # # Utempter local policy # allow utempter_t self:capability setgid; allow utempter_t self:unix_stream_socket create_stream_socket_perms; allow utempter_t wtmp_t:file rw_file_perms; dev_read_urand(utempter_t) term_getattr_all_user_ttys(utempter_t) term_getattr_all_user_ptys(utempter_t) term_dontaudit_use_all_user_ttys(utempter_t) term_dontaudit_use_all_user_ptys(utempter_t) term_dontaudit_use_ptmx(utempter_t) init_rw_utmp(utempter_t) files_read_etc_files(utempter_t) domain_use_interactive_fds(utempter_t) libs_use_ld_so(utempter_t) libs_use_shared_libs(utempter_t) logging_search_logs(utempter_t) # Allow utemper to write to /tmp/.xses-* userdom_write_unpriv_users_tmp_files(utempter_t) optional_policy(`nscd',` nscd_socket_use(utempter_t) ') ifdef(`TODO',` optional_policy(`xdm',` can_pipe_xdm(utempter_t) ') ')