[people/stevee/selinux-policy.git] / policy / modules / system / authlogin.te

policy_module(authlogin, 2.2.1)

########################################
#
# Declarations
#

## <desc>
## <p>
## Allow users to login using a radius server
## </p>
## </desc>
gen_tunable(authlogin_radius, false)

## <desc>
## <p>
## Allow users to login using a sssd server
## </p>
## </desc>
gen_tunable(authlogin_nsswitch_use_ldap, false)

attribute can_read_shadow_passwords;
attribute can_write_shadow_passwords;
attribute can_relabelto_shadow_passwords;
attribute polydomain;
attribute nsswitch_domain;<

type auth_cache_t;
logging_log_file(auth_cache_t)

type auth_home_t;
userdom_user_home_content(auth_home_t)

type chkpwd_t, can_read_shadow_passwords;
type chkpwd_exec_t;
typealias chkpwd_t alias { user_chkpwd_t staff_chkpwd_t sysadm_chkpwd_t };
typealias chkpwd_t alias { auditadm_chkpwd_t secadm_chkpwd_t system_chkpwd_t };
application_domain(chkpwd_t, chkpwd_exec_t)
role system_r types chkpwd_t;

type faillog_t;
logging_log_file(faillog_t)
mls_trusted_object(faillog_t)

type lastlog_t;
logging_log_file(lastlog_t)

type login_exec_t;
application_executable_file(login_exec_t)

type pam_console_t;
type pam_console_exec_t;
init_system_domain(pam_console_t, pam_console_exec_t)
role system_r types pam_console_t;

type pam_t;
domain_type(pam_t)
role system_r types pam_t;

type pam_exec_t;
domain_entry_file(pam_t, pam_exec_t)

type pam_tmp_t;
files_tmp_file(pam_tmp_t)

type pam_var_console_t;
files_pid_file(pam_var_console_t)

type pam_var_run_t;
files_pid_file(pam_var_run_t)

type shadow_t;
files_security_file(shadow_t)
neverallow ~can_read_shadow_passwords shadow_t:file read;
neverallow ~can_write_shadow_passwords shadow_t:file { create write };
neverallow ~can_relabelto_shadow_passwords shadow_t:file relabelto;

type passwd_file_t;
files_type(passwd_file_t)

type updpwd_t;
type updpwd_exec_t;
domain_type(updpwd_t)
domain_entry_file(updpwd_t, updpwd_exec_t)
domain_obj_id_change_exemption(updpwd_t)
role system_r types updpwd_t;

type utempter_t;
type utempter_exec_t;
application_domain(utempter_t, utempter_exec_t)

#
# var_auth_t is the type of /var/lib/auth, usually
# used for auth data in pam_able
#
type var_auth_t;
files_type(var_auth_t)

type wtmp_t;
logging_log_file(wtmp_t)

########################################
#
# Check password local policy
#

allow chkpwd_t self:capability { dac_override setuid };
dontaudit chkpwd_t self:capability sys_tty_config;
allow chkpwd_t self:process { getattr signal };

allow chkpwd_t shadow_t:file read_file_perms;
files_list_etc(chkpwd_t)

kernel_read_crypto_sysctls(chkpwd_t)
# is_selinux_enabled
kernel_read_system_state(chkpwd_t)

domain_dontaudit_use_interactive_fds(chkpwd_t)

dev_read_rand(chkpwd_t)
dev_read_urand(chkpwd_t)

files_read_etc_files(chkpwd_t)
# for nscd
files_dontaudit_search_var(chkpwd_t)
files_read_usr_symlinks(chkpwd_t)
files_list_tmp(chkpwd_t)

fs_dontaudit_getattr_xattr_fs(chkpwd_t)

term_dontaudit_use_console(chkpwd_t)
term_dontaudit_use_unallocated_ttys(chkpwd_t)
term_dontaudit_use_generic_ptys(chkpwd_t)
term_dontaudit_use_all_ptys(chkpwd_t)

auth_use_nsswitch(chkpwd_t)

logging_send_audit_msgs(chkpwd_t)
logging_send_syslog_msg(chkpwd_t)

miscfiles_read_localization(chkpwd_t)

seutil_read_config(chkpwd_t)
seutil_dontaudit_use_newrole_fds(chkpwd_t)

userdom_dontaudit_use_user_ttys(chkpwd_t)

ifdef(`distro_ubuntu',`
	optional_policy(`
		unconfined_domain(chkpwd_t)
	')
')

optional_policy(`
	# apache leaks file descriptors
	apache_dontaudit_rw_tcp_sockets(chkpwd_t)
')

optional_policy(`
	kerberos_use(chkpwd_t)
')

optional_policy(`
	nis_authenticate(chkpwd_t)
')

########################################
#
# PAM local policy
#

allow pam_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
dontaudit pam_t self:capability sys_tty_config;

allow pam_t self:fd use;
allow pam_t self:fifo_file rw_file_perms;
allow pam_t self:unix_dgram_socket create_socket_perms;
allow pam_t self:unix_stream_socket rw_stream_socket_perms;
allow pam_t self:unix_dgram_socket sendto;
allow pam_t self:unix_stream_socket connectto;
allow pam_t self:shm create_shm_perms;
allow pam_t self:sem create_sem_perms;
allow pam_t self:msgq create_msgq_perms;
allow pam_t self:msg { send receive };

delete_files_pattern(pam_t, pam_var_run_t, pam_var_run_t)
read_files_pattern(pam_t, pam_var_run_t, pam_var_run_t)
files_list_pids(pam_t)

allow pam_t pam_tmp_t:dir manage_dir_perms;
allow pam_t pam_tmp_t:file manage_file_perms;
files_tmp_filetrans(pam_t, pam_tmp_t, { file dir })

auth_use_nsswitch(pam_t)

kernel_read_system_state(pam_t)

files_read_etc_files(pam_t)

fs_search_auto_mountpoints(pam_t)

miscfiles_read_localization(pam_t)

term_use_all_ttys(pam_t)
term_use_all_ptys(pam_t)

init_dontaudit_rw_utmp(pam_t)

logging_send_syslog_msg(pam_t)

ifdef(`distro_ubuntu',`
	optional_policy(`
		unconfined_domain(pam_t)
	')
')

optional_policy(`
	locallogin_use_fds(pam_t)
')

########################################
#
# PAM console local policy
#

allow pam_console_t self:capability { chown fowner fsetid };
dontaudit pam_console_t self:capability sys_tty_config;

allow pam_console_t self:process { sigchld sigkill sigstop signull signal };

# for /var/run/console.lock checking
read_files_pattern(pam_console_t, pam_var_console_t, pam_var_console_t)
read_lnk_files_pattern(pam_console_t, pam_var_console_t, pam_var_console_t)
dontaudit pam_console_t pam_var_console_t:file write;

kernel_read_kernel_sysctls(pam_console_t)
kernel_use_fds(pam_console_t)
# Read /proc/meminfo
kernel_read_system_state(pam_console_t)

dev_read_sysfs(pam_console_t)
dev_getattr_apm_bios_dev(pam_console_t)
dev_setattr_apm_bios_dev(pam_console_t)
dev_getattr_dri_dev(pam_console_t)
dev_setattr_dri_dev(pam_console_t)
dev_getattr_input_dev(pam_console_t)
dev_setattr_input_dev(pam_console_t)
dev_getattr_framebuffer_dev(pam_console_t)
dev_setattr_framebuffer_dev(pam_console_t)
dev_getattr_generic_usb_dev(pam_console_t)
dev_setattr_generic_usb_dev(pam_console_t)
dev_getattr_misc_dev(pam_console_t)
dev_setattr_misc_dev(pam_console_t)
dev_getattr_mouse_dev(pam_console_t)
dev_setattr_mouse_dev(pam_console_t)
dev_getattr_power_mgmt_dev(pam_console_t)
dev_setattr_power_mgmt_dev(pam_console_t)
dev_getattr_printer_dev(pam_console_t)
dev_setattr_printer_dev(pam_console_t)
dev_getattr_scanner_dev(pam_console_t)
dev_setattr_scanner_dev(pam_console_t)
dev_getattr_sound_dev(pam_console_t)
dev_setattr_sound_dev(pam_console_t)
dev_getattr_video_dev(pam_console_t)
dev_setattr_video_dev(pam_console_t)
dev_getattr_xserver_misc_dev(pam_console_t)
dev_setattr_xserver_misc_dev(pam_console_t)
dev_read_urand(pam_console_t)

files_read_etc_files(pam_console_t)
files_search_pids(pam_console_t)
files_list_mnt(pam_console_t)
files_dontaudit_search_isid_type_dirs(pam_console_t)
# read /etc/mtab
files_read_etc_runtime_files(pam_console_t)

fs_list_auto_mountpoints(pam_console_t)
fs_list_noxattr_fs(pam_console_t)
fs_getattr_all_fs(pam_console_t)

mls_file_read_all_levels(pam_console_t)
mls_file_write_all_levels(pam_console_t)

storage_getattr_fixed_disk_dev(pam_console_t)
storage_setattr_fixed_disk_dev(pam_console_t)
storage_getattr_removable_dev(pam_console_t)
storage_setattr_removable_dev(pam_console_t)
storage_getattr_scsi_generic_dev(pam_console_t)
storage_setattr_scsi_generic_dev(pam_console_t)

term_use_console(pam_console_t)
term_use_all_ttys(pam_console_t)
term_use_all_ptys(pam_console_t)
term_setattr_console(pam_console_t)
term_getattr_unallocated_ttys(pam_console_t)
term_setattr_unallocated_ttys(pam_console_t)
term_use_unallocated_ttys(pam_console_t)

auth_use_nsswitch(pam_console_t)

domain_use_interactive_fds(pam_console_t)

init_use_fds(pam_console_t)
init_use_script_ptys(pam_console_t)

logging_send_syslog_msg(pam_console_t)

miscfiles_read_localization(pam_console_t)
miscfiles_read_generic_certs(pam_console_t)

seutil_read_file_contexts(pam_console_t)

userdom_dontaudit_use_unpriv_user_fds(pam_console_t)

ifdef(`distro_ubuntu',`
	optional_policy(`
		unconfined_domain(pam_console_t)
	')
')

optional_policy(`
	gpm_getattr_gpmctl(pam_console_t)
	gpm_setattr_gpmctl(pam_console_t)
')

optional_policy(`
	hotplug_use_fds(pam_console_t)
	hotplug_dontaudit_search_config(pam_console_t)
')

optional_policy(`
	seutil_sigchld_newrole(pam_console_t)
')

optional_policy(`
	udev_read_db(pam_console_t)
')

optional_policy(`
	xserver_read_xdm_pid(pam_console_t)
	xserver_dontaudit_write_log(pam_console_t)
')

########################################
#
# updpwd local policy
#

allow updpwd_t self:capability { chown dac_override };
allow updpwd_t self:process setfscreate;
allow updpwd_t self:fifo_file rw_fifo_file_perms;
allow updpwd_t self:unix_stream_socket create_stream_socket_perms;
allow updpwd_t self:unix_dgram_socket create_socket_perms;

kernel_read_system_state(updpwd_t)

dev_read_urand(updpwd_t)

files_manage_etc_files(updpwd_t)
auth_manage_passwd(updpwd_t)

term_dontaudit_use_console(updpwd_t)
term_dontaudit_use_unallocated_ttys(updpwd_t)

auth_manage_shadow(updpwd_t)
auth_use_nsswitch(updpwd_t)

logging_send_syslog_msg(updpwd_t)

miscfiles_read_localization(updpwd_t)

userdom_use_inherited_user_terminals(updpwd_t)

ifdef(`distro_ubuntu',`
	optional_policy(`
		unconfined_domain(updpwd_t)
	')
')

########################################
#
# Utempter local policy
#

allow utempter_t self:capability setgid;
allow utempter_t self:unix_stream_socket create_stream_socket_perms;

allow utempter_t wtmp_t:file rw_file_perms;

dev_read_urand(utempter_t)

files_read_etc_files(utempter_t)

term_getattr_all_ttys(utempter_t)
term_getattr_all_ptys(utempter_t)
term_dontaudit_use_all_ttys(utempter_t)
term_dontaudit_use_all_ptys(utempter_t)
term_dontaudit_use_ptmx(utempter_t)

auth_use_nsswitch(utempter_t)

init_rw_utmp(utempter_t)

domain_use_interactive_fds(utempter_t)

logging_search_logs(utempter_t)

userdom_use_inherited_user_terminals(utempter_t)
# Allow utemper to write to /tmp/.xses-*
userdom_write_user_tmp_files(utempter_t)

ifdef(`distro_ubuntu',`
	optional_policy(`
		unconfined_domain(utempter_t)
	')
')

optional_policy(`
	xserver_use_xdm_fds(utempter_t)
	xserver_rw_xdm_pipes(utempter_t)
')

tunable_policy(`allow_polyinstantiation',`
	files_polyinstantiate_all(polydomain)
')

optional_policy(`
	tunable_policy(`allow_polyinstantiation',`
		namespace_init_domtrans(polydomain)
	')
')


auth_read_passwd(nsswitch_domain)

# read /etc/nsswitch.conf
files_read_etc_files(nsswitch_domain)

sysnet_dns_name_resolve(nsswitch_domain)

tunable_policy(`authlogin_nsswitch_use_ldap',`
	files_list_var_lib(nsswitch_domain)

	miscfiles_read_generic_certs(nsswitch_domain)
	sysnet_use_ldap(nsswitch_domain)
')

optional_policy(`
	tunable_policy(`authlogin_nsswitch_use_ldap',`
		dirsrv_stream_connect(nsswitch_domain)
	')
')

optional_policy(`
	tunable_policy(`authlogin_nsswitch_use_ldap',`
		ldap_stream_connect(nsswitch_domain)
	')
')

optional_policy(`
	likewise_stream_connect_lsassd(nsswitch_domain)
')

# can not wrap nis_use_ypbind or kerberos_use, but they both have booleans you can turn off.
optional_policy(`
	kerberos_use(nsswitch_domain)
')

optional_policy(`
	nis_use_ypbind(nsswitch_domain)
')

optional_policy(`
	nscd_use(nsswitch_domain)
')

optional_policy(`
	nslcd_stream_connect(nsswitch_domain)
')

optional_policy(`
	sssd_stream_connect(nsswitch_domain)
')

optional_policy(`
	samba_stream_connect_winbind(nsswitch_domain)
	samba_read_var_files(nsswitch_domain)
	samba_dontaudit_write_var_files(nsswitch_domain)
')
Commit	Line	Data
219e9a4f	1	policy_module(authlogin, 2.2.1)
960373dd	2
3ba13bbf CP	3	########################################
	4	#
	5	# Declarations
	6	#
7bba9d31	7
b82eab39 DW	8	## <desc>
	9	## <p>
	10	## Allow users to login using a radius server
	11	## </p>
	12	## </desc>
	13	gen_tunable(authlogin_radius, false)
	14
685dcdde DW	15	## <desc>
	16	## <p>
	17	## Allow users to login using a sssd server
	18	## </p>
	19	## </desc>
cafbe02a	20	gen_tunable(authlogin_nsswitch_use_ldap, false)
685dcdde	21
7bba9d31 CP	22	attribute can_read_shadow_passwords;
	23	attribute can_write_shadow_passwords;
	24	attribute can_relabelto_shadow_passwords;
3eaa9939	25	attribute polydomain;
11578593	26	attribute nsswitch_domain;<
7bba9d31	27
30425aa8 CP	28	type auth_cache_t;
	29	logging_log_file(auth_cache_t)
	30
11578593 DW	31	type auth_home_t;
	32	userdom_user_home_content(auth_home_t)
	33
296273a7	34	type chkpwd_t, can_read_shadow_passwords;
3ba13bbf	35	type chkpwd_exec_t;
296273a7	36	typealias chkpwd_t alias { user_chkpwd_t staff_chkpwd_t sysadm_chkpwd_t };
83e254b2	37	typealias chkpwd_t alias { auditadm_chkpwd_t secadm_chkpwd_t system_chkpwd_t };
296273a7 CP	38	application_domain(chkpwd_t, chkpwd_exec_t)
296273a7 CP	39	role system_r types chkpwd_t;
3ba13bbf CP	40
3ba13bbf CP	41	type faillog_t;
c9428d33	42	logging_log_file(faillog_t)
ae0426c7	43	mls_trusted_object(faillog_t)
3ba13bbf	44
b4cd1533	45	type lastlog_t;
c9428d33	46	logging_log_file(lastlog_t)
b4cd1533	47
e070dd2d	48	type login_exec_t;
d46cfe45	49	application_executable_file(login_exec_t)
3ba13bbf	50
f0574fa9	51	type pam_console_t;
07d6e32f	52	type pam_console_exec_t;
3f67f722	53	init_system_domain(pam_console_t, pam_console_exec_t)
75a10baf CP	54	role system_r types pam_console_t;
75a10baf CP	55
493d6c4a	56	type pam_t;
c9428d33	57	domain_type(pam_t)
3ce6cb4a	58	role system_r types pam_t;
3ba13bbf	59
07d6e32f	60	type pam_exec_t;
3f67f722	61	domain_entry_file(pam_t, pam_exec_t)
07d6e32f	62
3ba13bbf	63	type pam_tmp_t;
c9428d33	64	files_tmp_file(pam_tmp_t)
3ba13bbf	65
493d6c4a	66	type pam_var_console_t;
947d0c53	67	files_pid_file(pam_var_console_t)
3ba13bbf CP	68
3ba13bbf CP	69	type pam_var_run_t;
c9428d33	70	files_pid_file(pam_var_run_t)
3ba13bbf CP	71
3ba13bbf CP	72	type shadow_t;
6f11d6b8	73	files_security_file(shadow_t)
3ba13bbf	74	neverallow ~can_read_shadow_passwords shadow_t:file read;
a1f94a34 CP	75	neverallow ~can_write_shadow_passwords shadow_t:file { create write };
a1f94a34 CP	76	neverallow ~can_relabelto_shadow_passwords shadow_t:file relabelto;
3ba13bbf	77
9cb77bf5	78	type passwd_file_t;
	79	files_type(passwd_file_t)
	80
7d4161cd CP	81	type updpwd_t;
	82	type updpwd_exec_t;
	83	domain_type(updpwd_t)
3f67f722	84	domain_entry_file(updpwd_t, updpwd_exec_t)
df28a0c4	85	domain_obj_id_change_exemption(updpwd_t)
7d4161cd CP	86	role system_r types updpwd_t;
7d4161cd CP	87
493d6c4a	88	type utempter_t;
3ba13bbf	89	type utempter_exec_t;
3f67f722	90	application_domain(utempter_t, utempter_exec_t)
3ba13bbf	91
7b062eac CP	92	#
	93	# var_auth_t is the type of /var/lib/auth, usually
	94	# used for auth data in pam_able
	95	#
	96	type var_auth_t;
	97	files_type(var_auth_t)
	98
b4cd1533	99	type wtmp_t;
c9428d33	100	logging_log_file(wtmp_t)
3ba13bbf	101
296273a7 CP	102	########################################
	103	#
	104	# Check password local policy
	105	#
	106
	107	allow chkpwd_t self:capability { dac_override setuid };
	108	dontaudit chkpwd_t self:capability sys_tty_config;
3eaa9939	109	allow chkpwd_t self:process { getattr signal };
296273a7 CP	110
	111	allow chkpwd_t shadow_t:file read_file_perms;
	112	files_list_etc(chkpwd_t)
	113
baa87c93	114	kernel_read_crypto_sysctls(chkpwd_t)
296273a7 CP	115	# is_selinux_enabled
	116	kernel_read_system_state(chkpwd_t)
	117
	118	domain_dontaudit_use_interactive_fds(chkpwd_t)
	119
	120	dev_read_rand(chkpwd_t)
	121	dev_read_urand(chkpwd_t)
	122
	123	files_read_etc_files(chkpwd_t)
	124	# for nscd
	125	files_dontaudit_search_var(chkpwd_t)
30d41f14 DW	126	files_read_usr_symlinks(chkpwd_t)
30d41f14 DW	127	files_list_tmp(chkpwd_t)
296273a7 CP	128
	129	fs_dontaudit_getattr_xattr_fs(chkpwd_t)
	130
153ed875	131	term_dontaudit_use_console(chkpwd_t)
296273a7 CP	132	term_dontaudit_use_unallocated_ttys(chkpwd_t)
296273a7 CP	133	term_dontaudit_use_generic_ptys(chkpwd_t)
153ed875	134	term_dontaudit_use_all_ptys(chkpwd_t)
296273a7 CP	135
	136	auth_use_nsswitch(chkpwd_t)
	137
	138	logging_send_audit_msgs(chkpwd_t)
	139	logging_send_syslog_msg(chkpwd_t)
	140
	141	miscfiles_read_localization(chkpwd_t)
	142
	143	seutil_read_config(chkpwd_t)
	144	seutil_dontaudit_use_newrole_fds(chkpwd_t)
	145
6d51b2fc	146	userdom_dontaudit_use_user_ttys(chkpwd_t)
296273a7 CP	147
	148	ifdef(`distro_ubuntu',`
	149	optional_policy(`
	150	unconfined_domain(chkpwd_t)
	151	')
	152	')
	153
153ed875 CP	154	optional_policy(`
	155	# apache leaks file descriptors
	156	apache_dontaudit_rw_tcp_sockets(chkpwd_t)
	157	')
	158
296273a7 CP	159	optional_policy(`
	160	kerberos_use(chkpwd_t)
	161	')
5b4ff3a1	162
153ed875 CP	163	optional_policy(`
	164	nis_authenticate(chkpwd_t)
	165	')
	166
3ba13bbf CP	167	########################################
3ba13bbf CP	168	#
3ce6cb4a	169	# PAM local policy
3ba13bbf	170	#
3ce6cb4a	171
9d3bdc25	172	allow pam_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
3ce6cb4a CP	173	dontaudit pam_t self:capability sys_tty_config;
	174
	175	allow pam_t self:fd use;
dd822947	176	allow pam_t self:fifo_file rw_file_perms;
9262d3c9	177	allow pam_t self:unix_dgram_socket create_socket_perms;
dd822947	178	allow pam_t self:unix_stream_socket rw_stream_socket_perms;
3ce6cb4a CP	179	allow pam_t self:unix_dgram_socket sendto;
3ce6cb4a CP	180	allow pam_t self:unix_stream_socket connectto;
dd822947 CP	181	allow pam_t self:shm create_shm_perms;
	182	allow pam_t self:sem create_sem_perms;
	183	allow pam_t self:msgq create_msgq_perms;
3ce6cb4a CP	184	allow pam_t self:msg { send receive };
3ce6cb4a CP	185
3f67f722 CP	186	delete_files_pattern(pam_t, pam_var_run_t, pam_var_run_t)
3f67f722 CP	187	read_files_pattern(pam_t, pam_var_run_t, pam_var_run_t)
ba1a545f	188	files_list_pids(pam_t)
3ce6cb4a	189
ba1a545f CP	190	allow pam_t pam_tmp_t:dir manage_dir_perms;
ba1a545f CP	191	allow pam_t pam_tmp_t:file manage_file_perms;
103fe280	192	files_tmp_filetrans(pam_t, pam_tmp_t, { file dir })
3ce6cb4a	193
7d4161cd CP	194	auth_use_nsswitch(pam_t)
7d4161cd CP	195
3ce6cb4a CP	196	kernel_read_system_state(pam_t)
3ce6cb4a CP	197
2acba7bb CP	198	files_read_etc_files(pam_t)
2acba7bb CP	199
ab940a4c CP	200	fs_search_auto_mountpoints(pam_t)
ab940a4c CP	201
7d4161cd CP	202	miscfiles_read_localization(pam_t)
7d4161cd CP	203
c3c753f7 CP	204	term_use_all_ttys(pam_t)
c3c753f7 CP	205	term_use_all_ptys(pam_t)
3ce6cb4a	206
68228b33	207	init_dontaudit_rw_utmp(pam_t)
3ce6cb4a	208
c9428d33	209	logging_send_syslog_msg(pam_t)
3ce6cb4a	210
12cf805e CP	211	ifdef(`distro_ubuntu',`
	212	optional_policy(`
	213	unconfined_domain(pam_t)
	214	')
	215	')
	216
bb7170f6	217	optional_policy(`
1c1ac67f	218	locallogin_use_fds(pam_t)
3ce6cb4a CP	219	')
3ce6cb4a CP	220
75a10baf CP	221	########################################
	222	#
	223	# PAM console local policy
	224	#
	225
	226	allow pam_console_t self:capability { chown fowner fsetid };
	227	dontaudit pam_console_t self:capability sys_tty_config;
	228
	229	allow pam_console_t self:process { sigchld sigkill sigstop signull signal };
	230
	231	# for /var/run/console.lock checking
3f67f722 CP	232	read_files_pattern(pam_console_t, pam_var_console_t, pam_var_console_t)
3f67f722 CP	233	read_lnk_files_pattern(pam_console_t, pam_var_console_t, pam_var_console_t)
77f6e2cd	234	dontaudit pam_console_t pam_var_console_t:file write;
75a10baf	235
445522dc	236	kernel_read_kernel_sysctls(pam_console_t)
1c1ac67f	237	kernel_use_fds(pam_console_t)
0907bda1 CP	238	# Read /proc/meminfo
0907bda1 CP	239	kernel_read_system_state(pam_console_t)
75a10baf	240
d35c621e	241	dev_read_sysfs(pam_console_t)
207c4763 CP	242	dev_getattr_apm_bios_dev(pam_console_t)
207c4763 CP	243	dev_setattr_apm_bios_dev(pam_console_t)
02bcb8b3 CP	244	dev_getattr_dri_dev(pam_console_t)
02bcb8b3 CP	245	dev_setattr_dri_dev(pam_console_t)
7d4161cd CP	246	dev_getattr_input_dev(pam_console_t)
7d4161cd CP	247	dev_setattr_input_dev(pam_console_t)
207c4763 CP	248	dev_getattr_framebuffer_dev(pam_console_t)
207c4763 CP	249	dev_setattr_framebuffer_dev(pam_console_t)
72492557 CP	250	dev_getattr_generic_usb_dev(pam_console_t)
72492557 CP	251	dev_setattr_generic_usb_dev(pam_console_t)
207c4763 CP	252	dev_getattr_misc_dev(pam_console_t)
	253	dev_setattr_misc_dev(pam_console_t)
	254	dev_getattr_mouse_dev(pam_console_t)
	255	dev_setattr_mouse_dev(pam_console_t)
	256	dev_getattr_power_mgmt_dev(pam_console_t)
	257	dev_setattr_power_mgmt_dev(pam_console_t)
7d4161cd CP	258	dev_getattr_printer_dev(pam_console_t)
7d4161cd CP	259	dev_setattr_printer_dev(pam_console_t)
207c4763 CP	260	dev_getattr_scanner_dev(pam_console_t)
	261	dev_setattr_scanner_dev(pam_console_t)
	262	dev_getattr_sound_dev(pam_console_t)
	263	dev_setattr_sound_dev(pam_console_t)
7a2f20a3 CP	264	dev_getattr_video_dev(pam_console_t)
7a2f20a3 CP	265	dev_setattr_video_dev(pam_console_t)
cf6a7d89 CP	266	dev_getattr_xserver_misc_dev(pam_console_t)
cf6a7d89 CP	267	dev_setattr_xserver_misc_dev(pam_console_t)
85a0f967	268	dev_read_urand(pam_console_t)
d35c621e	269
2acba7bb CP	270	files_read_etc_files(pam_console_t)
	271	files_search_pids(pam_console_t)
	272	files_list_mnt(pam_console_t)
	273	files_dontaudit_search_isid_type_dirs(pam_console_t)
	274	# read /etc/mtab
	275	files_read_etc_runtime_files(pam_console_t)
	276
	277	fs_list_auto_mountpoints(pam_console_t)
	278	fs_list_noxattr_fs(pam_console_t)
	279	fs_getattr_all_fs(pam_console_t)
	280
f8233ab7 CP	281	mls_file_read_all_levels(pam_console_t)
f8233ab7 CP	282	mls_file_write_all_levels(pam_console_t)
85a0f967	283
1815bad1 CP	284	storage_getattr_fixed_disk_dev(pam_console_t)
	285	storage_setattr_fixed_disk_dev(pam_console_t)
	286	storage_getattr_removable_dev(pam_console_t)
	287	storage_setattr_removable_dev(pam_console_t)
	288	storage_getattr_scsi_generic_dev(pam_console_t)
	289	storage_setattr_scsi_generic_dev(pam_console_t)
75a10baf	290
0fd9dc55	291	term_use_console(pam_console_t)
c3c753f7 CP	292	term_use_all_ttys(pam_console_t)
c3c753f7 CP	293	term_use_all_ptys(pam_console_t)
0907bda1	294	term_setattr_console(pam_console_t)
0fd9dc55 CP	295	term_getattr_unallocated_ttys(pam_console_t)
0fd9dc55 CP	296	term_setattr_unallocated_ttys(pam_console_t)
46551033	297	term_use_unallocated_ttys(pam_console_t)
75a10baf	298
77f6e2cd CP	299	auth_use_nsswitch(pam_console_t)
77f6e2cd CP	300
15722ec9	301	domain_use_interactive_fds(pam_console_t)
75a10baf	302
1c1ac67f	303	init_use_fds(pam_console_t)
1815bad1	304	init_use_script_ptys(pam_console_t)
d35c621e	305
c9428d33	306	logging_send_syslog_msg(pam_console_t)
75a10baf	307
85a0f967	308	miscfiles_read_localization(pam_console_t)
83406219	309	miscfiles_read_generic_certs(pam_console_t)
f0574fa9	310
5e0da6a0	311	seutil_read_file_contexts(pam_console_t)
75a10baf	312
15722ec9	313	userdom_dontaudit_use_unpriv_user_fds(pam_console_t)
dc771ff4	314
12cf805e CP	315	ifdef(`distro_ubuntu',`
	316	optional_policy(`
	317	unconfined_domain(pam_console_t)
	318	')
	319	')
	320
bb7170f6	321	optional_policy(`
f862c35c CP	322	gpm_getattr_gpmctl(pam_console_t)
	323	gpm_setattr_gpmctl(pam_console_t)
	324	')
	325
bb7170f6	326	optional_policy(`
1c1ac67f	327	hotplug_use_fds(pam_console_t)
c9428d33	328	hotplug_dontaudit_search_config(pam_console_t)
1e5c2a41 CP	329	')
1e5c2a41 CP	330
bb7170f6	331	optional_policy(`
8fd36732	332	seutil_sigchld_newrole(pam_console_t)
75a10baf CP	333	')
75a10baf CP	334
bb7170f6	335	optional_policy(`
c9428d33	336	udev_read_db(pam_console_t)
75a10baf CP	337	')
75a10baf CP	338
3b914745 CP	339	optional_policy(`
3b914745 CP	340	xserver_read_xdm_pid(pam_console_t)
7d4161cd	341	xserver_dontaudit_write_log(pam_console_t)
75a10baf	342	')
75a10baf	343
7d4161cd CP	344	########################################
	345	#
	346	# updpwd local policy
	347	#
	348
df28a0c4	349	allow updpwd_t self:capability { chown dac_override };
7d4161cd	350	allow updpwd_t self:process setfscreate;
0b36a214	351	allow updpwd_t self:fifo_file rw_fifo_file_perms;
7d4161cd CP	352	allow updpwd_t self:unix_stream_socket create_stream_socket_perms;
	353	allow updpwd_t self:unix_dgram_socket create_socket_perms;
	354
	355	kernel_read_system_state(updpwd_t)
	356
df28a0c4 CP	357	dev_read_urand(updpwd_t)
df28a0c4 CP	358
7d4161cd	359	files_manage_etc_files(updpwd_t)
9cb77bf5	360	auth_manage_passwd(updpwd_t)
7d4161cd	361
7d4161cd CP	362	term_dontaudit_use_console(updpwd_t)
	363	term_dontaudit_use_unallocated_ttys(updpwd_t)
	364
	365	auth_manage_shadow(updpwd_t)
	366	auth_use_nsswitch(updpwd_t)
	367
7d4161cd CP	368	logging_send_syslog_msg(updpwd_t)
	369
	370	miscfiles_read_localization(updpwd_t)
	371
af2d8802	372	userdom_use_inherited_user_terminals(updpwd_t)
296273a7	373
12cf805e CP	374	ifdef(`distro_ubuntu',`
	375	optional_policy(`
	376	unconfined_domain(updpwd_t)
	377	')
	378	')
	379
3ce6cb4a CP	380	########################################
	381	#
	382	# Utempter local policy
	383	#
	384
	385	allow utempter_t self:capability setgid;
0fd9dc55	386	allow utempter_t self:unix_stream_socket create_stream_socket_perms;
3ce6cb4a	387
dd822947	388	allow utempter_t wtmp_t:file rw_file_perms;
3ce6cb4a	389
77f6e2cd CP	390	dev_read_urand(utempter_t)
77f6e2cd CP	391
2acba7bb CP	392	files_read_etc_files(utempter_t)
2acba7bb CP	393
c3c753f7 CP	394	term_getattr_all_ttys(utempter_t)
	395	term_getattr_all_ptys(utempter_t)
	396	term_dontaudit_use_all_ttys(utempter_t)
	397	term_dontaudit_use_all_ptys(utempter_t)
0fd9dc55	398	term_dontaudit_use_ptmx(utempter_t)
3ce6cb4a	399
8ee9e8d0 DW	400	auth_use_nsswitch(utempter_t)
8ee9e8d0 DW	401
68228b33	402	init_rw_utmp(utempter_t)
3ce6cb4a	403
15722ec9	404	domain_use_interactive_fds(utempter_t)
3ce6cb4a	405
c9428d33	406	logging_search_logs(utempter_t)
3ce6cb4a	407
af2d8802	408	userdom_use_inherited_user_terminals(utempter_t)
3ce6cb4a	409	# Allow utemper to write to /tmp/.xses-*
296273a7	410	userdom_write_user_tmp_files(utempter_t)
3ce6cb4a	411
12cf805e CP	412	ifdef(`distro_ubuntu',`
	413	optional_policy(`
	414	unconfined_domain(utempter_t)
	415	')
	416	')
	417
bb7170f6	418	optional_policy(`
1f6524ae CP	419	xserver_use_xdm_fds(utempter_t)
1f6524ae CP	420	xserver_rw_xdm_pipes(utempter_t)
3ce6cb4a	421	')
3eaa9939 DW	422
	423	tunable_policy(`allow_polyinstantiation',`
	424	files_polyinstantiate_all(polydomain)
1a49cc1d	425	')
bd1bea03	426
1a49cc1d	427	optional_policy(`
bd1bea03	428	tunable_policy(`allow_polyinstantiation',`
1a49cc1d	429	namespace_init_domtrans(polydomain)
bd1bea03	430	')
3eaa9939	431	')
ae68f77d	432
9cb77bf5	433
	434	auth_read_passwd(nsswitch_domain)
	435
ae68f77d DW	436	# read /etc/nsswitch.conf
	437	files_read_etc_files(nsswitch_domain)
	438
	439	sysnet_dns_name_resolve(nsswitch_domain)
	440
	441	tunable_policy(`authlogin_nsswitch_use_ldap',`
	442	files_list_var_lib(nsswitch_domain)
	443
	444	miscfiles_read_generic_certs(nsswitch_domain)
	445	sysnet_use_ldap(nsswitch_domain)
	446	')
	447
	448	optional_policy(`
	449	tunable_policy(`authlogin_nsswitch_use_ldap',`
	450	dirsrv_stream_connect(nsswitch_domain)
	451	')
	452	')
	453
	454	optional_policy(`
	455	tunable_policy(`authlogin_nsswitch_use_ldap',`
	456	ldap_stream_connect(nsswitch_domain)
	457	')
	458	')
	459
	460	optional_policy(`
	461	likewise_stream_connect_lsassd(nsswitch_domain)
	462	')
	463
	464	# can not wrap nis_use_ypbind or kerberos_use, but they both have booleans you can turn off.
	465	optional_policy(`
	466	kerberos_use(nsswitch_domain)
	467	')
	468
	469	optional_policy(`
	470	nis_use_ypbind(nsswitch_domain)
	471	')
	472
	473	optional_policy(`
	474	nscd_use(nsswitch_domain)
	475	')
	476
	477	optional_policy(`
	478	nslcd_stream_connect(nsswitch_domain)
	479	')
	480
	481	optional_policy(`
	482	sssd_stream_connect(nsswitch_domain)
	483	')
	484
	485	optional_policy(`
	486	samba_stream_connect_winbind(nsswitch_domain)
	487	samba_read_var_files(nsswitch_domain)
	488	samba_dontaudit_write_var_files(nsswitch_domain)
	489	')