[people/stevee/selinux-policy.git] / policy / modules / admin / usermanage.te


policy_module(usermanage, 1.12.0)

########################################
#
# Declarations
#

type admin_passwd_exec_t;
files_type(admin_passwd_exec_t)

type chfn_t;
type chfn_exec_t;
domain_obj_id_change_exemption(chfn_t)
application_domain(chfn_t, chfn_exec_t)
role system_r types chfn_t;

type crack_t;
type crack_exec_t;
application_domain(crack_t, crack_exec_t)
role system_r types crack_t;

type crack_db_t;
files_type(crack_db_t)

type crack_tmp_t;
files_tmp_file(crack_tmp_t)

type groupadd_t;
type groupadd_exec_t;
domain_obj_id_change_exemption(groupadd_t)
init_system_domain(groupadd_t, groupadd_exec_t)
role system_r types groupadd_t;

type passwd_t;
type passwd_exec_t;
domain_obj_id_change_exemption(passwd_t)
application_domain(passwd_t, passwd_exec_t)
role system_r types passwd_t;

type sysadm_passwd_t;
domain_obj_id_change_exemption(sysadm_passwd_t)
application_domain(sysadm_passwd_t, admin_passwd_exec_t)
role system_r types sysadm_passwd_t;

type sysadm_passwd_tmp_t;
files_tmp_file(sysadm_passwd_tmp_t)

type useradd_t;
type useradd_exec_t;
domain_obj_id_change_exemption(useradd_t)
init_system_domain(useradd_t,useradd_exec_t)
role system_r types useradd_t;

########################################
#
# Chfn local policy
#

allow chfn_t self:capability { chown dac_override fsetid setuid setgid sys_resource };
allow chfn_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execheap execstack };
allow chfn_t self:process { setrlimit setfscreate };
allow chfn_t self:fd use;
allow chfn_t self:fifo_file rw_fifo_file_perms;
allow chfn_t self:sock_file read_sock_file_perms;
allow chfn_t self:shm create_shm_perms;
allow chfn_t self:sem create_sem_perms;
allow chfn_t self:msgq create_msgq_perms;
allow chfn_t self:msg { send receive };
allow chfn_t self:unix_dgram_socket create_socket_perms;
allow chfn_t self:unix_stream_socket create_stream_socket_perms;
allow chfn_t self:unix_dgram_socket sendto;
allow chfn_t self:unix_stream_socket connectto;

kernel_read_system_state(chfn_t)
kernel_read_kernel_sysctls(chfn_t)

selinux_get_fs_mount(chfn_t)
selinux_validate_context(chfn_t)
selinux_compute_access_vector(chfn_t)
selinux_compute_create_context(chfn_t)
selinux_compute_relabel_context(chfn_t)
selinux_compute_user_contexts(chfn_t)

term_use_all_user_ttys(chfn_t)
term_use_all_user_ptys(chfn_t)

fs_getattr_xattr_fs(chfn_t)
fs_search_auto_mountpoints(chfn_t)

# for SSP
dev_read_urand(chfn_t)

auth_domtrans_chk_passwd(chfn_t)
auth_dontaudit_read_shadow(chfn_t)
auth_use_nsswitch(chfn_t)

# allow checking if a shell is executable
corecmd_check_exec_shell(chfn_t)

domain_use_interactive_fds(chfn_t)

files_manage_etc_files(chfn_t)
files_read_etc_runtime_files(chfn_t)
files_dontaudit_search_var(chfn_t)
files_dontaudit_search_home(chfn_t)

# /usr/bin/passwd asks for w access to utmp, but it will operate
# correctly without it.  Do not audit write denials to utmp.
init_dontaudit_rw_utmp(chfn_t)

miscfiles_read_localization(chfn_t)

logging_send_syslog_msg(chfn_t)

# uses unix_chkpwd for checking passwords
seutil_dontaudit_search_config(chfn_t)

userdom_use_unpriv_users_fds(chfn_t)
# user generally runs this from their home directory, so do not audit a search
# on user home dir
userdom_dontaudit_search_user_home_content(chfn_t)

########################################
#
# Crack local policy
#

allow crack_t self:process { sigkill sigstop signull signal };
allow crack_t self:fifo_file rw_fifo_file_perms;

manage_files_pattern(crack_t, crack_db_t, crack_db_t)
manage_lnk_files_pattern(crack_t, crack_db_t, crack_db_t)
files_search_var(crack_t)

manage_dirs_pattern(crack_t, crack_tmp_t, crack_tmp_t)
manage_files_pattern(crack_t, crack_tmp_t, crack_tmp_t)
files_tmp_filetrans(crack_t, crack_tmp_t, { file dir })

kernel_read_system_state(crack_t)

# for SSP
dev_read_urand(crack_t)

fs_getattr_xattr_fs(crack_t)

files_read_etc_files(crack_t)
files_read_etc_runtime_files(crack_t)
# for dictionaries
files_read_usr_files(crack_t)

corecmd_exec_bin(crack_t)

logging_send_syslog_msg(crack_t)

userdom_dontaudit_search_user_home_dirs(crack_t)

ifdef(`distro_debian',`
	# the package cracklib-runtime on Debian contains a daily maintenance
	# script /etc/cron.daily/cracklib-runtime, that calls
	# update-cracklib and that calls crack_mkdict, which is a shell script.
	corecmd_exec_shell(crack_t)
')

optional_policy(`
	cron_system_entry(crack_t, crack_exec_t)
')

########################################
#
# Groupadd local policy
#

allow groupadd_t self:capability { dac_override chown kill setuid sys_resource audit_write };
dontaudit groupadd_t self:capability { fsetid sys_tty_config };
allow groupadd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execheap execstack };
allow groupadd_t self:process { setrlimit setfscreate };
allow groupadd_t self:fd use;
allow groupadd_t self:fifo_file rw_fifo_file_perms;
allow groupadd_t self:shm create_shm_perms;
allow groupadd_t self:sem create_sem_perms;
allow groupadd_t self:msgq create_msgq_perms;
allow groupadd_t self:msg { send receive };
allow groupadd_t self:unix_dgram_socket create_socket_perms;
allow groupadd_t self:unix_stream_socket create_stream_socket_perms;
allow groupadd_t self:unix_dgram_socket sendto;
allow groupadd_t self:unix_stream_socket connectto;

fs_getattr_xattr_fs(groupadd_t)
fs_search_auto_mountpoints(groupadd_t)

# Allow access to context for shadow file
selinux_get_fs_mount(groupadd_t)
selinux_validate_context(groupadd_t)
selinux_compute_access_vector(groupadd_t)
selinux_compute_create_context(groupadd_t)
selinux_compute_relabel_context(groupadd_t)
selinux_compute_user_contexts(groupadd_t)

term_use_all_user_ttys(groupadd_t)
term_use_all_user_ptys(groupadd_t)

init_use_fds(groupadd_t)
init_read_utmp(groupadd_t)
init_dontaudit_write_utmp(groupadd_t)

domain_use_interactive_fds(groupadd_t)

files_manage_etc_files(groupadd_t)
files_relabel_etc_files(groupadd_t)
files_read_etc_runtime_files(groupadd_t)

# Execute /usr/bin/{passwd,chfn,chsh} and /usr/sbin/{useradd,vipw}.
corecmd_exec_bin(groupadd_t)

logging_send_audit_msgs(groupadd_t)
logging_send_syslog_msg(groupadd_t)

miscfiles_read_localization(groupadd_t)

auth_manage_shadow(groupadd_t)
auth_relabel_shadow(groupadd_t)
auth_etc_filetrans_shadow(groupadd_t)
auth_rw_lastlog(groupadd_t)
auth_use_nsswitch(groupadd_t)

seutil_read_config(groupadd_t)

userdom_use_unpriv_users_fds(groupadd_t)
# for when /root is the cwd
userdom_dontaudit_search_user_home_dirs(groupadd_t)

optional_policy(`
	dpkg_use_fds(groupadd_t)
	dpkg_rw_pipes(groupadd_t)
')

optional_policy(`
	nscd_domtrans(groupadd_t)
')

optional_policy(`
	rpm_use_fds(groupadd_t)
	rpm_rw_pipes(groupadd_t)
')

########################################
#
# Passwd local policy
#

allow passwd_t self:capability { chown dac_override fsetid setuid setgid sys_resource };
allow passwd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
allow passwd_t self:process { setrlimit setfscreate };
allow passwd_t self:fd use;
allow passwd_t self:fifo_file rw_fifo_file_perms;
allow passwd_t self:sock_file read_sock_file_perms;
allow passwd_t self:unix_dgram_socket create_socket_perms;
allow passwd_t self:unix_stream_socket create_stream_socket_perms;
allow passwd_t self:unix_dgram_socket sendto;
allow passwd_t self:unix_stream_socket connectto;
allow passwd_t self:shm create_shm_perms;
allow passwd_t self:sem create_sem_perms;
allow passwd_t self:msgq create_msgq_perms;
allow passwd_t self:msg { send receive };

allow passwd_t crack_db_t:dir list_dir_perms;
read_files_pattern(passwd_t, crack_db_t, crack_db_t)

kernel_read_kernel_sysctls(passwd_t)

# for SSP
dev_read_urand(passwd_t)

fs_getattr_xattr_fs(passwd_t)
fs_search_auto_mountpoints(passwd_t)

mls_file_write_all_levels(passwd_t)
mls_file_downgrade(passwd_t)

selinux_get_fs_mount(passwd_t)
selinux_validate_context(passwd_t)
selinux_compute_access_vector(passwd_t)
selinux_compute_create_context(passwd_t)
selinux_compute_relabel_context(passwd_t)
selinux_compute_user_contexts(passwd_t)

term_use_all_user_ttys(passwd_t)
term_use_all_user_ptys(passwd_t)

auth_manage_shadow(passwd_t)
auth_relabel_shadow(passwd_t)
auth_etc_filetrans_shadow(passwd_t)
auth_use_nsswitch(passwd_t)

# allow checking if a shell is executable
corecmd_check_exec_shell(passwd_t)

domain_use_interactive_fds(passwd_t)

files_read_etc_runtime_files(passwd_t)
files_manage_etc_files(passwd_t)
files_search_var(passwd_t)
files_dontaudit_search_pids(passwd_t)
files_relabel_etc_files(passwd_t)

# /usr/bin/passwd asks for w access to utmp, but it will operate
# correctly without it.  Do not audit write denials to utmp.
init_dontaudit_rw_utmp(passwd_t)

logging_send_audit_msgs(passwd_t)
logging_send_syslog_msg(passwd_t)

miscfiles_read_localization(passwd_t)

seutil_dontaudit_search_config(passwd_t)

userdom_use_user_terminals(passwd_t)
userdom_use_unpriv_users_fds(passwd_t)
# make sure that getcon succeeds
userdom_getattr_all_users(passwd_t)
userdom_read_all_users_state(passwd_t)
# user generally runs this from their home directory, so do not audit a search
# on user home dir
userdom_dontaudit_search_user_home_content(passwd_t)

optional_policy(`
	nscd_domtrans(passwd_t)
')

########################################
#
# Password admin local policy
#

allow sysadm_passwd_t self:capability { chown dac_override fsetid setuid setgid sys_resource };
allow sysadm_passwd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
allow sysadm_passwd_t self:process { setrlimit setfscreate };
allow sysadm_passwd_t self:fd use;
allow sysadm_passwd_t self:fifo_file rw_fifo_file_perms;
allow sysadm_passwd_t self:sock_file read_sock_file_perms;
allow sysadm_passwd_t self:unix_dgram_socket create_socket_perms;
allow sysadm_passwd_t self:unix_stream_socket create_stream_socket_perms;
allow sysadm_passwd_t self:unix_dgram_socket sendto;
allow sysadm_passwd_t self:unix_stream_socket connectto;
allow sysadm_passwd_t self:shm create_shm_perms;
allow sysadm_passwd_t self:sem create_sem_perms;
allow sysadm_passwd_t self:msgq create_msgq_perms;
allow sysadm_passwd_t self:msg { send receive };

# allow vipw to create temporary files under /var/tmp/vi.recover
manage_dirs_pattern(sysadm_passwd_t, sysadm_passwd_tmp_t, sysadm_passwd_tmp_t)
manage_files_pattern(sysadm_passwd_t, sysadm_passwd_tmp_t, sysadm_passwd_tmp_t)
files_tmp_filetrans(sysadm_passwd_t, sysadm_passwd_tmp_t, { file dir })
files_search_var(sysadm_passwd_t)
files_dontaudit_search_home(sysadm_passwd_t)

kernel_read_kernel_sysctls(sysadm_passwd_t)
# for /proc/meminfo
kernel_read_system_state(sysadm_passwd_t)

selinux_get_fs_mount(sysadm_passwd_t)
selinux_validate_context(sysadm_passwd_t)
selinux_compute_access_vector(sysadm_passwd_t)
selinux_compute_create_context(sysadm_passwd_t)
selinux_compute_relabel_context(sysadm_passwd_t)
selinux_compute_user_contexts(sysadm_passwd_t)

# for SSP
dev_read_urand(sysadm_passwd_t)

fs_getattr_xattr_fs(sysadm_passwd_t)
fs_search_auto_mountpoints(sysadm_passwd_t)

term_use_all_user_ttys(sysadm_passwd_t)
term_use_all_user_ptys(sysadm_passwd_t)

auth_manage_shadow(sysadm_passwd_t)
auth_relabel_shadow(sysadm_passwd_t)
auth_etc_filetrans_shadow(sysadm_passwd_t)
auth_use_nsswitch(sysadm_passwd_t)

# allow vipw to exec the editor
corecmd_exec_bin(sysadm_passwd_t)
corecmd_exec_shell(sysadm_passwd_t)
files_read_usr_files(sysadm_passwd_t)

domain_use_interactive_fds(sysadm_passwd_t)

files_manage_etc_files(sysadm_passwd_t)
files_relabel_etc_files(sysadm_passwd_t)
files_read_etc_runtime_files(sysadm_passwd_t)
# for nscd lookups
files_dontaudit_search_pids(sysadm_passwd_t)

# /usr/bin/passwd asks for w access to utmp, but it will operate
# correctly without it.  Do not audit write denials to utmp.
init_dontaudit_rw_utmp(sysadm_passwd_t)

miscfiles_read_localization(sysadm_passwd_t)

logging_send_syslog_msg(sysadm_passwd_t)

seutil_dontaudit_search_config(sysadm_passwd_t)

userdom_use_unpriv_users_fds(sysadm_passwd_t)
# user generally runs this from their home directory, so do not audit a search
# on user home dir
userdom_dontaudit_search_user_home_content(sysadm_passwd_t)

optional_policy(`
	nscd_domtrans(sysadm_passwd_t)
')

########################################
#
# Useradd local policy
#

allow useradd_t self:capability { dac_override chown kill fowner fsetid setuid sys_resource };
dontaudit useradd_t self:capability sys_tty_config;
allow useradd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
allow useradd_t self:process setfscreate;
allow useradd_t self:fd use;
allow useradd_t self:fifo_file rw_fifo_file_perms;
allow useradd_t self:shm create_shm_perms;
allow useradd_t self:sem create_sem_perms;
allow useradd_t self:msgq create_msgq_perms;
allow useradd_t self:msg { send receive };
allow useradd_t self:unix_dgram_socket create_socket_perms;
allow useradd_t self:unix_stream_socket create_stream_socket_perms;
allow useradd_t self:unix_dgram_socket sendto;
allow useradd_t self:unix_stream_socket connectto;

# for getting the number of groups
kernel_read_kernel_sysctls(useradd_t)

corecmd_exec_shell(useradd_t)
# Execute /usr/bin/{passwd,chfn,chsh} and /usr/sbin/{useradd,vipw}.
corecmd_exec_bin(useradd_t)

domain_use_interactive_fds(useradd_t)

files_manage_etc_files(useradd_t)
files_search_var_lib(useradd_t)
files_relabel_etc_files(useradd_t)
files_read_etc_runtime_files(useradd_t)

fs_search_auto_mountpoints(useradd_t)
fs_getattr_xattr_fs(useradd_t)

mls_file_upgrade(useradd_t)

# Allow access to context for shadow file
selinux_get_fs_mount(useradd_t)
selinux_validate_context(useradd_t)
selinux_compute_access_vector(useradd_t)
selinux_compute_create_context(useradd_t)
selinux_compute_relabel_context(useradd_t)
selinux_compute_user_contexts(useradd_t)

term_use_all_user_ttys(useradd_t)
term_use_all_user_ptys(useradd_t)

auth_manage_shadow(useradd_t)
auth_relabel_shadow(useradd_t)
auth_etc_filetrans_shadow(useradd_t)
auth_rw_lastlog(useradd_t)
auth_rw_faillog(useradd_t)
auth_use_nsswitch(useradd_t)

init_use_fds(useradd_t)
init_rw_utmp(useradd_t)

logging_send_audit_msgs(useradd_t)
logging_send_syslog_msg(useradd_t)

miscfiles_read_localization(useradd_t)

seutil_read_config(useradd_t)
seutil_read_file_contexts(useradd_t)
seutil_read_default_contexts(useradd_t)
seutil_domtrans_semanage(useradd_t)
seutil_domtrans_setfiles(useradd_t)

userdom_use_unpriv_users_fds(useradd_t)
# Add/remove user home directories
userdom_manage_user_home_content_dirs(useradd_t)
userdom_manage_user_home_content_files(useradd_t)
userdom_home_filetrans_user_home_dir(useradd_t)
userdom_user_home_dir_filetrans_user_home_content(useradd_t, notdevfile_class_set)

mta_manage_spool(useradd_t)

optional_policy(`
	apache_manage_all_user_content(useradd_t)
')

optional_policy(`
	dpkg_use_fds(useradd_t)
	dpkg_rw_pipes(useradd_t)
')

optional_policy(`
	nscd_domtrans(useradd_t)
')

optional_policy(`
	rpm_use_fds(useradd_t)
	rpm_rw_pipes(useradd_t)
')
Commit	Line	Data
849380bd	1
17ec8c1f	2	policy_module(usermanage, 1.12.0)
849380bd CP	3
	4	########################################
	5	#
	6	# Declarations
	7	#
	8
	9	type admin_passwd_exec_t;
8fd36732	10	files_type(admin_passwd_exec_t)
849380bd	11
a1f94a34	12	type chfn_t;
d46cfe45	13	type chfn_exec_t;
1815bad1	14	domain_obj_id_change_exemption(chfn_t)
0bfccda4	15	application_domain(chfn_t, chfn_exec_t)
849380bd CP	16	role system_r types chfn_t;
849380bd CP	17
849380bd	18	type crack_t;
849380bd	19	type crack_exec_t;
0bfccda4	20	application_domain(crack_t, crack_exec_t)
d46cfe45	21	role system_r types crack_t;
849380bd	22
9bbc757a	23	type crack_db_t;
b68a85cb	24	files_type(crack_db_t)
849380bd CP	25
849380bd CP	26	type crack_tmp_t;
c9428d33	27	files_tmp_file(crack_tmp_t)
849380bd	28
493d6c4a	29	type groupadd_t;
849380bd	30	type groupadd_exec_t;
1815bad1	31	domain_obj_id_change_exemption(groupadd_t)
0bfccda4	32	init_system_domain(groupadd_t, groupadd_exec_t)
bbd6a621	33	role system_r types groupadd_t;
849380bd	34
a1f94a34	35	type passwd_t;
d46cfe45	36	type passwd_exec_t;
1815bad1	37	domain_obj_id_change_exemption(passwd_t)
0bfccda4	38	application_domain(passwd_t, passwd_exec_t)
849380bd CP	39	role system_r types passwd_t;
849380bd CP	40
a1f94a34	41	type sysadm_passwd_t;
1815bad1	42	domain_obj_id_change_exemption(sysadm_passwd_t)
0bfccda4	43	application_domain(sysadm_passwd_t, admin_passwd_exec_t)
daff1dc5	44	role system_r types sysadm_passwd_t;
849380bd CP	45
849380bd CP	46	type sysadm_passwd_tmp_t;
7a6d427e	47	files_tmp_file(sysadm_passwd_tmp_t)
849380bd	48
493d6c4a	49	type useradd_t;
849380bd	50	type useradd_exec_t;
1815bad1	51	domain_obj_id_change_exemption(useradd_t)
c9428d33	52	init_system_domain(useradd_t,useradd_exec_t)
bbd6a621	53	role system_r types useradd_t;
849380bd CP	54
	55	########################################
	56	#
	57	# Chfn local policy
	58	#
	59
	60	allow chfn_t self:capability { chown dac_override fsetid setuid setgid sys_resource };
9d3bdc25	61	allow chfn_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execheap execstack };
849380bd CP	62	allow chfn_t self:process { setrlimit setfscreate };
849380bd CP	63	allow chfn_t self:fd use;
c0868a7a CP	64	allow chfn_t self:fifo_file rw_fifo_file_perms;
c0868a7a CP	65	allow chfn_t self:sock_file read_sock_file_perms;
dc67f782 CP	66	allow chfn_t self:shm create_shm_perms;
	67	allow chfn_t self:sem create_sem_perms;
	68	allow chfn_t self:msgq create_msgq_perms;
849380bd	69	allow chfn_t self:msg { send receive };
77f6e2cd CP	70	allow chfn_t self:unix_dgram_socket create_socket_perms;
	71	allow chfn_t self:unix_stream_socket create_stream_socket_perms;
	72	allow chfn_t self:unix_dgram_socket sendto;
	73	allow chfn_t self:unix_stream_socket connectto;
849380bd CP	74
849380bd CP	75	kernel_read_system_state(chfn_t)
445522dc	76	kernel_read_kernel_sysctls(chfn_t)
a0824843	77
5e0da6a0 CP	78	selinux_get_fs_mount(chfn_t)
	79	selinux_validate_context(chfn_t)
	80	selinux_compute_access_vector(chfn_t)
	81	selinux_compute_create_context(chfn_t)
	82	selinux_compute_relabel_context(chfn_t)
	83	selinux_compute_user_contexts(chfn_t)
849380bd	84
0fd9dc55 CP	85	term_use_all_user_ttys(chfn_t)
0fd9dc55 CP	86	term_use_all_user_ptys(chfn_t)
849380bd	87
0fd9dc55	88	fs_getattr_xattr_fs(chfn_t)
ab940a4c	89	fs_search_auto_mountpoints(chfn_t)
849380bd CP	90
849380bd CP	91	# for SSP
f0c985ca	92	dev_read_urand(chfn_t)
849380bd	93
3774e4eb CP	94	auth_domtrans_chk_passwd(chfn_t)
3774e4eb CP	95	auth_dontaudit_read_shadow(chfn_t)
c0cf6e0a	96	auth_use_nsswitch(chfn_t)
3774e4eb	97
725926c5 CP	98	# allow checking if a shell is executable
725926c5 CP	99	corecmd_check_exec_shell(chfn_t)
ebdc3b79	100
15722ec9	101	domain_use_interactive_fds(chfn_t)
849380bd	102
8fd36732	103	files_manage_etc_files(chfn_t)
c9428d33	104	files_read_etc_runtime_files(chfn_t)
ab940a4c	105	files_dontaudit_search_var(chfn_t)
6b19be33	106	files_dontaudit_search_home(chfn_t)
ab940a4c CP	107
	108	# /usr/bin/passwd asks for w access to utmp, but it will operate
	109	# correctly without it. Do not audit write denials to utmp.
68228b33	110	init_dontaudit_rw_utmp(chfn_t)
849380bd	111
849380bd CP	112	miscfiles_read_localization(chfn_t)
849380bd CP	113
c9428d33	114	logging_send_syslog_msg(chfn_t)
849380bd	115
3774e4eb CP	116	# uses unix_chkpwd for checking passwords
3774e4eb CP	117	seutil_dontaudit_search_config(chfn_t)
849380bd	118
103fe280	119	userdom_use_unpriv_users_fds(chfn_t)
3774e4eb CP	120	# user generally runs this from their home directory, so do not audit a search
3774e4eb CP	121	# on user home dir
296273a7	122	userdom_dontaudit_search_user_home_content(chfn_t)
ab940a4c	123
849380bd CP	124	########################################
	125	#
	126	# Crack local policy
	127	#
	128
	129	allow crack_t self:process { sigkill sigstop signull signal };
c0868a7a	130	allow crack_t self:fifo_file rw_fifo_file_perms;
849380bd	131
0bfccda4 CP	132	manage_files_pattern(crack_t, crack_db_t, crack_db_t)
0bfccda4 CP	133	manage_lnk_files_pattern(crack_t, crack_db_t, crack_db_t)
c9428d33	134	files_search_var(crack_t)
849380bd	135
0bfccda4 CP	136	manage_dirs_pattern(crack_t, crack_tmp_t, crack_tmp_t)
0bfccda4 CP	137	manage_files_pattern(crack_t, crack_tmp_t, crack_tmp_t)
103fe280	138	files_tmp_filetrans(crack_t, crack_tmp_t, { file dir })
849380bd CP	139
	140	kernel_read_system_state(crack_t)
	141
	142	# for SSP
f0c985ca	143	dev_read_urand(crack_t)
849380bd	144
0fd9dc55	145	fs_getattr_xattr_fs(crack_t)
849380bd	146
8fd36732	147	files_read_etc_files(crack_t)
c9428d33	148	files_read_etc_runtime_files(crack_t)
849380bd	149	# for dictionaries
c9428d33	150	files_read_usr_files(crack_t)
849380bd	151
c9428d33	152	corecmd_exec_bin(crack_t)
849380bd	153
c9428d33	154	logging_send_syslog_msg(crack_t)
849380bd	155
296273a7	156	userdom_dontaudit_search_user_home_dirs(crack_t)
849380bd	157
51223bfc CP	158	ifdef(`distro_debian',`
	159	# the package cracklib-runtime on Debian contains a daily maintenance
	160	# script /etc/cron.daily/cracklib-runtime, that calls
	161	# update-cracklib and that calls crack_mkdict, which is a shell script.
	162	corecmd_exec_shell(crack_t)
	163	')
	164
bb7170f6	165	optional_policy(`
0bfccda4	166	cron_system_entry(crack_t, crack_exec_t)
3774e4eb	167	')
849380bd CP	168
	169	########################################
	170	#
	171	# Groupadd local policy
	172	#
	173
da9bbc65	174	allow groupadd_t self:capability { dac_override chown kill setuid sys_resource audit_write };
d6d16b97	175	dontaudit groupadd_t self:capability { fsetid sys_tty_config };
9d3bdc25	176	allow groupadd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execheap execstack };
849380bd CP	177	allow groupadd_t self:process { setrlimit setfscreate };
849380bd CP	178	allow groupadd_t self:fd use;
c0868a7a	179	allow groupadd_t self:fifo_file rw_fifo_file_perms;
dc67f782 CP	180	allow groupadd_t self:shm create_shm_perms;
	181	allow groupadd_t self:sem create_sem_perms;
	182	allow groupadd_t self:msgq create_msgq_perms;
849380bd	183	allow groupadd_t self:msg { send receive };
77f6e2cd CP	184	allow groupadd_t self:unix_dgram_socket create_socket_perms;
	185	allow groupadd_t self:unix_stream_socket create_stream_socket_perms;
	186	allow groupadd_t self:unix_dgram_socket sendto;
	187	allow groupadd_t self:unix_stream_socket connectto;
849380bd	188
ab940a4c CP	189	fs_getattr_xattr_fs(groupadd_t)
	190	fs_search_auto_mountpoints(groupadd_t)
	191
849380bd	192	# Allow access to context for shadow file
5e0da6a0 CP	193	selinux_get_fs_mount(groupadd_t)
	194	selinux_validate_context(groupadd_t)
	195	selinux_compute_access_vector(groupadd_t)
	196	selinux_compute_create_context(groupadd_t)
	197	selinux_compute_relabel_context(groupadd_t)
	198	selinux_compute_user_contexts(groupadd_t)
849380bd	199
0fd9dc55 CP	200	term_use_all_user_ttys(groupadd_t)
0fd9dc55 CP	201	term_use_all_user_ptys(groupadd_t)
849380bd	202
1c1ac67f	203	init_use_fds(groupadd_t)
68228b33 CP	204	init_read_utmp(groupadd_t)
68228b33 CP	205	init_dontaudit_write_utmp(groupadd_t)
849380bd	206
15722ec9	207	domain_use_interactive_fds(groupadd_t)
849380bd	208
8fd36732	209	files_manage_etc_files(groupadd_t)
2629c659	210	files_relabel_etc_files(groupadd_t)
72492557	211	files_read_etc_runtime_files(groupadd_t)
849380bd	212
849380bd	213	# Execute /usr/bin/{passwd,chfn,chsh} and /usr/sbin/{useradd,vipw}.
c9428d33	214	corecmd_exec_bin(groupadd_t)
849380bd	215
0a0b8078	216	logging_send_audit_msgs(groupadd_t)
c9428d33	217	logging_send_syslog_msg(groupadd_t)
849380bd CP	218
	219	miscfiles_read_localization(groupadd_t)
	220
c9428d33	221	auth_manage_shadow(groupadd_t)
2629c659	222	auth_relabel_shadow(groupadd_t)
8bf6f58e	223	auth_etc_filetrans_shadow(groupadd_t)
c9428d33	224	auth_rw_lastlog(groupadd_t)
77f6e2cd	225	auth_use_nsswitch(groupadd_t)
849380bd	226
5e0da6a0	227	seutil_read_config(groupadd_t)
849380bd	228
103fe280	229	userdom_use_unpriv_users_fds(groupadd_t)
3774e4eb	230	# for when /root is the cwd
296273a7	231	userdom_dontaudit_search_user_home_dirs(groupadd_t)
849380bd	232
bb7170f6	233	optional_policy(`
0c54fcf8 CP	234	dpkg_use_fds(groupadd_t)
	235	dpkg_rw_pipes(groupadd_t)
	236	')
	237
0a0b8078 CP	238	optional_policy(`
	239	nscd_domtrans(groupadd_t)
	240	')
	241
bb7170f6	242	optional_policy(`
1c1ac67f	243	rpm_use_fds(groupadd_t)
1815bad1	244	rpm_rw_pipes(groupadd_t)
b24f35d8 CP	245	')
b24f35d8 CP	246
849380bd CP	247	########################################
	248	#
	249	# Passwd local policy
	250	#
	251
0a0b8078	252	allow passwd_t self:capability { chown dac_override fsetid setuid setgid sys_resource };
9d3bdc25	253	allow passwd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
849380bd CP	254	allow passwd_t self:process { setrlimit setfscreate };
849380bd CP	255	allow passwd_t self:fd use;
c0868a7a CP	256	allow passwd_t self:fifo_file rw_fifo_file_perms;
c0868a7a CP	257	allow passwd_t self:sock_file read_sock_file_perms;
dc67f782 CP	258	allow passwd_t self:unix_dgram_socket create_socket_perms;
dc67f782 CP	259	allow passwd_t self:unix_stream_socket create_stream_socket_perms;
849380bd CP	260	allow passwd_t self:unix_dgram_socket sendto;
849380bd CP	261	allow passwd_t self:unix_stream_socket connectto;
dc67f782 CP	262	allow passwd_t self:shm create_shm_perms;
dc67f782 CP	263	allow passwd_t self:sem create_sem_perms;
0fd9dc55	264	allow passwd_t self:msgq create_msgq_perms;
849380bd CP	265	allow passwd_t self:msg { send receive };
849380bd CP	266
c0868a7a	267	allow passwd_t crack_db_t:dir list_dir_perms;
0bfccda4	268	read_files_pattern(passwd_t, crack_db_t, crack_db_t)
ab940a4c	269
445522dc	270	kernel_read_kernel_sysctls(passwd_t)
a0824843	271
ab940a4c CP	272	# for SSP
	273	dev_read_urand(passwd_t)
	274
	275	fs_getattr_xattr_fs(passwd_t)
	276	fs_search_auto_mountpoints(passwd_t)
	277
f8233ab7	278	mls_file_write_all_levels(passwd_t)
95501942 CP	279	mls_file_downgrade(passwd_t)
95501942 CP	280
5e0da6a0 CP	281	selinux_get_fs_mount(passwd_t)
	282	selinux_validate_context(passwd_t)
	283	selinux_compute_access_vector(passwd_t)
	284	selinux_compute_create_context(passwd_t)
	285	selinux_compute_relabel_context(passwd_t)
	286	selinux_compute_user_contexts(passwd_t)
849380bd	287
4614e83f CP	288	term_use_all_user_ttys(passwd_t)
	289	term_use_all_user_ptys(passwd_t)
	290
3774e4eb	291	auth_manage_shadow(passwd_t)
2629c659	292	auth_relabel_shadow(passwd_t)
8bf6f58e	293	auth_etc_filetrans_shadow(passwd_t)
c0cf6e0a	294	auth_use_nsswitch(passwd_t)
3774e4eb	295
725926c5 CP	296	# allow checking if a shell is executable
725926c5 CP	297	corecmd_check_exec_shell(passwd_t)
849380bd	298
15722ec9	299	domain_use_interactive_fds(passwd_t)
849380bd	300
c9428d33	301	files_read_etc_runtime_files(passwd_t)
8fd36732	302	files_manage_etc_files(passwd_t)
ab940a4c	303	files_search_var(passwd_t)
3774e4eb	304	files_dontaudit_search_pids(passwd_t)
2629c659	305	files_relabel_etc_files(passwd_t)
849380bd	306
725926c5 CP	307	# /usr/bin/passwd asks for w access to utmp, but it will operate
725926c5 CP	308	# correctly without it. Do not audit write denials to utmp.
68228b33	309	init_dontaudit_rw_utmp(passwd_t)
725926c5	310
0a0b8078	311	logging_send_audit_msgs(passwd_t)
c9428d33	312	logging_send_syslog_msg(passwd_t)
849380bd CP	313
	314	miscfiles_read_localization(passwd_t)
	315
3774e4eb	316	seutil_dontaudit_search_config(passwd_t)
a1f94a34	317
296273a7	318	userdom_use_user_terminals(passwd_t)
103fe280	319	userdom_use_unpriv_users_fds(passwd_t)
2629c659	320	# make sure that getcon succeeds
15722ec9	321	userdom_getattr_all_users(passwd_t)
1815bad1	322	userdom_read_all_users_state(passwd_t)
3774e4eb CP	323	# user generally runs this from their home directory, so do not audit a search
3774e4eb CP	324	# on user home dir
296273a7	325	userdom_dontaudit_search_user_home_content(passwd_t)
ab940a4c	326
bb7170f6	327	optional_policy(`
0a0b8078	328	nscd_domtrans(passwd_t)
bf080a46 CP	329	')
bf080a46 CP	330
849380bd CP	331	########################################
	332	#
	333	# Password admin local policy
	334	#
	335
	336	allow sysadm_passwd_t self:capability { chown dac_override fsetid setuid setgid sys_resource };
9d3bdc25	337	allow sysadm_passwd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
849380bd CP	338	allow sysadm_passwd_t self:process { setrlimit setfscreate };
849380bd CP	339	allow sysadm_passwd_t self:fd use;
c0868a7a CP	340	allow sysadm_passwd_t self:fifo_file rw_fifo_file_perms;
c0868a7a CP	341	allow sysadm_passwd_t self:sock_file read_sock_file_perms;
dc67f782 CP	342	allow sysadm_passwd_t self:unix_dgram_socket create_socket_perms;
dc67f782 CP	343	allow sysadm_passwd_t self:unix_stream_socket create_stream_socket_perms;
849380bd CP	344	allow sysadm_passwd_t self:unix_dgram_socket sendto;
849380bd CP	345	allow sysadm_passwd_t self:unix_stream_socket connectto;
dc67f782 CP	346	allow sysadm_passwd_t self:shm create_shm_perms;
	347	allow sysadm_passwd_t self:sem create_sem_perms;
	348	allow sysadm_passwd_t self:msgq create_msgq_perms;
849380bd CP	349	allow sysadm_passwd_t self:msg { send receive };
	350
	351	# allow vipw to create temporary files under /var/tmp/vi.recover
0bfccda4 CP	352	manage_dirs_pattern(sysadm_passwd_t, sysadm_passwd_tmp_t, sysadm_passwd_tmp_t)
0bfccda4 CP	353	manage_files_pattern(sysadm_passwd_t, sysadm_passwd_tmp_t, sysadm_passwd_tmp_t)
103fe280	354	files_tmp_filetrans(sysadm_passwd_t, sysadm_passwd_tmp_t, { file dir })
c9428d33	355	files_search_var(sysadm_passwd_t)
d9845ae9	356	files_dontaudit_search_home(sysadm_passwd_t)
849380bd	357
445522dc	358	kernel_read_kernel_sysctls(sysadm_passwd_t)
a0824843 CP	359	# for /proc/meminfo
	360	kernel_read_system_state(sysadm_passwd_t)
	361
5e0da6a0 CP	362	selinux_get_fs_mount(sysadm_passwd_t)
	363	selinux_validate_context(sysadm_passwd_t)
	364	selinux_compute_access_vector(sysadm_passwd_t)
	365	selinux_compute_create_context(sysadm_passwd_t)
	366	selinux_compute_relabel_context(sysadm_passwd_t)
	367	selinux_compute_user_contexts(sysadm_passwd_t)
849380bd CP	368
849380bd CP	369	# for SSP
f0c985ca	370	dev_read_urand(sysadm_passwd_t)
849380bd	371
0fd9dc55	372	fs_getattr_xattr_fs(sysadm_passwd_t)
ab940a4c	373	fs_search_auto_mountpoints(sysadm_passwd_t)
849380bd	374
0fd9dc55 CP	375	term_use_all_user_ttys(sysadm_passwd_t)
0fd9dc55 CP	376	term_use_all_user_ptys(sysadm_passwd_t)
849380bd	377
ab940a4c	378	auth_manage_shadow(sysadm_passwd_t)
2629c659	379	auth_relabel_shadow(sysadm_passwd_t)
8bf6f58e	380	auth_etc_filetrans_shadow(sysadm_passwd_t)
c0cf6e0a	381	auth_use_nsswitch(sysadm_passwd_t)
ab940a4c CP	382
	383	# allow vipw to exec the editor
	384	corecmd_exec_bin(sysadm_passwd_t)
	385	corecmd_exec_shell(sysadm_passwd_t)
	386	files_read_usr_files(sysadm_passwd_t)
849380bd	387
15722ec9	388	domain_use_interactive_fds(sysadm_passwd_t)
849380bd	389
8fd36732	390	files_manage_etc_files(sysadm_passwd_t)
2629c659	391	files_relabel_etc_files(sysadm_passwd_t)
c9428d33	392	files_read_etc_runtime_files(sysadm_passwd_t)
3774e4eb CP	393	# for nscd lookups
3774e4eb CP	394	files_dontaudit_search_pids(sysadm_passwd_t)
849380bd	395
ab940a4c CP	396	# /usr/bin/passwd asks for w access to utmp, but it will operate
ab940a4c CP	397	# correctly without it. Do not audit write denials to utmp.
68228b33	398	init_dontaudit_rw_utmp(sysadm_passwd_t)
849380bd	399
849380bd CP	400	miscfiles_read_localization(sysadm_passwd_t)
849380bd CP	401
c9428d33	402	logging_send_syslog_msg(sysadm_passwd_t)
849380bd	403
3774e4eb CP	404	seutil_dontaudit_search_config(sysadm_passwd_t)
3774e4eb CP	405
103fe280	406	userdom_use_unpriv_users_fds(sysadm_passwd_t)
3774e4eb CP	407	# user generally runs this from their home directory, so do not audit a search
3774e4eb CP	408	# on user home dir
296273a7	409	userdom_dontaudit_search_user_home_content(sysadm_passwd_t)
ab940a4c	410
bb7170f6	411	optional_policy(`
0a0b8078	412	nscd_domtrans(sysadm_passwd_t)
8708d9be CP	413	')
8708d9be CP	414
849380bd CP	415	########################################
	416	#
	417	# Useradd local policy
	418	#
	419
0a0b8078	420	allow useradd_t self:capability { dac_override chown kill fowner fsetid setuid sys_resource };
d6d16b97	421	dontaudit useradd_t self:capability sys_tty_config;
9d3bdc25	422	allow useradd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
849380bd CP	423	allow useradd_t self:process setfscreate;
849380bd CP	424	allow useradd_t self:fd use;
c0868a7a	425	allow useradd_t self:fifo_file rw_fifo_file_perms;
dc67f782 CP	426	allow useradd_t self:shm create_shm_perms;
	427	allow useradd_t self:sem create_sem_perms;
	428	allow useradd_t self:msgq create_msgq_perms;
849380bd	429	allow useradd_t self:msg { send receive };
77f6e2cd CP	430	allow useradd_t self:unix_dgram_socket create_socket_perms;
	431	allow useradd_t self:unix_stream_socket create_stream_socket_perms;
	432	allow useradd_t self:unix_dgram_socket sendto;
	433	allow useradd_t self:unix_stream_socket connectto;
849380bd	434
d9845ae9 CP	435	# for getting the number of groups
	436	kernel_read_kernel_sysctls(useradd_t)
	437
	438	corecmd_exec_shell(useradd_t)
	439	# Execute /usr/bin/{passwd,chfn,chsh} and /usr/sbin/{useradd,vipw}.
	440	corecmd_exec_bin(useradd_t)
d9845ae9 CP	441
	442	domain_use_interactive_fds(useradd_t)
	443
	444	files_manage_etc_files(useradd_t)
	445	files_search_var_lib(useradd_t)
	446	files_relabel_etc_files(useradd_t)
	447	files_read_etc_runtime_files(useradd_t)
	448
	449	fs_search_auto_mountpoints(useradd_t)
	450	fs_getattr_xattr_fs(useradd_t)
	451
6b19be33 CP	452	mls_file_upgrade(useradd_t)
6b19be33 CP	453
849380bd	454	# Allow access to context for shadow file
5e0da6a0 CP	455	selinux_get_fs_mount(useradd_t)
	456	selinux_validate_context(useradd_t)
	457	selinux_compute_access_vector(useradd_t)
	458	selinux_compute_create_context(useradd_t)
	459	selinux_compute_relabel_context(useradd_t)
	460	selinux_compute_user_contexts(useradd_t)
849380bd	461
0fd9dc55 CP	462	term_use_all_user_ttys(useradd_t)
0fd9dc55 CP	463	term_use_all_user_ptys(useradd_t)
849380bd	464
ab940a4c	465	auth_manage_shadow(useradd_t)
2629c659	466	auth_relabel_shadow(useradd_t)
8bf6f58e	467	auth_etc_filetrans_shadow(useradd_t)
ab940a4c	468	auth_rw_lastlog(useradd_t)
a5e2133b	469	auth_rw_faillog(useradd_t)
77f6e2cd	470	auth_use_nsswitch(useradd_t)
ab940a4c	471
1c1ac67f	472	init_use_fds(useradd_t)
68228b33	473	init_rw_utmp(useradd_t)
ab940a4c	474
0a0b8078	475	logging_send_audit_msgs(useradd_t)
ab940a4c	476	logging_send_syslog_msg(useradd_t)
849380bd CP	477
	478	miscfiles_read_localization(useradd_t)
	479
5e0da6a0	480	seutil_read_config(useradd_t)
605ba285	481	seutil_read_file_contexts(useradd_t)
d9845ae9	482	seutil_read_default_contexts(useradd_t)
6b19be33	483	seutil_domtrans_semanage(useradd_t)
762d2cb9	484	seutil_domtrans_setfiles(useradd_t)
849380bd	485
103fe280	486	userdom_use_unpriv_users_fds(useradd_t)
3774e4eb	487	# Add/remove user home directories
296273a7 CP	488	userdom_manage_user_home_content_dirs(useradd_t)
	489	userdom_manage_user_home_content_files(useradd_t)
	490	userdom_home_filetrans_user_home_dir(useradd_t)
	491	userdom_user_home_dir_filetrans_user_home_content(useradd_t, notdevfile_class_set)
849380bd	492
ab940a4c	493	mta_manage_spool(useradd_t)
849380bd	494
2f27163c CP	495	optional_policy(`
	496	apache_manage_all_user_content(useradd_t)
	497	')
	498
bb7170f6	499	optional_policy(`
0c54fcf8 CP	500	dpkg_use_fds(useradd_t)
	501	dpkg_rw_pipes(useradd_t)
	502	')
	503
0a0b8078 CP	504	optional_policy(`
	505	nscd_domtrans(useradd_t)
	506	')
	507
bb7170f6	508	optional_policy(`
1c1ac67f	509	rpm_use_fds(useradd_t)
1815bad1	510	rpm_rw_pipes(useradd_t)
b24f35d8	511	')