rpms/selinux-policy
6
0
Fork 0
Code Issues Pull Requests Releases Activity
c017ee17ab
selinux-policy/policy/modules/admin/su.if
Chris PeBenito c7dc1c7222 trunk: Allow unix_update to change the security attributes associate with files so 
that it can properly create the shadow file. Also allow it to read from
urandom so that it can add salt to the password hash.
2009-06-18 13:57:26 +00:00

329 lines
7.8 KiB
Plaintext
Raw Blame History

## <summary>Run shells with substitute user and group</summary>
#######################################
## <summary>
## Restricted su domain template.
## </summary>
## <desc>
## <p>
## This template creates a derived domain which is allowed
## to change the linux user id, to run shells as a different
## user.
## </p>
## </desc>
## <param name="userdomain_prefix">
## <summary>
## The prefix of the user domain (e.g., user
## is the prefix for user_t).
## </summary>
## </param>
## <param name="user_domain">
## <summary>
## The type of the user domain.
## </summary>
## </param>
## <param name="user_role">
## <summary>
## The role associated with the user domain.
## </summary>
## </param>
#
template(`su_restricted_domain_template', `
gen_require(`
type su_exec_t;
')
type $1_su_t;
domain_entry_file($1_su_t, su_exec_t)
domain_type($1_su_t)
domain_interactive_fd($1_su_t)
role $3 types $1_su_t;
allow $2 $1_su_t:process signal;
allow $1_su_t self:capability { audit_control audit_write setuid setgid net_bind_service chown dac_override fowner sys_nice sys_resource };
dontaudit $1_su_t self:capability sys_tty_config;
allow $1_su_t self:key { search write };
allow $1_su_t self:process { setexec setsched setrlimit };
allow $1_su_t self:fifo_file rw_fifo_file_perms;
allow $1_su_t self:netlink_audit_socket { nlmsg_relay create_netlink_socket_perms };
allow $1_su_t self:unix_stream_socket create_stream_socket_perms;
# Transition from the user domain to this domain.
domtrans_pattern($2, su_exec_t, $1_su_t)
# By default, revert to the calling domain when a shell is executed.
corecmd_shell_domtrans($1_su_t,$2)
allow $2 $1_su_t:fd use;
allow $2 $1_su_t:fifo_file rw_file_perms;
allow $2 $1_su_t:process sigchld;
kernel_read_system_state($1_su_t)
kernel_read_kernel_sysctls($1_su_t)
kernel_search_key($1_su_t)
kernel_link_key($1_su_t)
# for SSP
dev_read_urand($1_su_t)
files_read_etc_files($1_su_t)
files_read_etc_runtime_files($1_su_t)
files_search_var_lib($1_su_t)
files_dontaudit_getattr_tmp_dirs($1_su_t)
# for the rootok check
selinux_compute_access_vector($1_su_t)
auth_domtrans_chk_passwd($1_su_t)
auth_dontaudit_read_shadow($1_su_t)
auth_use_nsswitch($1_su_t)
auth_rw_faillog($1_su_t)
domain_use_interactive_fds($1_su_t)
init_dontaudit_use_fds($1_su_t)
init_dontaudit_use_script_ptys($1_su_t)
# Write to utmp.
init_rw_utmp($1_su_t)
logging_send_syslog_msg($1_su_t)
miscfiles_read_localization($1_su_t)
ifdef(`distro_redhat',`
# RHEL5 and possibly newer releases incl. Fedora
auth_domtrans_upd_passwd($1_su_t)
optional_policy(`
locallogin_search_keys($1_su_t)
')
')
ifdef(`distro_rhel4',`
domain_role_change_exemption($1_su_t)
domain_subj_id_change_exemption($1_su_t)
domain_obj_id_change_exemption($1_su_t)
selinux_get_fs_mount($1_su_t)
selinux_validate_context($1_su_t)
selinux_compute_access_vector($1_su_t)
selinux_compute_create_context($1_su_t)
selinux_compute_relabel_context($1_su_t)
selinux_compute_user_contexts($1_su_t)
seutil_read_config($1_su_t)
seutil_read_default_contexts($1_su_t)
# Only allow transitions to unprivileged user domains.
userdom_spec_domtrans_unpriv_users($1_su_t)
')
optional_policy(`
cron_read_pipes($1_su_t)
')
optional_policy(`
kerberos_use($1_su_t)
')
optional_policy(`
# used when the password has expired
usermanage_read_crack_db($1_su_t)
')
ifdef(`TODO',`
# Caused by su - init scripts
dontaudit $1_su_t initrc_devpts_t:chr_file { getattr ioctl };
') dnl end TODO
')
#######################################
## <summary>
## The role template for the su module.
## </summary>
## <param name="role_prefix">
## <summary>
## The prefix of the user role (e.g., user
## is the prefix for user_r).
## </summary>
## </param>
## <param name="user_role">
## <summary>
## The role associated with the user domain.
## </summary>
## </param>
## <param name="user_domain">
## <summary>
## The type of the user domain.
## </summary>
## </param>
#
template(`su_role_template',`
gen_require(`
attribute su_domain_type;
type su_exec_t;
bool secure_mode;
')
type $1_su_t, su_domain_type;
domain_entry_file($1_su_t,su_exec_t)
domain_type($1_su_t)
domain_interactive_fd($1_su_t)
ubac_constrained($1_su_t)
role $2 types $1_su_t;
allow $3 $1_su_t:process signal;
allow $1_su_t self:capability { audit_control audit_write setuid setgid net_bind_service chown dac_override fowner sys_nice sys_resource };
dontaudit $1_su_t self:capability sys_tty_config;
allow $1_su_t self:process { setexec setsched setrlimit };
allow $1_su_t self:fifo_file rw_fifo_file_perms;
allow $1_su_t self:netlink_audit_socket { nlmsg_relay create_netlink_socket_perms };
allow $1_su_t self:key { search write };
# Transition from the user domain to this domain.
domtrans_pattern($3, su_exec_t, $1_su_t)
ps_process_pattern($3, $1_su_t)
# By default, revert to the calling domain when a shell is executed.
corecmd_shell_domtrans($1_su_t, $3)
allow $3 $1_su_t:fd use;
allow $3 $1_su_t:fifo_file rw_file_perms;
allow $3 $1_su_t:process sigchld;
kernel_read_system_state($1_su_t)
kernel_read_kernel_sysctls($1_su_t)
kernel_search_key($1_su_t)
kernel_link_key($1_su_t)
# for SSP
dev_read_urand($1_su_t)
fs_search_auto_mountpoints($1_su_t)
# needed for pam_rootok
selinux_compute_access_vector($1_su_t)
auth_domtrans_chk_passwd($1_su_t)
auth_dontaudit_read_shadow($1_su_t)
auth_use_nsswitch($1_su_t)
auth_rw_faillog($1_su_t)
corecmd_search_bin($1_su_t)
domain_use_interactive_fds($1_su_t)
files_read_etc_files($1_su_t)
files_read_etc_runtime_files($1_su_t)
files_search_var_lib($1_su_t)
files_dontaudit_getattr_tmp_dirs($1_su_t)
init_dontaudit_use_fds($1_su_t)
# Write to utmp.
init_rw_utmp($1_su_t)
mls_file_write_all_levels($1_su_t)
logging_send_syslog_msg($1_su_t)
miscfiles_read_localization($1_su_t)
userdom_use_user_terminals($1_su_t)
userdom_search_user_home_dirs($1_su_t)
ifdef(`distro_redhat',`
# RHEL5 and possibly newer releases incl. Fedora
auth_domtrans_upd_passwd($1_su_t)
optional_policy(`
locallogin_search_keys($1_su_t)
')
')
ifdef(`distro_rhel4',`
domain_role_change_exemption($1_su_t)
domain_subj_id_change_exemption($1_su_t)
domain_obj_id_change_exemption($1_su_t)
selinux_get_fs_mount($1_su_t)
selinux_validate_context($1_su_t)
selinux_compute_create_context($1_su_t)
selinux_compute_relabel_context($1_su_t)
selinux_compute_user_contexts($1_su_t)
# Relabel ttys and ptys.
term_relabel_all_user_ttys($1_su_t)
term_relabel_all_user_ptys($1_su_t)
# Close and re-open ttys and ptys to get the fd into the correct domain.
term_use_all_user_ttys($1_su_t)
term_use_all_user_ptys($1_su_t)
seutil_read_config($1_su_t)
seutil_read_default_contexts($1_su_t)
if(secure_mode) {
# Only allow transitions to unprivileged user domains.
userdom_spec_domtrans_unpriv_users($1_su_t)
} else {
# Allow transitions to all user domains
userdom_spec_domtrans_all_users($1_su_t)
}
optional_policy(`
unconfined_domtrans($1_su_t)
unconfined_signal($1_su_t)
')
')
tunable_policy(`allow_polyinstantiation',`
fs_mount_xattr_fs($1_su_t)
fs_unmount_xattr_fs($1_su_t)
')
tunable_policy(`use_nfs_home_dirs',`
fs_search_nfs($1_su_t)
')
tunable_policy(`use_samba_home_dirs',`
fs_search_cifs($1_su_t)
')
optional_policy(`
cron_read_pipes($1_su_t)
')
optional_policy(`
kerberos_use($1_su_t)
')
optional_policy(`
# used when the password has expired
usermanage_read_crack_db($1_su_t)
')
# Modify .Xauthority file (via xauth program).
optional_policy(`
xserver_user_home_dir_filetrans_user_xauth($1_su_t)
xserver_domtrans_xauth($1_su_t)
')
')
#######################################
## <summary>
## Execute su in the caller domain.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`su_exec',`
gen_require(`
type su_exec_t;
')
can_exec($1, su_exec_t)
')
Reference in New Issue View Git Blame Copy Permalink