selinux-policy/strict/domains/program/useradd.te

#DESC Useradd - Manage system user accounts
#
# Authors:  Chris Vance <cvance@tislabs.com>  David Caplan <dac@tresys.com>
#           Russell Coker <russell@coker.com.au>
# X-Debian-Packages: passwd
#

#################################
#
# Rules for the useradd_t and groupadd_t domains.
#
# useradd_t is the domain of the useradd/userdel programs.
# groupadd_t is for adding groups (can not create home dirs)
#
define(`user_group_add_program', `
type $1_t, domain, privlog, auth_write, privowner, nscd_client_domain;
role sysadm_r types $1_t;
role system_r types $1_t;

general_domain_access($1_t)
uses_shlib($1_t)

type $1_exec_t, file_type, sysadmfile, exec_type;
domain_auto_trans(sysadm_t, $1_exec_t, $1_t)
domain_auto_trans(initrc_t, $1_exec_t, $1_t)

# Use capabilities.
allow $1_t self:capability { dac_override chown kill };

# Allow access to context for shadow file
can_getsecurity($1_t)

# Inherit and use descriptors from login.
allow $1_t { init_t privfd }:fd use;

# Execute /usr/bin/{passwd,chfn,chsh} and /usr/sbin/{useradd,vipw}.
allow $1_t { bin_t sbin_t }:dir r_dir_perms;
can_exec($1_t, { bin_t sbin_t })

# Update /etc/shadow and /etc/passwd
file_type_auto_trans($1_t, etc_t, shadow_t, file)
allow $1_t etc_t:file create_file_perms;

# some apps ask for these accesses, but seems to work regardless
dontaudit $1_t var_run_t:dir search;
r_dir_file($1_t,  selinux_config_t)

# Set fscreate context.
can_setfscreate($1_t)

allow $1_t { etc_t shadow_t }:file { relabelfrom relabelto };

read_locale($1_t)

# useradd/userdel request read/write for /var/log/lastlog, and read of /dev, 
# but will operate without them.
dontaudit $1_t { device_t var_t var_log_t }:dir search;

# For userdel and groupadd
allow $1_t fs_t:filesystem getattr;

# Access terminals.
allow $1_t ttyfile:chr_file rw_file_perms;
allow $1_t ptyfile:chr_file rw_file_perms;
ifdef(`gnome-pty-helper.te', `allow $1_t gphdomain:fd use;')

# for when /root is the cwd
dontaudit $1_t sysadm_home_dir_t:dir search;
nsswitch_domain($1_t)

allow $1_t self:netlink_audit_socket { create_socket_perms nlmsg_relay };
')
user_group_add_program(useradd)
allow useradd_t lastlog_t:file { getattr read write };

# for getting the number of groups
read_sysctl(useradd_t)

# Add/remove user home directories
file_type_auto_trans(useradd_t, home_root_t, user_home_dir_t, dir)
file_type_auto_trans(useradd_t, user_home_dir_t, user_home_t)

# create/delete mail spool file in /var/mail
allow useradd_t var_spool_t:dir search;
allow useradd_t mail_spool_t:dir { search write add_name remove_name };
allow useradd_t mail_spool_t:file create_file_perms;
# /var/mail is a link to /var/spool/mail
allow useradd_t mail_spool_t:lnk_file read;

allow useradd_t self:capability { fowner fsetid setuid sys_resource };
can_exec(useradd_t, shell_exec_t)

# /usr/bin/userdel locks the user being deleted, allow write access to utmp
allow useradd_t initrc_var_run_t:file { read write lock };

user_group_add_program(groupadd)

dontaudit groupadd_t self:capability fsetid;

allow groupadd_t self:capability { setuid sys_resource };
allow groupadd_t self:process setrlimit;
allow groupadd_t initrc_var_run_t:file r_file_perms;
dontaudit groupadd_t initrc_var_run_t:file write;

allow useradd_t default_context_t:dir search;
allow useradd_t file_context_t:dir search;
allow useradd_t file_context_t:file { getattr read };
allow useradd_t var_lib_t:dir search;