selinux-refpolicy/policy/modules/system/authlogin.te

518 lines
12 KiB
Plaintext

policy_module(authlogin, 2.18.4)
########################################
#
# Declarations
#
## <desc>
## <p>
## Allow PAM usage. If disabled, read access /etc/shadow is allowed for domains that normally use PAM.
## </p>
## </desc>
gen_tunable(authlogin_pam, true)
## <desc>
## <p>
## Allow users to resolve user passwd entries directly from ldap rather then using a sssd server
## </p>
## </desc>
gen_tunable(authlogin_nsswitch_use_ldap, false)
attribute can_read_shadow_passwords;
attribute can_write_shadow_passwords;
attribute can_relabelto_shadow_passwords;
attribute nsswitch_domain;
attribute pam_domain;
type auth_cache_t;
logging_log_file(auth_cache_t)
type chkpwd_t, can_read_shadow_passwords;
type chkpwd_exec_t;
application_domain(chkpwd_t, chkpwd_exec_t)
role system_r types chkpwd_t;
type faillog_t;
logging_log_file(faillog_t)
type lastlog_t;
logging_log_file(lastlog_t)
type login_exec_t;
application_executable_file(login_exec_t)
type pam_console_t;
type pam_console_exec_t;
init_system_domain(pam_console_t, pam_console_exec_t)
role system_r types pam_console_t;
type pam_t;
domain_type(pam_t)
role system_r types pam_t;
type pam_exec_t;
domain_entry_file(pam_t, pam_exec_t)
type pam_motd_runtime_t;
files_runtime_file(pam_motd_runtime_t)
type pam_runtime_t alias pam_var_run_t;
files_runtime_file(pam_runtime_t)
type pam_tmp_t;
files_tmp_file(pam_tmp_t)
type pam_var_console_t;
files_runtime_file(pam_var_console_t)
type shadow_t;
files_auth_file(shadow_t)
neverallow ~can_read_shadow_passwords shadow_t:file read;
neverallow ~can_write_shadow_passwords shadow_t:file { create write };
neverallow ~can_relabelto_shadow_passwords shadow_t:file relabelto;
type shadow_lock_t;
files_lock_file(shadow_lock_t)
type updpwd_t;
type updpwd_exec_t;
domain_type(updpwd_t)
domain_entry_file(updpwd_t, updpwd_exec_t)
domain_obj_id_change_exemption(updpwd_t)
role system_r types updpwd_t;
type utempter_t;
type utempter_exec_t;
application_domain(utempter_t, utempter_exec_t)
#
# var_auth_t is the type of /var/lib/auth, usually
# used for auth data in pam_able
#
type var_auth_t;
files_type(var_auth_t)
type wtmp_t;
logging_log_file(wtmp_t)
optional_policy(`
systemd_tmpfilesd_managed(faillog_t)
systemd_tmpfilesd_managed(var_auth_t)
')
########################################
#
# Check password local policy
#
allow chkpwd_t self:capability { dac_override setuid };
dontaudit chkpwd_t self:capability sys_tty_config;
allow chkpwd_t self:process { getattr signal };
allow chkpwd_t shadow_t:file read_file_perms;
files_list_etc(chkpwd_t)
kernel_read_crypto_sysctls(chkpwd_t)
kernel_dontaudit_search_kernel_sysctl(chkpwd_t)
kernel_dontaudit_read_kernel_sysctl(chkpwd_t)
kernel_dontaudit_getattr_proc(chkpwd_t)
domain_dontaudit_use_interactive_fds(chkpwd_t)
dev_read_rand(chkpwd_t)
dev_read_urand(chkpwd_t)
dev_search_sysfs(chkpwd_t)
files_read_etc_files(chkpwd_t)
# for nscd
files_dontaudit_search_var(chkpwd_t)
fs_dontaudit_getattr_xattr_fs(chkpwd_t)
selinux_get_enforce_mode(chkpwd_t)
term_dontaudit_use_console(chkpwd_t)
term_dontaudit_use_unallocated_ttys(chkpwd_t)
term_dontaudit_use_generic_ptys(chkpwd_t)
term_dontaudit_use_all_ptys(chkpwd_t)
auth_use_nsswitch(chkpwd_t)
logging_send_audit_msgs(chkpwd_t)
logging_send_syslog_msg(chkpwd_t)
miscfiles_read_localization(chkpwd_t)
seutil_libselinux_linked(chkpwd_t)
seutil_dontaudit_use_newrole_fds(chkpwd_t)
userdom_use_user_terminals(chkpwd_t)
ifdef(`distro_ubuntu',`
optional_policy(`
unconfined_domain(chkpwd_t)
')
')
optional_policy(`
# apache leaks file descriptors
apache_dontaudit_rw_tcp_sockets(chkpwd_t)
')
optional_policy(`
kerberos_use(chkpwd_t)
')
optional_policy(`
nis_authenticate(chkpwd_t)
')
########################################
#
# PAM local policy
#
allow pam_t self:process { transition signal_perms getsched setsched getsession getpgid setpgid getcap setcap share getattr noatsecure siginh rlimitinh dyntransition setkeycreate setsockcreate getrlimit };
dontaudit pam_t self:capability sys_tty_config;
allow pam_t self:fd use;
allow pam_t self:fifo_file rw_fifo_file_perms;
allow pam_t self:unix_dgram_socket create_socket_perms;
allow pam_t self:unix_stream_socket rw_stream_socket_perms;
allow pam_t self:unix_dgram_socket sendto;
allow pam_t self:unix_stream_socket connectto;
allow pam_t self:shm create_shm_perms;
allow pam_t self:sem create_sem_perms;
allow pam_t self:msgq create_msgq_perms;
allow pam_t self:msg { send receive };
delete_files_pattern(pam_t, pam_runtime_t, pam_runtime_t)
read_files_pattern(pam_t, pam_runtime_t, pam_runtime_t)
files_list_runtime(pam_t)
allow pam_t pam_tmp_t:dir manage_dir_perms;
allow pam_t pam_tmp_t:file manage_file_perms;
files_tmp_filetrans(pam_t, pam_tmp_t, { file dir })
auth_use_nsswitch(pam_t)
kernel_read_system_state(pam_t)
files_read_etc_files(pam_t)
fs_search_auto_mountpoints(pam_t)
miscfiles_read_localization(pam_t)
term_use_all_ttys(pam_t)
term_use_all_ptys(pam_t)
init_dontaudit_rw_utmp(pam_t)
logging_send_syslog_msg(pam_t)
ifdef(`distro_ubuntu',`
optional_policy(`
unconfined_domain(pam_t)
')
')
optional_policy(`
locallogin_use_fds(pam_t)
')
########################################
#
# PAM users local policy
#
# other access in auth_use_pam() due to nested typeattributes
# for SSP/ProPolice
dev_read_urand(pam_domain)
# for encrypted homedir
dev_read_sysfs(pam_domain)
auth_create_faillog_files(pam_domain)
auth_domtrans_upd_passwd(pam_domain)
auth_rw_lastlog(pam_domain)
auth_rw_faillog(pam_domain)
auth_rw_login_records(pam_domain)
auth_setattr_faillog_files(pam_domain)
auth_exec_pam(pam_domain)
files_read_etc_files(pam_domain)
logging_send_audit_msgs(pam_domain)
logging_send_syslog_msg(pam_domain)
tunable_policy(`authlogin_pam',`
dontaudit pam_domain shadow_t:file read_file_perms;
',`
allow pam_domain shadow_t:file read_file_perms;
')
optional_policy(`
nis_authenticate(pam_domain)
')
########################################
#
# PAM console local policy
#
allow pam_console_t self:capability { chown fowner fsetid };
dontaudit pam_console_t self:capability sys_tty_config;
allow pam_console_t self:process { sigchld sigkill sigstop signull signal };
# for /var/run/console.lock checking
read_files_pattern(pam_console_t, pam_var_console_t, pam_var_console_t)
read_lnk_files_pattern(pam_console_t, pam_var_console_t, pam_var_console_t)
dontaudit pam_console_t pam_var_console_t:file write;
kernel_read_kernel_sysctls(pam_console_t)
kernel_use_fds(pam_console_t)
kernel_dontaudit_search_unlabeled(pam_console_t)
# Read /proc/meminfo
kernel_read_system_state(pam_console_t)
dev_read_sysfs(pam_console_t)
dev_getattr_acpi_bios_dev(pam_console_t)
dev_setattr_acpi_bios_dev(pam_console_t)
dev_getattr_dri_dev(pam_console_t)
dev_setattr_dri_dev(pam_console_t)
dev_getattr_input_dev(pam_console_t)
dev_setattr_input_dev(pam_console_t)
dev_getattr_framebuffer_dev(pam_console_t)
dev_setattr_framebuffer_dev(pam_console_t)
dev_getattr_generic_usb_dev(pam_console_t)
dev_setattr_generic_usb_dev(pam_console_t)
dev_getattr_misc_dev(pam_console_t)
dev_setattr_misc_dev(pam_console_t)
dev_getattr_mouse_dev(pam_console_t)
dev_setattr_mouse_dev(pam_console_t)
dev_getattr_power_mgmt_dev(pam_console_t)
dev_setattr_power_mgmt_dev(pam_console_t)
dev_getattr_printer_dev(pam_console_t)
dev_setattr_printer_dev(pam_console_t)
dev_getattr_scanner_dev(pam_console_t)
dev_setattr_scanner_dev(pam_console_t)
dev_getattr_sound_dev(pam_console_t)
dev_setattr_sound_dev(pam_console_t)
dev_getattr_video_dev(pam_console_t)
dev_setattr_video_dev(pam_console_t)
dev_getattr_xserver_misc_dev(pam_console_t)
dev_setattr_xserver_misc_dev(pam_console_t)
dev_read_urand(pam_console_t)
files_read_etc_files(pam_console_t)
files_search_runtime(pam_console_t)
files_list_mnt(pam_console_t)
# read /etc/mtab
files_read_etc_runtime_files(pam_console_t)
fs_list_auto_mountpoints(pam_console_t)
fs_list_noxattr_fs(pam_console_t)
fs_getattr_all_fs(pam_console_t)
mls_file_read_all_levels(pam_console_t)
mls_file_write_all_levels(pam_console_t)
storage_getattr_fixed_disk_dev(pam_console_t)
storage_setattr_fixed_disk_dev(pam_console_t)
storage_getattr_removable_dev(pam_console_t)
storage_setattr_removable_dev(pam_console_t)
storage_getattr_scsi_generic_dev(pam_console_t)
storage_setattr_scsi_generic_dev(pam_console_t)
term_use_console(pam_console_t)
term_use_all_ttys(pam_console_t)
term_use_all_ptys(pam_console_t)
term_setattr_console(pam_console_t)
term_getattr_unallocated_ttys(pam_console_t)
term_setattr_unallocated_ttys(pam_console_t)
term_use_unallocated_ttys(pam_console_t)
auth_use_nsswitch(pam_console_t)
domain_use_interactive_fds(pam_console_t)
init_use_fds(pam_console_t)
init_use_script_ptys(pam_console_t)
logging_send_syslog_msg(pam_console_t)
miscfiles_read_localization(pam_console_t)
miscfiles_read_generic_certs(pam_console_t)
seutil_read_file_contexts(pam_console_t)
userdom_dontaudit_use_unpriv_user_fds(pam_console_t)
ifdef(`distro_ubuntu',`
optional_policy(`
unconfined_domain(pam_console_t)
')
')
optional_policy(`
gpm_getattr_gpmctl(pam_console_t)
gpm_setattr_gpmctl(pam_console_t)
')
optional_policy(`
seutil_sigchld_newrole(pam_console_t)
')
optional_policy(`
xserver_read_xdm_runtime_files(pam_console_t)
xserver_dontaudit_write_log(pam_console_t)
')
########################################
#
# updpwd local policy
#
allow updpwd_t self:capability { chown dac_override };
allow updpwd_t self:process setfscreate;
allow updpwd_t self:fifo_file rw_fifo_file_perms;
allow updpwd_t self:unix_stream_socket create_stream_socket_perms;
allow updpwd_t self:unix_dgram_socket create_socket_perms;
kernel_read_system_state(updpwd_t)
dev_read_urand(updpwd_t)
files_manage_etc_files(updpwd_t)
term_dontaudit_use_console(updpwd_t)
term_dontaudit_use_unallocated_ttys(updpwd_t)
auth_manage_shadow(updpwd_t)
auth_use_nsswitch(updpwd_t)
logging_send_syslog_msg(updpwd_t)
miscfiles_read_localization(updpwd_t)
userdom_use_user_terminals(updpwd_t)
ifdef(`distro_ubuntu',`
optional_policy(`
unconfined_domain(updpwd_t)
')
')
########################################
#
# Utempter local policy
#
allow utempter_t self:capability setgid;
allow utempter_t self:unix_stream_socket create_stream_socket_perms;
allow utempter_t wtmp_t:file rw_file_perms;
dev_read_urand(utempter_t)
files_read_etc_files(utempter_t)
term_getattr_all_ttys(utempter_t)
term_getattr_all_ptys(utempter_t)
term_dontaudit_use_all_ttys(utempter_t)
term_dontaudit_use_all_ptys(utempter_t)
term_dontaudit_use_ptmx(utempter_t)
init_rw_utmp(utempter_t)
domain_use_interactive_fds(utempter_t)
logging_search_logs(utempter_t)
userdom_use_user_terminals(utempter_t)
# Allow utemper to write to /tmp/.xses-*
userdom_write_user_tmp_files(utempter_t)
ifdef(`distro_ubuntu',`
optional_policy(`
unconfined_domain(utempter_t)
')
')
optional_policy(`
nscd_use(utempter_t)
')
optional_policy(`
xserver_use_xdm_fds(utempter_t)
xserver_rw_xdm_pipes(utempter_t)
')
#######################################
#
# nsswitch_domain local policy
#
allow nsswitch_domain self:key manage_key_perms;
files_list_var_lib(nsswitch_domain)
# read /etc/nsswitch.conf
files_read_etc_files(nsswitch_domain)
sysnet_dns_name_resolve(nsswitch_domain)
ifdef(`init_systemd', `
systemd_stream_connect_userdb(nsswitch_domain)
')
tunable_policy(`authlogin_nsswitch_use_ldap',`
miscfiles_read_generic_certs(nsswitch_domain)
sysnet_use_ldap(nsswitch_domain)
',`
miscfiles_dontaudit_read_generic_certs(nsswitch_domain)
')
optional_policy(`
tunable_policy(`authlogin_nsswitch_use_ldap',`
ldap_stream_connect(nsswitch_domain)
')
')
optional_policy(`
avahi_stream_connect(nsswitch_domain)
')
optional_policy(`
likewise_stream_connect_lsassd(nsswitch_domain)
')
optional_policy(`
kerberos_use(nsswitch_domain)
')
optional_policy(`
nis_use_ypbind(nsswitch_domain)
')
optional_policy(`
nscd_use(nsswitch_domain)
')
optional_policy(`
nslcd_stream_connect(nsswitch_domain)
')
optional_policy(`
sssd_stream_connect(nsswitch_domain)
')
optional_policy(`
samba_stream_connect_winbind(nsswitch_domain)
samba_read_var_files(nsswitch_domain)
samba_dontaudit_write_var_files(nsswitch_domain)
')