e181fe05 | 1 | |
75beb950 | 2 | policy_module(authlogin,1.3.14) |
960373dd | 3 | |
3ba13bbf CP |
4 | ######################################## |
5 | # | |
6 | # Declarations | |
7 | # | |
7bba9d31 CP |
8 | |
9 | attribute can_read_shadow_passwords; | |
10 | attribute can_write_shadow_passwords; | |
11 | attribute can_relabelto_shadow_passwords; | |
12 | ||
3ba13bbf | 13 | type chkpwd_exec_t; |
8fd36732 | 14 | files_type(chkpwd_exec_t) |
3ba13bbf CP |
15 | |
16 | type faillog_t; | |
c9428d33 | 17 | logging_log_file(faillog_t) |
3ba13bbf | 18 | |
b4cd1533 | 19 | type lastlog_t; |
c9428d33 | 20 | logging_log_file(lastlog_t) |
b4cd1533 | 21 | |
77f6e2cd CP |
22 | # real declaration moved to mls until |
23 | # range_transition works in loadable modules | |
24 | gen_require(` | |
25 | type login_exec_t; | |
26 | ') | |
8fd36732 | 27 | files_type(login_exec_t) |
3ba13bbf | 28 | |
f0574fa9 | 29 | type pam_console_t; |
07d6e32f | 30 | type pam_console_exec_t; |
c9428d33 | 31 | init_system_domain(pam_console_t,pam_console_exec_t) |
75a10baf CP |
32 | role system_r types pam_console_t; |
33 | ||
493d6c4a | 34 | type pam_t; |
c9428d33 | 35 | domain_type(pam_t) |
3ce6cb4a | 36 | role system_r types pam_t; |
3ba13bbf | 37 | |
07d6e32f | 38 | type pam_exec_t; |
c9428d33 | 39 | domain_entry_file(pam_t,pam_exec_t) |
07d6e32f | 40 | |
3ba13bbf | 41 | type pam_tmp_t; |
c9428d33 | 42 | files_tmp_file(pam_tmp_t) |
3ba13bbf | 43 | |
493d6c4a | 44 | type pam_var_console_t; |
8fd36732 | 45 | files_type(pam_var_console_t) |
3ba13bbf CP |
46 | |
47 | type pam_var_run_t; | |
c9428d33 | 48 | files_pid_file(pam_var_run_t) |
3ba13bbf CP |
49 | |
50 | type shadow_t; | |
6f11d6b8 | 51 | files_security_file(shadow_t) |
3ba13bbf | 52 | neverallow ~can_read_shadow_passwords shadow_t:file read; |
a1f94a34 CP |
53 | neverallow ~can_write_shadow_passwords shadow_t:file { create write }; |
54 | neverallow ~can_relabelto_shadow_passwords shadow_t:file relabelto; | |
3ba13bbf | 55 | |
493d6c4a | 56 | type utempter_t; |
c9428d33 | 57 | domain_type(utempter_t) |
3ba13bbf CP |
58 | |
59 | type utempter_exec_t; | |
c9428d33 | 60 | domain_entry_file(utempter_t,utempter_exec_t) |
3ba13bbf | 61 | |
7b062eac CP |
62 | # |
63 | # var_auth_t is the type of /var/lib/auth, usually | |
64 | # used for auth data in pam_able | |
65 | # | |
66 | type var_auth_t; | |
67 | files_type(var_auth_t) | |
68 | ||
b4cd1533 | 69 | type wtmp_t; |
c9428d33 | 70 | logging_log_file(wtmp_t) |
3ba13bbf | 71 | |
5b4ff3a1 CP |
72 | # reorder to work around require-then-declare bug |
73 | authlogin_common_auth_domain_template(system) | |
74 | role system_r types system_chkpwd_t; | |
75 | ||
3ba13bbf CP |
76 | ######################################## |
77 | # | |
3ce6cb4a | 78 | # PAM local policy |
3ba13bbf | 79 | # |
3ce6cb4a | 80 | |
9d3bdc25 | 81 | allow pam_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; |
3ce6cb4a CP |
82 | dontaudit pam_t self:capability sys_tty_config; |
83 | ||
84 | allow pam_t self:fd use; | |
dd822947 CP |
85 | allow pam_t self:fifo_file rw_file_perms; |
86 | allow pam_t self:unix_dgram_socket create_socket_perms; | |
87 | allow pam_t self:unix_stream_socket rw_stream_socket_perms; | |
3ce6cb4a CP |
88 | allow pam_t self:unix_dgram_socket sendto; |
89 | allow pam_t self:unix_stream_socket connectto; | |
dd822947 CP |
90 | allow pam_t self:shm create_shm_perms; |
91 | allow pam_t self:sem create_sem_perms; | |
92 | allow pam_t self:msgq create_msgq_perms; | |
3ce6cb4a CP |
93 | allow pam_t self:msg { send receive }; |
94 | ||
95 | allow pam_t pam_var_run_t:dir { search getattr read write remove_name }; | |
96 | allow pam_t pam_var_run_t:file { getattr read unlink }; | |
ba1a545f | 97 | files_list_pids(pam_t) |
3ce6cb4a | 98 | |
ba1a545f CP |
99 | allow pam_t pam_tmp_t:dir manage_dir_perms; |
100 | allow pam_t pam_tmp_t:file manage_file_perms; | |
103fe280 | 101 | files_tmp_filetrans(pam_t, pam_tmp_t, { file dir }) |
3ce6cb4a CP |
102 | |
103 | kernel_read_system_state(pam_t) | |
104 | ||
ab940a4c CP |
105 | fs_search_auto_mountpoints(pam_t) |
106 | ||
0fd9dc55 CP |
107 | term_use_all_user_ttys(pam_t) |
108 | term_use_all_user_ptys(pam_t) | |
3ce6cb4a | 109 | |
68228b33 | 110 | init_dontaudit_rw_utmp(pam_t) |
3ce6cb4a | 111 | |
8fd36732 | 112 | files_read_etc_files(pam_t) |
3ce6cb4a | 113 | |
c9428d33 CP |
114 | libs_use_ld_so(pam_t) |
115 | libs_use_shared_libs(pam_t) | |
3ce6cb4a | 116 | |
c9428d33 | 117 | logging_send_syslog_msg(pam_t) |
3ce6cb4a | 118 | |
103fe280 | 119 | userdom_use_unpriv_users_fds(pam_t) |
dc771ff4 | 120 | |
bb7170f6 | 121 | optional_policy(` |
1c1ac67f | 122 | locallogin_use_fds(pam_t) |
3ce6cb4a CP |
123 | ') |
124 | ||
bb7170f6 | 125 | optional_policy(` |
ab940a4c | 126 | nis_use_ypbind(pam_t) |
3ce6cb4a CP |
127 | ') |
128 | ||
bb7170f6 | 129 | optional_policy(` |
1815bad1 | 130 | nscd_socket_use(pam_t) |
493d6c4a CP |
131 | ') |
132 | ||
75a10baf CP |
133 | ######################################## |
134 | # | |
135 | # PAM console local policy | |
136 | # | |
137 | ||
138 | allow pam_console_t self:capability { chown fowner fsetid }; | |
139 | dontaudit pam_console_t self:capability sys_tty_config; | |
140 | ||
141 | allow pam_console_t self:process { sigchld sigkill sigstop signull signal }; | |
142 | ||
143 | # for /var/run/console.lock checking | |
ba1a545f CP |
144 | allow pam_console_t pam_var_console_t:dir list_dir_perms; |
145 | allow pam_console_t pam_var_console_t:lnk_file { getattr read }; | |
dd822947 | 146 | allow pam_console_t pam_var_console_t:file r_file_perms; |
77f6e2cd | 147 | dontaudit pam_console_t pam_var_console_t:file write; |
75a10baf | 148 | |
445522dc | 149 | kernel_read_kernel_sysctls(pam_console_t) |
1c1ac67f | 150 | kernel_use_fds(pam_console_t) |
0907bda1 CP |
151 | # Read /proc/meminfo |
152 | kernel_read_system_state(pam_console_t) | |
75a10baf | 153 | |
d35c621e | 154 | dev_read_sysfs(pam_console_t) |
207c4763 CP |
155 | dev_getattr_apm_bios_dev(pam_console_t) |
156 | dev_setattr_apm_bios_dev(pam_console_t) | |
02bcb8b3 CP |
157 | dev_getattr_dri_dev(pam_console_t) |
158 | dev_setattr_dri_dev(pam_console_t) | |
207c4763 CP |
159 | dev_getattr_framebuffer_dev(pam_console_t) |
160 | dev_setattr_framebuffer_dev(pam_console_t) | |
72492557 CP |
161 | dev_getattr_generic_usb_dev(pam_console_t) |
162 | dev_setattr_generic_usb_dev(pam_console_t) | |
207c4763 CP |
163 | dev_getattr_misc_dev(pam_console_t) |
164 | dev_setattr_misc_dev(pam_console_t) | |
165 | dev_getattr_mouse_dev(pam_console_t) | |
166 | dev_setattr_mouse_dev(pam_console_t) | |
167 | dev_getattr_power_mgmt_dev(pam_console_t) | |
168 | dev_setattr_power_mgmt_dev(pam_console_t) | |
169 | dev_getattr_scanner_dev(pam_console_t) | |
170 | dev_setattr_scanner_dev(pam_console_t) | |
171 | dev_getattr_sound_dev(pam_console_t) | |
172 | dev_setattr_sound_dev(pam_console_t) | |
7a2f20a3 CP |
173 | dev_getattr_video_dev(pam_console_t) |
174 | dev_setattr_video_dev(pam_console_t) | |
cf6a7d89 CP |
175 | dev_getattr_xserver_misc_dev(pam_console_t) |
176 | dev_setattr_xserver_misc_dev(pam_console_t) | |
85a0f967 | 177 | dev_read_urand(pam_console_t) |
d35c621e | 178 | |
75beb950 | 179 | fs_list_auto_mountpoints(pam_console_t) |
ab940a4c | 180 | |
85a0f967 CP |
181 | mls_file_read_up(pam_console_t) |
182 | mls_file_write_down(pam_console_t) | |
183 | ||
1815bad1 CP |
184 | storage_getattr_fixed_disk_dev(pam_console_t) |
185 | storage_setattr_fixed_disk_dev(pam_console_t) | |
186 | storage_getattr_removable_dev(pam_console_t) | |
187 | storage_setattr_removable_dev(pam_console_t) | |
188 | storage_getattr_scsi_generic_dev(pam_console_t) | |
189 | storage_setattr_scsi_generic_dev(pam_console_t) | |
75a10baf | 190 | |
0fd9dc55 | 191 | term_use_console(pam_console_t) |
e9935943 CP |
192 | term_use_all_user_ttys(pam_console_t) |
193 | term_use_all_user_ptys(pam_console_t) | |
0907bda1 | 194 | term_setattr_console(pam_console_t) |
0fd9dc55 CP |
195 | term_getattr_unallocated_ttys(pam_console_t) |
196 | term_setattr_unallocated_ttys(pam_console_t) | |
46551033 | 197 | term_use_unallocated_ttys(pam_console_t) |
75a10baf | 198 | |
77f6e2cd CP |
199 | auth_use_nsswitch(pam_console_t) |
200 | ||
15722ec9 | 201 | domain_use_interactive_fds(pam_console_t) |
75a10baf | 202 | |
8fd36732 | 203 | files_read_etc_files(pam_console_t) |
c9428d33 CP |
204 | files_search_pids(pam_console_t) |
205 | files_list_mnt(pam_console_t) | |
689f6ddb CP |
206 | # read /etc/mtab |
207 | files_read_etc_runtime_files(pam_console_t) | |
75a10baf | 208 | |
1c1ac67f | 209 | init_use_fds(pam_console_t) |
1815bad1 | 210 | init_use_script_ptys(pam_console_t) |
d35c621e | 211 | |
c9428d33 CP |
212 | libs_use_ld_so(pam_console_t) |
213 | libs_use_shared_libs(pam_console_t) | |
75a10baf | 214 | |
c9428d33 | 215 | logging_send_syslog_msg(pam_console_t) |
75a10baf | 216 | |
85a0f967 | 217 | miscfiles_read_localization(pam_console_t) |
a5e2133b | 218 | miscfiles_read_certs(pam_console_t) |
f0574fa9 | 219 | |
5e0da6a0 | 220 | seutil_read_file_contexts(pam_console_t) |
75a10baf | 221 | |
15722ec9 | 222 | userdom_dontaudit_use_unpriv_user_fds(pam_console_t) |
dc771ff4 | 223 | |
ba1a545f | 224 | ifdef(`targeted_policy',` |
1815bad1 CP |
225 | term_dontaudit_use_unallocated_ttys(pam_console_t) |
226 | term_dontaudit_use_generic_ptys(pam_console_t) | |
9e04f5c5 | 227 | files_dontaudit_read_root_files(pam_console_t) |
75a10baf CP |
228 | ') |
229 | ||
bb7170f6 | 230 | optional_policy(` |
f862c35c CP |
231 | gpm_getattr_gpmctl(pam_console_t) |
232 | gpm_setattr_gpmctl(pam_console_t) | |
233 | ') | |
234 | ||
bb7170f6 | 235 | optional_policy(` |
1c1ac67f | 236 | hotplug_use_fds(pam_console_t) |
c9428d33 | 237 | hotplug_dontaudit_search_config(pam_console_t) |
1e5c2a41 CP |
238 | ') |
239 | ||
bb7170f6 | 240 | optional_policy(` |
8fd36732 | 241 | seutil_sigchld_newrole(pam_console_t) |
75a10baf CP |
242 | ') |
243 | ||
bb7170f6 | 244 | optional_policy(` |
c9428d33 | 245 | udev_read_db(pam_console_t) |
75a10baf CP |
246 | ') |
247 | ||
3b914745 CP |
248 | optional_policy(` |
249 | xserver_read_xdm_pid(pam_console_t) | |
75a10baf | 250 | ') |
75a10baf | 251 | |
f66a1af9 CP |
252 | ######################################## |
253 | # | |
254 | # System check password local policy | |
255 | # | |
256 | ||
725926c5 | 257 | allow system_chkpwd_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay }; |
f66a1af9 | 258 | |
5c162193 CP |
259 | allow system_chkpwd_t shadow_t:file { getattr read }; |
260 | ||
725926c5 CP |
261 | corecmd_search_sbin(system_chkpwd_t) |
262 | ||
15722ec9 | 263 | domain_dontaudit_use_interactive_fds(system_chkpwd_t) |
51f5c6a2 | 264 | |
1815bad1 CP |
265 | term_dontaudit_use_unallocated_ttys(system_chkpwd_t) |
266 | term_dontaudit_use_generic_ptys(system_chkpwd_t) | |
ebdc3b79 | 267 | |
1815bad1 | 268 | userdom_dontaudit_use_unpriv_users_ttys(system_chkpwd_t) |
ce6bf7cc | 269 | userdom_dontaudit_use_unpriv_users_ptys(system_chkpwd_t) |
5c162193 | 270 | |
3ce6cb4a CP |
271 | ######################################## |
272 | # | |
273 | # Utempter local policy | |
274 | # | |
275 | ||
276 | allow utempter_t self:capability setgid; | |
0fd9dc55 | 277 | allow utempter_t self:unix_stream_socket create_stream_socket_perms; |
3ce6cb4a | 278 | |
dd822947 | 279 | allow utempter_t wtmp_t:file rw_file_perms; |
3ce6cb4a | 280 | |
77f6e2cd CP |
281 | dev_read_urand(utempter_t) |
282 | ||
0fd9dc55 CP |
283 | term_getattr_all_user_ttys(utempter_t) |
284 | term_getattr_all_user_ptys(utempter_t) | |
285 | term_dontaudit_use_all_user_ttys(utempter_t) | |
286 | term_dontaudit_use_all_user_ptys(utempter_t) | |
287 | term_dontaudit_use_ptmx(utempter_t) | |
3ce6cb4a | 288 | |
68228b33 | 289 | init_rw_utmp(utempter_t) |
3ce6cb4a | 290 | |
8fd36732 | 291 | files_read_etc_files(utempter_t) |
3ce6cb4a | 292 | |
15722ec9 | 293 | domain_use_interactive_fds(utempter_t) |
3ce6cb4a | 294 | |
c9428d33 CP |
295 | libs_use_ld_so(utempter_t) |
296 | libs_use_shared_libs(utempter_t) | |
3ce6cb4a | 297 | |
c9428d33 | 298 | logging_search_logs(utempter_t) |
3ce6cb4a | 299 | |
3ce6cb4a | 300 | # Allow utempter to write to /tmp/.xses-* |
15722ec9 | 301 | userdom_write_unpriv_users_tmp_files(utempter_t) |
3ce6cb4a | 302 | |
bb7170f6 | 303 | optional_policy(` |
1815bad1 | 304 | nscd_socket_use(utempter_t) |
493d6c4a CP |
305 | ') |
306 | ||
bb7170f6 | 307 | optional_policy(` |
1f6524ae CP |
308 | xserver_use_xdm_fds(utempter_t) |
309 | xserver_rw_xdm_pipes(utempter_t) | |
3ce6cb4a | 310 | ') |