Introduce exec-check interfaces for passwd binaries and useradd binaries

Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
2012-12-17 10:42:50 +01:00 · 2012-12-17 10:42:50 +01:00 · 517f37fd26
parent be31d3a183
commit 517f37fd26
1 changed files with 36 additions and 0 deletions
--- a/policy/modules/admin/usermanage.if
+++ b/policy/modules/admin/usermanage.if
@ -138,6 +138,24 @@ interface(`usermanage_kill_passwd',`
 	allow $1 passwd_t:process sigkill;
 ')

+########################################
+## <summary>
+##	Check if the passwd binary is executable.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`usermanage_check_exec_passwd',`
+	gen_require(`
+		type passwd_exec_t;
+	')
+
+	allow $1 passwd_exec_t:file { execute getattr_file_perms };
+')
+
 ########################################
 ## <summary>
 ##	Execute passwd in the passwd domain, and
@ -251,6 +269,24 @@ interface(`usermanage_domtrans_useradd',`
 	')
 ')

+########################################
+## <summary>
+##	Check if the useradd binaries are executable.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`usermanage_check_exec_useradd',`
+	gen_require(`
+		type useradd_exec_t;
+	')
+
+	allow $1 useradd_exec_t:file { execute getattr_file_perms };
+')
+
 ########################################
 ## <summary>
 ##	Execute useradd in the useradd domain, and