Adding support for the vlock program.

Both the system administrator and the unprivileged user could use vlock
to lock the current console when logging in either from the serial console
or by ssh.

Signed-off-by: Harry Ciao <qingtao.cao@windriver.com>
This commit is contained in:
Harry Ciao 2010-10-26 14:34:11 +08:00 committed by Chris PeBenito
parent ff827d6cc3
commit d35e2ee03b
6 changed files with 116 additions and 0 deletions

View File

@ -0,0 +1 @@
/usr/sbin/vlock-main -- gen_context(system_u:object_r:vlock_exec_t,s0)

View File

@ -0,0 +1,46 @@
## <summary>Lock one or more sessions on the Linux console.</summary>
#######################################
## <summary>
## Execute vlock in the vlock domain.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed to transition.
## </summary>
## </param>
#
interface(`vlock_domtrans_vlock',`
gen_require(`
type vlock_t, vlock_exec_t;
')
corecmd_search_bin($1)
domtrans_pattern($1, vlock_exec_t, vlock_t)
')
########################################
## <summary>
## Execute vlock in the vlock domain, and
## allow the specified role the vlock domain.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed to transition.
## </summary>
## </param>
## <param name="role">
## <summary>
## Role allowed to access.
## </summary>
## </param>
## <rolecap/>
#
interface(`vlock_run_vlock',`
gen_require(`
type vlock_t;
')
vlock_domtrans_vlock($1)
role $2 types vlock_t;
')

View File

@ -0,0 +1,57 @@
policy_module(vlock, 1.0.0)
########################################
#
# Declarations
#
type vlock_t;
type vlock_exec_t;
application_domain(vlock_t, vlock_exec_t)
########################################
#
# Local policy
#
dontaudit vlock_t self:capability { setuid setgid };
allow vlock_t self:fd use;
allow vlock_t self:fifo_file rw_fifo_file_perms;
allow vlock_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay };
allow vlock_t self:unix_dgram_socket { create connect };
corecmd_list_bin(vlock_t)
corecmd_read_bin_symlinks(vlock_t)
# Must call this interface otherwise PAM session will fail
# with message of "terminal=? res=failed"
domain_use_interactive_fds(vlock_t)
files_dontaudit_search_home(vlock_t)
files_read_etc_files(vlock_t)
term_use_all_user_ttys(vlock_t)
term_use_all_user_ptys(vlock_t)
kernel_read_system_state(vlock_t)
selinux_dontaudit_getattr_fs(vlock_t)
auth_domtrans_chk_passwd(vlock_t)
init_dontaudit_rw_utmp(vlock_t)
logging_send_syslog_msg(vlock_t)
miscfiles_read_localization(vlock_t)
userdom_dontaudit_search_user_home_dirs(vlock_t)
userdom_use_user_terminals(vlock_t)
# pam_tally2 module could be used by vlock for authentication,
# /var/log/tallylog's SL is usually s0, while the caller's SL could
# be higher than s0.
ifdef(`enable_mls',`
mls_file_write_all_levels(vlock_t)
')

View File

@ -47,6 +47,10 @@ optional_policy(`
userdom_dontaudit_use_user_terminals(staff_t) userdom_dontaudit_use_user_terminals(staff_t)
') ')
optional_policy(`
vlock_run_vlock(staff_t, staff_r)
')
optional_policy(` optional_policy(`
xserver_role(staff_r, staff_t) xserver_role(staff_r, staff_t)
') ')

View File

@ -388,6 +388,10 @@ optional_policy(`
wireshark_role(sysadm_r, sysadm_t) wireshark_role(sysadm_r, sysadm_t)
') ')
optional_policy(`
vlock_run_vlock(sysadm_t, sysadm_r)
')
optional_policy(` optional_policy(`
xserver_role(sysadm_r, sysadm_t) xserver_role(sysadm_r, sysadm_t)
') ')

View File

@ -20,6 +20,10 @@ optional_policy(`
screen_role_template(user, user_r, user_t) screen_role_template(user, user_r, user_t)
') ')
optional_policy(`
vlock_run_vlock(user_t, user_r)
')
optional_policy(` optional_policy(`
xserver_role(user_r, user_t) xserver_role(user_r, user_t)
') ')