selinux-policy/strict/macros/program/chkpwd_macros.te
2005-04-29 17:45:15 +00:00

80 lines
2.0 KiB
Plaintext

#
# Macros for chkpwd domains.
#
#
# chkpwd_domain(domain_prefix)
#
# Define a derived domain for the *_chkpwd program when executed
# by a user domain.
#
# The type declaration for the executable type for this program is
# provided separately in domains/program/su.te.
#
undefine(`chkpwd_domain')
ifdef(`chkpwd.te', `
define(`chkpwd_domain',`
# Derived domain based on the calling user domain and the program.
type $1_chkpwd_t, domain, privlog, nscd_client_domain, auth;
# is_selinux_enabled
allow $1_chkpwd_t proc_t:file read;
can_getcon($1_chkpwd_t)
can_ypbind($1_chkpwd_t)
can_kerberos($1_chkpwd_t)
can_ldap($1_chkpwd_t)
can_resolve($1_chkpwd_t)
# Transition from the user domain to this domain.
ifelse($1, system, `
domain_auto_trans(auth_chkpwd, chkpwd_exec_t, system_chkpwd_t)
role system_r types system_chkpwd_t;
dontaudit auth_chkpwd shadow_t:file { getattr read };
allow auth_chkpwd sbin_t:dir search;
dontaudit $1_chkpwd_t { user_tty_type tty_device_t }:chr_file rw_file_perms;
can_ypbind(auth_chkpwd)
can_kerberos(auth_chkpwd)
can_ldap(auth_chkpwd)
can_resolve(auth_chkpwd)
', `
domain_auto_trans($1_t, chkpwd_exec_t, $1_chkpwd_t)
allow $1_t sbin_t:dir search;
# The user role is authorized for this domain.
role $1_r types $1_chkpwd_t;
# Write to the user domain tty.
access_terminal($1_chkpwd_t, $1)
allow $1_chkpwd_t privfd:fd use;
# Inherit and use descriptors from gnome-pty-helper.
ifdef(`gnome-pty-helper.te',`allow $1_chkpwd_t $1_gph_t:fd use;')
# Inherit and use descriptors from newrole.
ifdef(`newrole.te', `allow $1_chkpwd_t newrole_t:fd use;')
')
uses_shlib($1_chkpwd_t)
allow $1_chkpwd_t etc_t:file { getattr read };
allow $1_chkpwd_t self:unix_dgram_socket create_socket_perms;
allow $1_chkpwd_t self:unix_stream_socket create_socket_perms;
read_locale($1_chkpwd_t)
# Use capabilities.
allow $1_chkpwd_t self:capability setuid;
r_dir_file($1_chkpwd_t, selinux_config_t)
# for nscd
ifdef(`nscd.te', `', `
dontaudit $1_chkpwd_t var_t:dir search;
')
dontaudit $1_chkpwd_t fs_t:filesystem getattr;
')
', `
define(`chkpwd_domain',`')
')