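# authlogin policy module: types and local policy for the PAM helper
# (pam_t), pam_console (pam_console_t), the password checker
# (system_chkpwd_t) and utempter (utempter_t), plus the shadow_t type
# and the attributes that gate access to it.
#
# Keep quote characters out of comments placed inside ifdef,
# optional_policy and tunable_policy bodies: m4 still counts them there.
policy_module(authlogin,1.0)

########################################
#
# Declarations
#

# Attributes gating access to shadow_t. The neverallow rules below key
# on them, so a type must carry the matching attribute before an allow
# rule may grant it that access.
attribute can_read_shadow_passwords;
attribute can_write_shadow_passwords;
attribute can_relabelto_shadow_passwords;

type chkpwd_exec_t;
files_file_type(chkpwd_exec_t)

type faillog_t;
logging_log_file(faillog_t)

type lastlog_t;
logging_log_file(lastlog_t)

type login_exec_t;
files_file_type(login_exec_t)

type pam_console_t;
type pam_console_exec_t;
init_system_domain(pam_console_t,pam_console_exec_t)
role system_r types pam_console_t;
domain_entry_file(pam_console_t,pam_console_exec_t)

type pam_t; #, nscd_client_domain;
domain_type(pam_t)
role system_r types pam_t;

type pam_exec_t;
domain_entry_file(pam_t,pam_exec_t)

type pam_tmp_t;
files_tmp_file(pam_tmp_t)

type pam_var_console_t; #, nscd_client_domain
files_file_type(pam_var_console_t)

type pam_var_run_t;
files_pid_file(pam_var_run_t)

type shadow_t;
files_file_type(shadow_t)

# Compile-time assertions: an allow rule that gives a type lacking the
# attribute read, create/write or relabelto on shadow_t files makes the
# policy build fail.
# NOTE(review): only these permissions on the file class are asserted;
# append, setattr, unlink, rename and relabelfrom are not covered here.
# Confirm that is intended.
neverallow ~can_read_shadow_passwords shadow_t:file read;
neverallow ~can_write_shadow_passwords shadow_t:file { create write };
neverallow ~can_relabelto_shadow_passwords shadow_t:file relabelto;

# Declared with can_read_shadow_passwords so that the shadow_t read
# grant in its local policy passes the assertion above.
type system_chkpwd_t, can_read_shadow_passwords; # , nscd_client_domain;
domain_type(system_chkpwd_t)
domain_entry_file(system_chkpwd_t,chkpwd_exec_t)
role system_r types system_chkpwd_t;

type utempter_t; #, nscd_client_domain;
domain_type(utempter_t)

type utempter_exec_t;
domain_entry_file(utempter_t,utempter_exec_t)

type wtmp_t;
logging_log_file(wtmp_t)

########################################
#
# PAM local policy
#

# Complement set: every process permission on self except the listed
# ones is granted.
# NOTE(review): a permission added to the process class later would be
# granted implicitly; an explicit permission list would be tighter.
allow pam_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem dyntransition };
dontaudit pam_t self:capability sys_tty_config;

allow pam_t self:fd use;
allow pam_t self:fifo_file rw_file_perms;
allow pam_t self:unix_dgram_socket create_socket_perms;
allow pam_t self:unix_stream_socket rw_stream_socket_perms;
allow pam_t self:unix_dgram_socket sendto;
allow pam_t self:unix_stream_socket connectto;
allow pam_t self:shm create_shm_perms;
allow pam_t self:sem create_sem_perms;
allow pam_t self:msgq create_msgq_perms;
allow pam_t self:msg { send receive };

# pam_t may read and unlink files in pam_var_run_t but is not given
# create or write on them.
allow pam_t pam_var_run_t:dir { search getattr read write remove_name };
allow pam_t pam_var_run_t:file { getattr read unlink };

allow pam_t pam_tmp_t:dir create_dir_perms;
allow pam_t pam_tmp_t:file create_file_perms;
files_create_tmp_files(pam_t, pam_tmp_t, { file dir })

kernel_read_system_state(pam_t)

term_use_all_user_ttys(pam_t)
term_use_all_user_ptys(pam_t)

init_dontaudit_rw_script_pid(pam_t)

files_read_generic_etc_files(pam_t)
files_list_pids(pam_t)

libs_use_ld_so(pam_t)
libs_use_shared_libs(pam_t)

logging_send_syslog_msg(pam_t)

userdom_use_unpriv_users_fd(pam_t)

optional_policy(`locallogin.te',`
	locallogin_use_fd(pam_t)
')

# Compiled only when the TODO macro is defined.
ifdef(`TODO',`
can_ypbind(pam_t)
ifdef(`automount.te', `
allow pam_t autofs_t:dir { search getattr };
')
ifdef(`gnome-pty-helper.te', `allow pam_t gphdomain:fd use;')
') dnl endif TODO

########################################
#
# PAM console local policy
#

# chown, fowner and fsetid let pam_console_t change ownership and mode
# of files it does not own; the storage_setattr_* calls below extend
# that to fixed-disk and removable device nodes.
# NOTE(review): confirm setattr on fixed-disk nodes is still required.
allow pam_console_t self:capability { chown fowner fsetid };
dontaudit pam_console_t self:capability sys_tty_config;

allow pam_console_t self:process { sigchld sigkill sigstop signull signal };

# for /var/run/console.lock checking
allow pam_console_t pam_var_console_t:dir r_dir_perms;
allow pam_console_t pam_var_console_t:file r_file_perms;
allow pam_console_t pam_var_console_t:lnk_file r_file_perms;

kernel_read_kernel_sysctl(pam_console_t)
kernel_read_system_state(pam_console_t)
kernel_read_hardware_state(pam_console_t)
kernel_use_fd(pam_console_t)

# Allow to set attributes on /dev entries
storage_getattr_fixed_disk(pam_console_t)
storage_setattr_fixed_disk(pam_console_t)
storage_getattr_removable_device(pam_console_t)
storage_setattr_removable_device(pam_console_t)

term_use_console(pam_console_t)
term_getattr_unallocated_ttys(pam_console_t)
term_setattr_unallocated_ttys(pam_console_t)

init_use_fd(pam_console_t)
init_use_script_pty(pam_console_t)

domain_use_wide_inherit_fd(pam_console_t)

files_read_generic_etc_files(pam_console_t)
files_search_pids(pam_console_t)
files_list_mnt(pam_console_t)

libs_use_ld_so(pam_console_t)
libs_use_shared_libs(pam_console_t)

logging_send_syslog_msg(pam_console_t)

selinux_read_file_contexts(pam_console_t)

userdom_dontaudit_use_unpriv_user_fd(pam_console_t)

ifdef(`direct_sysadm_daemon', `
	userdom_dontaudit_use_sysadm_terms(pam_console_t)
')

ifdef(`targeted_policy', `
	term_dontaudit_use_unallocated_tty(pam_console_t)
	terminal_ignore_use_general_pseudoterminal(pam_console_t)
	files_dontaudit_read_root_file(pam_console_t)
')

optional_policy(`hotplug.te', `
	hotplug_use_fd(pam_console_t)
	hotplug_dontaudit_search_config(pam_console_t)
')

optional_policy(`selinux.te',`
	selinux_newrole_sigchld(pam_console_t)
')

optional_policy(`udev.te', `
	udev_read_db(pam_console_t)
')

# Compiled only when the TODO macro is defined.
ifdef(`TODO',`
optional_policy(`rhgb.te', `
allow pam_console_t rhgb_t:process sigchld;
allow pam_console_t rhgb_t:fd use;
allow pam_console_t rhgb_t:fifo_file { read write };
')
allow pam_console_t autofs_t:dir { search getattr };
allow pam_console_t { framebuf_device_t v4l_device_t apm_bios_t sound_device_t misc_device_t scanner_device_t mouse_device_t power_device_t removable_device_t scsi_generic_device_t }:chr_file { getattr setattr };
ifdef(`gpm.te', `
allow pam_console_t gpmctl_t:sock_file { getattr setattr };
')
ifdef(`xdm.te', `
allow pam_console_t xdm_var_run_t:file { getattr read };
')
') dnl endif TODO

########################################
#
# System check password local policy
#

# system_chkpwd_t holds the setuid capability and read-only access to
# shadow_t; no create, write or relabel permission on shadow_t is
# granted here.
allow system_chkpwd_t self:capability setuid;
allow system_chkpwd_t self:process getattr;

allow system_chkpwd_t shadow_t:file { getattr read };

# is_selinux_enabled
kernel_read_system_state(system_chkpwd_t)

fs_dontaudit_getattr_xattr_fs(system_chkpwd_t)

term_use_unallocated_tty(system_chkpwd_t)

files_read_generic_etc_files(system_chkpwd_t)
# for nscd
files_dontaudit_search_var(system_chkpwd_t)

libs_use_ld_so(system_chkpwd_t)
libs_use_shared_libs(system_chkpwd_t)

logging_send_syslog_msg(system_chkpwd_t)

miscfiles_read_localization(system_chkpwd_t)

selinux_read_config(system_chkpwd_t)

# With the use_dns tunable on, the domain that reads shadow_t also gets
# UDP sockets plus UDP and raw send/receive on all interfaces and nodes.
# NOTE(review): leave the tunable off unless the password checker needs
# name lookups, and confirm the raw-packet and bind-all-nodes grants are
# required for that.
tunable_policy(`use_dns',`
	allow system_chkpwd_t self:udp_socket create_socket_perms;
	corenet_udp_sendrecv_all_if(system_chkpwd_t)
	corenet_raw_sendrecv_all_if(system_chkpwd_t)
	corenet_udp_sendrecv_all_nodes(system_chkpwd_t)
	corenet_raw_sendrecv_all_nodes(system_chkpwd_t)
	corenet_udp_bind_all_nodes(system_chkpwd_t)
	corenet_udp_sendrecv_dns_port(system_chkpwd_t)
	sysnet_read_config(system_chkpwd_t)
')

# Compiled only when the TODO macro is defined.
ifdef(`TODO',`
can_ypbind(system_chkpwd_t)
can_kerberos(system_chkpwd_t)
can_ldap(system_chkpwd_t)
dontaudit system_chkpwd_t user_tty_type:chr_file rw_file_perms;
') dnl end TODO

########################################
#
# Utempter local policy
#

# utempter_t holds the setgid capability and may read and write wtmp_t
# files; user ttys and ptys get getattr only, with use attempts
# silenced by dontaudit.
allow utempter_t self:capability setgid;
allow utempter_t self:unix_stream_socket create_stream_socket_perms;

allow utempter_t wtmp_t:file rw_file_perms;

term_getattr_all_user_ttys(utempter_t)
term_getattr_all_user_ptys(utempter_t)
term_dontaudit_use_all_user_ttys(utempter_t)
term_dontaudit_use_all_user_ptys(utempter_t)
term_dontaudit_use_ptmx(utempter_t)

init_rw_script_pid(utempter_t)

files_read_generic_etc_files(utempter_t)

domain_use_wide_inherit_fd(utempter_t)

libs_use_ld_so(utempter_t)
libs_use_shared_libs(utempter_t)

logging_search_logs(utempter_t)

# Compiled only when the TODO macro is defined.
ifdef(`TODO',`
# Allow utemper to write to /tmp/.xses-*
allow utempter_t user_tmpfile:file { getattr write append };

ifdef(`xdm.te', `
allow utempter_t xdm_t:fd use;
allow utempter_t xdm_t:fifo_file { write getattr };
')
') dnl endif TODO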