36c3a7903c
Signed-off-by: Daniel Burgener <dburgener@tresys.com>
232 lines
4.9 KiB
Plaintext
232 lines
4.9 KiB
Plaintext
## <summary>A wrapper that helps users run system programs.</summary>
|
|
|
|
#######################################
|
|
## <summary>
|
|
## The role template for the userhelper module.
|
|
## </summary>
|
|
## <param name="userrole_prefix">
|
|
## <summary>
|
|
## The prefix of the user role (e.g., user
|
|
## is the prefix for user_r).
|
|
## </summary>
|
|
## </param>
|
|
## <param name="user_role">
|
|
## <summary>
|
|
## The user role.
|
|
## </summary>
|
|
## </param>
|
|
## <param name="user_domain">
|
|
## <summary>
|
|
## The user domain associated with the role.
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
template(`userhelper_role_template',`
|
|
gen_require(`
|
|
attribute userhelper_type, consolehelper_type;
|
|
attribute_role userhelper_roles, consolehelper_roles;
|
|
type userhelper_exec_t, consolehelper_exec_t;
|
|
')
|
|
|
|
########################################
|
|
#
|
|
# Declarations
|
|
#
|
|
|
|
type $1_consolehelper_t, consolehelper_type;
|
|
userdom_user_application_domain($1_consolehelper_t, consolehelper_exec_t)
|
|
|
|
role consolehelper_roles types $1_consolehelper_t;
|
|
roleattribute $2 consolehelper_roles;
|
|
|
|
type $1_userhelper_t, userhelper_type;
|
|
userdom_user_application_domain($1_userhelper_t, userhelper_exec_t)
|
|
|
|
domain_role_change_exemption($1_userhelper_t)
|
|
domain_obj_id_change_exemption($1_userhelper_t)
|
|
domain_interactive_fd($1_userhelper_t)
|
|
domain_subj_id_change_exemption($1_userhelper_t)
|
|
|
|
role userhelper_roles types $1_userhelper_t;
|
|
roleattribute $2 userhelper_roles;
|
|
|
|
########################################
|
|
#
|
|
# Consolehelper local policy
|
|
#
|
|
|
|
allow $1_consolehelper_t $3:unix_stream_socket connectto;
|
|
|
|
domtrans_pattern($3, consolehelper_exec_t, $1_consolehelper_t)
|
|
|
|
allow $3 $1_consolehelper_t:process { ptrace signal_perms };
|
|
ps_process_pattern($3, $1_consolehelper_t)
|
|
|
|
auth_use_pam($1_consolehelper_t)
|
|
|
|
optional_policy(`
|
|
dbus_connect_all_session_bus($1_consolehelper_t)
|
|
|
|
optional_policy(`
|
|
userhelper_dbus_chat_all_consolehelper($3)
|
|
')
|
|
')
|
|
|
|
########################################
|
|
#
|
|
# Userhelper local policy
|
|
#
|
|
|
|
domtrans_pattern($3, userhelper_exec_t, $1_userhelper_t)
|
|
|
|
dontaudit $3 $1_userhelper_t:process signal;
|
|
|
|
corecmd_bin_domtrans($1_userhelper_t, $3)
|
|
|
|
auth_domtrans_chk_passwd($1_userhelper_t)
|
|
auth_use_nsswitch($1_userhelper_t)
|
|
|
|
userdom_bin_spec_domtrans_unpriv_users($1_userhelper_t)
|
|
userdom_entry_spec_domtrans_unpriv_users($1_userhelper_t)
|
|
|
|
optional_policy(`
|
|
tunable_policy(`! secure_mode',`
|
|
sysadm_bin_spec_domtrans($1_userhelper_t)
|
|
sysadm_entry_spec_domtrans($1_userhelper_t)
|
|
')
|
|
')
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
## Search userhelper configuration directories.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## Domain allowed access.
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
interface(`userhelper_search_config',`
|
|
gen_require(`
|
|
type userhelper_conf_t;
|
|
')
|
|
|
|
allow $1 userhelper_conf_t:dir search_dir_perms;
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
## Do not audit attempts to search
|
|
## userhelper configuration directories.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## Domain to not audit.
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
interface(`userhelper_dontaudit_search_config',`
|
|
gen_require(`
|
|
type userhelper_conf_t;
|
|
')
|
|
|
|
dontaudit $1 userhelper_conf_t:dir search_dir_perms;
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
## Send and receive messages from
|
|
## consolehelper over dbus.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## Domain allowed access.
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
interface(`userhelper_dbus_chat_all_consolehelper',`
|
|
gen_require(`
|
|
attribute consolehelper_type;
|
|
class dbus send_msg;
|
|
')
|
|
|
|
allow $1 consolehelper_type:dbus send_msg;
|
|
allow consolehelper_type $1:dbus send_msg;
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
## Use userhelper all userhelper file descriptors.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## Domain allowed access.
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
interface(`userhelper_use_fd',`
|
|
gen_require(`
|
|
attribute userhelper_type;
|
|
')
|
|
|
|
allow $1 userhelper_type:fd use;
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
## Send child terminated signals to all userhelper.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## Domain allowed access.
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
interface(`userhelper_sigchld',`
|
|
gen_require(`
|
|
attribute userhelper_type;
|
|
')
|
|
|
|
allow $1 userhelper_type:process sigchld;
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
## Execute the userhelper program in the caller domain.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## Domain allowed access.
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
interface(`userhelper_exec',`
|
|
gen_require(`
|
|
type userhelper_exec_t;
|
|
')
|
|
|
|
corecmd_search_bin($1)
|
|
can_exec($1, userhelper_exec_t)
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
## Execute the consolehelper program
|
|
## in the caller domain.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## Domain allowed access.
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
interface(`userhelper_exec_consolehelper',`
|
|
gen_require(`
|
|
type consolehelper_exec_t;
|
|
')
|
|
|
|
corecmd_search_bin($1)
|
|
can_exec($1, consolehelper_exec_t)
|
|
')
|