selinux-policy/refpolicy/policy/modules/system/authlogin.te
2005-06-08 13:12:00 +00:00

312 lines
9.1 KiB
Plaintext

policy_module(authlogin,1.0)
########################################
#
# Declarations
#
attribute can_read_shadow_passwords;
attribute can_write_shadow_passwords;
attribute can_relabelto_shadow_passwords;
type chkpwd_exec_t;
files_make_file(chkpwd_exec_t)
type faillog_t;
logging_make_log_file(faillog_t)
type lastlog_t;
logging_make_log_file(lastlog_t)
type login_exec_t;
files_make_file(login_exec_t)
type pam_console_t;
type pam_console_exec_t;
init_make_system_domain(pam_console_t,pam_console_exec_t)
role system_r types pam_console_t;
domain_make_entrypoint_file(pam_console_t,pam_console_exec_t)
type pam_t; #, nscd_client_domain;
domain_make_domain(pam_t)
role system_r types pam_t;
type pam_exec_t;
domain_make_entrypoint_file(pam_t,pam_exec_t)
type pam_tmp_t;
files_make_temporary_file(pam_tmp_t)
type pam_var_console_t; #, nscd_client_domain
files_make_file(pam_var_console_t)
type pam_var_run_t;
files_make_daemon_runtime_file(pam_var_run_t)
type shadow_t;
files_make_file(shadow_t)
neverallow ~can_read_shadow_passwords shadow_t:file read;
neverallow ~can_write_shadow_passwords shadow_t:file { create write };
neverallow ~can_relabelto_shadow_passwords shadow_t:file relabelto;
type system_chkpwd_t, can_read_shadow_passwords; # , nscd_client_domain;
domain_make_domain(system_chkpwd_t)
domain_make_entrypoint_file(system_chkpwd_t,chkpwd_exec_t)
role system_r types system_chkpwd_t;
type utempter_t; #, nscd_client_domain;
domain_make_domain(utempter_t)
type utempter_exec_t;
domain_make_entrypoint_file(utempter_t,utempter_exec_t)
type wtmp_t;
logging_make_log_file(wtmp_t)
########################################
#
# PAM local policy
#
allow pam_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem dyntransition };
dontaudit pam_t self:capability sys_tty_config;
allow pam_t self:fd use;
allow pam_t self:fifo_file { read getattr lock ioctl write append };
allow pam_t self:unix_dgram_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown };
allow pam_t self:unix_stream_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown listen accept };
allow pam_t self:unix_dgram_socket sendto;
allow pam_t self:unix_stream_socket connectto;
allow pam_t self:shm { associate getattr setattr create destroy read write lock unix_read unix_write };
allow pam_t self:sem { associate getattr setattr create destroy read write unix_read unix_write };
allow pam_t self:msgq { associate getattr setattr create destroy read write enqueue unix_read unix_write };
allow pam_t self:msg { send receive };
allow pam_t pam_var_run_t:dir { search getattr read write remove_name };
allow pam_t pam_var_run_t:file { getattr read unlink };
allow pam_t pam_tmp_t:dir { create read getattr lock setattr ioctl link unlink rename search add_name remove_name reparent write rmdir };
allow pam_t pam_tmp_t:file { create ioctl read getattr lock write setattr append link unlink rename };
files_create_private_tmp_data(pam_t, pam_tmp_t, { file dir })
kernel_read_system_state(pam_t)
terminal_use_all_private_physical_terminals(pam_t)
terminal_use_all_private_pseudoterminals(pam_t)
init_script_ignore_modify_runtime_data(pam_t)
files_read_general_system_config(pam_t)
files_read_runtime_data_directory(pam_t)
libraries_use_dynamic_loader(pam_t)
libraries_use_shared_libraries(pam_t)
logging_send_system_log_message(pam_t)
userdomain_use_all_unprivileged_users_file_descriptors(pam_t)
optional_policy(`locallogin.te',`
locallogin_use_file_descriptors(pam_t)
')
ifdef(`TODO',`
can_ypbind(pam_t)
ifdef(`automount.te', `
allow pam_t autofs_t:dir { search getattr };
')
ifdef(`gnome-pty-helper.te', `allow pam_t gphdomain:fd use;')
') dnl endif TODO
########################################
#
# PAM console local policy
#
allow pam_console_t self:capability { chown fowner fsetid };
dontaudit pam_console_t self:capability sys_tty_config;
allow pam_console_t self:process { sigchld sigkill sigstop signull signal };
# for /var/run/console.lock checking
allow pam_console_t pam_var_console_t:dir { getattr read search };
allow pam_console_t pam_var_console_t:file { read getattr };
allow pam_console_t pam_var_console_t:lnk_file { getattr read };
kernel_read_kernel_sysctl(pam_console_t)
kernel_read_system_state(pam_console_t)
kernel_read_hardware_state(pam_console_t)
kernel_use_file_descriptors(pam_console_t)
# Allow to set attributes on /dev entries
storage_get_fixed_disk_attributes(pam_console_t)
storage_set_fixed_disk_attributes(pam_console_t)
storage_get_removable_device_attributes(pam_console_t)
storage_set_removable_device_attributes(pam_console_t)
terminal_use_console(pam_console_t)
terminal_get_general_physical_terminal_attributes(pam_console_t)
terminal_set_general_physical_terminal_attributes(pam_console_t)
init_use_file_descriptors(pam_console_t)
init_use_file_descriptors(pam_console_t)
init_script_use_pseudoterminal(pam_console_t)
domain_use_widely_inheritable_file_descriptors(pam_console_t)
files_read_general_system_config(pam_console_t)
files_search_runtime_data_directory(pam_console_t)
files_read_mnt_dir(pam_console_t)
libraries_use_dynamic_loader(pam_console_t)
libraries_use_shared_libraries(pam_console_t)
logging_send_system_log_message(pam_console_t)
selinux_read_file_contexts(pam_console_t)
userdomain_ignore_use_all_unprivileged_users_file_descriptors(pam_console_t)
ifdef(`direct_sysadm_daemon', `
userdomain_dontaudit_use_admin_terminals(pam_console_t)
')
ifdef(`targeted_policy', `
terminal_ignore_use_general_physical_terminal(pam_console_t)
terminal_ignore_use_general_pseudoterminal(pam_console_t)
files_ignore_read_rootfs_file(pam_console_t)
')
optional_policy(`hotplug.te', `
hotplug_use_file_descriptors(pam_console_t)
hotplug_ignore_search_config_directory(pam_console_t)
')
optional_policy(`selinux.te',`
selinux_newrole_sigchld(pam_console_t)
')
optional_policy(`udev.te', `
udev_read_database(pam_console_t)
')
ifdef(`TODO',`
optional_policy(`rhgb.te', `
allow pam_console_t rhgb_t:process sigchld;
allow pam_console_t rhgb_t:fd use;
allow pam_console_t rhgb_t:fifo_file { read write };
')
allow pam_console_t autofs_t:dir { search getattr };
allow pam_console_t {
framebuf_device_t
v4l_device_t
apm_bios_t
sound_device_t
misc_device_t
scanner_device_t
mouse_device_t
power_device_t
removable_device_t
scsi_generic_device_t
}:chr_file { getattr setattr };
ifdef(`gpm.te', `
allow pam_console_t gpmctl_t:sock_file { getattr setattr };
')
ifdef(`xdm.te', `
allow pam_console_t xdm_var_run_t:file { getattr read };
')
') dnl endif TODO
########################################
#
# System check password local policy
#
allow system_chkpwd_t self:capability setuid;
allow system_chkpwd_t self:process getattr;
allow system_chkpwd_t shadow_t:file { getattr read };
# is_selinux_enabled
kernel_read_system_state(system_chkpwd_t)
fs_ignore_get_persistent_fs_attributes(system_chkpwd_t)
terminal_use_general_physical_terminal(system_chkpwd_t)
files_read_general_system_config(system_chkpwd_t)
# for nscd
files_ignore_search_system_state_data_directory(system_chkpwd_t)
libraries_use_dynamic_loader(system_chkpwd_t)
libraries_use_shared_libraries(system_chkpwd_t)
logging_send_system_log_message(system_chkpwd_t)
miscfiles_read_localization(system_chkpwd_t)
selinux_read_config(system_chkpwd_t)
tunable_policy(`use_dns',`
allow system_chkpwd_t self:udp_socket { create ioctl read getattr write setattr append bind getopt setopt shutdown connect };
corenetwork_sendrecv_udp_on_all_interfaces(system_chkpwd_t)
corenetwork_sendrecv_raw_on_all_interfaces(system_chkpwd_t)
corenetwork_sendrecv_udp_on_all_nodes(system_chkpwd_t)
corenetwork_sendrecv_raw_on_all_nodes(system_chkpwd_t)
corenetwork_bind_udp_on_all_nodes(system_chkpwd_t)
corenetwork_sendrecv_udp_on_dns_port(system_chkpwd_t)
sysnetwork_read_network_config(system_chkpwd_t)
')
ifdef(`TODO',`
can_ypbind(system_chkpwd_t)
can_kerberos(system_chkpwd_t)
can_ldap(system_chkpwd_t)
dontaudit system_chkpwd_t user_tty_type:chr_file rw_file_perms;
') dnl end TODO
########################################
#
# Utempter local policy
#
allow utempter_t self:capability setgid;
allow utempter_t self:unix_stream_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown listen accept };
allow utempter_t wtmp_t:file { ioctl read getattr lock write append };
terminal_get_all_private_physical_terminal_attributes(utempter_t)
terminal_get_all_private_pseudoterminal_attributes(utempter_t)
terminal_ignore_use_all_private_physical_terminals(utempter_t)
terminal_ignore_use_all_private_pseudoterminals(utempter_t)
terminal_ignore_use_pseudoterminal_multiplexer(utempter_t)
init_script_modify_runtime_data(utempter_t)
files_read_general_system_config(utempter_t)
domain_use_widely_inheritable_file_descriptors(utempter_t)
libraries_use_dynamic_loader(utempter_t)
libraries_use_shared_libraries(utempter_t)
logging_search_system_log_directory(utempter_t)
ifdef(`TODO',`
# Allow utemper to write to /tmp/.xses-*
allow utempter_t user_tmpfile:file { getattr write append };
ifdef(`xdm.te', `
allow utempter_t xdm_t:fd use;
allow utempter_t xdm_t:fifo_file { write getattr };
')
') dnl endif TODO