## <summary>Common policy for authentication and user login.</summary>

########################################
## <summary>
##	Role access for password authentication.
## </summary>
## <desc>
##	<p>
##	Let a user role run the password checking helper
##	(unix_chkpwd) in its own domain instead of reading
##	the shadow file from the user domain.
##	</p>
## </desc>
## <param name="role">
##	<summary>
##	Role allowed access.
##	</summary>
## </param>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`auth_role',`
	gen_require(`
		type chkpwd_t, chkpwd_exec_t, shadow_t;
	')

	role $1 types chkpwd_t;

	# Transition from the user domain to this domain.
	domtrans_pattern($2, chkpwd_exec_t, chkpwd_t)

	# Let the user domain see (ps) the helper it spawned.
	ps_process_pattern($2, chkpwd_t)

	# Silence, but do not grant, direct shadow reads by the user
	# domain: PAM modules try this before delegating to the helper
	# and the denial is noise. The read itself stays denied.
	dontaudit $2 shadow_t:file read_file_perms;
')

########################################
## <summary>
##	Use PAM for authentication.
## </summary>
## <desc>
##	<p>
##	Grant a domain everything a PAM stack needs to run:
##	the password helpers, the login/failure/lastlog
##	records, the PAM module files and NSS lookups.
##	Shadow reads are only dontaudited, never allowed;
##	the helper domains do the actual read.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`auth_use_pam',`

	# for SSP/ProPolice
	dev_read_urand($1)
	# for encrypted homedir
	dev_read_sysfs($1)

	# Password verification and update run in separate helper domains.
	auth_domtrans_chk_passwd($1)
	auth_domtrans_upd_passwd($1)
	# Denied-but-quiet: the caller must not read shadow_t itself.
	auth_dontaudit_read_shadow($1)
	auth_read_login_records($1)
	auth_append_login_records($1)
	auth_rw_lastlog($1)
	auth_rw_faillog($1)
	auth_exec_pam($1)
	auth_use_nsswitch($1)

	init_rw_stream_sockets($1)

	# PAM emits audit records and syslog messages for auth events.
	logging_send_audit_msgs($1)
	logging_send_syslog_msg($1)

	optional_policy(`
		dbus_system_bus_client($1)

		optional_policy(`
			consolekit_dbus_chat($1)
		')

		optional_policy(`
			fprintd_dbus_chat($1)
		')
	')

	optional_policy(`
		kerberos_manage_host_rcache($1)
		kerberos_read_config($1)
	')

	optional_policy(`
		nis_authenticate($1)
	')
')

########################################
## <summary>
##	Make the specified domain used for a login program.
## </summary>
## <desc>
##	<p>
##	This is a highly privileged designation: the domain is
##	exempted from the subject/role/object identity change
##	constraints, may read the state of and kill every other
##	domain, and may read and write files at all MLS levels.
##	Apply it only to real login programs (the ones that
##	set up a user session), never to a service that merely
##	authenticates users; use auth_use_pam() for those.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain type used for a login program domain.
##	</summary>
## </param>
#
interface(`auth_login_pgm_domain',`
	gen_require(`
		type var_auth_t, auth_cache_t;
		attribute polydomain;
	')

	domain_type($1)
	# Marked polyinstantiated-directory aware; see authlogin_read_state()
	# and authlogin_rw_pipes(), which key on this attribute.
	typeattribute $1 polydomain;

	# Login programs change the user identity, role and object
	# identity of the session they create, which the constraints
	# otherwise forbid.
	domain_subj_id_change_exemption($1)
	domain_role_change_exemption($1)
	domain_obj_id_change_exemption($1)
	role system_r types $1;

	# Needed for pam_selinux_permit to cleanup properly
	domain_read_all_domains_state($1)
	corecmd_getattr_all_executables($1)
	# Broad grant: can signal/kill any domain on the system.
	domain_kill_all_domains($1)

	# pam_keyring
	allow $1 self:capability ipc_lock;
	allow $1 self:process setkeycreate;
	allow $1 self:key manage_key_perms;
	userdom_manage_all_users_keys($1)

	files_list_var_lib($1)
	manage_dirs_pattern($1, var_auth_t, var_auth_t)
	manage_files_pattern($1, var_auth_t, var_auth_t)

	# Authentication cache under /var; new dirs created there get auth_cache_t.
	manage_dirs_pattern($1, auth_cache_t, auth_cache_t)
	manage_files_pattern($1, auth_cache_t, auth_cache_t)
	manage_sock_files_pattern($1, auth_cache_t, auth_cache_t)
	files_var_filetrans($1, auth_cache_t, dir)

	# needed for afs - https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=253321
	kernel_rw_afs_state($1)

	# Binding any unreserved UDP port is a wide grant; it is gated
	# behind the authlogin_radius tunable and off by default here.
	tunable_policy(`authlogin_radius',`
		corenet_udp_bind_all_unreserved_ports($1)
	')

	# for fingerprint readers
	dev_rw_input_dev($1)
	dev_rw_generic_usb_dev($1)

	files_read_config_files($1)

	fs_list_auto_mountpoints($1)
	fs_manage_cgroup_dirs($1)
	fs_manage_cgroup_files($1)

	# Context computation for the session being created.
	selinux_get_fs_mount($1)
	selinux_validate_context($1)
	selinux_compute_access_vector($1)
	selinux_compute_create_context($1)
	selinux_compute_relabel_context($1)
	selinux_compute_user_contexts($1)

	# MLS: the login program is trusted across all levels so it can
	# set up sessions at the user's requested level.
	mls_file_read_all_levels($1)
	mls_file_write_all_levels($1)
	mls_file_upgrade($1)
	mls_file_downgrade($1)
	mls_process_set_level($1)
	mls_fd_share_all_levels($1)

	auth_manage_faillog($1)
	auth_manage_pam_pid($1)
	auth_use_pam($1)

	init_rw_utmp($1)

	# Sets the audit login uid and tty audit state for the new session.
	logging_set_loginuid($1)
	logging_set_tty_audit($1)

	seutil_read_config($1)
	seutil_read_default_contexts($1)

	userdom_set_rlimitnh($1)
	userdom_read_user_home_content_symlinks($1)
	userdom_delete_user_tmp_files($1)
	userdom_search_admin_dir($1)
	userdom_stream_connect($1)

	optional_policy(`
		afs_rw_udp_sockets($1)
	')

	optional_policy(`
		kerberos_read_config($1)
	')

	optional_policy(`
		oddjob_dbus_chat($1)
		oddjob_domtrans_mkhomedir($1)
	')

	optional_policy(`
		openct_stream_connect($1)
		openct_signull($1)
		openct_read_pid_files($1)
	')

	# NOTE(review): presumably for a PAM mount module (mounting home
	# directories at login); confirm which module this serves.
	optional_policy(`
		corecmd_exec_bin($1)
		storage_getattr_fixed_disk_dev($1)
		mount_domtrans($1)
	')

	optional_policy(`
		fprintd_dbus_chat($1)
	')

	optional_policy(`
		ssh_agent_exec($1)
		ssh_read_user_home_files($1)
		userdom_read_user_home_content_files($1)
	')

	optional_policy(`
		systemd_dbus_chat_logind($1)
		systemd_use_fds_logind($1)
		systemd_write_inherited_logind_sessions_pipes($1)
	')
')

########################################
## <summary>
##	Read authlogin state files.
## </summary>
## <desc>
##	<p>
##	Read the /proc state of every domain carrying the
##	polydomain attribute, i.e. every domain set up with
##	auth_login_pgm_domain().
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`authlogin_read_state',`
	gen_require(`
		attribute polydomain;
	')

	kernel_search_proc($1)
	ps_process_pattern($1, polydomain)
')

########################################
## <summary>
##	Read and write a authlogin unnamed pipe.
## </summary>
## <desc>
##	<p>
##	Only inherited pipe descriptors are covered
##	(rw_inherited_fifo_file_perms); this does not permit
##	opening a login program's pipes by path.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`authlogin_rw_pipes',`
	gen_require(`
		attribute polydomain;
	')

	allow $1 polydomain:fifo_file rw_inherited_fifo_file_perms;
')

########################################
## <summary>
##	Use the login program as an entry point program.
## </summary>
## <desc>
##	<p>
##	Makes login_exec_t a valid entrypoint for the given
##	domain. This does not by itself allow anyone to
##	transition into it; pair with auth_domtrans_login_program().
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`auth_login_entry_type',`
	gen_require(`
		type login_exec_t;
	')

	domain_entry_file($1, login_exec_t)
')

########################################
## <summary>
##	Execute a login_program in the target domain.
## </summary>
## <desc>
##	<p>
##	The target domain must already declare login_exec_t as
##	an entrypoint (auth_login_entry_type()) or the
##	transition is rejected at policy build time.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
## <param name="target_domain">
##	<summary>
##	The type of the login_program process.
##	</summary>
## </param>
#
interface(`auth_domtrans_login_program',`
	gen_require(`
		type login_exec_t;
	')

	# Search permission on bin directories, so the path to login resolves.
	corecmd_search_bin($1)
	domtrans_pattern($1, login_exec_t, $2)
')

########################################
## <summary>
##	Execute a login_program in the target domain,
##	with a range transition.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
## <param name="target_domain">
##	<summary>
##	The type of the login_program process.
##	</summary>
## </param>
## <param name="range">
##	<summary>
##	Range of the login program.
##	</summary>
## </param>
#
interface(`auth_ranged_domtrans_login_program',`
	gen_require(`
		type login_exec_t;
	')

	auth_domtrans_login_program($1, $2)

	# The range_transition rule only exists when the policy is built
	# with MCS or MLS; it is a no-op on a non-categories build.
	ifdef(`enable_mcs',`
		range_transition $1 login_exec_t:process $3;
	')

	ifdef(`enable_mls',`
		range_transition $1 login_exec_t:process $3;
	')
')

########################################
## <summary>
##	Search authentication cache
## </summary>
## <desc>
##	<p>
##	Directory search only; no file contents are readable.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`auth_search_cache',`
	gen_require(`
		type auth_cache_t;
	')

	allow $1 auth_cache_t:dir search_dir_perms;
')

########################################
## <summary>
##	Read authentication cache
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`auth_read_cache',`
	gen_require(`
		type auth_cache_t;
	')

	# read_files_pattern also grants search on the auth_cache_t directory.
	read_files_pattern($1, auth_cache_t, auth_cache_t)
')

########################################
## <summary>
##	Read/Write authentication cache
## </summary>
## <desc>
##	<p>
##	Read and write existing cache files; creation and
##	deletion need auth_manage_cache().
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`auth_rw_cache',`
	gen_require(`
		type auth_cache_t;
	')

	rw_files_pattern($1, auth_cache_t, auth_cache_t)
')

########################################
## <summary>
##	Manage authentication cache
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`auth_manage_cache',`
	gen_require(`
		type auth_cache_t;
	')

	# Directories and regular files only; socket files in the cache are
	# covered separately by auth_login_pgm_domain().
	manage_dirs_pattern($1, auth_cache_t, auth_cache_t)
	manage_files_pattern($1, auth_cache_t, auth_cache_t)
')

#######################################
## <summary>
##	Automatic transition from cache_t to cache.
## </summary>
## <desc>
##	<p>
##	Files and directories the domain creates directly in
##	/var are labeled auth_cache_t instead of var_t.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`auth_var_filetrans_cache',`
	gen_require(`
		type auth_cache_t;
	')

	files_var_filetrans($1, auth_cache_t, { file dir } )
')

########################################
## <summary>
##	Run unix_chkpwd to check a password.
## </summary>
## <desc>
##	<p>
##	The caller never reads shadow_t itself: the read happens
##	in chkpwd_t after the domain transition, and the caller's
##	own attempts are dontaudited. This also pulls in the
##	password update helper (auth_domtrans_upd_passwd()).
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
#
interface(`auth_domtrans_chk_passwd',`
	gen_require(`
		type chkpwd_t, chkpwd_exec_t, shadow_t;
		type auth_cache_t;
	')

	allow $1 auth_cache_t:dir search_dir_perms;

	corecmd_search_bin($1)
	domtrans_pattern($1, chkpwd_exec_t, chkpwd_t)

	# Quiet the denial, do not grant it: PAM probes the shadow file
	# before falling back to the helper.
	dontaudit $1 shadow_t:file read_file_perms;

	dev_read_rand($1)
	dev_read_urand($1)

	auth_use_nsswitch($1)
	auth_rw_faillog($1)

	logging_send_audit_msgs($1)

	miscfiles_read_generic_certs($1)

	optional_policy(`
		kerberos_read_keytab($1)
	')

	# Smart card readers.
	optional_policy(`
		pcscd_manage_pub_files($1)
		pcscd_manage_pub_pipes($1)
		pcscd_stream_connect($1)
	')

	optional_policy(`
		samba_stream_connect_winbind($1)
	')
	# Unconditional: password change on expiry goes through unix_update.
	auth_domtrans_upd_passwd($1)
')

########################################
## <summary>
##	Run unix_chkpwd to check a password.
##	Stripped down version to be called within boolean
## </summary>
## <desc>
##	<p>
##	Contains only the transition and the shadow dontaudit,
##	so it is safe to wrap in a tunable_policy block where
##	the wider auth_domtrans_chk_passwd() would not be.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
#
interface(`auth_domtrans_chkpwd',`
	gen_require(`
		type chkpwd_t, chkpwd_exec_t, shadow_t;
	')

	corecmd_search_bin($1)
	domtrans_pattern($1, chkpwd_exec_t, chkpwd_t)
	# Narrower set than the read_file_perms dontaudit in
	# auth_domtrans_chk_passwd(); harmless since nothing is granted.
	dontaudit $1 shadow_t:file { getattr read };
	auth_domtrans_upd_passwd($1)
')

########################################
## <summary>
##	Execute chkpwd programs in the chkpwd domain.
## </summary>
## <desc>
##	<p>
##	Same as auth_domtrans_chk_passwd(), plus the role
##	authorization needed when the caller is a user domain
##	rather than a system daemon. Also authorizes the role
##	for the updpwd domain.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
## <param name="role">
##	<summary>
##	The role to allow the chkpwd domain.
##	</summary>
## </param>
#
interface(`auth_run_chk_passwd',`
	gen_require(`
		type chkpwd_t;
	')

	auth_domtrans_chk_passwd($1)
	role $2 types chkpwd_t;
	auth_run_upd_passwd($1, $2)
')

########################################
## <summary>
##	Send generic signals to chkpwd processes.
## </summary>
## <desc>
##	<p>
##	Only the generic signal permission; sigkill and sigstop
##	are not included.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`auth_signal_chk_passwd',`
	gen_require(`
		type chkpwd_t;
	')

	allow $1 chkpwd_t:process signal;
')

########################################
## <summary>
##	Execute a domain transition to run unix_update.
## </summary>
## <desc>
##	<p>
##	The shadow write is performed by updpwd_t after the
##	transition; the caller's own shadow reads are
##	dontaudited, not allowed.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
#
interface(`auth_domtrans_upd_passwd',`
	gen_require(`
		type updpwd_t, updpwd_exec_t;
	')

	domtrans_pattern($1, updpwd_exec_t, updpwd_t)
	auth_dontaudit_read_shadow($1)

')

########################################
## <summary>
##	Execute updpwd programs in the updpwd domain.
## </summary>
## <desc>
##	<p>
##	auth_domtrans_upd_passwd() plus the role authorization
##	for user-role callers.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
## <param name="role">
##	<summary>
##	The role to allow the updpwd domain.
##	</summary>
## </param>
#
interface(`auth_run_upd_passwd',`
	gen_require(`
		type updpwd_t;
	')

	auth_domtrans_upd_passwd($1)
	role $2 types updpwd_t;
')

########################################
## <summary>
##	Get the attributes of the shadow passwords file.
## </summary>
## <desc>
##	<p>
##	Metadata only (stat); no read permission, so this does
##	not require the can_read_shadow_passwords attribute.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`auth_getattr_shadow',`
	gen_require(`
		type shadow_t;
	')

	files_search_etc($1)
	allow $1 shadow_t:file getattr;
')

########################################
## <summary>
##	Do not audit attempts to get the attributes
##	of the shadow passwords file.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
interface(`auth_dontaudit_getattr_shadow',`
	gen_require(`
		type shadow_t;
	')

	# Suppresses the AVC message only; the getattr is still denied.
	dontaudit $1 shadow_t:file getattr;
')

########################################
## <summary>
##	Read the shadow passwords file (/etc/shadow)
## </summary>
## <desc>
##	<p>
##	This is the interface to call for unconditional shadow
##	read access: it both passes the shadow assertion (via
##	the can_read_shadow_passwords attribute) and grants the
##	read rules.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
# cjp: these next three interfaces are split
# since typeattribute does not work in conditionals
# yet, otherwise they should be one interface.
#
interface(`auth_read_shadow',`
	auth_can_read_shadow_passwords($1)
	auth_tunable_read_shadow($1)
')

########################################
## <summary>
##	Pass shadow assertion for reading.
## </summary>
## <desc>
##	<p>
##	Pass shadow assertion for reading.
##	This should only be used with
##	auth_tunable_read_shadow(), and
##	only exists because typeattribute
##	does not work in conditionals.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`auth_can_read_shadow_passwords',`
	gen_require(`
		attribute can_read_shadow_passwords;
	')

	# Grants no access by itself; it only whitelists the domain for
	# the assertion that forbids shadow reads everywhere else.
	typeattribute $1 can_read_shadow_passwords;
')

########################################
## <summary>
##	Read the shadow password file.
## </summary>
## <desc>
##	<p>
##	Read the shadow password file. This
##	should only be used in a conditional;
##	it does not pass the reading shadow
##	assertion.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`auth_tunable_read_shadow',`
	gen_require(`
		type shadow_t;
	')

	# The caller is responsible for auth_can_read_shadow_passwords()
	# outside the conditional, or the build fails the shadow assertion.
	files_list_etc($1)
	allow $1 shadow_t:file read_file_perms;
')

########################################
## <summary>
##	Do not audit attempts to read the shadow
##	password file (/etc/shadow).
## </summary>
## <desc>
##	<p>
##	Used for domains that probe /etc/shadow but are expected
##	to fall back to the chkpwd helper; the read stays denied.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
interface(`auth_dontaudit_read_shadow',`
	gen_require(`
		type shadow_t;
	')

	dontaudit $1 shadow_t:file read_file_perms;
')

########################################
## <summary>
##	Read and write the shadow password file (/etc/shadow).
## </summary>
## <desc>
##	<p>
##	Passes both the read and the write shadow assertions.
##	Write access to shadow_t is equivalent to control of
##	every local account; restrict callers accordingly.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`auth_rw_shadow',`
	gen_require(`
		attribute can_read_shadow_passwords, can_write_shadow_passwords;
		type shadow_t;
	')

	files_list_etc($1)
	allow $1 shadow_t:file rw_file_perms;
	typeattribute $1 can_read_shadow_passwords, can_write_shadow_passwords;
')

########################################
## <summary>
##	Create, read, write, and delete the shadow
##	password file.
## </summary>
## <desc>
##	<p>
##	Passes both shadow assertions. Unlike auth_rw_shadow()
##	this grants no access to the /etc directory itself;
##	callers are expected to already have it.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`auth_manage_shadow',`
	gen_require(`
		attribute can_read_shadow_passwords, can_write_shadow_passwords;
		type shadow_t;
	')

	# NOTE(review): no files_search_etc()/files_list_etc() here, whereas
	# auth_rw_shadow() supplies files_list_etc(); confirm this is intended.
	allow $1 shadow_t:file manage_file_perms;
	typeattribute $1 can_read_shadow_passwords, can_write_shadow_passwords;
')

#######################################
## <summary>
##	Automatic transition from etc to shadow.
## </summary>
## <desc>
##	<p>
##	Any regular file the domain creates in /etc is labeled
##	shadow_t. Pair with auth_manage_shadow(); the type
##	transition alone grants no file permissions and does
##	not pass the shadow assertions.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`auth_etc_filetrans_shadow',`
	gen_require(`
		type shadow_t;
	')

	files_etc_filetrans($1, shadow_t, file)
')

#######################################
## <summary>
##	Relabel to the shadow
##	password file type.
## </summary>
## <desc>
##	<p>
##	Relabeling a file to shadow_t makes it the credential
##	store; the can_relabelto_shadow_passwords attribute is
##	what passes the corresponding assertion.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`auth_relabelto_shadow',`
	gen_require(`
		attribute can_relabelto_shadow_passwords;
		type shadow_t;
	')

	files_search_etc($1)
	allow $1 shadow_t:file relabelto;
	typeattribute $1 can_relabelto_shadow_passwords;
')

#######################################
## <summary>
##	Relabel from and to the shadow
##	password file type.
## </summary>
## <desc>
##	<p>
##	Relabeling away from shadow_t removes the file from
##	the protected type, so this is as sensitive as write
##	access. Only the relabelto attribute is assigned here.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`auth_relabel_shadow',`
	gen_require(`
		attribute can_relabelto_shadow_passwords;
		type shadow_t;
	')

	files_search_etc($1)
	# relabel_file_perms covers relabelfrom as well as relabelto.
	allow $1 shadow_t:file relabel_file_perms;
	typeattribute $1 can_relabelto_shadow_passwords;
')

#######################################
## <summary>
##	Append to the login failure log.
## </summary>
## <desc>
##	<p>
##	Append-only: enough to record a failure without being
##	able to read or reset another account's counter.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`auth_append_faillog',`
	gen_require(`
		type faillog_t;
	')

	logging_search_logs($1)
	allow $1 faillog_t:file append_file_perms;
')

########################################
## <summary>
##	Read and write the login failure log.
## </summary>
## <desc>
##	<p>
##	Read/write lets the domain reset failure counters
##	(e.g. on successful login); use auth_append_faillog()
##	where only recording is needed.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`auth_rw_faillog',`
	gen_require(`
		type faillog_t;
	')

	logging_search_logs($1)
	rw_files_pattern($1, faillog_t, faillog_t)
')

########################################
## <summary>
##	Relabel the login failure log.
## </summary>
## <desc>
##	<p>
##	Both directions (relabelfrom and relabelto) for
##	faillog_t directories and files. No search permission
##	on the log directory is granted here.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`auth_relabel_faillog',`
	gen_require(`
		type faillog_t;
	')

	allow $1 faillog_t:dir relabel_dir_perms;
	allow $1 faillog_t:file relabel_file_perms;
')

########################################
## <summary>
##	Manage the login failure log.
## </summary>
## <desc>
##	<p>
##	Full create/read/write/delete on faillog_t directories
##	and files.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`auth_manage_faillog',`
	gen_require(`
		type faillog_t;
	')

	logging_search_logs($1)
	# NOTE(review): presumably a faillog_t location lives under the pid
	# directory as well as under /var/log; confirm against the file contexts.
	files_search_pids($1)
	allow $1 faillog_t:dir manage_dir_perms;
	allow $1 faillog_t:file manage_file_perms;
')

#######################################
## <summary>
##	Read the last logins log.
## </summary>
## <desc>
##	<p>
##	Read-only access to lastlog_t; tagged rolecap so it
##	can be handed to user roles.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <rolecap/>
#
interface(`auth_read_lastlog',`
	gen_require(`
		type lastlog_t;
	')

	logging_search_logs($1)
	allow $1 lastlog_t:file read_file_perms;
')

#######################################
## <summary>
##	Append only to the last logins log.
## </summary>
## <desc>
##	<p>
##	Append plus lock, so a login record can be written
##	without the ability to read or rewrite other entries.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`auth_append_lastlog',`
	gen_require(`
		type lastlog_t;
	')

	logging_search_logs($1)
	allow $1 lastlog_t:file { append_file_perms lock };
')

#######################################
## <summary>
##	Read and write to the last logins log.
## </summary>
## <desc>
##	<p>
##	Read/write plus lock and setattr on the lastlog file.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`auth_rw_lastlog',`
	gen_require(`
		type lastlog_t;
	')

	logging_search_logs($1)
	# NOTE(review): setattr is broader than the summary suggests
	# (e.g. timestamps/mode); confirm which writer needs it.
	allow $1 lastlog_t:file { rw_file_perms lock setattr };
')

########################################
## <summary>
##	Execute pam programs in the pam domain.
## </summary>
## <desc>
##	<p>
##	Domain transition only; use auth_run_pam() when the
##	caller is a user domain that also needs the role
##	authorization.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
#
interface(`auth_domtrans_pam',`
	gen_require(`
		type pam_t, pam_exec_t;
	')

	domtrans_pattern($1, pam_exec_t, pam_t)
')

########################################
## <summary>
##	Send generic signals to pam processes.
## </summary>
## <desc>
##	<p>
##	Only the generic signal permission; sigkill and sigstop
##	are not included.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`auth_signal_pam',`
	gen_require(`
		type pam_t;
	')

	allow $1 pam_t:process signal;
')

########################################
## <summary>
##	Execute pam programs in the PAM domain,
##	and allow the specified role the PAM domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
## <param name="role">
##	<summary>
##	The role to allow the PAM domain.
##	</summary>
## </param>
#
interface(`auth_run_pam',`
	gen_require(`
		type pam_t;
	')

	auth_domtrans_pam($1)
	# the role must be authorized for pam_t or the transition above is refused
	role $2 types pam_t;
')
1016 | ||
########################################
## <summary>
##	Execute the pam program.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`auth_exec_pam',`
	gen_require(`
		type pam_exec_t;
	')

	# execution stays in the caller's own domain (contrast auth_domtrans_pam)
	can_exec($1, pam_exec_t)
')
1034 | ||
########################################
## <summary>
##	Read var auth files. Used by various other applications
##	and pam applets etc.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`auth_read_var_auth',`
	gen_require(`
		type var_auth_t;
	')

	# directory search on the way to the var_auth_t tree
	files_search_var($1)
	# read files in var_auth_t directories; no write or create
	read_files_pattern($1, var_auth_t, var_auth_t)
')
1054 | ||
########################################
## <summary>
##	Read and write var auth files. Used by various other applications
##	and pam applets etc.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`auth_rw_var_auth',`
	gen_require(`
		type var_auth_t;
	')

	files_search_var($1)
	# read/write existing files only; creation and deletion are in auth_manage_var_auth
	rw_files_pattern($1, var_auth_t, var_auth_t)
')
1074 | ||
########################################
## <summary>
##	Manage var auth files. Used by various other applications
##	and pam applets etc.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`auth_manage_var_auth',`
	gen_require(`
		type var_auth_t;
	')

	files_search_var($1)

	# full create/read/write/delete on directories, regular files and
	# symlinks; other object classes (sockets, fifos) are not covered
	manage_dirs_pattern($1, var_auth_t, var_auth_t)
	manage_files_pattern($1, var_auth_t, var_auth_t)
	manage_lnk_files_pattern($1, var_auth_t, var_auth_t)
')
1097 | ||
########################################
## <summary>
##	Relabel var auth directories. Used by various other applications
##	and pam applets etc.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`auth_relabel_var_auth_dirs',`
	gen_require(`
		type var_auth_t;
	')

	files_search_var($1)
	# directories only (relabelfrom/relabelto on dir); files are not relabelable here
	relabel_dirs_pattern($1, var_auth_t, var_auth_t)
')
1117 | ||
########################################
## <summary>
##	Read PAM PID files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`auth_read_pam_pid',`
	gen_require(`
		type pam_var_run_t;
	')

	# search the pid directory tree to reach pam_var_run_t objects
	files_search_pids($1)
	# list the directory and read its files; no write access
	allow $1 pam_var_run_t:dir list_dir_perms;
	allow $1 pam_var_run_t:file read_file_perms;
')
1137 | ||
########################################
## <summary>
##	Do not audit attempts to read PAM PID files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
interface(`auth_dontaudit_read_pam_pid',`
	gen_require(`
		type pam_var_run_t;
	')

	# only getattr and read are silenced; the sibling auth_dontaudit_read_login_records
	# uses read_file_perms, so denials for other read-related permissions (e.g. open)
	# would still be logged here
	dontaudit $1 pam_var_run_t:file { getattr read };
')
1155 | ||
########################################
## <summary>
##	Delete pam PID files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`auth_delete_pam_pid',`
	gen_require(`
		type pam_var_run_t;
	')

	files_search_pids($1)
	# removing a file needs remove_name on the directory plus unlink on the file
	allow $1 pam_var_run_t:dir del_entry_dir_perms;
	allow $1 pam_var_run_t:file delete_file_perms;
')
1175 | ||
########################################
## <summary>
##	Manage pam PID files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`auth_manage_pam_pid',`
	gen_require(`
		type pam_var_run_t;
	')

	files_search_pids($1)
	# full create/read/write/delete on the pid directory and its files
	allow $1 pam_var_run_t:dir manage_dir_perms;
	allow $1 pam_var_run_t:file manage_file_perms;
')
1195 | ||
########################################
## <summary>
##	Execute pam_console with a domain transition.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
#
interface(`auth_domtrans_pam_console',`
	gen_require(`
		type pam_console_t, pam_console_exec_t;
	')

	# execute pam_console_exec_t and switch into pam_console_t
	domtrans_pattern($1, pam_console_exec_t, pam_console_t)
')
1213 | ||
########################################
## <summary>
##	Search the contents of the
##	pam_console data directory.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`auth_search_pam_console_data',`
	gen_require(`
		type pam_var_console_t;
	')

	files_search_pids($1)
	# search only: the caller can traverse the directory but not list it
	# (listing is auth_list_pam_console_data)
	allow $1 pam_var_console_t:dir search_dir_perms;
')
1233 | ||
########################################
## <summary>
##	List the contents of the pam_console
##	data directory.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`auth_list_pam_console_data',`
	gen_require(`
		type pam_var_console_t;
	')

	files_search_pids($1)
	# directory listing only; reading the files is auth_read_pam_console_data
	allow $1 pam_var_console_t:dir list_dir_perms;
')
1253 | ||
########################################
## <summary>
##	Relabel pam_console data directories.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`auth_relabel_pam_console_data_dirs',`
	gen_require(`
		type pam_var_console_t;
	')

	# NOTE(review): unlike the other pam_console_data interfaces this one does
	# not call files_search_pids($1); callers that cannot already reach the
	# pid directory would need that separately -- confirm intent
	relabel_dirs_pattern($1, pam_var_console_t, pam_var_console_t)
')
1271 | ||
########################################
## <summary>
##	Read pam_console data files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`auth_read_pam_console_data',`
	gen_require(`
		type pam_var_console_t;
	')

	files_search_pids($1)
	# list the directory and read its files; no write access
	allow $1 pam_var_console_t:dir list_dir_perms;
	allow $1 pam_var_console_t:file read_file_perms;
')
1291 | ||
########################################
## <summary>
##	Create, read, write, and delete
##	pam_console data files and symlinks.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`auth_manage_pam_console_data',`
	gen_require(`
		type pam_var_console_t;
	')

	files_search_pids($1)
	# files and symlinks are managed; the directories themselves are not
	# (creating/removing pam_var_console_t dirs is not granted here)
	manage_files_pattern($1, pam_var_console_t, pam_var_console_t)
	manage_lnk_files_pattern($1, pam_var_console_t, pam_var_console_t)
')
1312 | ||
########################################
## <summary>
##	Delete pam_console data files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`auth_delete_pam_console_data',`
	gen_require(`
		type pam_var_console_t;
	')

	# both /var and the pid directory are searched; the sibling interfaces
	# only call files_search_pids -- the extra search is harmless but
	# presumably historical
	files_search_var($1)
	files_search_pids($1)
	# delete only; no read, write or create
	delete_files_pattern($1, pam_var_console_t, pam_var_console_t)
')
1332 | ||
########################################
## <summary>
##	Read all directories on the filesystem, except
##	the shadow passwords and listed exceptions.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <param name="exception_types" optional="true">
##	<summary>
##	The types to be excluded.  Each type or attribute
##	must be negated by the caller.
##	</summary>
## </param>
#
interface(`auth_read_all_dirs_except_shadow',`
	gen_require(`
		type shadow_t;
	')

	# $2 is appended verbatim, so the caller supplies its own "-type" negations;
	# shadow_t is always excluded regardless of what $2 contains.
	# This is a very broad grant -- use it only for domains that genuinely
	# need filesystem-wide directory read access.
	files_read_all_dirs_except($1, $2 -shadow_t)
')
1357 | ||
########################################
## <summary>
##	Read all files on the filesystem, except
##	the shadow passwords and listed exceptions.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <param name="exception_types" optional="true">
##	<summary>
##	The types to be excluded.  Each type or attribute
##	must be negated by the caller.
##	</summary>
## </param>
## <rolecap/>
#
interface(`auth_read_all_files_except_shadow',`
	gen_require(`
		type shadow_t;
	')

	# $2 is appended verbatim (caller-negated); shadow_t is always excluded.
	# Filesystem-wide file read is a large grant; prefer a narrower interface
	# whenever the caller's needs can be enumerated.
	files_read_all_files_except($1, $2 -shadow_t)
')
1383 | ||
########################################
## <summary>
##	Read all symbolic links on the filesystem, except
##	the shadow passwords and listed exceptions.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <param name="exception_types" optional="true">
##	<summary>
##	The types to be excluded.  Each type or attribute
##	must be negated by the caller.
##	</summary>
## </param>
#
interface(`auth_read_all_symlinks_except_shadow',`
	gen_require(`
		type shadow_t;
	')

	# $2 is appended verbatim (caller-negated); shadow_t is always excluded
	files_read_all_symlinks_except($1, $2 -shadow_t)
')
1408 | ||
########################################
## <summary>
##	Relabel all files on the filesystem, except
##	the shadow passwords and listed exceptions.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <param name="exception_types" optional="true">
##	<summary>
##	The types to be excluded.  Each type or attribute
##	must be negated by the caller.
##	</summary>
## </param>
#

interface(`auth_relabel_all_files_except_shadow',`
	gen_require(`
		type shadow_t;
	')

	# $2 is appended verbatim (caller-negated); shadow_t is always excluded.
	# Relabel is a privileged operation: a domain that can relabel files can
	# change which policy rules apply to them, so keep callers to a minimum.
	# NOTE(review): whether relabelto shadow_t is also blocked is enforced
	# elsewhere (see the can_relabelto_shadow_passwords attribute used by
	# auth_unconfined), not by this interface -- confirm before relying on it
	files_relabel_all_files($1, $2 -shadow_t)
')
1434 | ||
########################################
## <summary>
##	Read and write all files on the filesystem, except
##	the shadow passwords and listed exceptions.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <param name="exception_types" optional="true">
##	<summary>
##	The types to be excluded.  Each type or attribute
##	must be negated by the caller.
##	</summary>
## </param>
#

interface(`auth_rw_all_files_except_shadow',`
	gen_require(`
		type shadow_t;
	')

	# $2 is appended verbatim (caller-negated); shadow_t is always excluded.
	# Filesystem-wide write access is close to unconfined for file data;
	# reserve this for domains whose write targets cannot be enumerated.
	files_rw_all_files($1, $2 -shadow_t)
')
1460 | ||
########################################
## <summary>
##	Manage all files on the filesystem, except
##	the shadow passwords and listed exceptions.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <param name="exception_types" optional="true">
##	<summary>
##	The types to be excluded.  Each type or attribute
##	must be negated by the caller.
##	</summary>
## </param>
#

interface(`auth_manage_all_files_except_shadow',`
	gen_require(`
		type shadow_t;
	')

	# $2 is appended verbatim (caller-negated); shadow_t is always excluded.
	# Manage (create/read/write/delete) on every file type is the broadest
	# grant in this family; it should be limited to administrative domains.
	files_manage_all_files($1, $2 -shadow_t)
')
1486 | ||
########################################
## <summary>
##	Execute utempter programs in the utempter domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
#
interface(`auth_domtrans_utempter',`
	gen_require(`
		type utempter_t, utempter_exec_t;
	')

	# execute utempter_exec_t and switch into utempter_t
	domtrans_pattern($1, utempter_exec_t, utempter_t)
')
1504 | ||
########################################
## <summary>
##	Execute utempter programs in the utempter domain,
##	and allow the specified role the utempter domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
## <param name="role">
##	<summary>
##	The role to allow the utempter domain.
##	</summary>
## </param>
#
interface(`auth_run_utempter',`
	gen_require(`
		type utempter_t;
	')

	auth_domtrans_utempter($1)
	# the role must be authorized for utempter_t or the transition is refused
	role $2 types utempter_t;
')
1528 | ||
########################################
## <summary>
##	Do not audit attempts to execute the utempter executable.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
interface(`auth_dontaudit_exec_utempter',`
	gen_require(`
		type utempter_exec_t;
	')

	# silences both plain execute and execute_no_trans denials; nothing is allowed
	dontaudit $1 utempter_exec_t:file { execute execute_no_trans };
')
1546 | ||
########################################
## <summary>
##	Set the attributes of login record files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`auth_setattr_login_records',`
	gen_require(`
		type wtmp_t;
	')

	# setattr only (ownership/mode/timestamps); no read or write of the records
	allow $1 wtmp_t:file setattr;
	logging_search_logs($1)
')
1565 | ||
########################################
## <summary>
##	Relabel login record files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`auth_relabel_login_records',`
	gen_require(`
		type wtmp_t;
	')

	# NOTE(review): the other wtmp_t interfaces pair their rule with
	# logging_search_logs($1); this one does not -- confirm callers can
	# already search the log directory
	allow $1 wtmp_t:file relabel_file_perms;
')
1583 | ||
1584 | ||
########################################
## <summary>
##	Read login records files (/var/log/wtmp).
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <rolecap/>
#
interface(`auth_read_login_records',`
	gen_require(`
		type wtmp_t;
	')

	logging_search_logs($1)
	# read-only; no write, append or lock
	allow $1 wtmp_t:file read_file_perms;
')
1604 | ||
########################################
## <summary>
##	Do not audit attempts to read login records
##	files (/var/log/wtmp).
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
## <rolecap/>
#
interface(`auth_dontaudit_read_login_records',`
	gen_require(`
		type wtmp_t;
	')

	# silences the whole read_file_perms set; nothing is allowed
	dontaudit $1 wtmp_t:file read_file_perms;
')
1624 | ||
########################################
## <summary>
##	Do not audit attempts to write to
##	login records files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
interface(`auth_dontaudit_write_login_records',`
	gen_require(`
		type wtmp_t;
	')

	# only the bare write permission is silenced (not append, lock or open)
	dontaudit $1 wtmp_t:file write;
')
1643 | ||
########################################
## <summary>
##	Append to login records (wtmp).
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`auth_append_login_records',`
	gen_require(`
		type wtmp_t;
	')

	# append-only: records can be added but existing entries cannot be read,
	# overwritten or truncated through this interface
	allow $1 wtmp_t:file append_file_perms;
	logging_search_logs($1)
')
1662 | ||
########################################
## <summary>
##	Write to login records (wtmp).
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`auth_write_login_records',`
	gen_require(`
		type wtmp_t;
	')

	# write (not just append) plus lock; unlike auth_append_login_records this
	# allows existing entries to be overwritten.
	# NOTE(review): no logging_search_logs($1) here, unlike the append/rw
	# siblings -- confirm callers can already reach the log directory
	allow $1 wtmp_t:file { write_file_perms lock };
')
1680 | ||
########################################
## <summary>
##	Read and write login records.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`auth_rw_login_records',`
	gen_require(`
		type wtmp_t;
	')

	# rw_file_perms only; lock is not included here although
	# auth_write_login_records grants it -- presumably intentional
	allow $1 wtmp_t:file rw_file_perms;
	logging_search_logs($1)
')
1699 | ||
########################################
## <summary>
##	Create login records in the log directory
##	using a type transition.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`auth_log_filetrans_login_records',`
	gen_require(`
		type wtmp_t;
	')

	# files created by $1 in the log directory are labeled wtmp_t
	# (object class restricted to file)
	logging_log_filetrans($1, wtmp_t, file)
')
1718 | ||
########################################
## <summary>
##	Create, read, write, and delete login
##	records files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`auth_manage_login_records',`
	gen_require(`
		type wtmp_t;
	')

	# creating/deleting entries requires write access to the log directory,
	# so this is wider than the search-only access the other wtmp_t interfaces use
	logging_rw_generic_log_dirs($1)
	allow $1 wtmp_t:file manage_file_perms;
')
8b0bbdda | 1738 | |
########################################
## <summary>
##	Use nsswitch to look up user, password, group, or
##	host information.
## </summary>
## <desc>
##	<p>
##	Allow the specified domain to look up user, password,
##	group, or host information using the name service.
##	The most common use of this interface is for services
##	that do host name resolution (usually DNS resolution).
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <infoflow type="both" weight="10"/>
#
interface(`auth_use_nsswitch',`
	gen_require(`
		attribute nsswitch_domain;
	')

	# the actual access rules are attached to the nsswitch_domain attribute
	# elsewhere in the policy; this interface only adds $1 to that attribute,
	# so the set of permissions granted is not visible here
	typeattribute $1 nsswitch_domain;
')
1766 | ||
########################################
## <summary>
##	Unconfined access to the authlogin module.
## </summary>
## <desc>
##	<p>
##	Unconfined access to the authlogin module.
##	</p>
##	<p>
##	Currently, this only allows assertions for
##	the shadow passwords file (/etc/shadow) to
##	be passed.  No access is granted yet.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`auth_unconfined',`
	gen_require(`
		attribute can_read_shadow_passwords;
		attribute can_write_shadow_passwords;
		attribute can_relabelto_shadow_passwords;
	')

	# No allow rules here: membership in these attributes only exempts $1
	# from the module's neverallow assertions on shadow_t.  Any actual
	# read/write/relabel access to shadow_t must still be granted separately,
	# and adding a domain here removes a policy-level safety check on the
	# password database -- keep the caller set minimal.
	typeattribute $1 can_read_shadow_passwords;
	typeattribute $1 can_write_shadow_passwords;
	typeattribute $1 can_relabelto_shadow_passwords;
')