e181fe05 | 1 | |
########################################
#
# authlogin: shared authentication / login policy.
#
# Declares the three shadow-password marker attributes, the helper
# domains used during authentication (chkpwd_t, pam_t, pam_console_t,
# updpwd_t, utempter_t) and the log / state file types they touch, then
# gives each domain its local policy in its own section below.
#
# Reference-policy conventions: interface calls (foo_bar(domain)) expand
# to allow/dontaudit rules defined in other modules; optional_policy()
# blocks only apply when the named module is part of the build.
#
policy_module(authlogin, 2.2.0)

########################################
#
# Declarations
#

# Marker attributes. The neverallow rules on shadow_t below make
# membership in these attributes the only way any type in the whole
# policy can obtain the corresponding access to shadow_t.
attribute can_read_shadow_passwords;
attribute can_write_shadow_passwords;
attribute can_relabelto_shadow_passwords;

type auth_cache_t;
logging_log_file(auth_cache_t)

# chkpwd_t is the only type declared in this file with a shadow attribute;
# that is what permits the shadow_t read rule in its section below.
type chkpwd_t, can_read_shadow_passwords;
type chkpwd_exec_t;
typealias chkpwd_t alias { user_chkpwd_t staff_chkpwd_t sysadm_chkpwd_t };
typealias chkpwd_t alias { auditadm_chkpwd_t secadm_chkpwd_t };
application_domain(chkpwd_t, chkpwd_exec_t)
role system_r types chkpwd_t;

type faillog_t;
logging_log_file(faillog_t)

type lastlog_t;
logging_log_file(lastlog_t)

type login_exec_t;
application_executable_file(login_exec_t)

type pam_console_t;
type pam_console_exec_t;
init_system_domain(pam_console_t, pam_console_exec_t)
role system_r types pam_console_t;

type pam_t;
domain_type(pam_t)
role system_r types pam_t;

type pam_exec_t;
domain_entry_file(pam_t, pam_exec_t)

type pam_tmp_t;
files_tmp_file(pam_tmp_t)

type pam_var_console_t;
files_type(pam_var_console_t)

type pam_var_run_t;
files_pid_file(pam_var_run_t)

# Compile-time assertions: ~attr matches every type that does NOT carry
# the attribute, so any allow rule anywhere in the policy granting these
# permissions to such a type makes the policy build fail.
# NOTE(review): the write assertion covers only { create write }; a rule
# granting append, unlink, rename or setattr on shadow_t:file to an
# unprivileged type would not be caught here — confirm that is intended.
type shadow_t;
files_security_file(shadow_t)
neverallow ~can_read_shadow_passwords shadow_t:file read;
neverallow ~can_write_shadow_passwords shadow_t:file { create write };
neverallow ~can_relabelto_shadow_passwords shadow_t:file relabelto;

# updpwd_t is declared without a shadow attribute; its shadow_t write
# access comes from auth_manage_shadow() in its section below, which must
# therefore supply can_write_shadow_passwords (or the neverallow above
# would reject the module) — defined in the auth interface, confirm there.
type updpwd_t;
type updpwd_exec_t;
domain_type(updpwd_t)
domain_entry_file(updpwd_t, updpwd_exec_t)
# presumably exempts updpwd_t from the constraint on changing an object's
# user/role identity — see the domain module interface to confirm
domain_obj_id_change_exemption(updpwd_t)
role system_r types updpwd_t;

type utempter_t;
type utempter_exec_t;
application_domain(utempter_t, utempter_exec_t)

#
# var_auth_t is the type of /var/lib/auth, usually
# used for auth data in pam_able
#
type var_auth_t;
files_type(var_auth_t)

type wtmp_t;
logging_log_file(wtmp_t)

########################################
#
# Check password local policy
#

# dac_override: bypass discretionary permission checks — presumably so
# the helper can open the root-owned shadow file; confirm against the
# helper's actual privilege model.
allow chkpwd_t self:capability { dac_override setuid };
dontaudit chkpwd_t self:capability sys_tty_config;
allow chkpwd_t self:process getattr;

# Read-only access to shadow_t; allowed past the neverallow in the
# declarations because chkpwd_t carries can_read_shadow_passwords.
allow chkpwd_t shadow_t:file read_file_perms;
files_list_etc(chkpwd_t)

# is_selinux_enabled
kernel_read_system_state(chkpwd_t)

domain_dontaudit_use_interactive_fds(chkpwd_t)

dev_read_rand(chkpwd_t)
dev_read_urand(chkpwd_t)

files_read_etc_files(chkpwd_t)
# for nscd
files_dontaudit_search_var(chkpwd_t)

fs_dontaudit_getattr_xattr_fs(chkpwd_t)

term_dontaudit_use_console(chkpwd_t)
term_dontaudit_use_unallocated_ttys(chkpwd_t)
term_dontaudit_use_generic_ptys(chkpwd_t)
term_dontaudit_use_all_ptys(chkpwd_t)

auth_use_nsswitch(chkpwd_t)

logging_send_audit_msgs(chkpwd_t)
logging_send_syslog_msg(chkpwd_t)

miscfiles_read_localization(chkpwd_t)

seutil_read_config(chkpwd_t)
seutil_dontaudit_use_newrole_fds(chkpwd_t)

userdom_use_user_terminals(chkpwd_t)

# On distro_ubuntu builds this domain is made unconfined, which sets
# aside the confinement expressed by the rules in this section. The
# neverallow rules on shadow_t still bind every type, so unconfined_domain()
# cannot widen shadow_t access beyond what the attributes permit. The same
# pattern is repeated for pam_t, pam_console_t, updpwd_t and utempter_t.
ifdef(`distro_ubuntu',`
	optional_policy(`
		unconfined_domain(chkpwd_t)
	')
')

optional_policy(`
	# apache leaks file descriptors
	apache_dontaudit_rw_tcp_sockets(chkpwd_t)
')

optional_policy(`
	kerberos_use(chkpwd_t)
')

optional_policy(`
	nis_authenticate(chkpwd_t)
')

########################################
#
# PAM local policy
#

# Every process permission except the listed ones: no ptrace, no
# changing its own security context (setcurrent/setexec/setfscreate),
# no rlimit changes, no executable anonymous memory/stack/heap.
allow pam_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
dontaudit pam_t self:capability sys_tty_config;

allow pam_t self:fd use;
allow pam_t self:fifo_file rw_file_perms;
allow pam_t self:unix_dgram_socket create_socket_perms;
allow pam_t self:unix_stream_socket rw_stream_socket_perms;
allow pam_t self:unix_dgram_socket sendto;
allow pam_t self:unix_stream_socket connectto;
allow pam_t self:shm create_shm_perms;
allow pam_t self:sem create_sem_perms;
allow pam_t self:msgq create_msgq_perms;
allow pam_t self:msg { send receive };

# pid-file handling: read and delete only, no create/write granted here
delete_files_pattern(pam_t, pam_var_run_t, pam_var_run_t)
read_files_pattern(pam_t, pam_var_run_t, pam_var_run_t)
files_list_pids(pam_t)

# private temp files; new files/dirs created in tmp get pam_tmp_t
allow pam_t pam_tmp_t:dir manage_dir_perms;
allow pam_t pam_tmp_t:file manage_file_perms;
files_tmp_filetrans(pam_t, pam_tmp_t, { file dir })

auth_use_nsswitch(pam_t)

kernel_read_system_state(pam_t)

files_read_etc_files(pam_t)

fs_search_auto_mountpoints(pam_t)

miscfiles_read_localization(pam_t)

term_use_all_ttys(pam_t)
term_use_all_ptys(pam_t)

init_dontaudit_rw_utmp(pam_t)

logging_send_syslog_msg(pam_t)

# distro_ubuntu: unconfined, see the note in the chkpwd section
ifdef(`distro_ubuntu',`
	optional_policy(`
		unconfined_domain(pam_t)
	')
')

optional_policy(`
	locallogin_use_fds(pam_t)
')

########################################
#
# PAM console local policy
#

# chown/fowner/fsetid go with the dev_setattr_* and storage_setattr_*
# rules below: this domain changes ownership/attributes of device nodes.
allow pam_console_t self:capability { chown fowner fsetid };
dontaudit pam_console_t self:capability sys_tty_config;

allow pam_console_t self:process { sigchld sigkill sigstop signull signal };

# for /var/run/console.lock checking
read_files_pattern(pam_console_t, pam_var_console_t, pam_var_console_t)
read_lnk_files_pattern(pam_console_t, pam_var_console_t, pam_var_console_t)
dontaudit pam_console_t pam_var_console_t:file write;

kernel_read_kernel_sysctls(pam_console_t)
kernel_use_fds(pam_console_t)
# Read /proc/meminfo
kernel_read_system_state(pam_console_t)

# Device classes whose attributes pam_console may inspect and change
# (getattr/setattr pairs). Each setattr is a write to a device node's
# metadata, so keep this list to devices the console user must own.
dev_read_sysfs(pam_console_t)
dev_getattr_apm_bios_dev(pam_console_t)
dev_setattr_apm_bios_dev(pam_console_t)
dev_getattr_dri_dev(pam_console_t)
dev_setattr_dri_dev(pam_console_t)
dev_getattr_input_dev(pam_console_t)
dev_setattr_input_dev(pam_console_t)
dev_getattr_framebuffer_dev(pam_console_t)
dev_setattr_framebuffer_dev(pam_console_t)
dev_getattr_generic_usb_dev(pam_console_t)
dev_setattr_generic_usb_dev(pam_console_t)
dev_getattr_misc_dev(pam_console_t)
dev_setattr_misc_dev(pam_console_t)
dev_getattr_mouse_dev(pam_console_t)
dev_setattr_mouse_dev(pam_console_t)
dev_getattr_power_mgmt_dev(pam_console_t)
dev_setattr_power_mgmt_dev(pam_console_t)
dev_getattr_printer_dev(pam_console_t)
dev_setattr_printer_dev(pam_console_t)
dev_getattr_scanner_dev(pam_console_t)
dev_setattr_scanner_dev(pam_console_t)
dev_getattr_sound_dev(pam_console_t)
dev_setattr_sound_dev(pam_console_t)
dev_getattr_video_dev(pam_console_t)
dev_setattr_video_dev(pam_console_t)
dev_getattr_xserver_misc_dev(pam_console_t)
dev_setattr_xserver_misc_dev(pam_console_t)
dev_read_urand(pam_console_t)

files_read_etc_files(pam_console_t)
files_search_pids(pam_console_t)
files_list_mnt(pam_console_t)
files_dontaudit_search_isid_type_dirs(pam_console_t)
# read /etc/mtab
files_read_etc_runtime_files(pam_console_t)

fs_list_auto_mountpoints(pam_console_t)
fs_list_noxattr_fs(pam_console_t)
fs_getattr_all_fs(pam_console_t)

# MLS override (per the interface names): file read and write at every
# sensitivity level — a notable privilege on MLS builds; confirm against
# the mls module that this is limited to what device handling needs.
mls_file_read_all_levels(pam_console_t)
mls_file_write_all_levels(pam_console_t)

# same getattr/setattr pattern for fixed, removable and SCSI-generic disks
storage_getattr_fixed_disk_dev(pam_console_t)
storage_setattr_fixed_disk_dev(pam_console_t)
storage_getattr_removable_dev(pam_console_t)
storage_setattr_removable_dev(pam_console_t)
storage_getattr_scsi_generic_dev(pam_console_t)
storage_setattr_scsi_generic_dev(pam_console_t)

term_use_console(pam_console_t)
term_use_all_ttys(pam_console_t)
term_use_all_ptys(pam_console_t)
term_setattr_console(pam_console_t)
term_getattr_unallocated_ttys(pam_console_t)
term_setattr_unallocated_ttys(pam_console_t)
term_use_unallocated_ttys(pam_console_t)

auth_use_nsswitch(pam_console_t)

domain_use_interactive_fds(pam_console_t)

init_use_fds(pam_console_t)
init_use_script_ptys(pam_console_t)

logging_send_syslog_msg(pam_console_t)

miscfiles_read_localization(pam_console_t)
miscfiles_read_certs(pam_console_t)

seutil_read_file_contexts(pam_console_t)

userdom_dontaudit_use_unpriv_user_fds(pam_console_t)

# distro_ubuntu: unconfined, see the note in the chkpwd section
ifdef(`distro_ubuntu',`
	optional_policy(`
		unconfined_domain(pam_console_t)
	')
')

optional_policy(`
	gpm_getattr_gpmctl(pam_console_t)
	gpm_setattr_gpmctl(pam_console_t)
')

optional_policy(`
	hotplug_use_fds(pam_console_t)
	hotplug_dontaudit_search_config(pam_console_t)
')

optional_policy(`
	seutil_sigchld_newrole(pam_console_t)
')

optional_policy(`
	udev_read_db(pam_console_t)
')

optional_policy(`
	xserver_read_xdm_pid(pam_console_t)
	xserver_dontaudit_write_log(pam_console_t)
')

########################################
#
# updpwd local policy
#

# chown + dac_override: this domain rewrites files it may not own by DAC
allow updpwd_t self:capability { chown dac_override };
# setfscreate: chooses the label of files it creates (see the
# domain_obj_id_change_exemption in the declarations)
allow updpwd_t self:process setfscreate;
allow updpwd_t self:fifo_file rw_fifo_file_perms;
allow updpwd_t self:unix_stream_socket create_stream_socket_perms;
allow updpwd_t self:unix_dgram_socket create_socket_perms;

kernel_read_system_state(updpwd_t)

dev_read_urand(updpwd_t)

# Full management of etc files, not just read: this is the widest file
# access any domain in this module gets outside of shadow_t itself.
files_manage_etc_files(updpwd_t)

term_dontaudit_use_console(updpwd_t)
term_dontaudit_use_unallocated_ttys(updpwd_t)

# shadow_t write path; the interface must carry can_write_shadow_passwords
# for the neverallow in the declarations to accept this module
auth_manage_shadow(updpwd_t)
auth_use_nsswitch(updpwd_t)

logging_send_syslog_msg(updpwd_t)

miscfiles_read_localization(updpwd_t)

userdom_use_user_terminals(updpwd_t)

# distro_ubuntu: unconfined, see the note in the chkpwd section
ifdef(`distro_ubuntu',`
	optional_policy(`
		unconfined_domain(updpwd_t)
	')
')

########################################
#
# Utempter local policy
#

allow utempter_t self:capability setgid;
allow utempter_t self:unix_stream_socket create_stream_socket_perms;

# direct read/write on wtmp_t; utmp access comes via init_rw_utmp() below
allow utempter_t wtmp_t:file rw_file_perms;

dev_read_urand(utempter_t)

files_read_etc_files(utempter_t)

# only getattr on ttys/ptys is allowed; use is silently denied
term_getattr_all_ttys(utempter_t)
term_getattr_all_ptys(utempter_t)
term_dontaudit_use_all_ttys(utempter_t)
term_dontaudit_use_all_ptys(utempter_t)
term_dontaudit_use_ptmx(utempter_t)

init_rw_utmp(utempter_t)

domain_use_interactive_fds(utempter_t)

logging_search_logs(utempter_t)

userdom_use_user_terminals(utempter_t)
# Allow utempter to write to /tmp/.xses-*
userdom_write_user_tmp_files(utempter_t)

# distro_ubuntu: unconfined, see the note in the chkpwd section
ifdef(`distro_ubuntu',`
	optional_policy(`
		unconfined_domain(utempter_t)
	')
')

optional_policy(`
	nscd_socket_use(utempter_t)
')

optional_policy(`
	xserver_use_xdm_fds(utempter_t)
	xserver_rw_xdm_pipes(utempter_t)
')