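policy_module(usermanage, 1.12.0)

########################################
#
# Declarations
#
# Domains for the account-management tools. Each *_t domain is entered from
# its paired *_exec_t entry point and is permitted in the system_r role.
# Every domain except crack_t carries domain_obj_id_change_exemption(); that
# interface is defined in another module, so see it for what is granted
# (presumably the uid/gid-changing exemption the name implies).

# Entry point for the administrative password editor. It is declared as a
# plain file type here and paired with sysadm_passwd_t further down rather
# than with a domain of its own.
type admin_passwd_exec_t;
files_type(admin_passwd_exec_t)

# chfn: an application domain, i.e. entered by ordinary users.
type chfn_t;
type chfn_exec_t;
domain_obj_id_change_exemption(chfn_t)
application_domain(chfn_t, chfn_exec_t)
role system_r types chfn_t;

# cracklib dictionary tooling (see the Debian cron note in its local policy).
type crack_t;
type crack_exec_t;
application_domain(crack_t, crack_exec_t)
role system_r types crack_t;

# Dictionary database: written by crack_t, read by passwd_t.
type crack_db_t;
files_type(crack_db_t)

type crack_tmp_t;
files_tmp_file(crack_tmp_t)

# groupadd: a system domain (init_system_domain) rather than an application
# domain; the dpkg/rpm optional blocks in its local policy suggest it is
# driven by package managers as well as by administrators.
type groupadd_t;
type groupadd_exec_t;
domain_obj_id_change_exemption(groupadd_t)
init_system_domain(groupadd_t, groupadd_exec_t)
role system_r types groupadd_t;

# passwd: an application domain that edits the shadow database directly
# (auth_manage_shadow in its local policy).
type passwd_t;
type passwd_exec_t;
domain_obj_id_change_exemption(passwd_t)
application_domain(passwd_t, passwd_exec_t)
role system_r types passwd_t;

# Administrative password editing (vipw); entered via admin_passwd_exec_t.
type sysadm_passwd_t;
domain_obj_id_change_exemption(sysadm_passwd_t)
application_domain(sysadm_passwd_t, admin_passwd_exec_t)
role system_r types sysadm_passwd_t;

type sysadm_passwd_tmp_t;
files_tmp_file(sysadm_passwd_tmp_t)

# useradd: a system domain like groupadd_t.
type useradd_t;
type useradd_exec_t;
domain_obj_id_change_exemption(useradd_t)
# argument spacing made consistent with the groupadd_t call above
init_system_domain(useradd_t, useradd_exec_t)
role system_r types useradd_t;
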
55 | ######################################## | |
56 | # | |
57 | # Chfn local policy | |
58 | # | |
59 | ||
60 | allow chfn_t self:capability { chown dac_override fsetid setuid setgid sys_resource }; | |
9d3bdc25 | 61 | allow chfn_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execheap execstack }; |
849380bd CP |
62 | allow chfn_t self:process { setrlimit setfscreate }; |
63 | allow chfn_t self:fd use; | |
c0868a7a CP |
64 | allow chfn_t self:fifo_file rw_fifo_file_perms; |
65 | allow chfn_t self:sock_file read_sock_file_perms; | |
dc67f782 CP |
66 | allow chfn_t self:shm create_shm_perms; |
67 | allow chfn_t self:sem create_sem_perms; | |
68 | allow chfn_t self:msgq create_msgq_perms; | |
849380bd | 69 | allow chfn_t self:msg { send receive }; |
77f6e2cd CP |
70 | allow chfn_t self:unix_dgram_socket create_socket_perms; |
71 | allow chfn_t self:unix_stream_socket create_stream_socket_perms; | |
72 | allow chfn_t self:unix_dgram_socket sendto; | |
73 | allow chfn_t self:unix_stream_socket connectto; | |
849380bd CP |
74 | |
75 | kernel_read_system_state(chfn_t) | |
445522dc | 76 | kernel_read_kernel_sysctls(chfn_t) |
a0824843 | 77 | |
5e0da6a0 CP |
78 | selinux_get_fs_mount(chfn_t) |
79 | selinux_validate_context(chfn_t) | |
80 | selinux_compute_access_vector(chfn_t) | |
81 | selinux_compute_create_context(chfn_t) | |
82 | selinux_compute_relabel_context(chfn_t) | |
83 | selinux_compute_user_contexts(chfn_t) | |
849380bd | 84 | |
0fd9dc55 CP |
85 | term_use_all_user_ttys(chfn_t) |
86 | term_use_all_user_ptys(chfn_t) | |
849380bd | 87 | |
0fd9dc55 | 88 | fs_getattr_xattr_fs(chfn_t) |
ab940a4c | 89 | fs_search_auto_mountpoints(chfn_t) |
849380bd CP |
90 | |
91 | # for SSP | |
f0c985ca | 92 | dev_read_urand(chfn_t) |
849380bd | 93 | |
3774e4eb CP |
94 | auth_domtrans_chk_passwd(chfn_t) |
95 | auth_dontaudit_read_shadow(chfn_t) | |
c0cf6e0a | 96 | auth_use_nsswitch(chfn_t) |
3774e4eb | 97 | |
725926c5 CP |
98 | # allow checking if a shell is executable |
99 | corecmd_check_exec_shell(chfn_t) | |
ebdc3b79 | 100 | |
15722ec9 | 101 | domain_use_interactive_fds(chfn_t) |
849380bd | 102 | |
8fd36732 | 103 | files_manage_etc_files(chfn_t) |
c9428d33 | 104 | files_read_etc_runtime_files(chfn_t) |
ab940a4c | 105 | files_dontaudit_search_var(chfn_t) |
6b19be33 | 106 | files_dontaudit_search_home(chfn_t) |
ab940a4c CP |
107 | |
108 | # /usr/bin/passwd asks for w access to utmp, but it will operate | |
109 | # correctly without it. Do not audit write denials to utmp. | |
68228b33 | 110 | init_dontaudit_rw_utmp(chfn_t) |
849380bd | 111 | |
849380bd CP |
112 | miscfiles_read_localization(chfn_t) |
113 | ||
c9428d33 | 114 | logging_send_syslog_msg(chfn_t) |
849380bd | 115 | |
3774e4eb CP |
116 | # uses unix_chkpwd for checking passwords |
117 | seutil_dontaudit_search_config(chfn_t) | |
849380bd | 118 | |
103fe280 | 119 | userdom_use_unpriv_users_fds(chfn_t) |
3774e4eb CP |
120 | # user generally runs this from their home directory, so do not audit a search |
121 | # on user home dir | |
296273a7 | 122 | userdom_dontaudit_search_user_home_content(chfn_t) |
ab940a4c | 123 | |
849380bd CP |
124 | ######################################## |
125 | # | |
126 | # Crack local policy | |
127 | # | |
128 | ||
129 | allow crack_t self:process { sigkill sigstop signull signal }; | |
c0868a7a | 130 | allow crack_t self:fifo_file rw_fifo_file_perms; |
849380bd | 131 | |
0bfccda4 CP |
132 | manage_files_pattern(crack_t, crack_db_t, crack_db_t) |
133 | manage_lnk_files_pattern(crack_t, crack_db_t, crack_db_t) | |
c9428d33 | 134 | files_search_var(crack_t) |
849380bd | 135 | |
0bfccda4 CP |
136 | manage_dirs_pattern(crack_t, crack_tmp_t, crack_tmp_t) |
137 | manage_files_pattern(crack_t, crack_tmp_t, crack_tmp_t) | |
103fe280 | 138 | files_tmp_filetrans(crack_t, crack_tmp_t, { file dir }) |
849380bd CP |
139 | |
140 | kernel_read_system_state(crack_t) | |
141 | ||
142 | # for SSP | |
f0c985ca | 143 | dev_read_urand(crack_t) |
849380bd | 144 | |
0fd9dc55 | 145 | fs_getattr_xattr_fs(crack_t) |
849380bd | 146 | |
8fd36732 | 147 | files_read_etc_files(crack_t) |
c9428d33 | 148 | files_read_etc_runtime_files(crack_t) |
849380bd | 149 | # for dictionaries |
c9428d33 | 150 | files_read_usr_files(crack_t) |
849380bd | 151 | |
c9428d33 | 152 | corecmd_exec_bin(crack_t) |
849380bd | 153 | |
c9428d33 | 154 | logging_send_syslog_msg(crack_t) |
849380bd | 155 | |
296273a7 | 156 | userdom_dontaudit_search_user_home_dirs(crack_t) |
849380bd | 157 | |
51223bfc CP |
158 | ifdef(`distro_debian',` |
159 | # the package cracklib-runtime on Debian contains a daily maintenance | |
160 | # script /etc/cron.daily/cracklib-runtime, that calls | |
161 | # update-cracklib and that calls crack_mkdict, which is a shell script. | |
162 | corecmd_exec_shell(crack_t) | |
163 | ') | |
164 | ||
bb7170f6 | 165 | optional_policy(` |
0bfccda4 | 166 | cron_system_entry(crack_t, crack_exec_t) |
3774e4eb | 167 | ') |
849380bd CP |
168 | |
169 | ######################################## | |
170 | # | |
171 | # Groupadd local policy | |
172 | # | |
173 | ||
da9bbc65 | 174 | allow groupadd_t self:capability { dac_override chown kill setuid sys_resource audit_write }; |
d6d16b97 | 175 | dontaudit groupadd_t self:capability { fsetid sys_tty_config }; |
9d3bdc25 | 176 | allow groupadd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execheap execstack }; |
849380bd CP |
177 | allow groupadd_t self:process { setrlimit setfscreate }; |
178 | allow groupadd_t self:fd use; | |
c0868a7a | 179 | allow groupadd_t self:fifo_file rw_fifo_file_perms; |
dc67f782 CP |
180 | allow groupadd_t self:shm create_shm_perms; |
181 | allow groupadd_t self:sem create_sem_perms; | |
182 | allow groupadd_t self:msgq create_msgq_perms; | |
849380bd | 183 | allow groupadd_t self:msg { send receive }; |
77f6e2cd CP |
184 | allow groupadd_t self:unix_dgram_socket create_socket_perms; |
185 | allow groupadd_t self:unix_stream_socket create_stream_socket_perms; | |
186 | allow groupadd_t self:unix_dgram_socket sendto; | |
187 | allow groupadd_t self:unix_stream_socket connectto; | |
849380bd | 188 | |
ab940a4c CP |
189 | fs_getattr_xattr_fs(groupadd_t) |
190 | fs_search_auto_mountpoints(groupadd_t) | |
191 | ||
849380bd | 192 | # Allow access to context for shadow file |
5e0da6a0 CP |
193 | selinux_get_fs_mount(groupadd_t) |
194 | selinux_validate_context(groupadd_t) | |
195 | selinux_compute_access_vector(groupadd_t) | |
196 | selinux_compute_create_context(groupadd_t) | |
197 | selinux_compute_relabel_context(groupadd_t) | |
198 | selinux_compute_user_contexts(groupadd_t) | |
849380bd | 199 | |
0fd9dc55 CP |
200 | term_use_all_user_ttys(groupadd_t) |
201 | term_use_all_user_ptys(groupadd_t) | |
849380bd | 202 | |
1c1ac67f | 203 | init_use_fds(groupadd_t) |
68228b33 CP |
204 | init_read_utmp(groupadd_t) |
205 | init_dontaudit_write_utmp(groupadd_t) | |
849380bd | 206 | |
15722ec9 | 207 | domain_use_interactive_fds(groupadd_t) |
849380bd | 208 | |
8fd36732 | 209 | files_manage_etc_files(groupadd_t) |
2629c659 | 210 | files_relabel_etc_files(groupadd_t) |
72492557 | 211 | files_read_etc_runtime_files(groupadd_t) |
849380bd | 212 | |
849380bd | 213 | # Execute /usr/bin/{passwd,chfn,chsh} and /usr/sbin/{useradd,vipw}. |
c9428d33 | 214 | corecmd_exec_bin(groupadd_t) |
849380bd | 215 | |
0a0b8078 | 216 | logging_send_audit_msgs(groupadd_t) |
c9428d33 | 217 | logging_send_syslog_msg(groupadd_t) |
849380bd CP |
218 | |
219 | miscfiles_read_localization(groupadd_t) | |
220 | ||
c9428d33 | 221 | auth_manage_shadow(groupadd_t) |
2629c659 | 222 | auth_relabel_shadow(groupadd_t) |
8bf6f58e | 223 | auth_etc_filetrans_shadow(groupadd_t) |
c9428d33 | 224 | auth_rw_lastlog(groupadd_t) |
77f6e2cd | 225 | auth_use_nsswitch(groupadd_t) |
849380bd | 226 | |
5e0da6a0 | 227 | seutil_read_config(groupadd_t) |
849380bd | 228 | |
103fe280 | 229 | userdom_use_unpriv_users_fds(groupadd_t) |
3774e4eb | 230 | # for when /root is the cwd |
296273a7 | 231 | userdom_dontaudit_search_user_home_dirs(groupadd_t) |
849380bd | 232 | |
bb7170f6 | 233 | optional_policy(` |
0c54fcf8 CP |
234 | dpkg_use_fds(groupadd_t) |
235 | dpkg_rw_pipes(groupadd_t) | |
236 | ') | |
237 | ||
0a0b8078 CP |
238 | optional_policy(` |
239 | nscd_domtrans(groupadd_t) | |
240 | ') | |
241 | ||
bb7170f6 | 242 | optional_policy(` |
1c1ac67f | 243 | rpm_use_fds(groupadd_t) |
1815bad1 | 244 | rpm_rw_pipes(groupadd_t) |
b24f35d8 CP |
245 | ') |
246 | ||
849380bd CP |
247 | ######################################## |
248 | # | |
249 | # Passwd local policy | |
250 | # | |
251 | ||
0a0b8078 | 252 | allow passwd_t self:capability { chown dac_override fsetid setuid setgid sys_resource }; |
9d3bdc25 | 253 | allow passwd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; |
849380bd CP |
254 | allow passwd_t self:process { setrlimit setfscreate }; |
255 | allow passwd_t self:fd use; | |
c0868a7a CP |
256 | allow passwd_t self:fifo_file rw_fifo_file_perms; |
257 | allow passwd_t self:sock_file read_sock_file_perms; | |
dc67f782 CP |
258 | allow passwd_t self:unix_dgram_socket create_socket_perms; |
259 | allow passwd_t self:unix_stream_socket create_stream_socket_perms; | |
849380bd CP |
260 | allow passwd_t self:unix_dgram_socket sendto; |
261 | allow passwd_t self:unix_stream_socket connectto; | |
dc67f782 CP |
262 | allow passwd_t self:shm create_shm_perms; |
263 | allow passwd_t self:sem create_sem_perms; | |
0fd9dc55 | 264 | allow passwd_t self:msgq create_msgq_perms; |
849380bd CP |
265 | allow passwd_t self:msg { send receive }; |
266 | ||
c0868a7a | 267 | allow passwd_t crack_db_t:dir list_dir_perms; |
0bfccda4 | 268 | read_files_pattern(passwd_t, crack_db_t, crack_db_t) |
ab940a4c | 269 | |
445522dc | 270 | kernel_read_kernel_sysctls(passwd_t) |
a0824843 | 271 | |
ab940a4c CP |
272 | # for SSP |
273 | dev_read_urand(passwd_t) | |
274 | ||
275 | fs_getattr_xattr_fs(passwd_t) | |
276 | fs_search_auto_mountpoints(passwd_t) | |
277 | ||
f8233ab7 | 278 | mls_file_write_all_levels(passwd_t) |
95501942 CP |
279 | mls_file_downgrade(passwd_t) |
280 | ||
5e0da6a0 CP |
281 | selinux_get_fs_mount(passwd_t) |
282 | selinux_validate_context(passwd_t) | |
283 | selinux_compute_access_vector(passwd_t) | |
284 | selinux_compute_create_context(passwd_t) | |
285 | selinux_compute_relabel_context(passwd_t) | |
286 | selinux_compute_user_contexts(passwd_t) | |
849380bd | 287 | |
4614e83f CP |
288 | term_use_all_user_ttys(passwd_t) |
289 | term_use_all_user_ptys(passwd_t) | |
290 | ||
3774e4eb | 291 | auth_manage_shadow(passwd_t) |
2629c659 | 292 | auth_relabel_shadow(passwd_t) |
8bf6f58e | 293 | auth_etc_filetrans_shadow(passwd_t) |
c0cf6e0a | 294 | auth_use_nsswitch(passwd_t) |
3774e4eb | 295 | |
725926c5 CP |
296 | # allow checking if a shell is executable |
297 | corecmd_check_exec_shell(passwd_t) | |
849380bd | 298 | |
15722ec9 | 299 | domain_use_interactive_fds(passwd_t) |
849380bd | 300 | |
c9428d33 | 301 | files_read_etc_runtime_files(passwd_t) |
8fd36732 | 302 | files_manage_etc_files(passwd_t) |
ab940a4c | 303 | files_search_var(passwd_t) |
3774e4eb | 304 | files_dontaudit_search_pids(passwd_t) |
2629c659 | 305 | files_relabel_etc_files(passwd_t) |
849380bd | 306 | |
725926c5 CP |
307 | # /usr/bin/passwd asks for w access to utmp, but it will operate |
308 | # correctly without it. Do not audit write denials to utmp. | |
68228b33 | 309 | init_dontaudit_rw_utmp(passwd_t) |
725926c5 | 310 | |
0a0b8078 | 311 | logging_send_audit_msgs(passwd_t) |
c9428d33 | 312 | logging_send_syslog_msg(passwd_t) |
849380bd CP |
313 | |
314 | miscfiles_read_localization(passwd_t) | |
315 | ||
3774e4eb | 316 | seutil_dontaudit_search_config(passwd_t) |
a1f94a34 | 317 | |
296273a7 | 318 | userdom_use_user_terminals(passwd_t) |
103fe280 | 319 | userdom_use_unpriv_users_fds(passwd_t) |
2629c659 | 320 | # make sure that getcon succeeds |
15722ec9 | 321 | userdom_getattr_all_users(passwd_t) |
1815bad1 | 322 | userdom_read_all_users_state(passwd_t) |
3774e4eb CP |
323 | # user generally runs this from their home directory, so do not audit a search |
324 | # on user home dir | |
296273a7 | 325 | userdom_dontaudit_search_user_home_content(passwd_t) |
ab940a4c | 326 | |
bb7170f6 | 327 | optional_policy(` |
0a0b8078 | 328 | nscd_domtrans(passwd_t) |
bf080a46 CP |
329 | ') |
330 | ||
849380bd CP |
331 | ######################################## |
332 | # | |
333 | # Password admin local policy | |
334 | # | |
335 | ||
336 | allow sysadm_passwd_t self:capability { chown dac_override fsetid setuid setgid sys_resource }; | |
9d3bdc25 | 337 | allow sysadm_passwd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; |
849380bd CP |
338 | allow sysadm_passwd_t self:process { setrlimit setfscreate }; |
339 | allow sysadm_passwd_t self:fd use; | |
c0868a7a CP |
340 | allow sysadm_passwd_t self:fifo_file rw_fifo_file_perms; |
341 | allow sysadm_passwd_t self:sock_file read_sock_file_perms; | |
dc67f782 CP |
342 | allow sysadm_passwd_t self:unix_dgram_socket create_socket_perms; |
343 | allow sysadm_passwd_t self:unix_stream_socket create_stream_socket_perms; | |
849380bd CP |
344 | allow sysadm_passwd_t self:unix_dgram_socket sendto; |
345 | allow sysadm_passwd_t self:unix_stream_socket connectto; | |
dc67f782 CP |
346 | allow sysadm_passwd_t self:shm create_shm_perms; |
347 | allow sysadm_passwd_t self:sem create_sem_perms; | |
348 | allow sysadm_passwd_t self:msgq create_msgq_perms; | |
849380bd CP |
349 | allow sysadm_passwd_t self:msg { send receive }; |
350 | ||
351 | # allow vipw to create temporary files under /var/tmp/vi.recover | |
0bfccda4 CP |
352 | manage_dirs_pattern(sysadm_passwd_t, sysadm_passwd_tmp_t, sysadm_passwd_tmp_t) |
353 | manage_files_pattern(sysadm_passwd_t, sysadm_passwd_tmp_t, sysadm_passwd_tmp_t) | |
103fe280 | 354 | files_tmp_filetrans(sysadm_passwd_t, sysadm_passwd_tmp_t, { file dir }) |
c9428d33 | 355 | files_search_var(sysadm_passwd_t) |
d9845ae9 | 356 | files_dontaudit_search_home(sysadm_passwd_t) |
849380bd | 357 | |
445522dc | 358 | kernel_read_kernel_sysctls(sysadm_passwd_t) |
a0824843 CP |
359 | # for /proc/meminfo |
360 | kernel_read_system_state(sysadm_passwd_t) | |
361 | ||
5e0da6a0 CP |
362 | selinux_get_fs_mount(sysadm_passwd_t) |
363 | selinux_validate_context(sysadm_passwd_t) | |
364 | selinux_compute_access_vector(sysadm_passwd_t) | |
365 | selinux_compute_create_context(sysadm_passwd_t) | |
366 | selinux_compute_relabel_context(sysadm_passwd_t) | |
367 | selinux_compute_user_contexts(sysadm_passwd_t) | |
849380bd CP |
368 | |
369 | # for SSP | |
f0c985ca | 370 | dev_read_urand(sysadm_passwd_t) |
849380bd | 371 | |
0fd9dc55 | 372 | fs_getattr_xattr_fs(sysadm_passwd_t) |
ab940a4c | 373 | fs_search_auto_mountpoints(sysadm_passwd_t) |
849380bd | 374 | |
0fd9dc55 CP |
375 | term_use_all_user_ttys(sysadm_passwd_t) |
376 | term_use_all_user_ptys(sysadm_passwd_t) | |
849380bd | 377 | |
ab940a4c | 378 | auth_manage_shadow(sysadm_passwd_t) |
2629c659 | 379 | auth_relabel_shadow(sysadm_passwd_t) |
8bf6f58e | 380 | auth_etc_filetrans_shadow(sysadm_passwd_t) |
c0cf6e0a | 381 | auth_use_nsswitch(sysadm_passwd_t) |
ab940a4c CP |
382 | |
383 | # allow vipw to exec the editor | |
384 | corecmd_exec_bin(sysadm_passwd_t) | |
385 | corecmd_exec_shell(sysadm_passwd_t) | |
386 | files_read_usr_files(sysadm_passwd_t) | |
849380bd | 387 | |
15722ec9 | 388 | domain_use_interactive_fds(sysadm_passwd_t) |
849380bd | 389 | |
8fd36732 | 390 | files_manage_etc_files(sysadm_passwd_t) |
2629c659 | 391 | files_relabel_etc_files(sysadm_passwd_t) |
c9428d33 | 392 | files_read_etc_runtime_files(sysadm_passwd_t) |
3774e4eb CP |
393 | # for nscd lookups |
394 | files_dontaudit_search_pids(sysadm_passwd_t) | |
849380bd | 395 | |
ab940a4c CP |
396 | # /usr/bin/passwd asks for w access to utmp, but it will operate |
397 | # correctly without it. Do not audit write denials to utmp. | |
68228b33 | 398 | init_dontaudit_rw_utmp(sysadm_passwd_t) |
849380bd | 399 | |
849380bd CP |
400 | miscfiles_read_localization(sysadm_passwd_t) |
401 | ||
c9428d33 | 402 | logging_send_syslog_msg(sysadm_passwd_t) |
849380bd | 403 | |
3774e4eb CP |
404 | seutil_dontaudit_search_config(sysadm_passwd_t) |
405 | ||
103fe280 | 406 | userdom_use_unpriv_users_fds(sysadm_passwd_t) |
3774e4eb CP |
407 | # user generally runs this from their home directory, so do not audit a search |
408 | # on user home dir | |
296273a7 | 409 | userdom_dontaudit_search_user_home_content(sysadm_passwd_t) |
ab940a4c | 410 | |
bb7170f6 | 411 | optional_policy(` |
0a0b8078 | 412 | nscd_domtrans(sysadm_passwd_t) |
8708d9be CP |
413 | ') |
414 | ||
849380bd CP |
415 | ######################################## |
416 | # | |
417 | # Useradd local policy | |
418 | # | |
419 | ||
0a0b8078 | 420 | allow useradd_t self:capability { dac_override chown kill fowner fsetid setuid sys_resource }; |
d6d16b97 | 421 | dontaudit useradd_t self:capability sys_tty_config; |
9d3bdc25 | 422 | allow useradd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; |
849380bd CP |
423 | allow useradd_t self:process setfscreate; |
424 | allow useradd_t self:fd use; | |
c0868a7a | 425 | allow useradd_t self:fifo_file rw_fifo_file_perms; |
dc67f782 CP |
426 | allow useradd_t self:shm create_shm_perms; |
427 | allow useradd_t self:sem create_sem_perms; | |
428 | allow useradd_t self:msgq create_msgq_perms; | |
849380bd | 429 | allow useradd_t self:msg { send receive }; |
77f6e2cd CP |
430 | allow useradd_t self:unix_dgram_socket create_socket_perms; |
431 | allow useradd_t self:unix_stream_socket create_stream_socket_perms; | |
432 | allow useradd_t self:unix_dgram_socket sendto; | |
433 | allow useradd_t self:unix_stream_socket connectto; | |
849380bd | 434 | |
d9845ae9 CP |
435 | # for getting the number of groups |
436 | kernel_read_kernel_sysctls(useradd_t) | |
437 | ||
438 | corecmd_exec_shell(useradd_t) | |
439 | # Execute /usr/bin/{passwd,chfn,chsh} and /usr/sbin/{useradd,vipw}. | |
440 | corecmd_exec_bin(useradd_t) | |
d9845ae9 CP |
441 | |
442 | domain_use_interactive_fds(useradd_t) | |
443 | ||
444 | files_manage_etc_files(useradd_t) | |
445 | files_search_var_lib(useradd_t) | |
446 | files_relabel_etc_files(useradd_t) | |
447 | files_read_etc_runtime_files(useradd_t) | |
448 | ||
449 | fs_search_auto_mountpoints(useradd_t) | |
450 | fs_getattr_xattr_fs(useradd_t) | |
451 | ||
6b19be33 CP |
452 | mls_file_upgrade(useradd_t) |
453 | ||
849380bd | 454 | # Allow access to context for shadow file |
5e0da6a0 CP |
455 | selinux_get_fs_mount(useradd_t) |
456 | selinux_validate_context(useradd_t) | |
457 | selinux_compute_access_vector(useradd_t) | |
458 | selinux_compute_create_context(useradd_t) | |
459 | selinux_compute_relabel_context(useradd_t) | |
460 | selinux_compute_user_contexts(useradd_t) | |
849380bd | 461 | |
0fd9dc55 CP |
462 | term_use_all_user_ttys(useradd_t) |
463 | term_use_all_user_ptys(useradd_t) | |
849380bd | 464 | |
ab940a4c | 465 | auth_manage_shadow(useradd_t) |
2629c659 | 466 | auth_relabel_shadow(useradd_t) |
8bf6f58e | 467 | auth_etc_filetrans_shadow(useradd_t) |
ab940a4c | 468 | auth_rw_lastlog(useradd_t) |
a5e2133b | 469 | auth_rw_faillog(useradd_t) |
77f6e2cd | 470 | auth_use_nsswitch(useradd_t) |
ab940a4c | 471 | |
1c1ac67f | 472 | init_use_fds(useradd_t) |
68228b33 | 473 | init_rw_utmp(useradd_t) |
ab940a4c | 474 | |
0a0b8078 | 475 | logging_send_audit_msgs(useradd_t) |
ab940a4c | 476 | logging_send_syslog_msg(useradd_t) |
849380bd CP |
477 | |
478 | miscfiles_read_localization(useradd_t) | |
479 | ||
5e0da6a0 | 480 | seutil_read_config(useradd_t) |
605ba285 | 481 | seutil_read_file_contexts(useradd_t) |
d9845ae9 | 482 | seutil_read_default_contexts(useradd_t) |
6b19be33 | 483 | seutil_domtrans_semanage(useradd_t) |
762d2cb9 | 484 | seutil_domtrans_setfiles(useradd_t) |
849380bd | 485 | |
103fe280 | 486 | userdom_use_unpriv_users_fds(useradd_t) |
3774e4eb | 487 | # Add/remove user home directories |
296273a7 CP |
488 | userdom_manage_user_home_content_dirs(useradd_t) |
489 | userdom_manage_user_home_content_files(useradd_t) | |
490 | userdom_home_filetrans_user_home_dir(useradd_t) | |
491 | userdom_user_home_dir_filetrans_user_home_content(useradd_t, notdevfile_class_set) | |
849380bd | 492 | |
ab940a4c | 493 | mta_manage_spool(useradd_t) |
849380bd | 494 | |
2f27163c CP |
495 | optional_policy(` |
496 | apache_manage_all_user_content(useradd_t) | |
497 | ') | |
498 | ||
bb7170f6 | 499 | optional_policy(` |
0c54fcf8 CP |
500 | dpkg_use_fds(useradd_t) |
501 | dpkg_rw_pipes(useradd_t) | |
502 | ') | |
503 | ||
0a0b8078 CP |
504 | optional_policy(` |
505 | nscd_domtrans(useradd_t) | |
506 | ') | |
507 | ||
bb7170f6 | 508 | optional_policy(` |
1c1ac67f | 509 | rpm_use_fds(useradd_t) |
1815bad1 | 510 | rpm_rw_pipes(useradd_t) |
b24f35d8 | 511 | ') |