323 lines
7.9 KiB
Plaintext
323 lines
7.9 KiB
Plaintext
|
|
policy_module(authlogin,1.0)
|
|
|
|
########################################
|
|
#
|
|
# Declarations
|
|
#
|
|
|
|
attribute can_read_shadow_passwords;
|
|
attribute can_write_shadow_passwords;
|
|
attribute can_relabelto_shadow_passwords;
|
|
|
|
type chkpwd_exec_t;
|
|
files_type(chkpwd_exec_t)
|
|
|
|
type faillog_t;
|
|
logging_log_file(faillog_t)
|
|
|
|
type lastlog_t;
|
|
logging_log_file(lastlog_t)
|
|
|
|
type login_exec_t;
|
|
files_type(login_exec_t)
|
|
|
|
type pam_console_t;
|
|
type pam_console_exec_t;
|
|
init_system_domain(pam_console_t,pam_console_exec_t)
|
|
role system_r types pam_console_t;
|
|
|
|
domain_entry_file(pam_console_t,pam_console_exec_t)
|
|
|
|
type pam_t; #, nscd_client_domain;
|
|
domain_type(pam_t)
|
|
role system_r types pam_t;
|
|
|
|
type pam_exec_t;
|
|
domain_entry_file(pam_t,pam_exec_t)
|
|
|
|
type pam_tmp_t;
|
|
files_tmp_file(pam_tmp_t)
|
|
|
|
type pam_var_console_t; #, nscd_client_domain
|
|
files_type(pam_var_console_t)
|
|
|
|
type pam_var_run_t;
|
|
files_pid_file(pam_var_run_t)
|
|
|
|
type shadow_t;
|
|
files_type(shadow_t)
|
|
neverallow ~can_read_shadow_passwords shadow_t:file read;
|
|
neverallow ~can_write_shadow_passwords shadow_t:file { create write };
|
|
neverallow ~can_relabelto_shadow_passwords shadow_t:file relabelto;
|
|
|
|
type system_chkpwd_t, can_read_shadow_passwords; # , nscd_client_domain;
|
|
domain_type(system_chkpwd_t)
|
|
domain_entry_file(system_chkpwd_t,chkpwd_exec_t)
|
|
role system_r types system_chkpwd_t;
|
|
|
|
type utempter_t; #, nscd_client_domain;
|
|
domain_type(utempter_t)
|
|
|
|
type utempter_exec_t;
|
|
domain_entry_file(utempter_t,utempter_exec_t)
|
|
|
|
type wtmp_t;
|
|
logging_log_file(wtmp_t)
|
|
|
|
########################################
|
|
#
|
|
# PAM local policy
|
|
#
|
|
|
|
allow pam_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem dyntransition };
|
|
dontaudit pam_t self:capability sys_tty_config;
|
|
|
|
allow pam_t self:fd use;
|
|
allow pam_t self:fifo_file rw_file_perms;
|
|
allow pam_t self:unix_dgram_socket create_socket_perms;
|
|
allow pam_t self:unix_stream_socket rw_stream_socket_perms;
|
|
allow pam_t self:unix_dgram_socket sendto;
|
|
allow pam_t self:unix_stream_socket connectto;
|
|
allow pam_t self:shm create_shm_perms;
|
|
allow pam_t self:sem create_sem_perms;
|
|
allow pam_t self:msgq create_msgq_perms;
|
|
allow pam_t self:msg { send receive };
|
|
|
|
allow pam_t pam_var_run_t:dir { search getattr read write remove_name };
|
|
allow pam_t pam_var_run_t:file { getattr read unlink };
|
|
|
|
allow pam_t pam_tmp_t:dir create_dir_perms;
|
|
allow pam_t pam_tmp_t:file create_file_perms;
|
|
files_create_tmp_files(pam_t, pam_tmp_t, { file dir })
|
|
|
|
kernel_read_system_state(pam_t)
|
|
|
|
fs_search_auto_mountpoints(pam_t)
|
|
|
|
term_use_all_user_ttys(pam_t)
|
|
term_use_all_user_ptys(pam_t)
|
|
|
|
init_dontaudit_rw_script_pid(pam_t)
|
|
|
|
files_read_etc_files(pam_t)
|
|
files_list_pids(pam_t)
|
|
|
|
libs_use_ld_so(pam_t)
|
|
libs_use_shared_libs(pam_t)
|
|
|
|
logging_send_syslog_msg(pam_t)
|
|
|
|
userdom_use_unpriv_users_fd(pam_t)
|
|
|
|
optional_policy(`locallogin.te',`
|
|
locallogin_use_fd(pam_t)
|
|
')
|
|
|
|
optional_policy(`nis.te',`
|
|
nis_use_ypbind(pam_t)
|
|
')
|
|
|
|
ifdef(`TODO',`
|
|
ifdef(`gnome-pty-helper.te', `allow pam_t gphdomain:fd use;')
|
|
') dnl endif TODO
|
|
|
|
########################################
|
|
#
|
|
# PAM console local policy
|
|
#
|
|
|
|
allow pam_console_t self:capability { chown fowner fsetid };
|
|
dontaudit pam_console_t self:capability sys_tty_config;
|
|
|
|
allow pam_console_t self:process { sigchld sigkill sigstop signull signal };
|
|
|
|
# for /var/run/console.lock checking
|
|
allow pam_console_t pam_var_console_t:dir r_dir_perms;;
|
|
allow pam_console_t pam_var_console_t:file r_file_perms;
|
|
allow pam_console_t pam_var_console_t:lnk_file r_file_perms;
|
|
|
|
kernel_read_kernel_sysctl(pam_console_t)
|
|
kernel_read_system_state(pam_console_t)
|
|
kernel_use_fd(pam_console_t)
|
|
|
|
dev_read_sysfs(pam_console_t)
|
|
dev_getattr_apm_bios(pam_console_t)
|
|
dev_setattr_apm_bios(pam_console_t)
|
|
dev_getattr_framebuffer(pam_console_t)
|
|
dev_setattr_framebuffer(pam_console_t)
|
|
dev_getattr_misc(pam_console_t)
|
|
dev_setattr_misc(pam_console_t)
|
|
dev_getattr_mouse(pam_console_t)
|
|
dev_setattr_mouse(pam_console_t)
|
|
dev_getattr_power_management(pam_console_t)
|
|
dev_setattr_power_management(pam_console_t)
|
|
dev_getattr_scanner(pam_console_t)
|
|
dev_setattr_scanner(pam_console_t)
|
|
dev_getattr_snd_dev(pam_console_t)
|
|
dev_setattr_snd_dev(pam_console_t)
|
|
dev_getattr_video_dev(pam_console_t)
|
|
dev_setattr_video_dev(pam_console_t)
|
|
|
|
fs_search_auto_mountpoints(pam_console_t)
|
|
|
|
storage_getattr_fixed_disk(pam_console_t)
|
|
storage_setattr_fixed_disk(pam_console_t)
|
|
storage_getattr_removable_device(pam_console_t)
|
|
storage_setattr_removable_device(pam_console_t)
|
|
storage_getattr_scsi_generic(pam_console_t)
|
|
storage_setattr_scsi_generic(pam_console_t)
|
|
|
|
term_use_console(pam_console_t)
|
|
term_getattr_unallocated_ttys(pam_console_t)
|
|
term_setattr_unallocated_ttys(pam_console_t)
|
|
|
|
domain_use_wide_inherit_fd(pam_console_t)
|
|
|
|
files_read_etc_files(pam_console_t)
|
|
files_search_pids(pam_console_t)
|
|
files_list_mnt(pam_console_t)
|
|
|
|
init_use_fd(pam_console_t)
|
|
init_use_script_pty(pam_console_t)
|
|
|
|
libs_use_ld_so(pam_console_t)
|
|
libs_use_shared_libs(pam_console_t)
|
|
|
|
logging_send_syslog_msg(pam_console_t)
|
|
|
|
seutil_read_file_contexts(pam_console_t)
|
|
|
|
userdom_dontaudit_use_unpriv_user_fd(pam_console_t)
|
|
|
|
# cjp: with the old daemon_(base_)domain being broken up into
|
|
# a daemon and system interface, this probably is not needed:
|
|
ifdef(`direct_sysadm_daemon', `
|
|
userdom_dontaudit_use_sysadm_terms(pam_console_t)
|
|
')
|
|
|
|
ifdef(`targeted_policy', `
|
|
term_dontaudit_use_unallocated_tty(pam_console_t)
|
|
term_dontaudit_use_generic_pty(pam_console_t)
|
|
files_dontaudit_read_root_file(pam_console_t)
|
|
')
|
|
|
|
optional_policy(`hotplug.te', `
|
|
hotplug_use_fd(pam_console_t)
|
|
hotplug_dontaudit_search_config(pam_console_t)
|
|
')
|
|
|
|
optional_policy(`selinuxutil.te',`
|
|
seutil_sigchld_newrole(pam_console_t)
|
|
')
|
|
|
|
optional_policy(`udev.te', `
|
|
udev_read_db(pam_console_t)
|
|
')
|
|
|
|
ifdef(`TODO',`
|
|
optional_policy(`rhgb.te', `
|
|
rhgb_domain(pam_console_t)
|
|
')
|
|
|
|
ifdef(`gpm.te', `
|
|
allow pam_console_t gpmctl_t:sock_file { getattr setattr };
|
|
')
|
|
|
|
ifdef(`xdm.te', `
|
|
allow pam_console_t xdm_var_run_t:file { getattr read };
|
|
')
|
|
') dnl endif TODO
|
|
|
|
########################################
|
|
#
|
|
# System check password local policy
|
|
#
|
|
|
|
allow system_chkpwd_t self:capability setuid;
|
|
allow system_chkpwd_t self:process getattr;
|
|
|
|
allow system_chkpwd_t shadow_t:file { getattr read };
|
|
|
|
# is_selinux_enabled
|
|
kernel_read_system_state(system_chkpwd_t)
|
|
|
|
fs_dontaudit_getattr_xattr_fs(system_chkpwd_t)
|
|
|
|
term_use_unallocated_tty(system_chkpwd_t)
|
|
|
|
files_read_etc_files(system_chkpwd_t)
|
|
# for nscd
|
|
files_dontaudit_search_var(system_chkpwd_t)
|
|
|
|
libs_use_ld_so(system_chkpwd_t)
|
|
libs_use_shared_libs(system_chkpwd_t)
|
|
|
|
logging_send_syslog_msg(system_chkpwd_t)
|
|
|
|
miscfiles_read_localization(system_chkpwd_t)
|
|
|
|
seutil_read_config(system_chkpwd_t)
|
|
|
|
userdom_dontaudit_use_unpriv_user_tty(system_chkpwd_t)
|
|
|
|
tunable_policy(`use_dns',`
|
|
allow system_chkpwd_t self:udp_socket create_socket_perms;
|
|
corenet_udp_sendrecv_all_if(system_chkpwd_t)
|
|
corenet_raw_sendrecv_all_if(system_chkpwd_t)
|
|
corenet_udp_sendrecv_all_nodes(system_chkpwd_t)
|
|
corenet_raw_sendrecv_all_nodes(system_chkpwd_t)
|
|
corenet_udp_bind_all_nodes(system_chkpwd_t)
|
|
corenet_udp_sendrecv_dns_port(system_chkpwd_t)
|
|
sysnet_read_config(system_chkpwd_t)
|
|
')
|
|
|
|
optional_policy(`kerberos.te',`
|
|
kerberos_use(system_chkpwd_t)
|
|
')
|
|
|
|
optional_policy(`nis.te',`
|
|
nis_use_ypbind(system_chkpwd_t)
|
|
')
|
|
|
|
ifdef(`TODO',`
|
|
can_ldap(system_chkpwd_t)
|
|
') dnl end TODO
|
|
|
|
########################################
|
|
#
|
|
# Utempter local policy
|
|
#
|
|
|
|
allow utempter_t self:capability setgid;
|
|
allow utempter_t self:unix_stream_socket create_stream_socket_perms;
|
|
|
|
allow utempter_t wtmp_t:file rw_file_perms;
|
|
|
|
term_getattr_all_user_ttys(utempter_t)
|
|
term_getattr_all_user_ptys(utempter_t)
|
|
term_dontaudit_use_all_user_ttys(utempter_t)
|
|
term_dontaudit_use_all_user_ptys(utempter_t)
|
|
term_dontaudit_use_ptmx(utempter_t)
|
|
|
|
init_rw_script_pid(utempter_t)
|
|
|
|
files_read_etc_files(utempter_t)
|
|
|
|
domain_use_wide_inherit_fd(utempter_t)
|
|
|
|
libs_use_ld_so(utempter_t)
|
|
libs_use_shared_libs(utempter_t)
|
|
|
|
logging_search_logs(utempter_t)
|
|
|
|
# Allow utemper to write to /tmp/.xses-*
|
|
userdom_write_unpriv_user_tmp(utempter_t)
|
|
|
|
optional_policy(`xdm.te', `
|
|
#allow utempter_t xdm_t:fd use;
|
|
xdm_use_fd(utempter_t)
|
|
#allow utempter_t xdm_t:fifo_file { write getattr };
|
|
xdm_write_fifo(utempter_t)
|
|
')
|