########################################
#
# locallogin -- policy for the local (console/tty) login program and for
# sulogin, the single-user-mode login.
#
# Domains declared in this module:
#   local_login_t  authenticates a user on a tty and then transitions into
#                  the domain of that user (userdom_spec_domtrans_all_users).
#   sulogin_t      started by init in single-user mode; it transitions into
#                  the sysadm shell (sysadm_shell_domtrans).
#
# Reading note for the "~{ ... }" process rules below: the complement
# grants every process permission EXCEPT the listed ones, so the listed
# set is the security-relevant part of the rule (it withholds ptrace, the
# context-setting permissions and the executable-memory permissions).
# Any permission re-added on a following line narrows that exclusion.
#

policy_module(locallogin, 1.9.0)

########################################
#
# Declarations
#

# Domain of the login program itself.
type local_login_t;
domain_interactive_fd(local_login_t)
# Marks local_login_t as an authentication (PAM) program and as a login
# entry type; the permissions those imply are defined in the authlogin
# module, not here.
auth_login_pgm_domain(local_login_t)
auth_login_entry_type(local_login_t)

# Lock file type for login (created via files_lock_filetrans below).
type local_login_lock_t;
files_lock_file(local_login_lock_t)

# Temporary files of login; files_poly_parent additionally marks the type
# as a polyinstantiation parent (per-session tmp directories).
type local_login_tmp_t;
files_tmp_file(local_login_tmp_t)
files_poly_parent(local_login_tmp_t)

# Single-user-mode login domain and its executable type.
type sulogin_t;
type sulogin_exec_t;
# Exempt sulogin_t from the system constraints on changing SELinux user,
# role and object identity -- presumably because its handoff to the sysadm
# shell (sysadm_shell_domtrans below) changes user and role.
domain_obj_id_change_exemption(sulogin_t)
domain_subj_id_change_exemption(sulogin_t)
domain_role_change_exemption(sulogin_t)
domain_interactive_fd(sulogin_t)
# Executed by init as a system service; runs in system_r (declared below).
init_domain(sulogin_t, sulogin_exec_t)
init_system_domain(sulogin_t, sulogin_exec_t)
role system_r types sulogin_t;

########################################
#
# Local login local policy
#

# Broad capability set: ownership/mode changes on ttys and devices, switching
# to the uid/gid of the user, signalling the session, rlimit setup and tty
# configuration.  Every capability here widens what a compromised login
# process can do, so additions should be justified individually.
allow local_login_t self:capability { dac_override chown fowner fsetid kill setgid setuid sys_nice sys_resource sys_tty_config };
# The complement grants all process permissions except the listed ones; the
# next line then re-adds setrlimit and setexec, so the permissions actually
# withheld are ptrace, setcurrent, setfscreate, execmem, execstack and
# execheap.  setexec is what allows the exec context of the user shell to
# be set (used with userdom_spec_domtrans_all_users below).
allow local_login_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
allow local_login_t self:process { setrlimit setexec };
allow local_login_t self:fd use;
allow local_login_t self:fifo_file rw_fifo_file_perms;
allow local_login_t self:sock_file read_sock_file_perms;
allow local_login_t self:unix_dgram_socket create_socket_perms;
allow local_login_t self:unix_stream_socket create_stream_socket_perms;
allow local_login_t self:unix_dgram_socket sendto;
allow local_login_t self:unix_stream_socket connectto;
allow local_login_t self:shm create_shm_perms;
allow local_login_t self:sem create_sem_perms;
allow local_login_t self:msgq create_msgq_perms;
allow local_login_t self:msg { send receive };
# Keyring permissions on its own keys; together with kernel_search_key,
# kernel_link_key and userdom_create_all_users_keys below this is the
# session keyring setup for the logged-in user (presumably pam_keyinit).
allow local_login_t self:key { search write link };

# Lock file: full management, plus the type transition so that files login
# creates in the lock directory get local_login_lock_t.
allow local_login_t local_login_lock_t:file manage_file_perms;
files_lock_filetrans(local_login_t, local_login_lock_t, file)

# Temporary files and directories, with the tmp type transition.
allow local_login_t local_login_tmp_t:dir manage_dir_perms;
allow local_login_t local_login_tmp_t:file manage_file_perms;
files_tmp_filetrans(local_login_t, local_login_tmp_t, { file dir })

kernel_read_system_state(local_login_t)
kernel_read_kernel_sysctls(local_login_t)
kernel_search_key(local_login_t)
kernel_link_key(local_login_t)

# Device nodes.  The getattr/setattr pairs are the devices login is allowed
# to touch (presumably ownership handover of console devices to the user,
# see the pam_console rules below).  The dontaudit rules only silence
# denials for device classes login probes but must not modify; they grant
# nothing, so a real access to those devices is still denied.
dev_setattr_mouse_dev(local_login_t)
dev_getattr_mouse_dev(local_login_t)
dev_getattr_power_mgmt_dev(local_login_t)
dev_setattr_power_mgmt_dev(local_login_t)
dev_getattr_sound_dev(local_login_t)
dev_setattr_sound_dev(local_login_t)
dev_dontaudit_getattr_apm_bios_dev(local_login_t)
dev_dontaudit_setattr_apm_bios_dev(local_login_t)
dev_dontaudit_read_framebuffer(local_login_t)
dev_dontaudit_setattr_framebuffer_dev(local_login_t)
dev_dontaudit_getattr_generic_blk_files(local_login_t)
dev_dontaudit_setattr_generic_blk_files(local_login_t)
dev_dontaudit_getattr_generic_chr_files(local_login_t)
dev_dontaudit_setattr_generic_chr_files(local_login_t)
dev_dontaudit_setattr_generic_symlinks(local_login_t)
dev_dontaudit_getattr_misc_dev(local_login_t)
dev_dontaudit_setattr_misc_dev(local_login_t)
dev_dontaudit_getattr_scanner_dev(local_login_t)
dev_dontaudit_setattr_scanner_dev(local_login_t)
dev_dontaudit_search_sysfs(local_login_t)
dev_dontaudit_getattr_video_dev(local_login_t)
dev_dontaudit_setattr_video_dev(local_login_t)

fs_search_auto_mountpoints(local_login_t)

# Disk devices are probed but not touched: silence the denials only.
storage_dontaudit_getattr_fixed_disk_dev(local_login_t)
storage_dontaudit_setattr_fixed_disk_dev(local_login_t)
storage_dontaudit_getattr_removable_dev(local_login_t)
storage_dontaudit_setattr_removable_dev(local_login_t)

# ttys: login must use, relabel (to the context of the user) and change the
# attributes of both unallocated ttys and ttys already owned by users.
term_use_all_user_ttys(local_login_t)
term_use_unallocated_ttys(local_login_t)
term_relabel_unallocated_ttys(local_login_t)
term_relabel_all_user_ttys(local_login_t)
term_setattr_all_user_ttys(local_login_t)
term_setattr_unallocated_ttys(local_login_t)

# Login records and the failed-login log, PAM runtime data, and the
# transition to pam_console.
auth_rw_login_records(local_login_t)
auth_rw_faillog(local_login_t)
auth_manage_pam_pid(local_login_t)
auth_manage_pam_console_data(local_login_t)
auth_domtrans_pam_console(local_login_t)

corecmd_list_bin(local_login_t)
corecmd_read_bin_symlinks(local_login_t)
# cjp: these are probably not needed:
corecmd_read_bin_files(local_login_t)
corecmd_read_bin_pipes(local_login_t)
corecmd_read_bin_sockets(local_login_t)

# Read access to every domain entry point file -- presumably so the shell of
# any user domain can be stat-ed/executed at handoff.
domain_read_all_entry_files(local_login_t)

files_read_etc_files(local_login_t)
files_read_etc_runtime_files(local_login_t)
files_read_usr_files(local_login_t)
files_list_mnt(local_login_t)
files_list_world_readable(local_login_t)
files_read_world_readable_files(local_login_t)
files_read_world_readable_symlinks(local_login_t)
files_read_world_readable_pipes(local_login_t)
files_read_world_readable_sockets(local_login_t)
# for when /var/mail is a symlink
files_read_var_symlinks(local_login_t)

init_dontaudit_use_fds(local_login_t)

miscfiles_read_localization(local_login_t)

# The actual handoff: transition into the domain of the authenticated user,
# plus the signal, fd and keyring permissions that span the transition.
userdom_spec_domtrans_all_users(local_login_t)
userdom_signal_all_users(local_login_t)
userdom_search_user_home_content(local_login_t)
userdom_use_unpriv_users_fds(local_login_t)
userdom_sigchld_all_users(local_login_t)
userdom_create_all_users_keys(local_login_t)

# NOTE(review): this Ubuntu-only block is the same optional_policy call as
# the unconditional unconfined_domain(local_login_t) block further down, so
# it appears redundant -- confirm before removing.
ifdef(`distro_ubuntu',`
	optional_policy(`
		unconfined_domain(local_login_t)
	')
')

# Tunables: read access to default_t content and to NFS/CIFS home
# directories is granted only while the corresponding boolean is on.
tunable_policy(`read_default_t',`
	files_list_default(local_login_t)
	files_read_default_files(local_login_t)
	files_read_default_symlinks(local_login_t)
	files_read_default_sockets(local_login_t)
	files_read_default_pipes(local_login_t)
')

tunable_policy(`use_nfs_home_dirs',`
	fs_read_nfs_files(local_login_t)
	fs_read_nfs_symlinks(local_login_t)
')

tunable_policy(`use_samba_home_dirs',`
	fs_read_cifs_files(local_login_t)
	fs_read_cifs_symlinks(local_login_t)
')

# Each optional_policy block below applies only when the named module is
# loaded.
optional_policy(`
	alsa_domtrans(local_login_t)
')

optional_policy(`
	dbus_system_bus_client(local_login_t)

	consolekit_dbus_chat(local_login_t)
')

optional_policy(`
	gpm_getattr_gpmctl(local_login_t)
	gpm_setattr_gpmctl(local_login_t)
')

optional_policy(`
	# Search for mail spool file.
	mta_getattr_spool(local_login_t)
')

optional_policy(`
	nis_use_ypbind(local_login_t)
')

optional_policy(`
	nscd_socket_use(local_login_t)
')

# NOTE(review): when the unconfined module is loaded this makes local_login_t
# unconfined, so on such builds none of the rules above bound the login
# process; the confinement expressed in this file only holds without it.
optional_policy(`
	unconfined_domain(local_login_t)
')

optional_policy(`
	usermanage_read_crack_db(local_login_t)
')

optional_policy(`
	xserver_read_xdm_tmp_files(local_login_t)
	xserver_rw_xdm_tmp_files(local_login_t)
')

#################################
#
# Sulogin local policy
#

# Same complement pattern as local_login_t but with no re-grant of
# setrlimit; setexec is re-added only on the PAM branch further down.
allow sulogin_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
allow sulogin_t self:fd use;
# NOTE(review): rw_file_perms on a fifo_file, whereas local_login_t uses
# rw_fifo_file_perms above; the two permission sets are defined globally and
# may differ -- confirm which one was intended.
allow sulogin_t self:fifo_file rw_file_perms;
allow sulogin_t self:unix_dgram_socket create_socket_perms;
allow sulogin_t self:unix_stream_socket create_stream_socket_perms;
allow sulogin_t self:unix_dgram_socket sendto;
allow sulogin_t self:unix_stream_socket connectto;
allow sulogin_t self:shm create_shm_perms;
allow sulogin_t self:sem create_sem_perms;
allow sulogin_t self:msgq create_msgq_perms;
allow sulogin_t self:msg { send receive };

kernel_read_system_state(sulogin_t)

fs_search_auto_mountpoints(sulogin_t)
# Character devices on tmpfs -- presumably the console when /dev is a tmpfs
# during early boot; confirm.
fs_rw_tmpfs_chr_files(sulogin_t)

files_read_etc_files(sulogin_t)
# because file systems are not mounted:
files_dontaudit_search_isid_type_dirs(sulogin_t)

init_getpgid_script(sulogin_t)

logging_send_syslog_msg(sulogin_t)

# SELinux configuration and default contexts, used to choose the context of
# the shell sulogin spawns.
seutil_read_config(sulogin_t)
seutil_read_default_contexts(sulogin_t)

# Direct read of the shadow file (sulogin asks for the root password).  Note
# this is granted unconditionally, not only in the sulogin_no_pam branch
# below.
auth_read_shadow(sulogin_t)

userdom_use_unpriv_users_fds(sulogin_t)

userdom_search_user_home_dirs(sulogin_t)
userdom_use_user_ptys(sulogin_t)

# Handoff to the administrator shell; this is the transition that requires
# the identity/role change exemptions declared at the top of the file.
sysadm_shell_domtrans(sulogin_t)

# suse and debian do not use pam with sulogin...
ifdef(`distro_suse', `define(`sulogin_no_pam')')
ifdef(`distro_debian', `define(`sulogin_no_pam')')

# Non-PAM builds configure the tty and query the init process group
# themselves.  PAM builds instead get setexec and the selinux_compute_*
# interfaces because the exec context of the shell is computed and set in
# userspace (presumably by pam_selinux) rather than by a policy transition.
ifdef(`sulogin_no_pam', `
	allow sulogin_t self:capability sys_tty_config;
	init_getpgid(sulogin_t)
', `
	allow sulogin_t self:process setexec;
	selinux_get_fs_mount(sulogin_t)
	selinux_validate_context(sulogin_t)
	selinux_compute_access_vector(sulogin_t)
	selinux_compute_create_context(sulogin_t)
	selinux_compute_relabel_context(sulogin_t)
	selinux_compute_user_contexts(sulogin_t)
')

optional_policy(`
	nis_use_ypbind(sulogin_t)
')

optional_policy(`
	nscd_socket_use(sulogin_t)
')