# # Macros for su domains. # # # Authors: Stephen Smalley and Timothy Fraser # # # su_domain(domain_prefix) # # Define a derived domain for the su program when executed # by a user domain. # # The type declaration for the executable type for this program is # provided separately in domains/program/su.te. # undefine(`su_restricted_domain') undefine(`su_mini_domain') undefine(`su_domain') ifdef(`su.te', ` define(`su_restricted_domain', ` # Derived domain based on the calling user domain and the program. type $1_su_t, domain, privlog, privrole, privuser, privowner, privfd, nscd_client_domain; # for SSP allow $1_su_t urandom_device_t:chr_file { getattr read }; # Transition from the user domain to this domain. domain_auto_trans($1_t, su_exec_t, $1_su_t) allow $1_su_t sbin_t:dir search; domain_auto_trans($1_su_t, chkpwd_exec_t, $2_chkpwd_t) uses_shlib($1_su_t) allow $1_su_t etc_t:file { getattr read }; read_locale($1_su_t) read_sysctl($1_su_t) allow $1_su_t self:unix_dgram_socket { connect create write }; allow $1_su_t self:unix_stream_socket create_stream_socket_perms; allow $1_su_t self:fifo_file rw_file_perms; allow $1_su_t proc_t:dir search; allow $1_su_t proc_t:lnk_file read; r_dir_file($1_su_t, self) allow $1_su_t proc_t:file read; allow $1_su_t self:process { setsched setrlimit }; allow $1_su_t device_t:dir search; allow $1_su_t self:process { fork sigchld }; can_ypbind($1_su_t) r_dir_file($1_su_t, selinux_config_t) dontaudit $1_su_t shadow_t:file { getattr read }; dontaudit $1_su_t home_root_t:dir search; dontaudit $1_su_t init_t:fd use; allow $1_su_t var_lib_t:dir search; allow $1_t $1_su_t:process signal; ifdef(`crond.te', ` allow $1_su_t crond_t:fifo_file read; ') # Use capabilities. allow $1_su_t self:capability { setuid setgid net_bind_service chown dac_override fowner sys_nice sys_resource }; dontaudit $1_su_t self:capability sys_tty_config; # # Caused by su - init scripts # dontaudit $1_su_t initrc_devpts_t:chr_file { getattr ioctl }; # By default, revert to the calling domain when a shell is executed. domain_auto_trans($1_su_t, shell_exec_t, $1_t) allow $1_su_t bin_t:dir search; allow $1_su_t bin_t:lnk_file read; # But also allow transitions to unprivileged user domains. domain_trans($1_su_t, shell_exec_t, unpriv_userdomain) can_setexec($1_su_t) # Get security decisions can_getsecurity($1_su_t) r_dir_file($1_su_t, default_context_t) allow $1_su_t privfd:fd use; # Write to utmp. allow $1_su_t { var_t var_run_t }:dir search; allow $1_su_t initrc_var_run_t:file rw_file_perms; can_kerberos($1_su_t) ') dnl end su_restricted_domain define(`su_mini_domain', ` su_restricted_domain($1,$1) if(!secure_mode) { # if we are not in secure mode then we can transition to sysadm_t domain_trans($1_su_t, shell_exec_t, sysadm_t) } # Relabel ttys and ptys. allow $1_su_t device_t:dir { getattr read search }; allow $1_su_t { ttyfile ptyfile }:chr_file { relabelfrom relabelto }; # Close and re-open ttys and ptys to get the fd into the correct domain. allow $1_su_t { ttyfile ptyfile }:chr_file { read write }; ')dnl end su_mini_domain define(`su_domain', ` su_mini_domain($1) ifdef(`chkpwd.te', ` # Run chkpwd. can_exec($1_su_t, chkpwd_exec_t) ') # Inherit and use descriptors from gnome-pty-helper. ifdef(`gnome-pty-helper.te', `allow $1_su_t $1_gph_t:fd use;') # The user role is authorized for this domain. role $1_r types $1_su_t; # Write to the user domain tty. access_terminal($1_su_t, $1) allow $1_su_t { home_root_t $1_home_dir_t }:dir search; allow $1_su_t $1_home_t:file create_file_perms; ifdef(`user_canbe_sysadm', ` allow $1_su_t home_dir_type:dir { search write }; ', ` dontaudit $1_su_t home_dir_type:dir { search write }; ') allow $1_su_t autofs_t:dir { search getattr }; if (use_nfs_home_dirs) { allow $1_su_t nfs_t:dir search; } if (use_samba_home_dirs) { allow $1_su_t cifs_t:dir search; } # Modify .Xauthority file (via xauth program). ifdef(`xauth.te', ` file_type_auto_trans($1_su_t, staff_home_dir_t, staff_xauth_home_t, file) file_type_auto_trans($1_su_t, user_home_dir_t, user_xauth_home_t, file) file_type_auto_trans($1_su_t, sysadm_home_dir_t, sysadm_xauth_home_t, file) domain_auto_trans($1_su_t, xauth_exec_t, $1_xauth_t) ') ifdef(`cyrus.te', ` allow $1_su_t cyrus_var_lib_t:dir search; ') ifdef(`ssh.te', ` # Access sshd cookie files. allow $1_su_t sshd_tmp_t:dir rw_dir_perms; allow $1_su_t sshd_tmp_t:file rw_file_perms; file_type_auto_trans($1_su_t, sshd_tmp_t, $1_tmp_t) ') allow $1_su_t var_lib_t:dir search; dontaudit $1_su_t init_t:fd use; ')dnl end su_domain ', ` define(`su_domain',`') ')