Add role attributes to usermanage.
This commit is contained in:
parent
26761b31cd
commit
af1f9606c3
@ -41,11 +41,11 @@ interface(`usermanage_domtrans_chfn',`
|
||||
#
|
||||
interface(`usermanage_run_chfn',`
|
||||
gen_require(`
|
||||
type chfn_t;
|
||||
attribute_role chfn_roles;
|
||||
')
|
||||
|
||||
usermanage_domtrans_chfn($1)
|
||||
role $2 types chfn_t;
|
||||
roleattribute $2 chfn_roles;
|
||||
')
|
||||
|
||||
########################################
|
||||
@ -90,15 +90,11 @@ interface(`usermanage_domtrans_groupadd',`
|
||||
#
|
||||
interface(`usermanage_run_groupadd',`
|
||||
gen_require(`
|
||||
type groupadd_t;
|
||||
attribute_role groupadd_roles;
|
||||
')
|
||||
|
||||
usermanage_domtrans_groupadd($1)
|
||||
role $2 types groupadd_t;
|
||||
|
||||
optional_policy(`
|
||||
nscd_run(groupadd_t, $2)
|
||||
')
|
||||
roleattribute $2 groupadd_roles;
|
||||
')
|
||||
|
||||
########################################
|
||||
@ -160,12 +156,11 @@ interface(`usermanage_kill_passwd',`
|
||||
#
|
||||
interface(`usermanage_run_passwd',`
|
||||
gen_require(`
|
||||
type passwd_t;
|
||||
attribute_role passwd_roles;
|
||||
')
|
||||
|
||||
usermanage_domtrans_passwd($1)
|
||||
role $2 types passwd_t;
|
||||
auth_run_chk_passwd(passwd_t, $2)
|
||||
roleattribute $2 passwd_roles;
|
||||
')
|
||||
|
||||
########################################
|
||||
@ -208,15 +203,11 @@ interface(`usermanage_domtrans_admin_passwd',`
|
||||
#
|
||||
interface(`usermanage_run_admin_passwd',`
|
||||
gen_require(`
|
||||
type sysadm_passwd_t;
|
||||
attribute_role sysadm_passwd_roles;
|
||||
')
|
||||
|
||||
usermanage_domtrans_admin_passwd($1)
|
||||
role $2 types sysadm_passwd_t;
|
||||
|
||||
optional_policy(`
|
||||
nscd_run(sysadm_passwd_t, $2)
|
||||
')
|
||||
roleattribute $2 sysadm_passwd_roles;
|
||||
')
|
||||
|
||||
########################################
|
||||
@ -279,17 +270,11 @@ interface(`usermanage_domtrans_useradd',`
|
||||
#
|
||||
interface(`usermanage_run_useradd',`
|
||||
gen_require(`
|
||||
type useradd_t;
|
||||
attribute_role useradd_roles;
|
||||
')
|
||||
|
||||
usermanage_domtrans_useradd($1)
|
||||
role $2 types useradd_t;
|
||||
|
||||
seutil_run_semanage(useradd_t, $2)
|
||||
|
||||
optional_policy(`
|
||||
nscd_run(useradd_t, $2)
|
||||
')
|
||||
roleattribute $2 useradd_roles;
|
||||
')
|
||||
|
||||
########################################
|
||||
|
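Review bot: The `## <param name="role">` documentation above each `usermanage_run_*` interface sits outside these hunks and, if left as is, still describes the old `role $2 types X_t;` grant that `roleattribute $2 chfn_roles;` (and the matching groupadd, passwd, admin_passwd and useradd lines) replaces; it should say the role is added to the module's role attribute, so whatever `role X_roles types ...` the .te declares applies to it. From the hunk line counts (15 to 11 for groupadd, 17 to 11 for useradd, 15 to 11 for admin_passwd, 12 to 11 for passwd) the per-interface `nscd_run`, `auth_run_chk_passwd` and `seutil_run_semanage` calls appear to be dropped in favour of the attribute-based grants in the .te, which is not visible from the interface alone; a comment at each `roleattribute` line such as `# helper-domain transitions (chkpwd, nscd, semanage) are granted to X_roles in the .te` would stop a later maintainer from re-adding them. The removed `role $2 types chfn_t;` at the first hunk also leaves the interface with no direct type binding at all, so correctness now depends entirely on a `role chfn_roles types chfn_t;` line existing in usermanage.te; see the note on that file.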
@ -5,6 +5,19 @@ policy_module(usermanage, 1.16.0)
|
||||
# Declarations
|
||||
#
|
||||
|
||||
attribute_role chfn_roles;
|
||||
role system_r types chfn_t;
|
||||
|
||||
attribute_role groupadd_roles;
|
||||
|
||||
attribute_role passwd_roles;
|
||||
roleattribute system_r passwd_roles;
|
||||
|
||||
attribute_role sysadm_passwd_roles;
|
||||
roleattribute system_r sysadm_passwd_roles;
|
||||
|
||||
attribute_role useradd_roles;
|
||||
|
||||
type admin_passwd_exec_t;
|
||||
files_type(admin_passwd_exec_t)
|
||||
|
||||
@ -12,7 +25,6 @@ type chfn_t;
|
||||
type chfn_exec_t;
|
||||
domain_obj_id_change_exemption(chfn_t)
|
||||
application_domain(chfn_t, chfn_exec_t)
|
||||
role system_r types chfn_t;
|
||||
|
||||
type crack_t;
|
||||
type crack_exec_t;
|
||||
@ -34,12 +46,12 @@ type passwd_t;
|
||||
type passwd_exec_t;
|
||||
domain_obj_id_change_exemption(passwd_t)
|
||||
application_domain(passwd_t, passwd_exec_t)
|
||||
role system_r types passwd_t;
|
||||
role passwd_roles types passwd_t;
|
||||
|
||||
type sysadm_passwd_t;
|
||||
domain_obj_id_change_exemption(sysadm_passwd_t)
|
||||
application_domain(sysadm_passwd_t, admin_passwd_exec_t)
|
||||
role system_r types sysadm_passwd_t;
|
||||
role sysadm_passwd_roles types sysadm_passwd_t;
|
||||
|
||||
type sysadm_passwd_tmp_t;
|
||||
files_tmp_file(sysadm_passwd_tmp_t)
|
||||
@ -88,7 +100,7 @@ fs_search_auto_mountpoints(chfn_t)
|
||||
# for SSP
|
||||
dev_read_urand(chfn_t)
|
||||
|
||||
auth_domtrans_chk_passwd(chfn_t)
|
||||
auth_run_chk_passwd(chfn_t, chfn_roles)
|
||||
auth_dontaudit_read_shadow(chfn_t)
|
||||
auth_use_nsswitch(chfn_t)
|
||||
|
||||
@ -216,7 +228,7 @@ logging_send_syslog_msg(groupadd_t)
|
||||
|
||||
miscfiles_read_localization(groupadd_t)
|
||||
|
||||
auth_domtrans_chk_passwd(groupadd_t)
|
||||
auth_run_chk_passwd(groupadd_t, groupadd_roles)
|
||||
auth_rw_lastlog(groupadd_t)
|
||||
auth_use_nsswitch(groupadd_t)
|
||||
# these may be unnecessary due to the above
|
||||
@ -237,7 +249,7 @@ optional_policy(`
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
nscd_domtrans(groupadd_t)
|
||||
nscd_run(groupadd_t, groupadd_roles)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@ -294,7 +306,7 @@ selinux_compute_user_contexts(passwd_t)
|
||||
term_use_all_ttys(passwd_t)
|
||||
term_use_all_ptys(passwd_t)
|
||||
|
||||
auth_domtrans_chk_passwd(passwd_t)
|
||||
auth_run_chk_passwd(passwd_t, passwd_roles)
|
||||
auth_manage_shadow(passwd_t)
|
||||
auth_relabel_shadow(passwd_t)
|
||||
auth_etc_filetrans_shadow(passwd_t)
|
||||
@ -334,7 +346,7 @@ userdom_read_user_tmp_files(passwd_t)
|
||||
userdom_dontaudit_search_user_home_content(passwd_t)
|
||||
|
||||
optional_policy(`
|
||||
nscd_domtrans(passwd_t)
|
||||
nscd_run(passwd_t, passwd_roles)
|
||||
')
|
||||
|
||||
########################################
|
||||
@ -418,7 +430,7 @@ userdom_use_unpriv_users_fds(sysadm_passwd_t)
|
||||
userdom_dontaudit_search_user_home_content(sysadm_passwd_t)
|
||||
|
||||
optional_policy(`
|
||||
nscd_domtrans(sysadm_passwd_t)
|
||||
nscd_run(sysadm_passwd_t, sysadm_passwd_roles)
|
||||
')
|
||||
|
||||
########################################
|
||||
@ -472,7 +484,7 @@ selinux_compute_user_contexts(useradd_t)
|
||||
term_use_all_ttys(useradd_t)
|
||||
term_use_all_ptys(useradd_t)
|
||||
|
||||
auth_domtrans_chk_passwd(useradd_t)
|
||||
auth_run_chk_passwd(useradd_t, useradd_roles)
|
||||
auth_rw_lastlog(useradd_t)
|
||||
auth_rw_faillog(useradd_t)
|
||||
auth_use_nsswitch(useradd_t)
|
||||
@ -493,8 +505,8 @@ miscfiles_read_localization(useradd_t)
|
||||
seutil_read_config(useradd_t)
|
||||
seutil_read_file_contexts(useradd_t)
|
||||
seutil_read_default_contexts(useradd_t)
|
||||
seutil_domtrans_semanage(useradd_t)
|
||||
seutil_domtrans_setfiles(useradd_t)
|
||||
seutil_run_semanage(useradd_t, useradd_roles)
|
||||
seutil_run_setfiles(useradd_t, useradd_roles)
|
||||
|
||||
userdom_use_unpriv_users_fds(useradd_t)
|
||||
# Add/remove user home directories
|
||||
@ -525,7 +537,7 @@ optional_policy(`
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
nscd_domtrans(useradd_t)
|
||||
nscd_run(useradd_t, useradd_roles)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
|
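Review bot: `role system_r types chfn_t;` in the new declarations block binds system_r to chfn_t directly, whereas the other converted domains get `roleattribute system_r X_roles;` there and a `role X_roles types X_t;` beside their type declaration (`role passwd_roles types passwd_t;`, `role sysadm_passwd_roles types sysadm_passwd_t;`), and no `role chfn_roles types chfn_t;` appears anywhere in these hunks. If that line is absent from the rest of the file, a role added through `usermanage_run_chfn()` joins chfn_roles but is never authorised for chfn_t, so the transition into chfn_t is denied for every role except system_r, while the chkpwd transition granted by `auth_run_chk_passwd(chfn_t, chfn_roles)` still works — a silent privilege gap that only shows up as an AVC role denial. Suggested change: `roleattribute system_r chfn_roles;` in place of the declarations-block line, and `role chfn_roles types chfn_t;` after `application_domain(chfn_t, chfn_exec_t)`. The same check applies to groupadd_roles and useradd_roles, for which these hunks show neither a `roleattribute system_r` line nor a `role X_roles types X_t;` line, though their type declaration blocks may be changed outside the visible hunks.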