235 lines
6.7 KiB
Plaintext
235 lines
6.7 KiB
Plaintext
#DESC Login - Local/remote login utilities
|
|
#
|
|
# Authors: Stephen Smalley <sds@epoch.ncsc.mil> and Timothy Fraser
|
|
# Macroised by Russell Coker <russell@coker.com.au>
|
|
# X-Debian-Packages: login
|
|
#
|
|
|
|
#################################
|
|
#
|
|
# Rules for the local_login_t domain
|
|
# and the remote_login_t domain.
|
|
#
|
|
|
|
# $1 is the name of the domain (local or remote)
|
|
define(`login_domain', `
|
|
type $1_login_t, domain, privuser, privrole, privlog, auth_chkpwd, privowner, privfd, nscd_client_domain, mlsfilewrite, mlsprocsetsl, mlsfileupgrade, mlsfiledowngrade;
|
|
role system_r types $1_login_t;
|
|
|
|
dontaudit $1_login_t shadow_t:file { getattr read };
|
|
|
|
general_domain_access($1_login_t);
|
|
|
|
# Read system information files in /proc.
|
|
r_dir_file($1_login_t, proc_t)
|
|
|
|
base_file_read_access($1_login_t)
|
|
|
|
# Read directories and files with the readable_t type.
|
|
# This type is a general type for "world"-readable files.
|
|
allow $1_login_t readable_t:dir r_dir_perms;
|
|
allow $1_login_t readable_t:notdevfile_class_set r_file_perms;
|
|
|
|
# Read /var, /var/spool
|
|
allow $1_login_t { var_t var_spool_t }:dir search;
|
|
|
|
# for when /var/mail is a sym-link
|
|
allow $1_login_t var_t:lnk_file read;
|
|
|
|
# Read /etc.
|
|
r_dir_file($1_login_t, etc_t)
|
|
allow $1_login_t etc_runtime_t:{ file lnk_file } r_file_perms;
|
|
|
|
read_locale($1_login_t)
|
|
|
|
# for SSP/ProPolice
|
|
allow $1_login_t urandom_device_t:chr_file { getattr read };
|
|
|
|
# Read executable types.
|
|
allow $1_login_t exec_type:{ file lnk_file } r_file_perms;
|
|
|
|
# Read /dev directories and any symbolic links.
|
|
allow $1_login_t device_t:dir r_dir_perms;
|
|
allow $1_login_t device_t:lnk_file r_file_perms;
|
|
|
|
uses_shlib($1_login_t);
|
|
|
|
tmp_domain($1_login)
|
|
|
|
ifdef(`pam.te', `
|
|
can_exec($1_login_t, pam_exec_t)
|
|
')
|
|
|
|
ifdef(`pamconsole.te', `
|
|
rw_dir_create_file($1_login_t, pam_var_console_t)
|
|
domain_auto_trans($1_login_t, pam_console_exec_t, pam_console_t)
|
|
')
|
|
|
|
ifdef(`alsa.te', `
|
|
domain_auto_trans($1_login_t, alsa_exec_t, alsa_t)
|
|
')
|
|
|
|
# Use capabilities
|
|
allow $1_login_t self:capability { dac_override chown fowner fsetid kill setgid setuid net_bind_service sys_nice sys_resource sys_tty_config };
|
|
allow $1_login_t self:process setrlimit;
|
|
dontaudit $1_login_t sysfs_t:dir search;
|
|
|
|
# Set exec context.
|
|
can_setexec($1_login_t)
|
|
|
|
allow $1_login_t autofs_t:dir { search read getattr };
|
|
allow $1_login_t mnt_t:dir r_dir_perms;
|
|
|
|
if (use_nfs_home_dirs) {
|
|
r_dir_file($1_login_t, nfs_t)
|
|
}
|
|
|
|
if (use_samba_home_dirs) {
|
|
r_dir_file($1_login_t, cifs_t)
|
|
}
|
|
|
|
# Login can polyinstantiate
|
|
polyinstantiater($1_login_t)
|
|
|
|
# FIXME: what is this for?
|
|
ifdef(`xdm.te', `
|
|
allow xdm_t $1_login_t:process signull;
|
|
')
|
|
|
|
ifdef(`crack.te', `
|
|
allow $1_login_t crack_db_t:file r_file_perms;
|
|
')
|
|
|
|
# Permit login to search the user home directories.
|
|
allow $1_login_t home_root_t:dir search;
|
|
allow $1_login_t home_dir_type:dir search;
|
|
|
|
# Write to /var/run/utmp.
|
|
allow $1_login_t var_run_t:dir search;
|
|
allow $1_login_t initrc_var_run_t:file rw_file_perms;
|
|
|
|
# Write to /var/log/wtmp.
|
|
allow $1_login_t var_log_t:dir search;
|
|
allow $1_login_t wtmp_t:file rw_file_perms;
|
|
|
|
# Write to /var/log/lastlog.
|
|
allow $1_login_t lastlog_t:file rw_file_perms;
|
|
|
|
# Write to /var/log/btmp
|
|
allow $1_login_t faillog_t:file { lock append read write };
|
|
|
|
# Search for mail spool file.
|
|
allow $1_login_t mail_spool_t:dir r_dir_perms;
|
|
allow $1_login_t mail_spool_t:file getattr;
|
|
allow $1_login_t mail_spool_t:lnk_file read;
|
|
|
|
# Get security policy decisions.
|
|
can_getsecurity($1_login_t)
|
|
|
|
# allow read access to default_contexts in /etc/security
|
|
allow $1_login_t default_context_t:file r_file_perms;
|
|
allow $1_login_t default_context_t:dir search;
|
|
r_dir_file($1_login_t, selinux_config_t)
|
|
|
|
allow $1_login_t mouse_device_t:chr_file { getattr setattr };
|
|
|
|
ifdef(`targeted_policy',`
|
|
unconfined_domain($1_login_t)
|
|
domain_auto_trans($1_login_t, shell_exec_t, unconfined_t)
|
|
')
|
|
|
|
')dnl end login_domain macro
|
|
#################################
|
|
#
|
|
# Rules for the local_login_t domain.
|
|
#
|
|
# local_login_t is the domain of a login process
|
|
# spawned by getty.
|
|
#
|
|
# remote_login_t is the domain of a login process
|
|
# spawned by rlogind.
|
|
#
|
|
# login_exec_t is the type of the login program
|
|
#
|
|
type login_exec_t, file_type, sysadmfile, exec_type;
|
|
|
|
login_domain(local)
|
|
|
|
# But also permit other user domains to be entered by login.
|
|
login_spawn_domain(local_login, userdomain)
|
|
|
|
# Do not audit denied attempts to access devices.
|
|
dontaudit local_login_t fixed_disk_device_t:blk_file { getattr setattr };
|
|
dontaudit local_login_t removable_device_t:blk_file { getattr setattr };
|
|
dontaudit local_login_t device_t:{ chr_file blk_file lnk_file } { getattr setattr };
|
|
dontaudit local_login_t misc_device_t:{ chr_file blk_file } { getattr setattr };
|
|
dontaudit local_login_t framebuf_device_t:chr_file { getattr setattr read };
|
|
dontaudit local_login_t apm_bios_t:chr_file { getattr setattr };
|
|
dontaudit local_login_t v4l_device_t:chr_file { getattr setattr read };
|
|
dontaudit local_login_t removable_device_t:chr_file { getattr setattr };
|
|
dontaudit local_login_t scanner_device_t:chr_file { getattr setattr };
|
|
|
|
# Do not audit denied attempts to access /mnt.
|
|
dontaudit local_login_t mnt_t:dir r_dir_perms;
|
|
|
|
|
|
# Create lock file.
|
|
lock_domain(local_login)
|
|
|
|
# Read and write ttys.
|
|
allow local_login_t tty_device_t:chr_file { setattr rw_file_perms };
|
|
allow local_login_t ttyfile:chr_file { setattr rw_file_perms };
|
|
|
|
# Relabel ttys.
|
|
allow local_login_t tty_device_t:chr_file { getattr relabelfrom relabelto };
|
|
allow local_login_t ttyfile:chr_file { getattr relabelfrom relabelto };
|
|
|
|
ifdef(`gpm.te',
|
|
`allow local_login_t gpmctl_t:sock_file { getattr setattr };')
|
|
|
|
# Allow setting of attributes on sound devices.
|
|
allow local_login_t sound_device_t:chr_file { getattr setattr };
|
|
|
|
# Allow setting of attributes on power management devices.
|
|
allow local_login_t power_device_t:chr_file { getattr setattr };
|
|
dontaudit local_login_t init_t:fd use;
|
|
|
|
#################################
|
|
#
|
|
# Rules for the remote_login_t domain.
|
|
#
|
|
|
|
login_domain(remote)
|
|
|
|
# Only permit unprivileged user domains to be entered via rlogin,
|
|
# since very weak authentication is used.
|
|
login_spawn_domain(remote_login, unpriv_userdomain)
|
|
|
|
allow remote_login_t userpty_type:chr_file { setattr write };
|
|
|
|
# Use the pty created by rlogind.
|
|
ifdef(`rlogind.te', `
|
|
can_access_pty(remote_login_t, rlogind)
|
|
# Relabel ptys created by rlogind.
|
|
allow remote_login_t rlogind_devpts_t:chr_file { setattr relabelfrom relabelto };
|
|
')
|
|
|
|
# Use the pty created by telnetd.
|
|
ifdef(`telnetd.te', `
|
|
can_access_pty(remote_login_t, telnetd)
|
|
# Relabel ptys created by telnetd.
|
|
allow remote_login_t telnetd_devpts_t:chr_file { setattr relabelfrom relabelto };
|
|
')
|
|
|
|
allow remote_login_t ptyfile:chr_file { getattr relabelfrom relabelto ioctl };
|
|
allow remote_login_t fs_t:filesystem { getattr };
|
|
|
|
# Allow remote login to resolve host names (passed in via the -h switch)
|
|
can_resolve(remote_login_t)
|
|
|
|
ifdef(`use_mcs', `
|
|
ifdef(`getty.te', `
|
|
range_transition getty_t login_exec_t s0 - s0:c0.c255;
|
|
')
|
|
')
|