policy_module(authlogin,1.0) ######################################## # # Declarations # attribute can_read_shadow_passwords; attribute can_write_shadow_passwords; attribute can_relabelto_shadow_passwords; type chkpwd_exec_t; files_type(chkpwd_exec_t) type faillog_t; logging_log_file(faillog_t) type lastlog_t; logging_log_file(lastlog_t) type login_exec_t; files_type(login_exec_t) type pam_console_t; #, mlsfileread type pam_console_exec_t; init_system_domain(pam_console_t,pam_console_exec_t) role system_r types pam_console_t; domain_entry_file(pam_console_t,pam_console_exec_t) type pam_t; domain_type(pam_t) role system_r types pam_t; type pam_exec_t; domain_entry_file(pam_t,pam_exec_t) type pam_tmp_t; files_tmp_file(pam_tmp_t) type pam_var_console_t; files_type(pam_var_console_t) type pam_var_run_t; files_pid_file(pam_var_run_t) type shadow_t; files_type(shadow_t) neverallow ~can_read_shadow_passwords shadow_t:file read; neverallow ~can_write_shadow_passwords shadow_t:file { create write }; neverallow ~can_relabelto_shadow_passwords shadow_t:file relabelto; type system_chkpwd_t, can_read_shadow_passwords; domain_type(system_chkpwd_t) domain_entry_file(system_chkpwd_t,chkpwd_exec_t) role system_r types system_chkpwd_t; type utempter_t; domain_type(utempter_t) type utempter_exec_t; domain_entry_file(utempter_t,utempter_exec_t) type wtmp_t; logging_log_file(wtmp_t) ######################################## # # PAM local policy # allow pam_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; dontaudit pam_t self:capability sys_tty_config; allow pam_t self:fd use; allow pam_t self:fifo_file rw_file_perms; allow pam_t self:unix_dgram_socket create_socket_perms; allow pam_t self:unix_stream_socket rw_stream_socket_perms; allow pam_t self:unix_dgram_socket sendto; allow pam_t self:unix_stream_socket connectto; allow pam_t self:shm create_shm_perms; allow pam_t self:sem create_sem_perms; allow pam_t self:msgq create_msgq_perms; allow pam_t self:msg { send receive }; allow pam_t pam_var_run_t:dir { search getattr read write remove_name }; allow pam_t pam_var_run_t:file { getattr read unlink }; allow pam_t pam_tmp_t:dir create_dir_perms; allow pam_t pam_tmp_t:file create_file_perms; files_create_tmp_files(pam_t, pam_tmp_t, { file dir }) kernel_read_system_state(pam_t) fs_search_auto_mountpoints(pam_t) term_use_all_user_ttys(pam_t) term_use_all_user_ptys(pam_t) init_dontaudit_rw_script_pid(pam_t) files_read_etc_files(pam_t) files_list_pids(pam_t) libs_use_ld_so(pam_t) libs_use_shared_libs(pam_t) logging_send_syslog_msg(pam_t) userdom_use_unpriv_users_fd(pam_t) optional_policy(`locallogin.te',` locallogin_use_fd(pam_t) ') optional_policy(`nis.te',` nis_use_ypbind(pam_t) ') optional_policy(`nscd.te',` nscd_use_socket(pam_t) ') ifdef(`TODO',` ifdef(`gnome-pty-helper.te', `allow pam_t gphdomain:fd use;') ') dnl endif TODO ######################################## # # PAM console local policy # allow pam_console_t self:capability { chown fowner fsetid }; dontaudit pam_console_t self:capability sys_tty_config; allow pam_console_t self:process { sigchld sigkill sigstop signull signal }; # for /var/run/console.lock checking allow pam_console_t pam_var_console_t:dir r_dir_perms;; allow pam_console_t pam_var_console_t:file r_file_perms; allow pam_console_t pam_var_console_t:lnk_file r_file_perms; kernel_read_kernel_sysctl(pam_console_t) kernel_use_fd(pam_console_t) # Read /proc/meminfo kernel_read_system_state(pam_console_t) dev_read_sysfs(pam_console_t) dev_getattr_apm_bios(pam_console_t) dev_setattr_apm_bios(pam_console_t) dev_getattr_framebuffer(pam_console_t) dev_setattr_framebuffer(pam_console_t) dev_getattr_misc(pam_console_t) dev_setattr_misc(pam_console_t) dev_getattr_mouse(pam_console_t) dev_setattr_mouse(pam_console_t) dev_getattr_power_management(pam_console_t) dev_setattr_power_management(pam_console_t) dev_getattr_scanner(pam_console_t) dev_setattr_scanner(pam_console_t) dev_getattr_snd_dev(pam_console_t) dev_setattr_snd_dev(pam_console_t) dev_getattr_video_dev(pam_console_t) dev_setattr_video_dev(pam_console_t) fs_search_auto_mountpoints(pam_console_t) storage_getattr_fixed_disk(pam_console_t) storage_setattr_fixed_disk(pam_console_t) storage_getattr_removable_device(pam_console_t) storage_setattr_removable_device(pam_console_t) storage_getattr_scsi_generic(pam_console_t) storage_setattr_scsi_generic(pam_console_t) term_use_console(pam_console_t) term_setattr_console(pam_console_t) term_getattr_unallocated_ttys(pam_console_t) term_setattr_unallocated_ttys(pam_console_t) domain_use_wide_inherit_fd(pam_console_t) files_read_etc_files(pam_console_t) files_search_pids(pam_console_t) files_list_mnt(pam_console_t) # read /etc/mtab files_read_etc_runtime_files(pam_console_t) init_use_fd(pam_console_t) init_use_script_pty(pam_console_t) libs_use_ld_so(pam_console_t) libs_use_shared_libs(pam_console_t) logging_send_syslog_msg(pam_console_t) seutil_read_file_contexts(pam_console_t) userdom_dontaudit_use_unpriv_user_fd(pam_console_t) # cjp: with the old daemon_(base_)domain being broken up into # a daemon and system interface, this probably is not needed: ifdef(`direct_sysadm_daemon', ` userdom_dontaudit_use_sysadm_terms(pam_console_t) ') ifdef(`targeted_policy', ` term_dontaudit_use_unallocated_tty(pam_console_t) term_dontaudit_use_generic_pty(pam_console_t) files_dontaudit_read_root_file(pam_console_t) ') optional_policy(`gpm.te',` gpm_getattr_gpmctl(pam_console_t) gpm_setattr_gpmctl(pam_console_t) ') optional_policy(`hotplug.te', ` hotplug_use_fd(pam_console_t) hotplug_dontaudit_search_config(pam_console_t) ') optional_policy(`nscd.te',` nscd_use_socket(pam_console_t) ') optional_policy(`selinuxutil.te',` seutil_sigchld_newrole(pam_console_t) ') optional_policy(`udev.te', ` udev_read_db(pam_console_t) ') ifdef(`TODO',` optional_policy(`rhgb.te', ` rhgb_domain(pam_console_t) ') ifdef(`xdm.te', ` allow pam_console_t xdm_var_run_t:file { getattr read }; ') ') dnl endif TODO ######################################## # # System check password local policy # allow system_chkpwd_t self:capability setuid; allow system_chkpwd_t self:process getattr; allow system_chkpwd_t shadow_t:file { getattr read }; # is_selinux_enabled kernel_read_system_state(system_chkpwd_t) fs_dontaudit_getattr_xattr_fs(system_chkpwd_t) term_use_unallocated_tty(system_chkpwd_t) files_read_etc_files(system_chkpwd_t) # for nscd files_dontaudit_search_var(system_chkpwd_t) libs_use_ld_so(system_chkpwd_t) libs_use_shared_libs(system_chkpwd_t) logging_send_syslog_msg(system_chkpwd_t) miscfiles_read_localization(system_chkpwd_t) seutil_read_config(system_chkpwd_t) userdom_dontaudit_use_unpriv_user_tty(system_chkpwd_t) tunable_policy(`use_dns',` allow system_chkpwd_t self:udp_socket create_socket_perms; corenet_udp_sendrecv_all_if(system_chkpwd_t) corenet_raw_sendrecv_all_if(system_chkpwd_t) corenet_udp_sendrecv_all_nodes(system_chkpwd_t) corenet_raw_sendrecv_all_nodes(system_chkpwd_t) corenet_udp_bind_all_nodes(system_chkpwd_t) corenet_udp_sendrecv_dns_port(system_chkpwd_t) sysnet_read_config(system_chkpwd_t) ') optional_policy(`kerberos.te',` kerberos_use(system_chkpwd_t) ') optional_policy(`ldap.te',` allow system_chkpwd_t self:tcp_socket create_socket_perms; corenet_tcp_sendrecv_all_if(system_chkpwd_t) corenet_raw_sendrecv_all_if(system_chkpwd_t) corenet_tcp_sendrecv_all_nodes(system_chkpwd_t) corenet_raw_sendrecv_all_nodes(system_chkpwd_t) corenet_tcp_sendrecv_ldap_port(system_chkpwd_t) corenet_tcp_bind_all_nodes(system_chkpwd_t) sysnet_read_config(system_chkpwd_t) ') optional_policy(`nis.te',` nis_use_ypbind(system_chkpwd_t) ') optional_policy(`nscd.te',` nscd_use_socket(system_chkpwd_t) ') ######################################## # # Utempter local policy # allow utempter_t self:capability setgid; allow utempter_t self:unix_stream_socket create_stream_socket_perms; allow utempter_t wtmp_t:file rw_file_perms; term_getattr_all_user_ttys(utempter_t) term_getattr_all_user_ptys(utempter_t) term_dontaudit_use_all_user_ttys(utempter_t) term_dontaudit_use_all_user_ptys(utempter_t) term_dontaudit_use_ptmx(utempter_t) init_rw_script_pid(utempter_t) files_read_etc_files(utempter_t) domain_use_wide_inherit_fd(utempter_t) libs_use_ld_so(utempter_t) libs_use_shared_libs(utempter_t) logging_search_logs(utempter_t) # Allow utemper to write to /tmp/.xses-* userdom_write_unpriv_user_tmp(utempter_t) optional_policy(`nscd.te',` nscd_use_socket(utempter_t) ') ifdef(`TODO',` optional_policy(`xdm.te',` can_pipe_xdm(utempter_t) ') ')