149 lines
5.1 KiB
Plaintext
149 lines
5.1 KiB
Plaintext
#DESC SE Linux User Manager (seuser)
|
|
#DEPENDS checkpolicy.te load_policy.te
|
|
#
|
|
# Authors: don.patterson@tresys.com, mayerf@tresys.com
|
|
# Additions: wsalamon@tislabs.com, dac@tresys.com
|
|
|
|
#
|
|
|
|
#################################
|
|
#
|
|
# Rules for the seuser_t domain.
|
|
#
|
|
# seuser_t is the domain of the seuser application when it is executed.
|
|
# seuser_conf_t is the type of the seuser configuration file.
|
|
# seuser_exec_t is the type of the seuser executable.
|
|
# seuser_tmp_t is the type of the temporary file(s) created by seuser.
|
|
#
|
|
##############################################
|
|
# Define types, and typical rules including
|
|
# access to execute and transition
|
|
##############################################
|
|
|
|
# Defined seuser types
|
|
type seuser_t, domain, privhome ;
|
|
type seuser_conf_t, file_type, sysadmfile ;
|
|
type seuser_exec_t, file_type, sysadmfile, exec_type ;
|
|
tmp_domain(seuser)
|
|
|
|
# Authorize roles
|
|
role sysadm_r types seuser_t ;
|
|
|
|
# Allow sysadm_t to run with privilege
|
|
domain_auto_trans(sysadm_t, seuser_exec_t, seuser_t)
|
|
|
|
# Grant the new domain permissions to many common operations
|
|
# FIX: Should be more resticted than this.
|
|
#every_domain(seuser_t)
|
|
allow seuser_t self:process { fork sigchld };
|
|
allow seuser_t self:fifo_file read;
|
|
allow seuser_t self:unix_stream_socket {create connect};
|
|
allow seuser_t self:dir search;
|
|
allow seuser_t self:file { read getattr };
|
|
|
|
allow seuser_t etc_t:dir search;
|
|
allow seuser_t etc_t:{lnk_file file} { read getattr};
|
|
read_locale(seuser_t)
|
|
allow seuser_t { var_run_t var_t}:dir search;
|
|
|
|
uses_shlib(seuser_t)
|
|
|
|
allow seuser_t devtty_t:chr_file {read write };
|
|
allow seuser_t proc_t:dir search;
|
|
allow seuser_t proc_t:{lnk_file file} { getattr read };
|
|
|
|
allow seuser_t root_t:dir search;
|
|
allow seuser_t staff_home_dir_t:dir search;
|
|
allow seuser_t home_root_t:dir { getattr search };
|
|
allow seuser_t staff_home_dir_t:dir getattr;
|
|
allow seuser_t default_t:file {read getattr};
|
|
|
|
allow seuser_t bin_t:dir { getattr search read} ;
|
|
allow seuser_t bin_t:lnk_file { read getattr };
|
|
allow seuser_t sbin_t:dir search;
|
|
|
|
# Inherit and use descriptors from login.
|
|
allow seuser_t privfd:fd use;
|
|
|
|
###############################################
|
|
|
|
# Use capabilities to self
|
|
allow seuser_t self:capability { dac_override setuid setgid } ;
|
|
|
|
# Grant the seuser domain ability to change passwords for a user.
|
|
allow seuser_t self:passwd { passwd chfn chsh } ;
|
|
|
|
# Read permissions for seuser.conf file
|
|
allow seuser_t seuser_conf_t:file r_file_perms ;
|
|
|
|
|
|
###################################################################
|
|
# Policy section: Define the ability to change and load policies
|
|
###################################################################
|
|
|
|
# seuser_t domain needs to transition to the checkpolicy and loadpolicy
|
|
# domains in order to install and load new policies.
|
|
domain_auto_trans(seuser_t, checkpolicy_exec_t, checkpolicy_t)
|
|
domain_auto_trans(seuser_t, load_policy_exec_t, load_policy_t)
|
|
|
|
# allow load_policy and checkpolicy domains access to seuser_tmp_t
|
|
# files in order for their stdout/stderr able to be put into
|
|
# seuser's tmp files.
|
|
#
|
|
# Since both these domains carefully try to limit where the
|
|
# assoicated program can read from, we won't use the standard
|
|
# rw_file_perm macro, but instead only grant the minimum needed
|
|
# to redirect output, write and getattr.
|
|
allow checkpolicy_t seuser_tmp_t:file { getattr write } ;
|
|
allow load_policy_t seuser_tmp_t:file { getattr write } ;
|
|
allow useradd_t seuser_tmp_t:file { getattr write } ;
|
|
|
|
|
|
# FIX: Temporarily allow seuser_t permissions for executing programs with a
|
|
# bint_t type without changing domains. We have to give seuser_t the following
|
|
# access because we use the policy make process to build new plicy.conf files.
|
|
# At some point, a new policy management infrastructure should remove the ability
|
|
# to modify policy source files with arbitrary progams
|
|
#
|
|
can_exec(seuser_t, bin_t)
|
|
can_exec(seuser_t, shell_exec_t)
|
|
|
|
|
|
# Read/write permission to the login context files in /etc/security
|
|
allow seuser_t login_contexts:file create_file_perms ;
|
|
|
|
# Read/write permission to the policy source and its' directory
|
|
allow seuser_t policy_src_t:dir create_dir_perms ;
|
|
allow seuser_t policy_src_t:file create_file_perms ;
|
|
|
|
# Allow search and stat for policy_config_t
|
|
allow seuser_t policy_config_t:dir { search getattr } ;
|
|
allow seuser_t policy_config_t:file stat_file_perms;
|
|
|
|
|
|
#ifdef(`xserver.te', `
|
|
############################################################
|
|
# Xserver section - To support our GUI interface,
|
|
############################################################
|
|
# Permission to create files in /tmp/.X11-Unix
|
|
#allow seuser_t sysadm_xserver_tmp_t:dir search ;
|
|
#allow seuser_t sysadm_xserver_tmp_t:sock_file write ;
|
|
#allow seuser_t user_xserver_tmp_t:dir search ;
|
|
#allow seuser_t user_xserver_tmp_t:sock_file write ;
|
|
|
|
# Permission to establish a Unix stream connection to X server
|
|
#can_unix_connect(seuser_t, user_xserver_t)
|
|
#can_unix_connect(seuser_t, sysadm_xserver_t)
|
|
#')
|
|
ifdef(`xdm.te', `
|
|
can_unix_connect(seuser_t, xdm_xserver_t)
|
|
')
|
|
|
|
# seuser_t domain needs execute access to the library files so that it can run.
|
|
can_exec(seuser_t, lib_t)
|
|
|
|
# Access ttys
|
|
allow seuser_t sysadm_tty_device_t:chr_file rw_file_perms ;
|
|
allow seuser_t sysadm_devpts_t:chr_file rw_file_perms ;
|
|
|