# # Macros for chkpwd domains. # # # chkpwd_domain(domain_prefix) # # Define a derived domain for the *_chkpwd program when executed # by a user domain. # # The type declaration for the executable type for this program is # provided separately in domains/program/su.te. # undefine(`chkpwd_domain') ifdef(`chkpwd.te', ` define(`chkpwd_domain',` # Derived domain based on the calling user domain and the program. type $1_chkpwd_t, domain, privlog, nscd_client_domain, auth; # is_selinux_enabled allow $1_chkpwd_t proc_t:file read; can_getcon($1_chkpwd_t) can_ypbind($1_chkpwd_t) can_kerberos($1_chkpwd_t) can_ldap($1_chkpwd_t) can_resolve($1_chkpwd_t) # Transition from the user domain to this domain. ifelse($1, system, ` domain_auto_trans(auth_chkpwd, chkpwd_exec_t, system_chkpwd_t) role system_r types system_chkpwd_t; dontaudit auth_chkpwd shadow_t:file { getattr read }; allow auth_chkpwd sbin_t:dir search; dontaudit $1_chkpwd_t { user_tty_type tty_device_t }:chr_file rw_file_perms; can_ypbind(auth_chkpwd) can_kerberos(auth_chkpwd) can_ldap(auth_chkpwd) can_resolve(auth_chkpwd) ', ` domain_auto_trans($1_t, chkpwd_exec_t, $1_chkpwd_t) allow $1_t sbin_t:dir search; # The user role is authorized for this domain. role $1_r types $1_chkpwd_t; # Write to the user domain tty. access_terminal($1_chkpwd_t, $1) allow $1_chkpwd_t privfd:fd use; # Inherit and use descriptors from gnome-pty-helper. ifdef(`gnome-pty-helper.te',`allow $1_chkpwd_t $1_gph_t:fd use;') # Inherit and use descriptors from newrole. ifdef(`newrole.te', `allow $1_chkpwd_t newrole_t:fd use;') ') uses_shlib($1_chkpwd_t) allow $1_chkpwd_t etc_t:file { getattr read }; allow $1_chkpwd_t self:unix_dgram_socket create_socket_perms; allow $1_chkpwd_t self:unix_stream_socket create_socket_perms; read_locale($1_chkpwd_t) # Use capabilities. allow $1_chkpwd_t self:capability setuid; r_dir_file($1_chkpwd_t, selinux_config_t) # for nscd ifdef(`nscd.te', `', ` dontaudit $1_chkpwd_t var_t:dir search; ') dontaudit $1_chkpwd_t fs_t:filesystem getattr; ') ', ` define(`chkpwd_domain',`') ')