[people/stevee/selinux-policy.git] / policy / modules / system / locallogin.te


policy_module(locallogin, 1.9.0)

########################################
#
# Declarations
#

type local_login_t;
domain_interactive_fd(local_login_t)
auth_login_pgm_domain(local_login_t)
auth_login_entry_type(local_login_t)

type local_login_lock_t;
files_lock_file(local_login_lock_t)

type local_login_tmp_t;
files_tmp_file(local_login_tmp_t)
files_poly_parent(local_login_tmp_t)

type sulogin_t;
type sulogin_exec_t;
domain_obj_id_change_exemption(sulogin_t)
domain_subj_id_change_exemption(sulogin_t)
domain_role_change_exemption(sulogin_t)
domain_interactive_fd(sulogin_t)
init_domain(sulogin_t, sulogin_exec_t)
init_system_domain(sulogin_t, sulogin_exec_t)
role system_r types sulogin_t;

########################################
#
# Local login local policy
#

allow local_login_t self:capability { dac_override chown fowner fsetid kill setgid setuid sys_nice sys_resource sys_tty_config };
allow local_login_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
allow local_login_t self:process { setrlimit setexec };
allow local_login_t self:fd use;
allow local_login_t self:fifo_file rw_fifo_file_perms;
allow local_login_t self:sock_file read_sock_file_perms;
allow local_login_t self:unix_dgram_socket create_socket_perms;
allow local_login_t self:unix_stream_socket create_stream_socket_perms;
allow local_login_t self:unix_dgram_socket sendto;
allow local_login_t self:unix_stream_socket connectto;
allow local_login_t self:shm create_shm_perms;
allow local_login_t self:sem create_sem_perms;
allow local_login_t self:msgq create_msgq_perms;
allow local_login_t self:msg { send receive };
allow local_login_t self:key { search write link };

allow local_login_t local_login_lock_t:file manage_file_perms;
files_lock_filetrans(local_login_t, local_login_lock_t, file)

allow local_login_t local_login_tmp_t:dir manage_dir_perms;
allow local_login_t local_login_tmp_t:file manage_file_perms;
files_tmp_filetrans(local_login_t, local_login_tmp_t, { file dir })

kernel_read_system_state(local_login_t)
kernel_read_kernel_sysctls(local_login_t)
kernel_search_key(local_login_t)
kernel_link_key(local_login_t)

dev_setattr_mouse_dev(local_login_t)
dev_getattr_mouse_dev(local_login_t)
dev_getattr_power_mgmt_dev(local_login_t)
dev_setattr_power_mgmt_dev(local_login_t)
dev_getattr_sound_dev(local_login_t)
dev_setattr_sound_dev(local_login_t)
dev_dontaudit_getattr_apm_bios_dev(local_login_t)
dev_dontaudit_setattr_apm_bios_dev(local_login_t)
dev_dontaudit_read_framebuffer(local_login_t)
dev_dontaudit_setattr_framebuffer_dev(local_login_t)
dev_dontaudit_getattr_generic_blk_files(local_login_t)
dev_dontaudit_setattr_generic_blk_files(local_login_t)
dev_dontaudit_getattr_generic_chr_files(local_login_t)
dev_dontaudit_setattr_generic_chr_files(local_login_t)
dev_dontaudit_setattr_generic_symlinks(local_login_t)
dev_dontaudit_getattr_misc_dev(local_login_t)
dev_dontaudit_setattr_misc_dev(local_login_t)
dev_dontaudit_getattr_scanner_dev(local_login_t)
dev_dontaudit_setattr_scanner_dev(local_login_t)
dev_dontaudit_search_sysfs(local_login_t)
dev_dontaudit_getattr_video_dev(local_login_t)
dev_dontaudit_setattr_video_dev(local_login_t)

fs_search_auto_mountpoints(local_login_t)

storage_dontaudit_getattr_fixed_disk_dev(local_login_t)
storage_dontaudit_setattr_fixed_disk_dev(local_login_t)
storage_dontaudit_getattr_removable_dev(local_login_t)
storage_dontaudit_setattr_removable_dev(local_login_t)

term_use_all_user_ttys(local_login_t)
term_use_unallocated_ttys(local_login_t)
term_relabel_unallocated_ttys(local_login_t)
term_relabel_all_user_ttys(local_login_t)
term_setattr_all_user_ttys(local_login_t)
term_setattr_unallocated_ttys(local_login_t)

auth_rw_login_records(local_login_t)
auth_rw_faillog(local_login_t)
auth_manage_pam_pid(local_login_t)
auth_manage_pam_console_data(local_login_t)
auth_domtrans_pam_console(local_login_t)

corecmd_list_bin(local_login_t)
corecmd_read_bin_symlinks(local_login_t)
# cjp: these are probably not needed:
corecmd_read_bin_files(local_login_t)
corecmd_read_bin_pipes(local_login_t)
corecmd_read_bin_sockets(local_login_t)

domain_read_all_entry_files(local_login_t)

files_read_etc_files(local_login_t)
files_read_etc_runtime_files(local_login_t)
files_read_usr_files(local_login_t)
files_list_mnt(local_login_t)
files_list_world_readable(local_login_t)
files_read_world_readable_files(local_login_t)
files_read_world_readable_symlinks(local_login_t)
files_read_world_readable_pipes(local_login_t)
files_read_world_readable_sockets(local_login_t)
# for when /var/mail is a symlink
files_read_var_symlinks(local_login_t)

init_dontaudit_use_fds(local_login_t)

miscfiles_read_localization(local_login_t)

userdom_spec_domtrans_all_users(local_login_t)
userdom_signal_all_users(local_login_t)
userdom_search_user_home_content(local_login_t)
userdom_use_unpriv_users_fds(local_login_t)
userdom_sigchld_all_users(local_login_t)
userdom_create_all_users_keys(local_login_t)

ifdef(`distro_ubuntu',`
	optional_policy(`
		unconfined_domain(local_login_t)
	')
')

tunable_policy(`read_default_t',`
	files_list_default(local_login_t)
	files_read_default_files(local_login_t)
	files_read_default_symlinks(local_login_t)
	files_read_default_sockets(local_login_t)
	files_read_default_pipes(local_login_t)
')

tunable_policy(`use_nfs_home_dirs',`
	fs_read_nfs_files(local_login_t)
	fs_read_nfs_symlinks(local_login_t)
')

tunable_policy(`use_samba_home_dirs',`
	fs_read_cifs_files(local_login_t)
	fs_read_cifs_symlinks(local_login_t)
')

optional_policy(`
	alsa_domtrans(local_login_t)
')

optional_policy(`
	dbus_system_bus_client(local_login_t)

	consolekit_dbus_chat(local_login_t)
')

optional_policy(`
	gpm_getattr_gpmctl(local_login_t)
	gpm_setattr_gpmctl(local_login_t)
')

optional_policy(`
	# Search for mail spool file.
	mta_getattr_spool(local_login_t)
')

optional_policy(`
	nis_use_ypbind(local_login_t)
')

optional_policy(`
	nscd_socket_use(local_login_t)
')

optional_policy(`
	unconfined_domain(local_login_t)
')

optional_policy(`
	usermanage_read_crack_db(local_login_t)
')

optional_policy(`
	xserver_read_xdm_tmp_files(local_login_t)
	xserver_rw_xdm_tmp_files(local_login_t)
')

#################################
# 
# Sulogin local policy
#

allow sulogin_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
allow sulogin_t self:fd use;
allow sulogin_t self:fifo_file rw_file_perms;
allow sulogin_t self:unix_dgram_socket create_socket_perms;
allow sulogin_t self:unix_stream_socket create_stream_socket_perms;
allow sulogin_t self:unix_dgram_socket sendto;
allow sulogin_t self:unix_stream_socket connectto;
allow sulogin_t self:shm create_shm_perms;
allow sulogin_t self:sem create_sem_perms;
allow sulogin_t self:msgq create_msgq_perms;
allow sulogin_t self:msg { send receive };

kernel_read_system_state(sulogin_t)

fs_search_auto_mountpoints(sulogin_t)
fs_rw_tmpfs_chr_files(sulogin_t)

files_read_etc_files(sulogin_t)
# because file systems are not mounted:
files_dontaudit_search_isid_type_dirs(sulogin_t)

init_getpgid_script(sulogin_t)

logging_send_syslog_msg(sulogin_t)

seutil_read_config(sulogin_t)
seutil_read_default_contexts(sulogin_t)

auth_read_shadow(sulogin_t)

userdom_use_unpriv_users_fds(sulogin_t)

userdom_search_user_home_dirs(sulogin_t)
userdom_use_user_ptys(sulogin_t)

sysadm_shell_domtrans(sulogin_t)

# suse and debian do not use pam with sulogin...
ifdef(`distro_suse', `define(`sulogin_no_pam')')
ifdef(`distro_debian', `define(`sulogin_no_pam')')

ifdef(`sulogin_no_pam', `
	allow sulogin_t self:capability sys_tty_config;
	init_getpgid(sulogin_t)
', `
	allow sulogin_t self:process setexec;
	selinux_get_fs_mount(sulogin_t)
	selinux_validate_context(sulogin_t)
	selinux_compute_access_vector(sulogin_t)
	selinux_compute_create_context(sulogin_t)
	selinux_compute_relabel_context(sulogin_t)
	selinux_compute_user_contexts(sulogin_t)
')

optional_policy(`
	nis_use_ypbind(sulogin_t)
')

optional_policy(`
	nscd_socket_use(sulogin_t)
')
Commit	Line	Data
df431c87	1
17ec8c1f	2	policy_module(locallogin, 1.9.0)
df431c87	3
07efe969 CP	4	########################################
	5	#
	6	# Declarations
	7	#
	8
f0574fa9	9	type local_login_t;
15722ec9	10	domain_interactive_fd(local_login_t)
4b3b46d7 CP	11	auth_login_pgm_domain(local_login_t)
4b3b46d7 CP	12	auth_login_entry_type(local_login_t)
07efe969	13
98a8ead4 CP	14	type local_login_lock_t;
	15	files_lock_file(local_login_lock_t)
	16
07efe969	17	type local_login_tmp_t;
c3cf6693	18	files_tmp_file(local_login_tmp_t)
a3cf80d8	19	files_poly_parent(local_login_tmp_t)
07efe969	20
5d7e8ba6 CP	21	type sulogin_t;
5d7e8ba6 CP	22	type sulogin_exec_t;
1815bad1 CP	23	domain_obj_id_change_exemption(sulogin_t)
	24	domain_subj_id_change_exemption(sulogin_t)
	25	domain_role_change_exemption(sulogin_t)
15722ec9	26	domain_interactive_fd(sulogin_t)
3f67f722 CP	27	init_domain(sulogin_t, sulogin_exec_t)
3f67f722 CP	28	init_system_domain(sulogin_t, sulogin_exec_t)
5d7e8ba6 CP	29	role system_r types sulogin_t;
5d7e8ba6 CP	30
07efe969 CP	31	########################################
07efe969 CP	32	#
5d7e8ba6	33	# Local login local policy
07efe969 CP	34	#
07efe969 CP	35
9d3bdc25 CP	36	allow local_login_t self:capability { dac_override chown fowner fsetid kill setgid setuid sys_nice sys_resource sys_tty_config };
9d3bdc25 CP	37	allow local_login_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
07efe969	38	allow local_login_t self:process { setrlimit setexec };
f1470e5e	39	allow local_login_t self:fd use;
ef659a47 CP	40	allow local_login_t self:fifo_file rw_fifo_file_perms;
ef659a47 CP	41	allow local_login_t self:sock_file read_sock_file_perms;
80048ca5 CP	42	allow local_login_t self:unix_dgram_socket create_socket_perms;
80048ca5 CP	43	allow local_login_t self:unix_stream_socket create_stream_socket_perms;
f1470e5e CP	44	allow local_login_t self:unix_dgram_socket sendto;
f1470e5e CP	45	allow local_login_t self:unix_stream_socket connectto;
80048ca5 CP	46	allow local_login_t self:shm create_shm_perms;
	47	allow local_login_t self:sem create_sem_perms;
	48	allow local_login_t self:msgq create_msgq_perms;
f1470e5e	49	allow local_login_t self:msg { send receive };
d9845ae9	50	allow local_login_t self:key { search write link };
07efe969	51
c0868a7a	52	allow local_login_t local_login_lock_t:file manage_file_perms;
3f67f722	53	files_lock_filetrans(local_login_t, local_login_lock_t, file)
98a8ead4	54
c0868a7a CP	55	allow local_login_t local_login_tmp_t:dir manage_dir_perms;
c0868a7a CP	56	allow local_login_t local_login_tmp_t:file manage_file_perms;
103fe280	57	files_tmp_filetrans(local_login_t, local_login_tmp_t, { file dir })
07efe969 CP	58
07efe969 CP	59	kernel_read_system_state(local_login_t)
445522dc	60	kernel_read_kernel_sysctls(local_login_t)
a5e2133b CP	61	kernel_search_key(local_login_t)
a5e2133b CP	62	kernel_link_key(local_login_t)
d35c621e	63
207c4763 CP	64	dev_setattr_mouse_dev(local_login_t)
	65	dev_getattr_mouse_dev(local_login_t)
	66	dev_getattr_power_mgmt_dev(local_login_t)
	67	dev_setattr_power_mgmt_dev(local_login_t)
	68	dev_getattr_sound_dev(local_login_t)
	69	dev_setattr_sound_dev(local_login_t)
	70	dev_dontaudit_getattr_apm_bios_dev(local_login_t)
	71	dev_dontaudit_setattr_apm_bios_dev(local_login_t)
fd89e19f	72	dev_dontaudit_read_framebuffer(local_login_t)
207c4763 CP	73	dev_dontaudit_setattr_framebuffer_dev(local_login_t)
	74	dev_dontaudit_getattr_generic_blk_files(local_login_t)
	75	dev_dontaudit_setattr_generic_blk_files(local_login_t)
	76	dev_dontaudit_getattr_generic_chr_files(local_login_t)
	77	dev_dontaudit_setattr_generic_chr_files(local_login_t)
	78	dev_dontaudit_setattr_generic_symlinks(local_login_t)
	79	dev_dontaudit_getattr_misc_dev(local_login_t)
	80	dev_dontaudit_setattr_misc_dev(local_login_t)
	81	dev_dontaudit_getattr_scanner_dev(local_login_t)
	82	dev_dontaudit_setattr_scanner_dev(local_login_t)
ebdc3b79	83	dev_dontaudit_search_sysfs(local_login_t)
fd89e19f CP	84	dev_dontaudit_getattr_video_dev(local_login_t)
fd89e19f CP	85	dev_dontaudit_setattr_video_dev(local_login_t)
d35c621e	86
ab940a4c CP	87	fs_search_auto_mountpoints(local_login_t)
ab940a4c CP	88
1815bad1 CP	89	storage_dontaudit_getattr_fixed_disk_dev(local_login_t)
	90	storage_dontaudit_setattr_fixed_disk_dev(local_login_t)
	91	storage_dontaudit_getattr_removable_dev(local_login_t)
	92	storage_dontaudit_setattr_removable_dev(local_login_t)
07efe969	93
0fd9dc55	94	term_use_all_user_ttys(local_login_t)
1815bad1	95	term_use_unallocated_ttys(local_login_t)
0fd9dc55 CP	96	term_relabel_unallocated_ttys(local_login_t)
	97	term_relabel_all_user_ttys(local_login_t)
	98	term_setattr_all_user_ttys(local_login_t)
	99	term_setattr_unallocated_ttys(local_login_t)
1e5c2a41	100
c9428d33	101	auth_rw_login_records(local_login_t)
c9428d33	102	auth_rw_faillog(local_login_t)
2b592aa4	103	auth_manage_pam_pid(local_login_t)
c9428d33	104	auth_manage_pam_console_data(local_login_t)
d8636fc9	105	auth_domtrans_pam_console(local_login_t)
07efe969	106
ae9e2716	107	corecmd_list_bin(local_login_t)
1815bad1	108	corecmd_read_bin_symlinks(local_login_t)
ae9e2716	109	# cjp: these are probably not needed:
1815bad1 CP	110	corecmd_read_bin_files(local_login_t)
	111	corecmd_read_bin_pipes(local_login_t)
	112	corecmd_read_bin_sockets(local_login_t)
ae9e2716	113
c9428d33	114	domain_read_all_entry_files(local_login_t)
f1470e5e	115
8fd36732	116	files_read_etc_files(local_login_t)
c9428d33 CP	117	files_read_etc_runtime_files(local_login_t)
c9428d33 CP	118	files_read_usr_files(local_login_t)
ebdc3b79	119	files_list_mnt(local_login_t)
ae9e2716 CP	120	files_list_world_readable(local_login_t)
	121	files_read_world_readable_files(local_login_t)
	122	files_read_world_readable_symlinks(local_login_t)
	123	files_read_world_readable_pipes(local_login_t)
	124	files_read_world_readable_sockets(local_login_t)
	125	# for when /var/mail is a symlink
9e04f5c5	126	files_read_var_symlinks(local_login_t)
07efe969	127
1c1ac67f	128	init_dontaudit_use_fds(local_login_t)
daa0e0b0	129
daa0e0b0 CP	130	miscfiles_read_localization(local_login_t)
daa0e0b0 CP	131
c9428d33 CP	132	userdom_spec_domtrans_all_users(local_login_t)
c9428d33 CP	133	userdom_signal_all_users(local_login_t)
296273a7	134	userdom_search_user_home_content(local_login_t)
103fe280	135	userdom_use_unpriv_users_fds(local_login_t)
a77e6524	136	userdom_sigchld_all_users(local_login_t)
fe3a1eb8	137	userdom_create_all_users_keys(local_login_t)
07efe969	138
12cf805e CP	139	ifdef(`distro_ubuntu',`
	140	optional_policy(`
	141	unconfined_domain(local_login_t)
	142	')
	143	')
	144
a42ca7eb CP	145	tunable_policy(`read_default_t',`
	146	files_list_default(local_login_t)
	147	files_read_default_files(local_login_t)
	148	files_read_default_symlinks(local_login_t)
	149	files_read_default_sockets(local_login_t)
	150	files_read_default_pipes(local_login_t)
	151	')
	152
d35c621e CP	153	tunable_policy(`use_nfs_home_dirs',`
	154	fs_read_nfs_files(local_login_t)
	155	fs_read_nfs_symlinks(local_login_t)
	156	')
	157
	158	tunable_policy(`use_samba_home_dirs',`
	159	fs_read_cifs_files(local_login_t)
	160	fs_read_cifs_symlinks(local_login_t)
	161	')
	162
134a799c	163	optional_policy(`
350b6ab7 CP	164	alsa_domtrans(local_login_t)
	165	')
	166
	167	optional_policy(`
296273a7	168	dbus_system_bus_client(local_login_t)
134a799c CP	169
	170	consolekit_dbus_chat(local_login_t)
	171	')
	172
bb7170f6	173	optional_policy(`
f862c35c CP	174	gpm_getattr_gpmctl(local_login_t)
	175	gpm_setattr_gpmctl(local_login_t)
	176	')
	177
2cc4072c CP	178	optional_policy(`
	179	# Search for mail spool file.
	180	mta_getattr_spool(local_login_t)
	181	')
	182
bb7170f6	183	optional_policy(`
ab940a4c	184	nis_use_ypbind(local_login_t)
d115b247 CP	185	')
d115b247 CP	186
bb7170f6	187	optional_policy(`
1815bad1	188	nscd_socket_use(local_login_t)
493d6c4a CP	189	')
493d6c4a CP	190
bb7170f6	191	optional_policy(`
350b6ab7	192	unconfined_domain(local_login_t)
ebdc3b79 CP	193	')
ebdc3b79 CP	194
bb7170f6	195	optional_policy(`
350b6ab7	196	usermanage_read_crack_db(local_login_t)
a524921a CP	197	')
a524921a CP	198
134a799c CP	199	optional_policy(`
	200	xserver_read_xdm_tmp_files(local_login_t)
	201	xserver_rw_xdm_tmp_files(local_login_t)
	202	')
	203
5d7e8ba6 CP	204	#################################
	205	#
	206	# Sulogin local policy
	207	#
	208
9d3bdc25	209	allow sulogin_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
5d7e8ba6	210	allow sulogin_t self:fd use;
80048ca5 CP	211	allow sulogin_t self:fifo_file rw_file_perms;
	212	allow sulogin_t self:unix_dgram_socket create_socket_perms;
	213	allow sulogin_t self:unix_stream_socket create_stream_socket_perms;
5d7e8ba6 CP	214	allow sulogin_t self:unix_dgram_socket sendto;
5d7e8ba6 CP	215	allow sulogin_t self:unix_stream_socket connectto;
80048ca5 CP	216	allow sulogin_t self:shm create_shm_perms;
80048ca5 CP	217	allow sulogin_t self:sem create_sem_perms;
0fd9dc55	218	allow sulogin_t self:msgq create_msgq_perms;
5d7e8ba6 CP	219	allow sulogin_t self:msg { send receive };
	220
	221	kernel_read_system_state(sulogin_t)
	222
ab940a4c	223	fs_search_auto_mountpoints(sulogin_t)
4d851fe9	224	fs_rw_tmpfs_chr_files(sulogin_t)
5d7e8ba6	225
8fd36732	226	files_read_etc_files(sulogin_t)
3b857eae	227	# because file systems are not mounted:
9e04f5c5	228	files_dontaudit_search_isid_type_dirs(sulogin_t)
5d7e8ba6	229
1815bad1	230	init_getpgid_script(sulogin_t)
ab940a4c	231
c9428d33	232	logging_send_syslog_msg(sulogin_t)
5d7e8ba6	233
5e0da6a0 CP	234	seutil_read_config(sulogin_t)
5e0da6a0 CP	235	seutil_read_default_contexts(sulogin_t)
5d7e8ba6	236
c9428d33	237	auth_read_shadow(sulogin_t)
5d7e8ba6	238
103fe280	239	userdom_use_unpriv_users_fds(sulogin_t)
e9c6cda7	240
296273a7 CP	241	userdom_search_user_home_dirs(sulogin_t)
296273a7 CP	242	userdom_use_user_ptys(sulogin_t)
e9c6cda7 CP	243
e9c6cda7 CP	244	sysadm_shell_domtrans(sulogin_t)
dc771ff4	245
5d7e8ba6	246	# suse and debian do not use pam with sulogin...
0e15cdfb CP	247	ifdef(`distro_suse', `define(`sulogin_no_pam')')
0e15cdfb CP	248	ifdef(`distro_debian', `define(`sulogin_no_pam')')
5d7e8ba6	249
254bbc7b	250	ifdef(`sulogin_no_pam', `
0c73cd25	251	allow sulogin_t self:capability sys_tty_config;
1815bad1	252	init_getpgid(sulogin_t)
5d7e8ba6	253	', `
0c73cd25	254	allow sulogin_t self:process setexec;
5e0da6a0 CP	255	selinux_get_fs_mount(sulogin_t)
	256	selinux_validate_context(sulogin_t)
	257	selinux_compute_access_vector(sulogin_t)
	258	selinux_compute_create_context(sulogin_t)
	259	selinux_compute_relabel_context(sulogin_t)
	260	selinux_compute_user_contexts(sulogin_t)
5d7e8ba6 CP	261	')
5d7e8ba6 CP	262
bb7170f6	263	optional_policy(`
ab940a4c	264	nis_use_ypbind(sulogin_t)
5d7e8ba6	265	')
a524921a	266
bb7170f6	267	optional_policy(`
1815bad1	268	nscd_socket_use(sulogin_t)
a524921a	269	')