[people/stevee/selinux-policy.git] / policy / modules / system / authlogin.te


policy_module(authlogin, 2.2.0)

########################################
#
# Declarations
#

attribute can_read_shadow_passwords;
attribute can_write_shadow_passwords;
attribute can_relabelto_shadow_passwords;

type auth_cache_t;
logging_log_file(auth_cache_t)

type chkpwd_t, can_read_shadow_passwords;
type chkpwd_exec_t;
typealias chkpwd_t alias { user_chkpwd_t staff_chkpwd_t sysadm_chkpwd_t };
typealias chkpwd_t alias { auditadm_chkpwd_t secadm_chkpwd_t };
application_domain(chkpwd_t, chkpwd_exec_t)
role system_r types chkpwd_t;

type faillog_t;
logging_log_file(faillog_t)

type lastlog_t;
logging_log_file(lastlog_t)

type login_exec_t;
application_executable_file(login_exec_t)

type pam_console_t;
type pam_console_exec_t;
init_system_domain(pam_console_t, pam_console_exec_t)
role system_r types pam_console_t;

type pam_t;
domain_type(pam_t)
role system_r types pam_t;

type pam_exec_t;
domain_entry_file(pam_t, pam_exec_t)

type pam_tmp_t;
files_tmp_file(pam_tmp_t)

type pam_var_console_t;
files_type(pam_var_console_t)

type pam_var_run_t;
files_pid_file(pam_var_run_t)

type shadow_t;
files_security_file(shadow_t)
neverallow ~can_read_shadow_passwords shadow_t:file read;
neverallow ~can_write_shadow_passwords shadow_t:file { create write };
neverallow ~can_relabelto_shadow_passwords shadow_t:file relabelto;

type updpwd_t;
type updpwd_exec_t;
domain_type(updpwd_t)
domain_entry_file(updpwd_t, updpwd_exec_t)
domain_obj_id_change_exemption(updpwd_t)
role system_r types updpwd_t;

type utempter_t;
type utempter_exec_t;
application_domain(utempter_t, utempter_exec_t)

#
# var_auth_t is the type of /var/lib/auth, usually
# used for auth data in pam_able
#
type var_auth_t;
files_type(var_auth_t)

type wtmp_t;
logging_log_file(wtmp_t)

########################################
#
# Check password local policy
#

allow chkpwd_t self:capability { dac_override setuid };
dontaudit chkpwd_t self:capability sys_tty_config;
allow chkpwd_t self:process getattr;

allow chkpwd_t shadow_t:file read_file_perms;
files_list_etc(chkpwd_t)

# is_selinux_enabled
kernel_read_system_state(chkpwd_t)

domain_dontaudit_use_interactive_fds(chkpwd_t)

dev_read_rand(chkpwd_t)
dev_read_urand(chkpwd_t)

files_read_etc_files(chkpwd_t)
# for nscd
files_dontaudit_search_var(chkpwd_t)

fs_dontaudit_getattr_xattr_fs(chkpwd_t)

term_dontaudit_use_console(chkpwd_t)
term_dontaudit_use_unallocated_ttys(chkpwd_t)
term_dontaudit_use_generic_ptys(chkpwd_t)
term_dontaudit_use_all_ptys(chkpwd_t)

auth_use_nsswitch(chkpwd_t)

logging_send_audit_msgs(chkpwd_t)
logging_send_syslog_msg(chkpwd_t)

miscfiles_read_localization(chkpwd_t)

seutil_read_config(chkpwd_t)
seutil_dontaudit_use_newrole_fds(chkpwd_t)

userdom_use_user_terminals(chkpwd_t)

ifdef(`distro_ubuntu',`
	optional_policy(`
		unconfined_domain(chkpwd_t)
	')
')

optional_policy(`
	# apache leaks file descriptors
	apache_dontaudit_rw_tcp_sockets(chkpwd_t)
')

optional_policy(`
	kerberos_use(chkpwd_t)
')

optional_policy(`
	nis_authenticate(chkpwd_t)
')

########################################
#
# PAM local policy
#

allow pam_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
dontaudit pam_t self:capability sys_tty_config;

allow pam_t self:fd use;
allow pam_t self:fifo_file rw_file_perms;
allow pam_t self:unix_dgram_socket create_socket_perms; 
allow pam_t self:unix_stream_socket rw_stream_socket_perms;
allow pam_t self:unix_dgram_socket sendto;
allow pam_t self:unix_stream_socket connectto;
allow pam_t self:shm create_shm_perms;
allow pam_t self:sem create_sem_perms;
allow pam_t self:msgq create_msgq_perms;
allow pam_t self:msg { send receive };

delete_files_pattern(pam_t, pam_var_run_t, pam_var_run_t)
read_files_pattern(pam_t, pam_var_run_t, pam_var_run_t)
files_list_pids(pam_t)

allow pam_t pam_tmp_t:dir manage_dir_perms;
allow pam_t pam_tmp_t:file manage_file_perms;
files_tmp_filetrans(pam_t, pam_tmp_t, { file dir })

auth_use_nsswitch(pam_t)

kernel_read_system_state(pam_t)

files_read_etc_files(pam_t)

fs_search_auto_mountpoints(pam_t)

miscfiles_read_localization(pam_t)

term_use_all_ttys(pam_t)
term_use_all_ptys(pam_t)

init_dontaudit_rw_utmp(pam_t)

logging_send_syslog_msg(pam_t)

ifdef(`distro_ubuntu',`
	optional_policy(`
		unconfined_domain(pam_t)
	')
')

optional_policy(`
	locallogin_use_fds(pam_t)
')

########################################
#
# PAM console local policy
#

allow pam_console_t self:capability { chown fowner fsetid };
dontaudit pam_console_t self:capability sys_tty_config;

allow pam_console_t self:process { sigchld sigkill sigstop signull signal };

# for /var/run/console.lock checking
read_files_pattern(pam_console_t, pam_var_console_t, pam_var_console_t)
read_lnk_files_pattern(pam_console_t, pam_var_console_t, pam_var_console_t)
dontaudit pam_console_t pam_var_console_t:file write;

kernel_read_kernel_sysctls(pam_console_t)
kernel_use_fds(pam_console_t)
# Read /proc/meminfo
kernel_read_system_state(pam_console_t)

dev_read_sysfs(pam_console_t)
dev_getattr_apm_bios_dev(pam_console_t)
dev_setattr_apm_bios_dev(pam_console_t)
dev_getattr_dri_dev(pam_console_t)
dev_setattr_dri_dev(pam_console_t)
dev_getattr_input_dev(pam_console_t)
dev_setattr_input_dev(pam_console_t)
dev_getattr_framebuffer_dev(pam_console_t)
dev_setattr_framebuffer_dev(pam_console_t)
dev_getattr_generic_usb_dev(pam_console_t)
dev_setattr_generic_usb_dev(pam_console_t)
dev_getattr_misc_dev(pam_console_t)
dev_setattr_misc_dev(pam_console_t)
dev_getattr_mouse_dev(pam_console_t)
dev_setattr_mouse_dev(pam_console_t)
dev_getattr_power_mgmt_dev(pam_console_t)
dev_setattr_power_mgmt_dev(pam_console_t)
dev_getattr_printer_dev(pam_console_t)
dev_setattr_printer_dev(pam_console_t)
dev_getattr_scanner_dev(pam_console_t)
dev_setattr_scanner_dev(pam_console_t)
dev_getattr_sound_dev(pam_console_t)
dev_setattr_sound_dev(pam_console_t)
dev_getattr_video_dev(pam_console_t)
dev_setattr_video_dev(pam_console_t)
dev_getattr_xserver_misc_dev(pam_console_t)
dev_setattr_xserver_misc_dev(pam_console_t)
dev_read_urand(pam_console_t)

files_read_etc_files(pam_console_t)
files_search_pids(pam_console_t)
files_list_mnt(pam_console_t)
files_dontaudit_search_isid_type_dirs(pam_console_t)
# read /etc/mtab
files_read_etc_runtime_files(pam_console_t)

fs_list_auto_mountpoints(pam_console_t)
fs_list_noxattr_fs(pam_console_t)
fs_getattr_all_fs(pam_console_t)

mls_file_read_all_levels(pam_console_t)
mls_file_write_all_levels(pam_console_t)

storage_getattr_fixed_disk_dev(pam_console_t)
storage_setattr_fixed_disk_dev(pam_console_t)
storage_getattr_removable_dev(pam_console_t)
storage_setattr_removable_dev(pam_console_t)
storage_getattr_scsi_generic_dev(pam_console_t)
storage_setattr_scsi_generic_dev(pam_console_t)

term_use_console(pam_console_t)
term_use_all_ttys(pam_console_t)
term_use_all_ptys(pam_console_t)
term_setattr_console(pam_console_t)
term_getattr_unallocated_ttys(pam_console_t)
term_setattr_unallocated_ttys(pam_console_t)
term_use_unallocated_ttys(pam_console_t)

auth_use_nsswitch(pam_console_t)

domain_use_interactive_fds(pam_console_t)

init_use_fds(pam_console_t)
init_use_script_ptys(pam_console_t)

logging_send_syslog_msg(pam_console_t)

miscfiles_read_localization(pam_console_t)
miscfiles_read_certs(pam_console_t)

seutil_read_file_contexts(pam_console_t)

userdom_dontaudit_use_unpriv_user_fds(pam_console_t)

ifdef(`distro_ubuntu',`
	optional_policy(`
		unconfined_domain(pam_console_t)
	')
')

optional_policy(`
	gpm_getattr_gpmctl(pam_console_t)
	gpm_setattr_gpmctl(pam_console_t)
')

optional_policy(`
	hotplug_use_fds(pam_console_t)
	hotplug_dontaudit_search_config(pam_console_t)
')

optional_policy(`
	seutil_sigchld_newrole(pam_console_t)
')

optional_policy(`
	udev_read_db(pam_console_t)
')

optional_policy(`
	xserver_read_xdm_pid(pam_console_t)
	xserver_dontaudit_write_log(pam_console_t)
')

########################################
#
# updpwd local policy
#

allow updpwd_t self:capability { chown dac_override };
allow updpwd_t self:process setfscreate;
allow updpwd_t self:fifo_file rw_fifo_file_perms;
allow updpwd_t self:unix_stream_socket create_stream_socket_perms;
allow updpwd_t self:unix_dgram_socket create_socket_perms;

kernel_read_system_state(updpwd_t)

dev_read_urand(updpwd_t)

files_manage_etc_files(updpwd_t)

term_dontaudit_use_console(updpwd_t)
term_dontaudit_use_unallocated_ttys(updpwd_t)

auth_manage_shadow(updpwd_t)
auth_use_nsswitch(updpwd_t)

logging_send_syslog_msg(updpwd_t)

miscfiles_read_localization(updpwd_t)

userdom_use_user_terminals(updpwd_t)

ifdef(`distro_ubuntu',`
	optional_policy(`
		unconfined_domain(updpwd_t)
	')
')

########################################
#
# Utempter local policy
#

allow utempter_t self:capability setgid;
allow utempter_t self:unix_stream_socket create_stream_socket_perms;

allow utempter_t wtmp_t:file rw_file_perms;

dev_read_urand(utempter_t)

files_read_etc_files(utempter_t)

term_getattr_all_ttys(utempter_t)
term_getattr_all_ptys(utempter_t)
term_dontaudit_use_all_ttys(utempter_t)
term_dontaudit_use_all_ptys(utempter_t)
term_dontaudit_use_ptmx(utempter_t)

init_rw_utmp(utempter_t)

domain_use_interactive_fds(utempter_t)

logging_search_logs(utempter_t)

userdom_use_user_terminals(utempter_t)
# Allow utemper to write to /tmp/.xses-*
userdom_write_user_tmp_files(utempter_t)

ifdef(`distro_ubuntu',`
	optional_policy(`
		unconfined_domain(utempter_t)
	')
')

optional_policy(`
	nscd_socket_use(utempter_t)
')

optional_policy(`
	xserver_use_xdm_fds(utempter_t)
	xserver_rw_xdm_pipes(utempter_t)
')
Commit	Line	Data
e181fe05	1
29af4c13	2	policy_module(authlogin, 2.2.0)
960373dd	3
3ba13bbf CP	4	########################################
	5	#
	6	# Declarations
	7	#
7bba9d31 CP	8
	9	attribute can_read_shadow_passwords;
	10	attribute can_write_shadow_passwords;
	11	attribute can_relabelto_shadow_passwords;
	12
30425aa8 CP	13	type auth_cache_t;
	14	logging_log_file(auth_cache_t)
	15
296273a7	16	type chkpwd_t, can_read_shadow_passwords;
3ba13bbf	17	type chkpwd_exec_t;
296273a7 CP	18	typealias chkpwd_t alias { user_chkpwd_t staff_chkpwd_t sysadm_chkpwd_t };
	19	typealias chkpwd_t alias { auditadm_chkpwd_t secadm_chkpwd_t };
	20	application_domain(chkpwd_t, chkpwd_exec_t)
	21	role system_r types chkpwd_t;
3ba13bbf CP	22
3ba13bbf CP	23	type faillog_t;
c9428d33	24	logging_log_file(faillog_t)
3ba13bbf	25
b4cd1533	26	type lastlog_t;
c9428d33	27	logging_log_file(lastlog_t)
b4cd1533	28
e070dd2d	29	type login_exec_t;
d46cfe45	30	application_executable_file(login_exec_t)
3ba13bbf	31
f0574fa9	32	type pam_console_t;
07d6e32f	33	type pam_console_exec_t;
3f67f722	34	init_system_domain(pam_console_t, pam_console_exec_t)
75a10baf CP	35	role system_r types pam_console_t;
75a10baf CP	36
493d6c4a	37	type pam_t;
c9428d33	38	domain_type(pam_t)
3ce6cb4a	39	role system_r types pam_t;
3ba13bbf	40
07d6e32f	41	type pam_exec_t;
3f67f722	42	domain_entry_file(pam_t, pam_exec_t)
07d6e32f	43
3ba13bbf	44	type pam_tmp_t;
c9428d33	45	files_tmp_file(pam_tmp_t)
3ba13bbf	46
493d6c4a	47	type pam_var_console_t;
8fd36732	48	files_type(pam_var_console_t)
3ba13bbf CP	49
3ba13bbf CP	50	type pam_var_run_t;
c9428d33	51	files_pid_file(pam_var_run_t)
3ba13bbf CP	52
3ba13bbf CP	53	type shadow_t;
6f11d6b8	54	files_security_file(shadow_t)
3ba13bbf	55	neverallow ~can_read_shadow_passwords shadow_t:file read;
a1f94a34 CP	56	neverallow ~can_write_shadow_passwords shadow_t:file { create write };
a1f94a34 CP	57	neverallow ~can_relabelto_shadow_passwords shadow_t:file relabelto;
3ba13bbf	58
7d4161cd CP	59	type updpwd_t;
	60	type updpwd_exec_t;
	61	domain_type(updpwd_t)
3f67f722	62	domain_entry_file(updpwd_t, updpwd_exec_t)
df28a0c4	63	domain_obj_id_change_exemption(updpwd_t)
7d4161cd CP	64	role system_r types updpwd_t;
7d4161cd CP	65
493d6c4a	66	type utempter_t;
3ba13bbf	67	type utempter_exec_t;
3f67f722	68	application_domain(utempter_t, utempter_exec_t)
3ba13bbf	69
7b062eac CP	70	#
	71	# var_auth_t is the type of /var/lib/auth, usually
	72	# used for auth data in pam_able
	73	#
	74	type var_auth_t;
	75	files_type(var_auth_t)
	76
b4cd1533	77	type wtmp_t;
c9428d33	78	logging_log_file(wtmp_t)
3ba13bbf	79
296273a7 CP	80	########################################
	81	#
	82	# Check password local policy
	83	#
	84
	85	allow chkpwd_t self:capability { dac_override setuid };
	86	dontaudit chkpwd_t self:capability sys_tty_config;
	87	allow chkpwd_t self:process getattr;
	88
	89	allow chkpwd_t shadow_t:file read_file_perms;
	90	files_list_etc(chkpwd_t)
	91
	92	# is_selinux_enabled
	93	kernel_read_system_state(chkpwd_t)
	94
	95	domain_dontaudit_use_interactive_fds(chkpwd_t)
	96
	97	dev_read_rand(chkpwd_t)
	98	dev_read_urand(chkpwd_t)
	99
	100	files_read_etc_files(chkpwd_t)
	101	# for nscd
	102	files_dontaudit_search_var(chkpwd_t)
	103
	104	fs_dontaudit_getattr_xattr_fs(chkpwd_t)
	105
153ed875	106	term_dontaudit_use_console(chkpwd_t)
296273a7 CP	107	term_dontaudit_use_unallocated_ttys(chkpwd_t)
296273a7 CP	108	term_dontaudit_use_generic_ptys(chkpwd_t)
153ed875	109	term_dontaudit_use_all_ptys(chkpwd_t)
296273a7 CP	110
	111	auth_use_nsswitch(chkpwd_t)
	112
	113	logging_send_audit_msgs(chkpwd_t)
	114	logging_send_syslog_msg(chkpwd_t)
	115
	116	miscfiles_read_localization(chkpwd_t)
	117
	118	seutil_read_config(chkpwd_t)
	119	seutil_dontaudit_use_newrole_fds(chkpwd_t)
	120
	121	userdom_use_user_terminals(chkpwd_t)
	122
	123	ifdef(`distro_ubuntu',`
	124	optional_policy(`
	125	unconfined_domain(chkpwd_t)
	126	')
	127	')
	128
153ed875 CP	129	optional_policy(`
	130	# apache leaks file descriptors
	131	apache_dontaudit_rw_tcp_sockets(chkpwd_t)
	132	')
	133
296273a7 CP	134	optional_policy(`
	135	kerberos_use(chkpwd_t)
	136	')
5b4ff3a1	137
153ed875 CP	138	optional_policy(`
	139	nis_authenticate(chkpwd_t)
	140	')
	141
3ba13bbf CP	142	########################################
3ba13bbf CP	143	#
3ce6cb4a	144	# PAM local policy
3ba13bbf	145	#
3ce6cb4a	146
9d3bdc25	147	allow pam_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
3ce6cb4a CP	148	dontaudit pam_t self:capability sys_tty_config;
	149
	150	allow pam_t self:fd use;
dd822947 CP	151	allow pam_t self:fifo_file rw_file_perms;
	152	allow pam_t self:unix_dgram_socket create_socket_perms;
	153	allow pam_t self:unix_stream_socket rw_stream_socket_perms;
3ce6cb4a CP	154	allow pam_t self:unix_dgram_socket sendto;
3ce6cb4a CP	155	allow pam_t self:unix_stream_socket connectto;
dd822947 CP	156	allow pam_t self:shm create_shm_perms;
	157	allow pam_t self:sem create_sem_perms;
	158	allow pam_t self:msgq create_msgq_perms;
3ce6cb4a CP	159	allow pam_t self:msg { send receive };
3ce6cb4a CP	160
3f67f722 CP	161	delete_files_pattern(pam_t, pam_var_run_t, pam_var_run_t)
3f67f722 CP	162	read_files_pattern(pam_t, pam_var_run_t, pam_var_run_t)
ba1a545f	163	files_list_pids(pam_t)
3ce6cb4a	164
ba1a545f CP	165	allow pam_t pam_tmp_t:dir manage_dir_perms;
ba1a545f CP	166	allow pam_t pam_tmp_t:file manage_file_perms;
103fe280	167	files_tmp_filetrans(pam_t, pam_tmp_t, { file dir })
3ce6cb4a	168
7d4161cd CP	169	auth_use_nsswitch(pam_t)
7d4161cd CP	170
3ce6cb4a CP	171	kernel_read_system_state(pam_t)
3ce6cb4a CP	172
2acba7bb CP	173	files_read_etc_files(pam_t)
2acba7bb CP	174
ab940a4c CP	175	fs_search_auto_mountpoints(pam_t)
ab940a4c CP	176
7d4161cd CP	177	miscfiles_read_localization(pam_t)
7d4161cd CP	178
c3c753f7 CP	179	term_use_all_ttys(pam_t)
c3c753f7 CP	180	term_use_all_ptys(pam_t)
3ce6cb4a	181
68228b33	182	init_dontaudit_rw_utmp(pam_t)
3ce6cb4a	183
c9428d33	184	logging_send_syslog_msg(pam_t)
3ce6cb4a	185
12cf805e CP	186	ifdef(`distro_ubuntu',`
	187	optional_policy(`
	188	unconfined_domain(pam_t)
	189	')
	190	')
	191
bb7170f6	192	optional_policy(`
1c1ac67f	193	locallogin_use_fds(pam_t)
3ce6cb4a CP	194	')
3ce6cb4a CP	195
75a10baf CP	196	########################################
	197	#
	198	# PAM console local policy
	199	#
	200
	201	allow pam_console_t self:capability { chown fowner fsetid };
	202	dontaudit pam_console_t self:capability sys_tty_config;
	203
	204	allow pam_console_t self:process { sigchld sigkill sigstop signull signal };
	205
	206	# for /var/run/console.lock checking
3f67f722 CP	207	read_files_pattern(pam_console_t, pam_var_console_t, pam_var_console_t)
3f67f722 CP	208	read_lnk_files_pattern(pam_console_t, pam_var_console_t, pam_var_console_t)
77f6e2cd	209	dontaudit pam_console_t pam_var_console_t:file write;
75a10baf	210
445522dc	211	kernel_read_kernel_sysctls(pam_console_t)
1c1ac67f	212	kernel_use_fds(pam_console_t)
0907bda1 CP	213	# Read /proc/meminfo
0907bda1 CP	214	kernel_read_system_state(pam_console_t)
75a10baf	215
d35c621e	216	dev_read_sysfs(pam_console_t)
207c4763 CP	217	dev_getattr_apm_bios_dev(pam_console_t)
207c4763 CP	218	dev_setattr_apm_bios_dev(pam_console_t)
02bcb8b3 CP	219	dev_getattr_dri_dev(pam_console_t)
02bcb8b3 CP	220	dev_setattr_dri_dev(pam_console_t)
7d4161cd CP	221	dev_getattr_input_dev(pam_console_t)
7d4161cd CP	222	dev_setattr_input_dev(pam_console_t)
207c4763 CP	223	dev_getattr_framebuffer_dev(pam_console_t)
207c4763 CP	224	dev_setattr_framebuffer_dev(pam_console_t)
72492557 CP	225	dev_getattr_generic_usb_dev(pam_console_t)
72492557 CP	226	dev_setattr_generic_usb_dev(pam_console_t)
207c4763 CP	227	dev_getattr_misc_dev(pam_console_t)
	228	dev_setattr_misc_dev(pam_console_t)
	229	dev_getattr_mouse_dev(pam_console_t)
	230	dev_setattr_mouse_dev(pam_console_t)
	231	dev_getattr_power_mgmt_dev(pam_console_t)
	232	dev_setattr_power_mgmt_dev(pam_console_t)
7d4161cd CP	233	dev_getattr_printer_dev(pam_console_t)
7d4161cd CP	234	dev_setattr_printer_dev(pam_console_t)
207c4763 CP	235	dev_getattr_scanner_dev(pam_console_t)
	236	dev_setattr_scanner_dev(pam_console_t)
	237	dev_getattr_sound_dev(pam_console_t)
	238	dev_setattr_sound_dev(pam_console_t)
7a2f20a3 CP	239	dev_getattr_video_dev(pam_console_t)
7a2f20a3 CP	240	dev_setattr_video_dev(pam_console_t)
cf6a7d89 CP	241	dev_getattr_xserver_misc_dev(pam_console_t)
cf6a7d89 CP	242	dev_setattr_xserver_misc_dev(pam_console_t)
85a0f967	243	dev_read_urand(pam_console_t)
d35c621e	244
2acba7bb CP	245	files_read_etc_files(pam_console_t)
	246	files_search_pids(pam_console_t)
	247	files_list_mnt(pam_console_t)
	248	files_dontaudit_search_isid_type_dirs(pam_console_t)
	249	# read /etc/mtab
	250	files_read_etc_runtime_files(pam_console_t)
	251
	252	fs_list_auto_mountpoints(pam_console_t)
	253	fs_list_noxattr_fs(pam_console_t)
	254	fs_getattr_all_fs(pam_console_t)
	255
f8233ab7 CP	256	mls_file_read_all_levels(pam_console_t)
f8233ab7 CP	257	mls_file_write_all_levels(pam_console_t)
85a0f967	258
1815bad1 CP	259	storage_getattr_fixed_disk_dev(pam_console_t)
	260	storage_setattr_fixed_disk_dev(pam_console_t)
	261	storage_getattr_removable_dev(pam_console_t)
	262	storage_setattr_removable_dev(pam_console_t)
	263	storage_getattr_scsi_generic_dev(pam_console_t)
	264	storage_setattr_scsi_generic_dev(pam_console_t)
75a10baf	265
0fd9dc55	266	term_use_console(pam_console_t)
c3c753f7 CP	267	term_use_all_ttys(pam_console_t)
c3c753f7 CP	268	term_use_all_ptys(pam_console_t)
0907bda1	269	term_setattr_console(pam_console_t)
0fd9dc55 CP	270	term_getattr_unallocated_ttys(pam_console_t)
0fd9dc55 CP	271	term_setattr_unallocated_ttys(pam_console_t)
46551033	272	term_use_unallocated_ttys(pam_console_t)
75a10baf	273
77f6e2cd CP	274	auth_use_nsswitch(pam_console_t)
77f6e2cd CP	275
15722ec9	276	domain_use_interactive_fds(pam_console_t)
75a10baf	277
1c1ac67f	278	init_use_fds(pam_console_t)
1815bad1	279	init_use_script_ptys(pam_console_t)
d35c621e	280
c9428d33	281	logging_send_syslog_msg(pam_console_t)
75a10baf	282
85a0f967	283	miscfiles_read_localization(pam_console_t)
a5e2133b	284	miscfiles_read_certs(pam_console_t)
f0574fa9	285
5e0da6a0	286	seutil_read_file_contexts(pam_console_t)
75a10baf	287
15722ec9	288	userdom_dontaudit_use_unpriv_user_fds(pam_console_t)
dc771ff4	289
12cf805e CP	290	ifdef(`distro_ubuntu',`
	291	optional_policy(`
	292	unconfined_domain(pam_console_t)
	293	')
	294	')
	295
bb7170f6	296	optional_policy(`
f862c35c CP	297	gpm_getattr_gpmctl(pam_console_t)
	298	gpm_setattr_gpmctl(pam_console_t)
	299	')
	300
bb7170f6	301	optional_policy(`
1c1ac67f	302	hotplug_use_fds(pam_console_t)
c9428d33	303	hotplug_dontaudit_search_config(pam_console_t)
1e5c2a41 CP	304	')
1e5c2a41 CP	305
bb7170f6	306	optional_policy(`
8fd36732	307	seutil_sigchld_newrole(pam_console_t)
75a10baf CP	308	')
75a10baf CP	309
bb7170f6	310	optional_policy(`
c9428d33	311	udev_read_db(pam_console_t)
75a10baf CP	312	')
75a10baf CP	313
3b914745 CP	314	optional_policy(`
3b914745 CP	315	xserver_read_xdm_pid(pam_console_t)
7d4161cd	316	xserver_dontaudit_write_log(pam_console_t)
75a10baf	317	')
75a10baf	318
7d4161cd CP	319	########################################
	320	#
	321	# updpwd local policy
	322	#
	323
df28a0c4	324	allow updpwd_t self:capability { chown dac_override };
7d4161cd	325	allow updpwd_t self:process setfscreate;
0b36a214	326	allow updpwd_t self:fifo_file rw_fifo_file_perms;
7d4161cd CP	327	allow updpwd_t self:unix_stream_socket create_stream_socket_perms;
	328	allow updpwd_t self:unix_dgram_socket create_socket_perms;
	329
	330	kernel_read_system_state(updpwd_t)
	331
df28a0c4 CP	332	dev_read_urand(updpwd_t)
df28a0c4 CP	333
7d4161cd CP	334	files_manage_etc_files(updpwd_t)
7d4161cd CP	335
7d4161cd CP	336	term_dontaudit_use_console(updpwd_t)
	337	term_dontaudit_use_unallocated_ttys(updpwd_t)
	338
	339	auth_manage_shadow(updpwd_t)
	340	auth_use_nsswitch(updpwd_t)
	341
7d4161cd CP	342	logging_send_syslog_msg(updpwd_t)
	343
	344	miscfiles_read_localization(updpwd_t)
	345
296273a7 CP	346	userdom_use_user_terminals(updpwd_t)
296273a7 CP	347
12cf805e CP	348	ifdef(`distro_ubuntu',`
	349	optional_policy(`
	350	unconfined_domain(updpwd_t)
	351	')
	352	')
	353
3ce6cb4a CP	354	########################################
	355	#
	356	# Utempter local policy
	357	#
	358
	359	allow utempter_t self:capability setgid;
0fd9dc55	360	allow utempter_t self:unix_stream_socket create_stream_socket_perms;
3ce6cb4a	361
dd822947	362	allow utempter_t wtmp_t:file rw_file_perms;
3ce6cb4a	363
77f6e2cd CP	364	dev_read_urand(utempter_t)
77f6e2cd CP	365
2acba7bb CP	366	files_read_etc_files(utempter_t)
2acba7bb CP	367
c3c753f7 CP	368	term_getattr_all_ttys(utempter_t)
	369	term_getattr_all_ptys(utempter_t)
	370	term_dontaudit_use_all_ttys(utempter_t)
	371	term_dontaudit_use_all_ptys(utempter_t)
0fd9dc55	372	term_dontaudit_use_ptmx(utempter_t)
3ce6cb4a	373
68228b33	374	init_rw_utmp(utempter_t)
3ce6cb4a	375
15722ec9	376	domain_use_interactive_fds(utempter_t)
3ce6cb4a	377
c9428d33	378	logging_search_logs(utempter_t)
3ce6cb4a	379
296273a7	380	userdom_use_user_terminals(utempter_t)
3ce6cb4a	381	# Allow utemper to write to /tmp/.xses-*
296273a7	382	userdom_write_user_tmp_files(utempter_t)
3ce6cb4a	383
12cf805e CP	384	ifdef(`distro_ubuntu',`
	385	optional_policy(`
	386	unconfined_domain(utempter_t)
	387	')
	388	')
	389
bb7170f6	390	optional_policy(`
1815bad1	391	nscd_socket_use(utempter_t)
493d6c4a CP	392	')
493d6c4a CP	393
bb7170f6	394	optional_policy(`
1f6524ae CP	395	xserver_use_xdm_fds(utempter_t)
1f6524ae CP	396	xserver_rw_xdm_pipes(utempter_t)
3ce6cb4a	397	')