From 9489149ec06a517f0c3d94f231857fb747f07210 Mon Sep 17 00:00:00 2001 From: Chris PeBenito Date: Mon, 8 Aug 2005 21:03:23 +0000 Subject: [PATCH] add su --- refpolicy/Changelog | 1 + .../policy/modules.conf.targeted_example | 219 ++++++++++-------- refpolicy/policy/modules/admin/su.fc | 2 + refpolicy/policy/modules/admin/su.if | 149 ++++++++++++ refpolicy/policy/modules/admin/su.te | 12 + refpolicy/policy/modules/kernel/filesystem.if | 34 +++ 6 files changed, 325 insertions(+), 92 deletions(-) create mode 100644 refpolicy/policy/modules/admin/su.fc create mode 100644 refpolicy/policy/modules/admin/su.if create mode 100644 refpolicy/policy/modules/admin/su.te diff --git a/refpolicy/Changelog b/refpolicy/Changelog index b04973a5b..c2b4898d4 100644 --- a/refpolicy/Changelog +++ b/refpolicy/Changelog @@ -8,6 +8,7 @@ * Added policies: acct mysql + su tmpreaper updfstab diff --git a/refpolicy/policy/modules.conf.targeted_example b/refpolicy/policy/modules.conf.targeted_example index 488d6f8c1..c0fbd0a57 100644 --- a/refpolicy/policy/modules.conf.targeted_example +++ b/refpolicy/policy/modules.conf.targeted_example @@ -59,20 +59,6 @@ files = base # domain = base -# Layer: admin -# Module: consoletype -# -# Determine of the console connected to the controlling terminal. -# -consoletype = base - -# Layer: admin -# Module: netutils -# -# Network analysis utilities -# -netutils = base - # Layer: admin # Module: usermanage # 
@@ -101,6 +87,48 @@ dmesg = base # logrotate = off +# Layer: admin +# Module: consoletype +# +# Determine of the console connected to the controlling terminal. +# +consoletype = base + +# Layer: admin +# Module: netutils +# +# Network analysis utilities +# +netutils = base + +# Layer: admin +# Module: acct +# +# Berkeley process accounting +# +acct = base + +# Layer: admin +# Module: tmpreaper +# +# Manage temporary directory sizes and file ages +# +tmpreaper = base + +# Layer: admin +# Module: updfstab +# +# Red Hat utility to change /etc/fstab. +# +updfstab = base + +# Layer: admin +# Module: su +# +# Run shells with substitute user and group +# +su = off + # Layer: apps # Module: gpg # @@ -136,20 +164,6 @@ storage = base # terminal = base -# Layer: services -# Module: cron -# -# Periodic execution of scheduled commands. -# -cron = base - -# Layer: services -# Module: ssh -# -# Secure shell client and server policy. -# -ssh = off - # Layer: services # Module: remotelogin # @@ -157,6 +171,20 @@ ssh = off # remotelogin = base +# Layer: services +# Module: nscd +# +# Name service cache daemon +# +nscd = base + +# Layer: services +# Module: nis +# +# Policy for NIS (YP) servers and clients +# +nis = base + # Layer: services # Module: sendmail # @@ -165,18 +193,18 @@ remotelogin = base sendmail = off # Layer: services -# Module: mta +# Module: ssh # -# Policy common to all email tranfer agents. +# Secure shell client and server policy. # -mta = base +ssh = off # Layer: services -# Module: nis +# Module: cron # -# Policy for NIS (YP) servers and clients +# Periodic execution of scheduled commands. # -nis = base +cron = base # Layer: services # Module: inetd 
@@ -193,11 +221,32 @@ inetd = base kerberos = base # Layer: services -# Module: nscd +# Module: mta # -# Name service cache daemon +# Policy common to all email tranfer agents. # -nscd = base +mta = base + +# Layer: services +# Module: mysql +# +# Policy for MySQL +# +mysql = base + +# Layer: system +# Module: unconfined +# +# The unconfined domain. +# +unconfined = base + +# Layer: system +# Module: authlogin +# +# Common policy for authentication and user login. +# +authlogin = base # Layer: system # Module: selinuxutil @@ -221,11 +270,11 @@ getty = base mount = base # Layer: system -# Module: logging +# Module: ipsec # -# Policy for the kernel message logger and system logging daemon. +# TCP/IP encryption # -logging = base +ipsec = base # Layer: system # Module: locallogin @@ -234,6 +283,13 @@ logging = base # locallogin = base +# Layer: system +# Module: logging +# +# Policy for the kernel message logger and system logging daemon. +# +logging = base + # Layer: system # Module: sysnetwork # @@ -241,6 +297,20 @@ locallogin = base # sysnetwork = base +# Layer: system +# Module: fstools +# +# Tools for filesystem management, such as mkfs and fsck. +# +fstools = base + +# Layer: system +# Module: pcmcia +# +# PCMCIA card management services +# +pcmcia = base + # Layer: system # Module: iptables # @@ -255,13 +325,6 @@ iptables = base # userdomain = base -# Layer: system -# Module: clock -# -# Policy for reading and setting the hardware clock. -# -clock = base - # Layer: system # Module: corecommands # @@ -278,6 +341,13 @@ corecommands = base # hotplug = base +# Layer: system +# Module: clock +# +# Policy for reading and setting the hardware clock. +# +clock = base + # Layer: system # Module: lvm # @@ -292,13 +362,6 @@ lvm = base # modutils = base -# Layer: system -# Module: udev -# -# Policy for udev. -# -udev = base - # Layer: system # Module: init # 
@@ -306,6 +369,13 @@ udev = base # init = base +# Layer: system +# Module: udev +# +# Policy for udev. +# +udev = base + # Layer: system # Module: hostname # @@ -314,11 +384,11 @@ init = base hostname = base # Layer: system -# Module: authlogin +# Module: raid # -# Common policy for authentication and user login. +# RAID array management tools # -authlogin = base +raid = base # Layer: system # Module: libraries @@ -327,20 +397,6 @@ authlogin = base # libraries = base -# Layer: system -# Module: ipsec -# -# TCP/IP encryption -# -ipsec = base - -# Layer: system -# Module: unconfined -# -# The unconfined domain. -# -unconfined = base - # Layer: system # Module: miscfiles # @@ -348,24 +404,3 @@ unconfined = base # miscfiles = base -# Layer: system -# Module: fstools -# -# Tools for filesystem management, such as mkfs and fsck. -# -fstools = base - -# Layer: system -# Module: pcmcia -# -# PCMCIA card management services -# -pcmcia = base - -# Layer: system -# Module: raid -# -# RAID array management tools -# -raid = base - diff --git a/refpolicy/policy/modules/admin/su.fc b/refpolicy/policy/modules/admin/su.fc new file mode 100644 index 000000000..ed98aba04 --- /dev/null +++ b/refpolicy/policy/modules/admin/su.fc @@ -0,0 +1,2 @@ + +/bin/su -- context_template(system_u:object_r:su_exec_t,s0) diff --git a/refpolicy/policy/modules/admin/su.if b/refpolicy/policy/modules/admin/su.if new file mode 100644 index 000000000..6dc5216e3 --- /dev/null +++ b/refpolicy/policy/modules/admin/su.if 
@@ -0,0 +1,149 @@
+## Run shells with substitute user and group
+
+template(`su_per_userdomain_template',`
+
+ type $1_su_t;
+ domain_entry_file($1_su_t,su_exec_t)
+ domain_type($1_su_t)
+ domain_role_change_exempt($1_su_t)
+ domain_subj_id_change_exempt($1_su_t)
+ domain_obj_id_change_exempt($1_su_t)
+ domain_wide_inherit_fd($1_su_t)
+ role $1_r types $1_su_t;
+
+ allow $1_t $1_su_t:process signal;
+
+ allow $1_su_t self:capability { setuid setgid net_bind_service chown dac_override fowner sys_nice sys_resource };
+ dontaudit $1_su_t self:capability sys_tty_config;
+ allow $1_su_t self:process { setexec setsched setrlimit };
+ allow $1_su_t self:fifo_file rw_file_perms;
+
+ # Transition from the user domain to this domain.
+ domain_auto_trans($1_t, su_exec_t, $1_su_t)
+ allow $1_t $1_su_t:fd use;
+ allow $1_su_t $1_t:fd use;
+ allow $1_su_t $1_t:fifo_file rw_file_perms;
+ allow $1_su_t $1_t:process sigchld;
+
+ # By default, revert to the calling domain when a shell is executed.
+ corecmd_shell_domtrans($1_su_t,$1_t)
+ allow $1_t $1_su_t:fd use;
+ allow $1_su_t $1_t:fd use;
+ allow $1_su_t $1_t:fifo_file rw_file_perms;
+ allow $1_su_t $1_t:process sigchld;
+
+ kernel_read_system_state($1_su_t)
+ kernel_read_kernel_sysctl($1_su_t)
+
+ # for SSP
+ dev_read_urand($1_su_t)
+
+ fs_search_auto_mountpoints($1_su_t)
+
+ selinux_get_fs_mount($1_su_t)
+ selinux_validate_context($1_su_t)
+ selinux_compute_access_vector($1_su_t)
+ selinux_compute_create_context($1_su_t)
+ selinux_compute_relabel_context($1_su_t)
+ selinux_compute_user_contexts($1_su_t)
+
+ # Relabel ttys and ptys.
+ term_relabel_all_user_ttys($1_su_t)
+ term_relabel_all_user_ptys($1_su_t)
+ # Close and re-open ttys and ptys to get the fd into the correct domain.
+ term_use_all_user_ttys($1_su_t)
+ term_use_all_user_ptys($1_su_t)
+
+ auth_dontaudit_read_shadow($1_su_t)
+
+ domain_wide_inherit_fd($1_su_t)
+
+ files_read_etc_files($1_su_t)
+ files_search_var_lib($1_su_t)
+
+ init_dontaudit_use_fd($1_su_t)
+ # Write to utmp.
+ init_rw_script_pid($1_su_t)
+
+ libs_use_ld_so($1_su_t)
+ libs_use_shared_libs($1_su_t)
+
+ logging_send_syslog_msg($1_su_t)
+
+ miscfiles_read_localization($1_su_t)
+
+ seutil_read_config($1_su_t)
+ seutil_read_default_contexts($1_su_t)
+
+ if(secure_mode)
+ {
+ # Only allow transitions to unprivileged user domains.
+ userdom_spec_domtrans_unpriv_users($1_su_t)
+ } else {
+ # Allow transitions to all user domains
+ userdom_spec_domtrans_all_users($1_su_t)
+ }
+
+ if (use_nfs_home_dirs) {
+ fs_search_nfs($1_su_t)
+ }
+
+ if (use_samba_home_dirs) {
+ fs_search_cifs($1_su_t)
+ }
+
+ optional_policy(`crond.te',`
+ cron_read_pipe($1_su_t)
+ ')
+
+ optional_policy(`kerberos.te',`
+ kerberos_use($1_su_t)
+ ')
+
+ optional_policy(`nis.te',`
+ nis_use_ypbind($1_su_t)
+ ')
+
+ optional_policy(`nscd.te',`
+ nscd_use_socket($1_su_t)
+ ')
+
+ ifdef(`TODO',`
+ domain_auto_trans($1_su_t, chkpwd_exec_t, $1_chkpwd_t)
+
+ # Caused by su - init scripts
+ dontaudit $1_su_t initrc_devpts_t:chr_file { getattr ioctl };
+
+ # Inherit and use descriptors from gnome-pty-helper.
+ ifdef(`gnome-pty-helper.te', `allow $1_su_t $1_gph_t:fd use;')
+
+ # Write to the user domain tty.
+ access_terminal($1_su_t, $1)
+
+ allow $1_su_t { home_root_t $1_home_dir_t }:dir search;
+ allow $1_su_t $1_home_t:file create_file_perms;
+
+ ifdef(`user_canbe_sysadm', `
+ allow $1_su_t home_dir_type:dir { search write };
+ ', `
+ dontaudit $1_su_t home_dir_type:dir { search write };
+ ')
+
+ # Modify .Xauthority file (via xauth program).
+ ifdef(`xauth.te', `
+ file_type_auto_trans($1_su_t, staff_home_dir_t, staff_xauth_home_t, file)
+ file_type_auto_trans($1_su_t, user_home_dir_t, user_xauth_home_t, file)
+ file_type_auto_trans($1_su_t, sysadm_home_dir_t, sysadm_xauth_home_t, file)
+ domain_auto_trans($1_su_t, xauth_exec_t, $1_xauth_t)
+ ')
+
+ ifdef(`cyrus.te', `
+ allow $1_su_t cyrus_var_lib_t:dir search;
+ ')
+ ifdef(`ssh.te', `
+ # Access sshd cookie files.
+ allow $1_su_t sshd_tmp_t:file rw_file_perms;
+ file_type_auto_trans($1_su_t, sshd_tmp_t, $1_tmp_t)
+ ')
+ ') dnl end TODO
+')
diff --git a/refpolicy/policy/modules/admin/su.te b/refpolicy/policy/modules/admin/su.te
new file mode 100644
index 000000000..e01bee1c0
--- /dev/null
+++ b/refpolicy/policy/modules/admin/su.te
@@ -0,0 +1,12 @@
+
+policy_module(su,1.0)
+
+########################################
+#
+# Declarations
+#
+
+type su_exec_t;
+files_type(su_exec_t)
+
+# Remaining policy in the per-user domain template
diff --git a/refpolicy/policy/modules/kernel/filesystem.if b/refpolicy/policy/modules/kernel/filesystem.if
index 825818ccd..09e1c6bd4 100644
--- a/refpolicy/policy/modules/kernel/filesystem.if
+++ b/refpolicy/policy/modules/kernel/filesystem.if
@@ -401,6 +401,23 @@ interface(`fs_getattr_cifs',`
 allow $1 cifs_t:filesystem getattr;
 ')
 
+########################################
+##
+## Search directories on a CIFS or SMB filesystem.
+##
+##
+## The type of the domain reading the files.
+##
+#
+interface(`fs_search_cifs',`
+ gen_require(`
+ type cifs_t;
+ class dir search;
+ ')
+
+ allow $1 cifs_t:dir search;
+')
+
 ########################################
 ##
 ## Read files on a CIFS or SMB filesystem.
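Review bot: `domain_wide_inherit_fd($1_su_t)` is called twice in the new template (once in the opening declaration block, again right after `auth_dontaudit_read_shadow($1_su_t)`), and the four `fd use` / `fifo_file rw_file_perms` / `process sigchld` rules that follow `domain_auto_trans($1_t, su_exec_t, $1_su_t)` are repeated verbatim after `corecmd_shell_domtrans($1_su_t,$1_t)`; dropping the second copy of each leaves the granted access unchanged and makes the allow set easier to audit. The `if(secure_mode)` block also uses a different brace style from the `use_nfs_home_dirs` and `use_samba_home_dirs` conditionals a few lines below; `if (secure_mode) {` would match them. The header documents only a summary; a parameter description stating that `$1` is the user domain prefix (as in `$1_t` and `$1_r`) would match the interface headers in filesystem.if. Everything under `ifdef(`TODO',...)`, including the `chkpwd_exec_t` transition and the home-directory and tty rules, presumably stays compiled out until TODO is defined, so a one-line comment before that block naming what is still pending would help readers of the template.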
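Review bot: The parameter description in the new `fs_search_cifs` header reads `The type of the domain reading the files.`, but the interface grants only `dir search` on `cifs_t`; `The type of the domain searching the directories.` describes what it actually allows. The same copied wording appears in the `fs_search_nfs` header in the following hunk.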
@@ -871,6 +888,23 @@ interface(`fs_getattr_nfs',`
 allow $1 nfs_t:filesystem getattr;
 ')
 
+########################################
+##
+## Search directories on a NFS filesystem.
+##
+##
+## The type of the domain reading the files.
+##
+#
+interface(`fs_search_nfs',`
+ gen_require(`
+ type nfs_t;
+ class dir search;
+ ')
+
+ allow $1 nfs_t:dir search;
+')
+
 ########################################
 ##
 ## Read files on a NFS filesystem.