dd14d0d892
permission is checked when using shared libs to execute code in them, which is not the same as just reading the shared libs.
# Copyright (C) 2005 Tresys Technology, LLC

policy_module(locallogin,1.0)

########################################
#
# Declarations
#

# local_login_t: domain of the local (console) login program.
# The three kernel_make_*_constraint_exception() calls exempt it from the
# kernel constraints on changing the SELinux identity of processes and
# objects and on changing role, which a program that starts a session as
# another user has to do.  authlogin_make_login_program_entrypoint() marks
# it as a login program, and domain_make_file_descriptors_widely_inheritable()
# lets the descriptors it holds be inherited across the transition into the
# session domain (presumably the tty; confirm against the TODO rules below).
# NOTE(review): the commented-out nscd_client_domain attribute looks stale;
# confirm whether nscd lookups are still expected from this domain.
type local_login_t; #, nscd_client_domain;
kernel_make_object_identity_change_constraint_exception(local_login_t)
kernel_make_process_identity_change_constraint_exception(local_login_t)
kernel_make_role_change_constraint_exception(local_login_t)
domain_make_domain(local_login_t)
domain_make_file_descriptors_widely_inheritable(local_login_t)
authlogin_make_login_program_entrypoint(local_login_t)
role system_r types local_login_t;

# Private temporary files of local_login_t; the tmp rules further down
# give it full control over this type only.
type local_login_tmp_t;
files_make_file(local_login_tmp_t)

# sulogin_t: single-user-mode login, entered from sulogin_exec_t.
# init_make_init_domain()/init_make_system_domain() make it an init-started
# system domain; it needs the same identity and role constraint exceptions
# as local_login_t.  Note what it does not get: it is not marked as a login
# program entrypoint and has no private tmp type.
type sulogin_t;
type sulogin_exec_t;
kernel_make_object_identity_change_constraint_exception(sulogin_t)
kernel_make_process_identity_change_constraint_exception(sulogin_t)
kernel_make_role_change_constraint_exception(sulogin_t)
init_make_init_domain(sulogin_t,sulogin_exec_t)
init_make_system_domain(sulogin_t,sulogin_exec_t)
domain_make_file_descriptors_widely_inheritable(sulogin_t)

role system_r types sulogin_t;

########################################
#
# Local login local policy
#

# Capabilities.  setuid/setgid are what allow switching to the target
# user; dac_override, chown, fowner and fsetid bypass or change DAC
# ownership and permission checks (presumably for the tty and the login
# records; confirm against audit data).  NOTE(review): this is a broad set
# for a login program, and dac_override in particular is worth re-checking
# against an observed denial before keeping it.
allow local_login_t self:capability { dac_override chown fowner fsetid kill setgid setuid net_bind_service sys_nice sys_resource sys_tty_config };
# Every self:process permission except the listed ones.  The rule right
# after it grants setrlimit and setexec back, so the permissions actually
# withheld are ptrace, setcurrent, setfscreate, execmem and dyntransition.
allow local_login_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem dyntransition };
allow local_login_t self:process { setrlimit setexec };
# Self IPC: descriptors, pipes, unix sockets and SysV shm/sem/msg.
allow local_login_t self:fd use;
allow local_login_t self:fifo_file { read getattr lock ioctl write append };
allow local_login_t self:unix_dgram_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown };
allow local_login_t self:unix_stream_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown listen accept };
allow local_login_t self:unix_dgram_socket sendto;
allow local_login_t self:unix_stream_socket connectto;
allow local_login_t self:shm { associate getattr setattr create destroy read write lock unix_read unix_write };
allow local_login_t self:sem { associate getattr setattr create destroy read write unix_read unix_write };
allow local_login_t self:msgq { associate getattr setattr create destroy read write enqueue unix_read unix_write };
allow local_login_t self:msg { send receive };

# Private tmp: full management of dirs and files of its own tmp type;
# files_create_private_tmp_data() provides the type transition for the
# file and dir objects it creates.
allow local_login_t local_login_tmp_t:dir { create read getattr lock setattr ioctl link unlink rename search add_name remove_name reparent write rmdir };
allow local_login_t local_login_tmp_t:file { create ioctl read getattr lock write setattr append link unlink rename };
files_create_private_tmp_data(local_login_t, local_login_tmp_t, { file dir })

# Kernel and selinuxfs access.  The interface names indicate the
# selinuxfs queries (validate context, compute av/create/relabel, and the
# reachable user contexts) used to work out the context of the new session.
kernel_read_system_state(local_login_t)
kernel_read_kernel_sysctl(local_login_t)
kernel_get_selinuxfs_mount_point(local_login_t)
kernel_validate_selinux_context(local_login_t)
kernel_compute_selinux_av(local_login_t)
kernel_compute_create(local_login_t)
kernel_compute_relabel(local_login_t)
kernel_compute_reachable_user_contexts(local_login_t)

# for SSP/ProPolice
devices_get_pseudorandom_data(local_login_t)

# Terminals: physical consoles only; no pty access is granted here.
terminal_use_all_private_physical_terminals(local_login_t)
terminal_use_general_physical_terminal(local_login_t)

init_script_modify_runtime_data(local_login_t)
init_ignore_use_file_descriptors(local_login_t)

domain_read_all_entrypoint_programs(local_login_t)

# Read-only access to system configuration and application resources;
# home directories are only listed, not read.
files_read_general_system_config(local_login_t)
files_read_runtime_system_config(local_login_t)
files_list_home_directories(local_login_t)
files_read_general_application_resources(local_login_t)

# Shared libraries: using a library means executing code from it, which
# needs the execute permission on the library files and not only read;
# these interfaces grant that.
libraries_use_dynamic_loader(local_login_t)
libraries_use_shared_libraries(local_login_t)

logging_send_system_log_message(local_login_t)

selinux_read_config(local_login_t)
selinux_read_default_contexts(local_login_t)

# Authentication.  Password checking goes through the password-check
# transition; direct reads of the shadow file by login itself are only
# dontaudited, not allowed (contrast sulogin_t below, which reads shadow).
authlogin_check_password_transition(local_login_t)
authlogin_ignore_read_shadow_passwords(local_login_t)
# Login accounting (login records, lastlog), PAM modules and pam_console
# runtime data.
authlogin_modify_login_records(local_login_t)
authlogin_modify_last_login_log(local_login_t)
authlogin_pam_execute(local_login_t)
authlogin_pam_console_manage_runtime_data(local_login_t)

miscfiles_read_localization(local_login_t)

# Legacy rules inherited from the old policy.  Everything from here to the
# dnl endif TODO line is inside an m4 ifdef on the symbol TODO, so none of
# it is compiled into the module unless TODO is defined.  The comments
# added below describe what these rules would grant if they were enabled.
ifdef(`TODO',`
allow local_login_t unpriv_userdomain:fd use;
can_ypbind(local_login_t)
ifdef(`automount.te', `
allow local_login_t autofs_t:dir { search getattr };
')

# Read access to the bin and sbin trees, and to default_t when the
# read_default_t boolean is on.
allow local_login_t bin_t:dir r_dir_perms;
allow local_login_t bin_t:notdevfile_class_set r_file_perms;
allow local_login_t sbin_t:dir r_dir_perms;
allow local_login_t sbin_t:notdevfile_class_set r_file_perms;
if (read_default_t) {
allow local_login_t default_t:dir r_dir_perms;
allow local_login_t default_t:notdevfile_class_set r_file_perms;
}

# Read directories and files with the readable_t type.
# This type is a general type for "world"-readable files.
allow local_login_t readable_t:dir r_dir_perms;
allow local_login_t readable_t:notdevfile_class_set r_file_perms;

# Read /var, /var/spool
allow local_login_t { var_t var_spool_t }:dir search;

# for when /var/mail is a sym-link
allow local_login_t var_t:lnk_file read;

# Read /dev directories and any symbolic links.
allow local_login_t device_t:lnk_file r_file_perms;

dontaudit local_login_t sysfs_t:dir search;

# NOTE(review): mnt_t:dir r_dir_perms is allowed here and then dontaudited
# again further down; the later dontaudit has no effect once the allow
# is in place, so one of the two is redundant.
allow local_login_t autofs_t:dir { search read getattr };
allow local_login_t mnt_t:dir r_dir_perms;

# FIXME: what is this for?
optional_policy(`xdm.te', `
allow xdm_t local_login_t:process signull;
')

ifdef(`crack.te', `
allow local_login_t crack_db_t:file r_file_perms;
')

# Permit login to search the user home directories.
allow local_login_t home_root_t:dir search;
allow local_login_t home_dir_type:dir search;

# Write to /var/log/btmp
allow local_login_t faillog_t:file { append read write };

# Search for mail spool file.
allow local_login_t mail_spool_t:dir r_dir_perms;
allow local_login_t mail_spool_t:file getattr;
allow local_login_t mail_spool_t:lnk_file read;

allow local_login_t mouse_device_t:chr_file { getattr setattr };

# Under targeted policy this would make local login itself unconfined and
# start the shell in unconfined_t, i.e. no confinement of the session at
# all; the domain_trans() after it is the non-targeted path, which lets
# login enter any userdomain.
tunable_policy(`targeted_policy',`
unconfined_domain(local_login_t)
domain_auto_trans(local_login_t, shell_exec_t, unconfined_t)
')

# But also permit other user domains to be entered by login.
domain_trans(local_login_t, shell_exec_t, userdomain)
allow local_login_t userdomain:process signal;

# Do not audit denied attempts to access devices.
dontaudit local_login_t fixed_disk_device_t:blk_file { getattr setattr };
dontaudit local_login_t removable_device_t:blk_file { getattr setattr };
dontaudit local_login_t device_t:{ chr_file blk_file lnk_file } { getattr setattr };
dontaudit local_login_t misc_device_t:{ chr_file blk_file } { getattr setattr };
dontaudit local_login_t framebuf_device_t:chr_file { getattr setattr read };
dontaudit local_login_t apm_bios_t:chr_file { getattr setattr };
dontaudit local_login_t v4l_device_t:chr_file { getattr setattr read };
dontaudit local_login_t removable_device_t:chr_file { getattr setattr };
dontaudit local_login_t scanner_device_t:chr_file { getattr setattr };

# Do not audit denied attempts to access /mnt.
dontaudit local_login_t mnt_t:dir r_dir_perms;

# Create lock file.
allow local_login_t var_lock_t:dir rw_dir_perms;
allow local_login_t var_lock_t:file create_file_perms;

# Read and write ttys.
allow local_login_t tty_device_t:chr_file setattr;
allow local_login_t ttyfile:chr_file setattr;

# Relabel ttys.
allow local_login_t tty_device_t:chr_file { relabelfrom relabelto };
allow local_login_t ttyfile:chr_file { relabelfrom relabelto };

optional_policy(`gpm.te',`
allow local_login_t gpmctl_t:sock_file { getattr setattr };
')

# Allow setting of attributes on sound devices.
allow local_login_t sound_device_t:chr_file { getattr setattr };

# Allow setting of attributes on power management devices.
allow local_login_t power_device_t:chr_file { getattr setattr };

# The nfs/cifs home directory rules below are commented out even within
# this TODO block.
#if (use_nfs_home_dirs) {
#r_dir_file(local_login_t, nfs_t)
#}

#if (use_samba_home_dirs) {
#r_dir_file(local_login_t, cifs_t)
#}
') dnl endif TODO

#################################
#
# Sulogin local policy
#

# Same self:process shape as local_login_t: everything except the listed
# permissions.  Unlike local_login_t there is no general capability rule;
# sys_tty_config is only granted in the no-pam branch below, and setexec
# only in the pam branch.
allow sulogin_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem dyntransition };
# Self IPC: descriptors, pipes, unix sockets and SysV shm/sem/msg.
allow sulogin_t self:fd use;
allow sulogin_t self:fifo_file { read getattr lock ioctl write append };
allow sulogin_t self:unix_dgram_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown };
allow sulogin_t self:unix_stream_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown listen accept };
allow sulogin_t self:unix_dgram_socket sendto;
allow sulogin_t self:unix_stream_socket connectto;
allow sulogin_t self:shm { associate getattr setattr create destroy read write lock unix_read unix_write };
allow sulogin_t self:sem { associate getattr setattr create destroy read write unix_read unix_write };
allow sulogin_t self:msgq { associate getattr setattr create destroy read write enqueue unix_read unix_write };
allow sulogin_t self:msg { send receive };

kernel_read_system_state(sulogin_t)

init_script_get_process_group(sulogin_t)

files_read_general_system_config(sulogin_t)

# Using shared libraries needs execute permission on the library files,
# not only read; these interfaces grant that.
libraries_use_dynamic_loader(sulogin_t)
libraries_use_shared_libraries(sulogin_t)

logging_send_system_log_message(sulogin_t)

selinux_read_config(sulogin_t)
selinux_read_default_contexts(sulogin_t)

# sulogin is allowed to read the shadow file directly, whereas
# local_login_t only dontaudits such reads and goes through the
# password-check transition instead.
authlogin_read_shadow_passwords(sulogin_t)

# suse and debian do not use pam with sulogin...
ifdef(`monolithic_policy',`
ifdef(`distro_suse', `define(`sulogin_no_pam')')
ifdef(`distro_debian', `define(`sulogin_no_pam')')
') dnl end monolithic_policy

# NOTE(review): sulogin_no_pam is set above with an m4 define(), but
# tunable_policy() selects on a policy boolean rather than on an m4
# symbol, so the distro defines may not select the first branch as
# intended; confirm whether this should be an m4 ifdef() instead, and
# whether a boolean of that name is declared anywhere.
# First branch: no PAM, sulogin configures the tty itself.  Second branch:
# with PAM, setexec (withheld by the ~{ } rule above) is granted back and
# the selinuxfs queries are used to compute the shell context.  The
# transition into the admin shell is commented out in both branches, so
# this module does not itself define how sulogin enters it.
tunable_policy(`sulogin_no_pam', `
allow sulogin_t self:capability sys_tty_config;
init_get_process_group(sulogin_t)
#domain_auto_trans(sulogin_t, shell_exec_t, sysadm_t)
', `
allow sulogin_t self:process setexec;
kernel_get_selinuxfs_mount_point(sulogin_t)
kernel_validate_selinux_context(sulogin_t)
kernel_compute_selinux_av(sulogin_t)
kernel_compute_create(sulogin_t)
kernel_compute_relabel(sulogin_t)
kernel_compute_reachable_user_contexts(sulogin_t)
#domain_trans(sulogin_t, shell_exec_t, sysadm_t)
')

# Legacy rules for sulogin_t, compiled out unless the m4 symbol TODO is
# defined (same arrangement as the local_login_t TODO block above).  If
# enabled they would give sulogin the admin pty and let it search the
# staff and sysadm home directories.
ifdef(`TODO',`
allow sulogin_t unpriv_userdomain:fd use;
can_ypbind(sulogin_t)
ifdef(`automount.te', `
allow sulogin_t autofs_t:dir { search getattr };
')

allow sulogin_t sysadm_devpts_t:chr_file { getattr ioctl read write };
allow sulogin_t { staff_home_dir_t sysadm_home_dir_t }:dir search;

# because file systems are not mounted
dontaudit sulogin_t file_t:dir search;
') dnl endif TODO
