#DESC Passwd - Password utilities # # Authors: Stephen Smalley <sds@epoch.ncsc.mil> and Timothy Fraser # X-Debian-Packages: passwd # ################################# # # Rules for the passwd_t domain. # define(`base_passwd_domain', ` type $1_t, domain, privlog, $2; # for SSP allow $1_t urandom_device_t:chr_file read; allow $1_t self:process setrlimit; general_domain_access($1_t); uses_shlib($1_t); # Inherit and use descriptors from login. allow $1_t privfd:fd use; ifdef(`gnome-pty-helper.te', `allow $1_t gphdomain:fd use;') read_locale($1_t) allow $1_t fs_t:filesystem getattr; # allow checking if a shell is executable allow $1_t shell_exec_t:file execute; # Obtain contexts can_getsecurity($1_t) allow $1_t etc_t:file create_file_perms; # read /etc/mtab allow $1_t etc_runtime_t:file { getattr read }; # Allow etc_t symlinks for /etc/alternatives on Debian. allow $1_t etc_t:lnk_file read; # Use capabilities. allow $1_t self:capability { chown dac_override fsetid setuid setgid sys_resource }; # Access terminals. allow $1_t { ttyfile ptyfile }:chr_file rw_file_perms; allow $1_t devtty_t:chr_file rw_file_perms; dontaudit $1_t devpts_t:dir getattr; # /usr/bin/passwd asks for w access to utmp, but it will operate # correctly without it. Do not audit write denials to utmp. dontaudit $1_t initrc_var_run_t:file { read write }; # user generally runs this from their home directory, so do not audit a search # on user home dir dontaudit $1_t { user_home_dir_type user_home_type }:dir search; # When the wrong current passwd is entered, passwd, for some reason, # attempts to access /proc and /dev, but handles failure appropriately. So # do not audit those denials. dontaudit $1_t { proc_t device_t }:dir { search read }; allow $1_t device_t:dir getattr; read_sysctl($1_t) ') ################################# # # Rules for the passwd_t domain. # define(`passwd_domain', ` base_passwd_domain($1, `auth_write, privowner') # Update /etc/shadow and /etc/passwd file_type_auto_trans($1_t, etc_t, shadow_t, file) allow $1_t { etc_t shadow_t }:file { relabelfrom relabelto }; can_setfscreate($1_t) ') passwd_domain(passwd) passwd_domain(sysadm_passwd) base_passwd_domain(chfn, `auth_chkpwd, etc_writer, privowner') can_setfscreate(chfn_t) # can exec /sbin/unix_chkpwd allow chfn_t { bin_t sbin_t }:dir search; # uses unix_chkpwd for checking passwords dontaudit chfn_t shadow_t:file read; allow chfn_t etc_t:dir rw_dir_perms; allow chfn_t etc_t:file create_file_perms; allow chfn_t proc_t:file { getattr read }; allow chfn_t self:file write; in_user_role(passwd_t) in_user_role(chfn_t) role sysadm_r types passwd_t; role sysadm_r types sysadm_passwd_t; role sysadm_r types chfn_t; role system_r types passwd_t; role system_r types chfn_t; type admin_passwd_exec_t, file_type, sysadmfile; type passwd_exec_t, file_type, sysadmfile, exec_type; type chfn_exec_t, file_type, sysadmfile, exec_type; domain_auto_trans({ userdomain ifdef(`firstboot.te', `firstboot_t') }, passwd_exec_t, passwd_t) domain_auto_trans({ userdomain ifdef(`firstboot.te', `firstboot_t') }, chfn_exec_t, chfn_t) domain_auto_trans(sysadm_t, admin_passwd_exec_t, sysadm_passwd_t) dontaudit chfn_t var_t:dir search; ifdef(`crack.te', ` allow passwd_t var_t:dir search; dontaudit passwd_t var_run_t:dir search; allow passwd_t crack_db_t:dir r_dir_perms; allow passwd_t crack_db_t:file r_file_perms; ', ` dontaudit passwd_t var_t:dir search; ') # allow vipw to exec the editor allow sysadm_passwd_t { root_t bin_t sbin_t }:dir search; allow sysadm_passwd_t bin_t:lnk_file read; can_exec(sysadm_passwd_t, { shell_exec_t bin_t }) r_dir_file(sysadm_passwd_t, usr_t) # allow vipw to create temporary files under /var/tmp/vi.recover allow sysadm_passwd_t var_t:dir search; tmp_domain(sysadm_passwd) # for vipw - vi looks in the root home directory for config dontaudit sysadm_passwd_t sysadm_home_dir_t:dir { getattr search }; # for /etc/alternatives/vi allow sysadm_passwd_t etc_t:lnk_file read; # for nscd lookups dontaudit sysadm_passwd_t var_run_t:dir search; # for /proc/meminfo allow sysadm_passwd_t proc_t:file { getattr read }; dontaudit { chfn_t passwd_t sysadm_passwd_t } selinux_config_t:dir search; dontaudit sysadm_passwd_t devpts_t:dir search; # make sure that getcon succeeds allow passwd_t userdomain:dir search; allow passwd_t userdomain:file { getattr read }; allow passwd_t userdomain:process getattr; allow passwd_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay }; ifdef(`targeted_policy', ` role system_r types sysadm_passwd_t; ')