#DESC Useradd - Manage system user accounts
#
# Authors: Chris Vance, David Caplan
#          Russell Coker
# X-Debian-Packages: passwd
#

#################################
#
# Rules for the useradd_t and groupadd_t domains.
#
# useradd_t is the domain of the useradd/userdel programs.
# groupadd_t is for adding groups (can not create home dirs)
#

# user_group_add_program(name)
#
# Declares the name_t domain with its name_exec_t entry point and the
# rules that useradd_t and groupadd_t share.  Callers add the rules that
# are specific to one domain after invoking the macro.
define(`user_group_add_program', `
type $1_t, domain, privlog, auth_write, privowner, nscd_client_domain;
role sysadm_r types $1_t;
role system_r types $1_t;
general_domain_access($1_t)
uses_shlib($1_t)
type $1_exec_t, file_type, sysadmfile, exec_type;

# Entered from the admin shell and from init scripts.
domain_auto_trans(sysadm_t, $1_exec_t, $1_t)
domain_auto_trans(initrc_t, $1_exec_t, $1_t)

# Capabilities used while editing root-owned account files.
allow $1_t self:capability { dac_override chown kill };

# Allow access to context for shadow file.
can_getsecurity($1_t)

# Descriptors inherited from login.
allow $1_t { init_t privfd }:fd use;

# Runs helpers under /usr/bin and /usr/sbin (passwd, chfn, chsh, useradd, vipw).
allow $1_t { bin_t sbin_t }:dir r_dir_perms;
can_exec($1_t, { bin_t sbin_t })

# Rewrites /etc/shadow and /etc/passwd; files created in etc_t are labelled shadow_t.
file_type_auto_trans($1_t, etc_t, shadow_t, file)
allow $1_t etc_t:file create_file_perms;

# Some callers probe /var/run, but they work without it, so stay quiet.
dontaudit $1_t var_run_t:dir search;

# Read the SELinux configuration.
r_dir_file($1_t, selinux_config_t)

# Set the fscreate context and relabel between etc_t and shadow_t.
can_setfscreate($1_t)
allow $1_t { etc_t shadow_t }:file { relabelfrom relabelto };
read_locale($1_t)

# useradd/userdel probe /var/log/lastlog and /dev but operate without
# them, so the denials are silenced rather than granted here.
dontaudit $1_t { device_t var_t var_log_t }:dir search;

# Needed by userdel and groupadd.
allow $1_t fs_t:filesystem getattr;

# Terminals.
allow $1_t { ttyfile ptyfile }:chr_file rw_file_perms;
ifdef(`gnome-pty-helper.te', `allow $1_t gphdomain:fd use;')

# Stay quiet when /root is the current directory.
dontaudit $1_t sysadm_home_dir_t:dir search;
nsswitch_domain($1_t)
allow $1_t self:netlink_audit_socket { create_socket_perms nlmsg_relay };
')

user_group_add_program(useradd)

# NOTE(review): the shared macro dontaudits var_log_t:dir search, so this
# rule is only reachable if that search is granted elsewhere -- confirm.
allow useradd_t lastlog_t:file { getattr read write };

# For getting the number of groups.
read_sysctl(useradd_t)

# Create and remove user home directories and their contents.
file_type_auto_trans(useradd_t, home_root_t, user_home_dir_t, dir)
file_type_auto_trans(useradd_t, user_home_dir_t, user_home_t)

# Create and delete the mail spool file in /var/mail, which is a link to
# /var/spool/mail.
allow useradd_t var_spool_t:dir search;
allow useradd_t mail_spool_t:dir { search write add_name remove_name };
allow useradd_t mail_spool_t:file create_file_perms;
allow useradd_t mail_spool_t:lnk_file read;

allow useradd_t self:capability { fowner fsetid setuid sys_resource };
can_exec(useradd_t, shell_exec_t)

# /usr/bin/userdel locks the user being deleted; allow write access to utmp.
allow useradd_t initrc_var_run_t:file { read write lock };

# Lookups in the file-context and default-context directories and /var/lib.
allow useradd_t { default_context_t file_context_t }:dir search;
allow useradd_t file_context_t:file { getattr read };
allow useradd_t var_lib_t:dir search;

user_group_add_program(groupadd)

dontaudit groupadd_t self:capability fsetid;
allow groupadd_t self:capability { setuid sys_resource };
allow groupadd_t self:process setrlimit;
allow groupadd_t initrc_var_run_t:file r_file_perms;
dontaudit groupadd_t initrc_var_run_t:file write;