selinux-policy/targeted/macros/program/chkpwd_macros.te
2005-11-07 20:09:28 +00:00

70 lines
1.7 KiB
Plaintext

#
# Macros for chkpwd domains.
#
#
# chkpwd_domain(domain_prefix)
#
# Define a derived domain for the *_chkpwd program when executed
# by a user domain.
#
# The type declaration for the executable type for this program is
# provided separately in domains/program/su.te.
#
undefine(`chkpwd_domain')
ifdef(`chkpwd.te', `
define(`chkpwd_domain',`
# Derived domain based on the calling user domain and the program.
type $1_chkpwd_t, domain, privlog, nscd_client_domain, auth;
role $1_r types $1_chkpwd_t;
# is_selinux_enabled
allow $1_chkpwd_t proc_t:file read;
can_getcon($1_chkpwd_t)
authentication_domain($1_chkpwd_t)
ifelse($1, system, `
domain_auto_trans(auth_chkpwd, chkpwd_exec_t, system_chkpwd_t)
dontaudit system_chkpwd_t { user_tty_type tty_device_t }:chr_file rw_file_perms;
authentication_domain(auth_chkpwd)
', `
domain_auto_trans($1_t, chkpwd_exec_t, $1_chkpwd_t)
# Write to the user domain tty.
access_terminal($1_chkpwd_t, $1)
allow $1_chkpwd_t privfd:fd use;
# Inherit and use descriptors from gnome-pty-helper.
ifdef(`gnome-pty-helper.te',`allow $1_chkpwd_t $1_gph_t:fd use;')
# Inherit and use descriptors from newrole.
ifdef(`newrole.te', `allow $1_chkpwd_t newrole_t:fd use;')
')
uses_shlib($1_chkpwd_t)
allow $1_chkpwd_t etc_t:file { getattr read };
allow $1_chkpwd_t self:unix_dgram_socket create_socket_perms;
allow $1_chkpwd_t self:unix_stream_socket create_socket_perms;
read_locale($1_chkpwd_t)
# Use capabilities.
allow $1_chkpwd_t self:capability setuid;
r_dir_file($1_chkpwd_t, selinux_config_t)
# for nscd
ifdef(`nscd.te', `', `
dontaudit $1_chkpwd_t var_t:dir search;
')
dontaudit $1_chkpwd_t fs_t:filesystem getattr;
')
', `
define(`chkpwd_domain',`')
')