312 lines
8.4 KiB
Plaintext
312 lines
8.4 KiB
Plaintext
|
|
policy_module(authlogin,1.0)
|
|
|
|
########################################
|
|
#
|
|
# Declarations
|
|
#
|
|
|
|
attribute can_read_shadow_passwords;
|
|
attribute can_write_shadow_passwords;
|
|
attribute can_relabelto_shadow_passwords;
|
|
|
|
type chkpwd_exec_t;
|
|
files_make_file(chkpwd_exec_t)
|
|
|
|
type faillog_t;
|
|
logging_make_log_file(faillog_t)
|
|
|
|
type lastlog_t;
|
|
logging_make_log_file(lastlog_t)
|
|
|
|
type login_exec_t;
|
|
files_make_file(login_exec_t)
|
|
|
|
type pam_console_t;
|
|
type pam_console_exec_t;
|
|
init_make_system_domain(pam_console_t,pam_console_exec_t)
|
|
role system_r types pam_console_t;
|
|
|
|
domain_make_entrypoint_file(pam_console_t,pam_console_exec_t)
|
|
|
|
type pam_t; #, nscd_client_domain;
|
|
domain_make_domain(pam_t)
|
|
role system_r types pam_t;
|
|
|
|
type pam_exec_t;
|
|
domain_make_entrypoint_file(pam_t,pam_exec_t)
|
|
|
|
type pam_tmp_t;
|
|
files_make_temporary_file(pam_tmp_t)
|
|
|
|
type pam_var_console_t; #, nscd_client_domain
|
|
files_make_file(pam_var_console_t)
|
|
|
|
type pam_var_run_t;
|
|
files_make_daemon_runtime_file(pam_var_run_t)
|
|
|
|
type shadow_t;
|
|
files_make_file(shadow_t)
|
|
neverallow ~can_read_shadow_passwords shadow_t:file read;
|
|
neverallow ~can_write_shadow_passwords shadow_t:file { create write };
|
|
neverallow ~can_relabelto_shadow_passwords shadow_t:file relabelto;
|
|
|
|
type system_chkpwd_t, can_read_shadow_passwords; # , nscd_client_domain;
|
|
domain_make_domain(system_chkpwd_t)
|
|
domain_make_entrypoint_file(system_chkpwd_t,chkpwd_exec_t)
|
|
role system_r types system_chkpwd_t;
|
|
|
|
type utempter_t; #, nscd_client_domain;
|
|
domain_make_domain(utempter_t)
|
|
|
|
type utempter_exec_t;
|
|
domain_make_entrypoint_file(utempter_t,utempter_exec_t)
|
|
|
|
type wtmp_t;
|
|
logging_make_log_file(wtmp_t)
|
|
|
|
########################################
|
|
#
|
|
# PAM local policy
|
|
#
|
|
|
|
allow pam_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem dyntransition };
|
|
dontaudit pam_t self:capability sys_tty_config;
|
|
|
|
allow pam_t self:fd use;
|
|
allow pam_t self:fifo_file rw_file_perms;
|
|
allow pam_t self:unix_dgram_socket create_socket_perms;
|
|
allow pam_t self:unix_stream_socket rw_stream_socket_perms;
|
|
allow pam_t self:unix_dgram_socket sendto;
|
|
allow pam_t self:unix_stream_socket connectto;
|
|
allow pam_t self:shm create_shm_perms;
|
|
allow pam_t self:sem create_sem_perms;
|
|
allow pam_t self:msgq create_msgq_perms;
|
|
allow pam_t self:msg { send receive };
|
|
|
|
allow pam_t pam_var_run_t:dir { search getattr read write remove_name };
|
|
allow pam_t pam_var_run_t:file { getattr read unlink };
|
|
|
|
allow pam_t pam_tmp_t:dir create_dir_perms;
|
|
allow pam_t pam_tmp_t:file create_file_perms;
|
|
files_create_private_tmp_data(pam_t, pam_tmp_t, { file dir })
|
|
|
|
kernel_read_system_state(pam_t)
|
|
|
|
terminal_use_all_private_physical_terminals(pam_t)
|
|
terminal_use_all_private_pseudoterminals(pam_t)
|
|
|
|
init_script_ignore_modify_runtime_data(pam_t)
|
|
|
|
files_read_general_system_config(pam_t)
|
|
files_read_runtime_data_directory(pam_t)
|
|
|
|
libraries_use_dynamic_loader(pam_t)
|
|
libraries_use_shared_libraries(pam_t)
|
|
|
|
logging_send_system_log_message(pam_t)
|
|
|
|
userdomain_use_all_unprivileged_users_file_descriptors(pam_t)
|
|
|
|
optional_policy(`locallogin.te',`
|
|
locallogin_use_file_descriptors(pam_t)
|
|
')
|
|
|
|
ifdef(`TODO',`
|
|
can_ypbind(pam_t)
|
|
ifdef(`automount.te', `
|
|
allow pam_t autofs_t:dir { search getattr };
|
|
')
|
|
|
|
ifdef(`gnome-pty-helper.te', `allow pam_t gphdomain:fd use;')
|
|
') dnl endif TODO
|
|
|
|
########################################
|
|
#
|
|
# PAM console local policy
|
|
#
|
|
|
|
allow pam_console_t self:capability { chown fowner fsetid };
|
|
dontaudit pam_console_t self:capability sys_tty_config;
|
|
|
|
allow pam_console_t self:process { sigchld sigkill sigstop signull signal };
|
|
|
|
# for /var/run/console.lock checking
|
|
allow pam_console_t pam_var_console_t:dir r_dir_perms;;
|
|
allow pam_console_t pam_var_console_t:file r_file_perms;
|
|
allow pam_console_t pam_var_console_t:lnk_file r_file_perms;
|
|
|
|
kernel_read_kernel_sysctl(pam_console_t)
|
|
kernel_read_system_state(pam_console_t)
|
|
kernel_read_hardware_state(pam_console_t)
|
|
kernel_use_file_descriptors(pam_console_t)
|
|
|
|
# Allow to set attributes on /dev entries
|
|
storage_get_fixed_disk_attributes(pam_console_t)
|
|
storage_set_fixed_disk_attributes(pam_console_t)
|
|
storage_get_removable_device_attributes(pam_console_t)
|
|
storage_set_removable_device_attributes(pam_console_t)
|
|
|
|
terminal_use_console(pam_console_t)
|
|
terminal_get_general_physical_terminal_attributes(pam_console_t)
|
|
terminal_set_general_physical_terminal_attributes(pam_console_t)
|
|
|
|
init_use_file_descriptors(pam_console_t)
|
|
init_use_file_descriptors(pam_console_t)
|
|
init_script_use_pseudoterminal(pam_console_t)
|
|
|
|
domain_use_widely_inheritable_file_descriptors(pam_console_t)
|
|
|
|
files_read_general_system_config(pam_console_t)
|
|
files_search_runtime_data_directory(pam_console_t)
|
|
files_read_mnt_dir(pam_console_t)
|
|
|
|
libraries_use_dynamic_loader(pam_console_t)
|
|
libraries_use_shared_libraries(pam_console_t)
|
|
|
|
logging_send_system_log_message(pam_console_t)
|
|
|
|
selinux_read_file_contexts(pam_console_t)
|
|
|
|
userdomain_ignore_use_all_unprivileged_users_file_descriptors(pam_console_t)
|
|
|
|
ifdef(`direct_sysadm_daemon', `
|
|
userdomain_dontaudit_use_admin_terminals(pam_console_t)
|
|
')
|
|
|
|
ifdef(`targeted_policy', `
|
|
terminal_ignore_use_general_physical_terminal(pam_console_t)
|
|
terminal_ignore_use_general_pseudoterminal(pam_console_t)
|
|
files_ignore_read_rootfs_file(pam_console_t)
|
|
')
|
|
|
|
optional_policy(`hotplug.te', `
|
|
hotplug_use_file_descriptors(pam_console_t)
|
|
hotplug_ignore_search_config_directory(pam_console_t)
|
|
')
|
|
|
|
optional_policy(`selinux.te',`
|
|
selinux_newrole_sigchld(pam_console_t)
|
|
')
|
|
|
|
optional_policy(`udev.te', `
|
|
udev_read_database(pam_console_t)
|
|
')
|
|
|
|
ifdef(`TODO',`
|
|
optional_policy(`rhgb.te', `
|
|
allow pam_console_t rhgb_t:process sigchld;
|
|
allow pam_console_t rhgb_t:fd use;
|
|
allow pam_console_t rhgb_t:fifo_file { read write };
|
|
')
|
|
allow pam_console_t autofs_t:dir { search getattr };
|
|
|
|
allow pam_console_t {
|
|
framebuf_device_t
|
|
v4l_device_t
|
|
apm_bios_t
|
|
sound_device_t
|
|
misc_device_t
|
|
scanner_device_t
|
|
mouse_device_t
|
|
power_device_t
|
|
removable_device_t
|
|
scsi_generic_device_t
|
|
}:chr_file { getattr setattr };
|
|
|
|
ifdef(`gpm.te', `
|
|
allow pam_console_t gpmctl_t:sock_file { getattr setattr };
|
|
')
|
|
|
|
ifdef(`xdm.te', `
|
|
allow pam_console_t xdm_var_run_t:file { getattr read };
|
|
')
|
|
') dnl endif TODO
|
|
|
|
########################################
|
|
#
|
|
# System check password local policy
|
|
#
|
|
|
|
allow system_chkpwd_t self:capability setuid;
|
|
allow system_chkpwd_t self:process getattr;
|
|
|
|
allow system_chkpwd_t shadow_t:file { getattr read };
|
|
|
|
# is_selinux_enabled
|
|
kernel_read_system_state(system_chkpwd_t)
|
|
|
|
fs_ignore_get_persistent_fs_attributes(system_chkpwd_t)
|
|
|
|
terminal_use_general_physical_terminal(system_chkpwd_t)
|
|
|
|
files_read_general_system_config(system_chkpwd_t)
|
|
# for nscd
|
|
files_ignore_search_system_state_data_directory(system_chkpwd_t)
|
|
|
|
libraries_use_dynamic_loader(system_chkpwd_t)
|
|
libraries_use_shared_libraries(system_chkpwd_t)
|
|
|
|
logging_send_system_log_message(system_chkpwd_t)
|
|
|
|
miscfiles_read_localization(system_chkpwd_t)
|
|
|
|
selinux_read_config(system_chkpwd_t)
|
|
|
|
tunable_policy(`use_dns',`
|
|
allow system_chkpwd_t self:udp_socket create_socket_perms;
|
|
corenetwork_sendrecv_udp_on_all_interfaces(system_chkpwd_t)
|
|
corenetwork_sendrecv_raw_on_all_interfaces(system_chkpwd_t)
|
|
corenetwork_sendrecv_udp_on_all_nodes(system_chkpwd_t)
|
|
corenetwork_sendrecv_raw_on_all_nodes(system_chkpwd_t)
|
|
corenetwork_bind_udp_on_all_nodes(system_chkpwd_t)
|
|
corenetwork_sendrecv_udp_on_dns_port(system_chkpwd_t)
|
|
sysnetwork_read_network_config(system_chkpwd_t)
|
|
')
|
|
|
|
ifdef(`TODO',`
|
|
can_ypbind(system_chkpwd_t)
|
|
can_kerberos(system_chkpwd_t)
|
|
can_ldap(system_chkpwd_t)
|
|
|
|
dontaudit system_chkpwd_t user_tty_type:chr_file rw_file_perms;
|
|
') dnl end TODO
|
|
|
|
########################################
|
|
#
|
|
# Utempter local policy
|
|
#
|
|
|
|
allow utempter_t self:capability setgid;
|
|
allow utempter_t self:unix_stream_socket rw_stream_socket_perms;
|
|
|
|
allow utempter_t wtmp_t:file rw_file_perms;
|
|
|
|
terminal_get_all_private_physical_terminal_attributes(utempter_t)
|
|
terminal_get_all_private_pseudoterminal_attributes(utempter_t)
|
|
terminal_ignore_use_all_private_physical_terminals(utempter_t)
|
|
terminal_ignore_use_all_private_pseudoterminals(utempter_t)
|
|
terminal_ignore_use_pseudoterminal_multiplexer(utempter_t)
|
|
|
|
init_script_modify_runtime_data(utempter_t)
|
|
|
|
files_read_general_system_config(utempter_t)
|
|
|
|
domain_use_widely_inheritable_file_descriptors(utempter_t)
|
|
|
|
libraries_use_dynamic_loader(utempter_t)
|
|
libraries_use_shared_libraries(utempter_t)
|
|
|
|
logging_search_system_log_directory(utempter_t)
|
|
|
|
ifdef(`TODO',`
|
|
# Allow utemper to write to /tmp/.xses-*
|
|
allow utempter_t user_tmpfile:file { getattr write append };
|
|
|
|
ifdef(`xdm.te', `
|
|
allow utempter_t xdm_t:fd use;
|
|
allow utempter_t xdm_t:fifo_file { write getattr };
|
|
')
|
|
|
|
') dnl endif TODO
|