80 lines
2.0 KiB
Plaintext
80 lines
2.0 KiB
Plaintext
#
|
|
# Macros for chkpwd domains.
|
|
#
|
|
|
|
#
|
|
# chkpwd_domain(domain_prefix)
|
|
#
|
|
# Define a derived domain for the *_chkpwd program when executed
|
|
# by a user domain.
|
|
#
|
|
# The type declaration for the executable type for this program is
|
|
# provided separately in domains/program/su.te.
|
|
#
|
|
undefine(`chkpwd_domain')
|
|
ifdef(`chkpwd.te', `
|
|
define(`chkpwd_domain',`
|
|
# Derived domain based on the calling user domain and the program.
|
|
type $1_chkpwd_t, domain, privlog, nscd_client_domain, auth;
|
|
|
|
# is_selinux_enabled
|
|
allow $1_chkpwd_t proc_t:file read;
|
|
can_getcon($1_chkpwd_t)
|
|
can_ypbind($1_chkpwd_t)
|
|
can_kerberos($1_chkpwd_t)
|
|
can_ldap($1_chkpwd_t)
|
|
can_resolve($1_chkpwd_t)
|
|
# Transition from the user domain to this domain.
|
|
ifelse($1, system, `
|
|
domain_auto_trans(auth_chkpwd, chkpwd_exec_t, system_chkpwd_t)
|
|
role system_r types system_chkpwd_t;
|
|
dontaudit auth_chkpwd shadow_t:file { getattr read };
|
|
allow auth_chkpwd sbin_t:dir search;
|
|
dontaudit $1_chkpwd_t { user_tty_type tty_device_t }:chr_file rw_file_perms;
|
|
can_ypbind(auth_chkpwd)
|
|
can_kerberos(auth_chkpwd)
|
|
can_ldap(auth_chkpwd)
|
|
can_resolve(auth_chkpwd)
|
|
', `
|
|
domain_auto_trans($1_t, chkpwd_exec_t, $1_chkpwd_t)
|
|
allow $1_t sbin_t:dir search;
|
|
|
|
# The user role is authorized for this domain.
|
|
role $1_r types $1_chkpwd_t;
|
|
|
|
# Write to the user domain tty.
|
|
access_terminal($1_chkpwd_t, $1)
|
|
|
|
allow $1_chkpwd_t privfd:fd use;
|
|
|
|
# Inherit and use descriptors from gnome-pty-helper.
|
|
ifdef(`gnome-pty-helper.te',`allow $1_chkpwd_t $1_gph_t:fd use;')
|
|
|
|
# Inherit and use descriptors from newrole.
|
|
ifdef(`newrole.te', `allow $1_chkpwd_t newrole_t:fd use;')
|
|
')
|
|
|
|
uses_shlib($1_chkpwd_t)
|
|
allow $1_chkpwd_t etc_t:file { getattr read };
|
|
allow $1_chkpwd_t self:unix_dgram_socket create_socket_perms;
|
|
allow $1_chkpwd_t self:unix_stream_socket create_socket_perms;
|
|
read_locale($1_chkpwd_t)
|
|
|
|
# Use capabilities.
|
|
allow $1_chkpwd_t self:capability setuid;
|
|
r_dir_file($1_chkpwd_t, selinux_config_t)
|
|
|
|
# for nscd
|
|
ifdef(`nscd.te', `', `
|
|
dontaudit $1_chkpwd_t var_t:dir search;
|
|
')
|
|
|
|
dontaudit $1_chkpwd_t fs_t:filesystem getattr;
|
|
')
|
|
|
|
', `
|
|
|
|
define(`chkpwd_domain',`')
|
|
|
|
')
|