dd14d0d892
permission is checked when using shared libs to execute code in them, which is not the same as just reading the shared libs.
# Copyright (C) 2005 Tresys Technology, LLC

#######################################
#
# Per user domain template for this module
#
# authlogin_per_userdomain_template(userdomain_prefix)
#
# Declares a per-user password-checking helper domain
# (prefix_chkpwd_t) and the domain transition into it
# from the user domain (prefix_t). Only the helper domain
# is allowed to read shadow_t.
#
define(`authlogin_per_userdomain_template',`
requires_block_template(`$0'_depend)

# Per-user password-checking helper domain. The argument is the
# userdomain prefix: the user domain is prefix_t and the helper
# becomes prefix_chkpwd_t. The helper is the only part of the user
# session that may read shadow_t, so this domain is kept minimal.
type $1_chkpwd_t, can_read_shadow_passwords; # , nscd_client_domain;
domain_make_domain($1_chkpwd_t)
domain_make_entrypoint_file($1_chkpwd_t,chkpwd_exec_t)
role $1_r types $1_chkpwd_t;
# Also lets the user role run the system-wide helper domain.
# NOTE(review): the reason is not visible here; confirm this is
# intended, since it widens the set of domains the user role can run.
role $1_r types system_chkpwd_t;

# setuid is the only capability granted - no dac_override or
# dac_read_search - so reading shadow_t presumably relies on the helper
# binary being setuid root (confirm against the chkpwd file context).
allow $1_chkpwd_t self:capability setuid;
allow $1_chkpwd_t self:process getattr;

# Search the general system configuration directory and read the
# shadow file itself: getattr and read only, never write.
files_read_general_system_config_directory($1_chkpwd_t)
allow $1_chkpwd_t shadow_t:file { getattr read };

# is_selinux_enabled
kernel_read_system_state($1_chkpwd_t)

# Name suggests getattr probes on persistent filesystems are not
# audited - behaviour lives in the filesystem module, not shown here.
filesystem_ignore_get_persistent_filesystem_attributes($1_chkpwd_t)

domain_use_widely_inheritable_file_descriptors($1_chkpwd_t)

# Dynamic loader and shared libraries needed by any dynamically
# linked helper.
libraries_use_dynamic_loader($1_chkpwd_t)
libraries_use_shared_libraries($1_chkpwd_t)

files_read_general_system_config($1_chkpwd_t)
# for nscd
files_ignore_search_system_state_data_directory($1_chkpwd_t)

logging_send_system_log_message($1_chkpwd_t)

miscfiles_read_localization($1_chkpwd_t)

selinux_read_config($1_chkpwd_t)

# Network-backed account lookups are commented out upstream and are
# not granted to the helper.
#can_ypbind($1_chkpwd_t)
#can_kerberos($1_chkpwd_t)
#can_ldap($1_chkpwd_t)

# Transition from the user domain to this domain.
# execute_no_trans is deliberately absent: the helper can only be
# executed through the domain transition below, never inside the user
# domain itself, so shadow access stays confined to $1_chkpwd_t.
allow $1_t chkpwd_exec_t:file { getattr read execute };
allow $1_t $1_chkpwd_t:process transition;
type_transition $1_t chkpwd_exec_t:process $1_chkpwd_t;

# Write to the user domain tty.
#userdomain_use_$1_terminal($1_chkpwd_t)
#userdomain_use_$1_pty($1_chkpwd_t)

# Inherit and use descriptors from gnome-pty-helper.
#ifdef(`gnome-pty-helper.te',`allow $1_chkpwd_t $1_gph_t:fd use;')

# DNS lookups, only when the use_dns tunable is enabled.
# NOTE(review): the raw-socket grants on all interfaces and nodes are
# broader than a UDP query to the DNS port needs; worth tightening if
# nothing in the helper depends on them.
tunable_policy(`use_dns',`
allow $1_chkpwd_t self:udp_socket { create ioctl read getattr write setattr append bind getopt setopt shutdown connect };
corenetwork_network_udp_on_all_interfaces($1_chkpwd_t)
corenetwork_network_raw_on_all_interfaces($1_chkpwd_t)
corenetwork_network_udp_on_all_nodes($1_chkpwd_t)
corenetwork_network_raw_on_all_nodes($1_chkpwd_t)
corenetwork_bind_udp_on_all_nodes($1_chkpwd_t)
corenetwork_network_udp_on_dns_port($1_chkpwd_t)
sysnetwork_read_network_config($1_chkpwd_t)
')

# Only when the selinux module is present: use descriptors inherited
# from newrole.
optional_policy(`selinux.te',`
selinux_newrole_use_file_descriptors($1_chkpwd_t)
')

') dnl end authlogin_per_userdomain_template
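define(`authlogin_per_userdomain_template_depend',`
	attribute can_read_shadow_passwords;
	type chkpwd_exec_t, system_chkpwd_t, shadow_t;
	class file { getattr read execute };
	class process { getattr transition };
	class capability setuid;
	# Needed by the use_dns tunable block of the template, which grants
	# self:udp_socket; it was missing from this requires block.
	class udp_socket { create ioctl read getattr write setattr append bind getopt setopt shutdown connect };
	# NOTE(review): the template body does not reference either of the
	# two unix socket classes below; they look vestigial.
	class unix_stream_socket { create read getattr write setattr append bind connect getopt setopt shutdown };
	class unix_dgram_socket { create read getattr write setattr append bind connect getopt setopt shutdown };
')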

#######################################
#
# authlogin_make_login_program_entrypoint(domain)
#
# Make login_exec_t an entrypoint file for the given domain.
#
define(`authlogin_make_login_program_entrypoint',`
	requires_block_template(`$0'_depend)

	# login_exec_t becomes an entrypoint for the domain: executing it is
	# a valid way for a process to land in that domain.
	domain_make_entrypoint_file($1,login_exec_t)
')
define(`authlogin_make_login_program_entrypoint_depend',`
	# Pull in whatever the entrypoint helper itself requires.
	domain_make_entrypoint_file_depend
	type login_exec_t;
')

#######################################
#
# authlogin_check_password_transition(domain)
#
# Let the domain run the password-checking helper with a
# domain transition into system_chkpwd_t. Attempts by the
# caller to read shadow_t directly are denied without audit.
#
define(`authlogin_check_password_transition',`
	requires_block_template(`$0'_depend)

	# The caller never reads shadow_t itself; the denial stays but is
	# kept out of the audit log.
	dontaudit $1 shadow_t:file { read getattr };

	# Executing chkpwd_exec_t moves the caller into system_chkpwd_t.
	# No execute_no_trans, so the helper cannot run inside the caller
	# domain.
	type_transition $1 chkpwd_exec_t:process system_chkpwd_t;
	allow $1 system_chkpwd_t:process transition;
	allow $1 chkpwd_exec_t:file { read getattr execute };

	# Commented out upstream: network-backed account lookups are not
	# granted here.
	#allow $1 sbin_t:dir search;
	#can_ypbind($1)
	#can_kerberos($1)
	#can_ldap($1)

	# DNS lookups, only when the use_dns tunable is enabled.
	# NOTE(review): raw-socket access on all interfaces and nodes is
	# wider than a UDP query to the DNS port needs; consider tightening.
	tunable_policy(`use_dns',`
		sysnetwork_read_network_config($1)
		allow $1 self:udp_socket { create ioctl read getattr write setattr append bind getopt setopt shutdown connect };
		corenetwork_network_udp_on_dns_port($1)
		corenetwork_bind_udp_on_all_nodes($1)
		corenetwork_network_udp_on_all_nodes($1)
		corenetwork_network_udp_on_all_interfaces($1)
		corenetwork_network_raw_on_all_nodes($1)
		corenetwork_network_raw_on_all_interfaces($1)
	') dnl end use_dns

') dnl end check_password_transition
|
|
|
|
define(`authlogin_check_password_transition_depend',`
	type chkpwd_exec_t, system_chkpwd_t, shadow_t;
	class process transition;
	class file { read getattr execute };
	# Only used inside the use_dns tunable block.
	class udp_socket { create ioctl read getattr write setattr append bind getopt setopt shutdown connect };
')

#######################################
#
# authlogin_read_shadow_passwords(domain)
#
# Read-only access to shadow_t; the domain is tagged with the
# can_read_shadow_passwords attribute.
#
define(`authlogin_read_shadow_passwords',`
	requires_block_template(`$0'_depend)

	# Read-only access to the shadow file. The attribute presumably lets
	# other policy address every shadow reader at once.
	typeattribute $1 can_read_shadow_passwords;
	allow $1 shadow_t:file { read getattr };
	files_read_general_system_config_directory($1)
')
|
|
|
|
define(`authlogin_read_shadow_passwords_depend',`
	type shadow_t;
	attribute can_read_shadow_passwords;
	class file { read getattr };
')

#######################################
#
# authlogin_ignore_read_shadow_passwords(domain)
#
# Silence denials for getattr/read of shadow_t without
# granting them.
#
define(`authlogin_ignore_read_shadow_passwords',`
	requires_block_template(`$0'_depend)

	# Attempts to stat or read shadow_t are still denied, just not
	# written to the audit log.
	dontaudit $1 shadow_t:file { read getattr };
')
|
|
|
|
define(`authlogin_ignore_read_shadow_passwords_depend',`
	class file { read getattr };
	type shadow_t;
')

#######################################
#
# authlogin_modify_shadow_passwords(domain)
#
# Read and write the existing shadow_t file in place; tags the
# domain with the read and write shadow attributes.
#
define(`authlogin_modify_shadow_passwords',`
	requires_block_template(`$0'_depend)

	# In-place read and write of the shadow file: no create, unlink or
	# rename (see authlogin_manage_shadow_passwords for those).
	typeattribute $1 can_write_shadow_passwords;
	typeattribute $1 can_read_shadow_passwords;
	allow $1 shadow_t:file { read getattr write };
	files_read_general_system_config_directory($1)
')
|
|
|
|
define(`authlogin_modify_shadow_passwords_depend',`
	type shadow_t;
	class file { read getattr write };
	attribute can_write_shadow_passwords;
	attribute can_read_shadow_passwords;
')

#######################################
#
# authlogin_manage_shadow_passwords(domain)
#
# Create, modify, link, unlink and rename shadow_t files; tags
# the domain with the read and write shadow attributes.
#
define(`authlogin_manage_shadow_passwords',`
	requires_block_template(`$0'_depend)

	# Full lifecycle of shadow_t files: create, rewrite, link, unlink,
	# rename, setattr and lock.
	typeattribute $1 can_write_shadow_passwords;
	typeattribute $1 can_read_shadow_passwords;
	allow $1 shadow_t:file { read getattr write append create link unlink rename setattr lock ioctl };
	# Presumably labels files the domain creates in the config directory
	# as shadow_t - confirm against files_create_private_config.
	files_create_private_config($1,shadow_t,file)
')
|
|
|
|
define(`authlogin_manage_shadow_passwords_depend',`
	type shadow_t;
	class file { read getattr write append create link unlink rename setattr lock ioctl };
	attribute can_write_shadow_passwords;
	attribute can_read_shadow_passwords;
')

#######################################
#
# authlogin_relabel_to_shadow_passwords(domain)
#
# Allow relabeling files to shadow_t (relabelto only; no read,
# write or relabelfrom is granted here).
#
define(`authlogin_relabel_to_shadow_passwords',`
	requires_block_template(`$0'_depend)

	# relabelto only: this grants neither relabelfrom on the old type nor
	# any read or write of the relabeled file.
	typeattribute $1 can_relabelto_shadow_passwords;
	allow $1 shadow_t:file relabelto;
	files_search_general_system_config_directory($1)
')
|
|
|
|
define(`authlogin_relabel_to_shadow_passwords_depend',`
	type shadow_t;
	class file relabelto;
	attribute can_relabelto_shadow_passwords;
')

#######################################
#
# authlogin_modify_last_login_log(domain)
#
# Read, write and setattr on lastlog_t.
#
define(`authlogin_modify_last_login_log',`
	requires_block_template(`$0'_depend)

	# Update the lastlog file in place; no create or unlink.
	allow $1 lastlog_t:file { read getattr write setattr };
	logging_search_system_log_directory($1)
')
|
|
|
|
define(`authlogin_modify_last_login_log_depend',`
	class file { read getattr write setattr };
	type lastlog_t;
')

#######################################
#
# authlogin_pam_transition(domain)
#
# Run pam_exec_t with a domain transition into pam_t.
#
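define(`authlogin_pam_transition',`
	requires_block_template(`$0'_depend)

	# Executing pam_exec_t moves the caller into pam_t. The default
	# transition must be declared on the process class: the earlier
	# pam_exec_t:file form was a file-labelling rule, not a domain
	# transition, so executing pam_exec_t did not automatically switch
	# to pam_t (compare the chkpwd transitions in this file).
	allow $1 pam_exec_t:file { getattr read execute };
	allow $1 pam_t:process transition;
	type_transition $1 pam_exec_t:process pam_t;
	# Usual transition side effects; denied silently rather than logged.
	dontaudit $1 pam_t:process { noatsecure siginh rlimitinh };
')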
|
|
|
|
define(`authlogin_pam_transition_depend',`
	class process { transition noatsecure siginh rlimitinh };
	class file { read getattr execute };
	type pam_t, pam_exec_t;
')

#######################################
#
# authlogin_pam_execute(domain)
#
# Run pam_exec_t inside the calling domain (execute_no_trans),
# with no domain transition.
#
define(`authlogin_pam_execute',`
	requires_block_template(`$0'_depend)

	# execute_no_trans: the PAM helper runs with the privileges of the
	# caller domain, so the caller must already be trusted with whatever
	# it touches. Use authlogin_pam_transition to confine it instead.
	allow $1 pam_exec_t:file { read getattr execute execute_no_trans };
')
|
|
|
|
define(`authlogin_pam_execute_depend',`
	class file { read getattr execute execute_no_trans };
	type pam_exec_t;
')

#######################################
#
# authlogin_pam_read_runtime_data(domain)
#
# Read pam_var_run_t directories and files.
#
define(`authlogin_pam_read_runtime_data',`
	requires_block_template(`$0'_depend)

	# Read-only view of pam_var_run_t: list the directory, read files.
	allow $1 pam_var_run_t:file { read getattr };
	allow $1 pam_var_run_t:dir { read getattr search };
	files_search_runtime_data_directory($1)
	files_search_system_state_data_directory($1)
')
|
|
|
|
define(`authlogin_pam_read_runtime_data_depend',`
	class file { read getattr };
	class dir { read getattr search };
	type pam_var_run_t;
')

#######################################
#
# authlogin_pam_remove_runtime_data(domain)
#
# Remove files from pam_var_run_t directories (no create).
#
define(`authlogin_pam_remove_runtime_data',`
	requires_block_template(`$0'_depend)

	# Delete entries from pam_var_run_t: unlink on files plus write and
	# remove_name on the directory. No add_name or create, so this cannot
	# plant new files there.
	allow $1 pam_var_run_t:file { unlink getattr };
	allow $1 pam_var_run_t:dir { read getattr search write remove_name };
	files_search_runtime_data_directory($1)
	files_search_system_state_data_directory($1)
')
|
|
|
|
define(`authlogin_pam_remove_runtime_data_depend',`
	class file { unlink getattr };
	class dir { read getattr search write remove_name };
	type pam_var_run_t;
')

#######################################
#
# authlogin_pam_console_transition(domain)
#
# Run pam_console_exec_t with a domain transition into
# pam_console_t.
#
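define(`authlogin_pam_console_transition',`
	requires_block_template(`$0'_depend)

	# Executing pam_console_exec_t moves the caller into pam_console_t.
	# The default transition must be declared on the process class: the
	# earlier pam_console_exec_t:file form was a file-labelling rule, not
	# a domain transition, so executing the binary did not automatically
	# switch to pam_console_t (compare the chkpwd transitions in this
	# file).
	allow $1 pam_console_exec_t:file { getattr read execute };
	allow $1 pam_console_t:process transition;
	type_transition $1 pam_console_exec_t:process pam_console_t;
	# Usual transition side effects; denied silently rather than logged.
	dontaudit $1 pam_console_t:process { noatsecure siginh rlimitinh };
')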
|
|
|
|
define(`authlogin_pam_console_transition_depend',`
	class process { transition noatsecure siginh rlimitinh };
	class file { read getattr execute };
	type pam_console_t, pam_console_exec_t;
')

#######################################
#
# authlogin_pam_console_read_runtime_data(domain)
#
# Read pam_var_console_t directories and files.
#
define(`authlogin_pam_console_read_runtime_data',`
	requires_block_template(`$0'_depend)

	# Read-only view of pam_var_console_t: list the directory, read files.
	allow $1 pam_var_console_t:file { read getattr };
	allow $1 pam_var_console_t:dir { read getattr search };
	files_search_runtime_data_directory($1)
	files_search_system_state_data_directory($1)
')
|
|
|
|
define(`authlogin_pam_console_read_runtime_data_depend',`
	class file { read getattr };
	class dir { read getattr search };
	type pam_var_console_t;
')

#######################################
#
# authlogin_pam_console_manage_runtime_data(domain)
#
# Create, modify and remove files and symlinks inside
# pam_var_console_t directories.
#
define(`authlogin_pam_console_manage_runtime_data',`
	requires_block_template(`$0'_depend)

	# Full control of the contents of pam_var_console_t: files and
	# symlinks may be created, rewritten, linked, renamed and removed, and
	# directory entries added or dropped. Nothing here allows creating or
	# removing the directory itself.
	allow $1 pam_var_console_t:lnk_file { read getattr setattr create link unlink rename };
	allow $1 pam_var_console_t:file { read getattr setattr ioctl lock write append create link unlink rename };
	allow $1 pam_var_console_t:dir { read getattr search ioctl lock write add_name remove_name };
	files_search_runtime_data_directory($1)
	files_search_system_state_data_directory($1)
')
|
|
|
|
define(`authlogin_pam_console_manage_runtime_data_depend',`
	class lnk_file { read getattr setattr create link unlink rename };
	class file { read getattr setattr ioctl lock write append create link unlink rename };
	class dir { read getattr search ioctl lock write add_name remove_name };
	type pam_var_console_t;
')

#######################################
#
# authlogin_read_login_records(domain)
#
# Read the wtmp_t login records.
#
define(`authlogin_read_login_records',`
	requires_block_template(`$0'_depend)

	# Read-only access to the login history.
	allow $1 wtmp_t:file { read getattr };
	logging_search_system_log_directory($1)
')
|
|
|
|
define(`authlogin_read_login_records_depend',`
	class file { read getattr };
	type wtmp_t;
')

#######################################
#
# authlogin_ignore_write_login_records(domain)
#
# Silence denials for writing wtmp_t without granting write.
#
define(`authlogin_ignore_write_login_records',`
	requires_block_template(`$0'_depend)

	# For programs that try to append to wtmp but do not need to: the
	# write is still denied, only the audit message is dropped.
	dontaudit $1 wtmp_t:file write;
')
|
|
|
|
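define(`authlogin_ignore_write_login_records_depend',`
	# This block was mis-named authlogin_read_login_records_depend, which
	# left authlogin_ignore_write_login_records without its requires
	# block and redefined the read interface requires to declare only the
	# write permission.
	type wtmp_t;
	class file write;
')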

#######################################
#
# authlogin_modify_login_records(domain)
#
# Read, write and setattr on wtmp_t.
#
define(`authlogin_modify_login_records',`
	requires_block_template(`$0'_depend)

	# Update wtmp in place; no create or unlink.
	allow $1 wtmp_t:file { read getattr write setattr };
	logging_search_system_log_directory($1)
')
define(`authlogin_modify_login_records_depend',`
	class file { read getattr write setattr };
	type wtmp_t;
')