policy/modules/admin/usermanage.te

   1
   2 policy_module(usermanage,1.7.1)
   3
   4 ########################################
   5 #
   6 # Declarations
   7 #
   8
   9 type admin_passwd_exec_t;
  10 files_type(admin_passwd_exec_t)
  11
  12 type chfn_t;
  13 type chfn_exec_t;
  14 domain_obj_id_change_exemption(chfn_t)
  15 application_domain(chfn_t,chfn_exec_t)
  16 role system_r types chfn_t;
  17
  18 type crack_t;
  19 type crack_exec_t;
  20 application_domain(crack_t,crack_exec_t)
  21 role system_r types crack_t;
  22
  23 type crack_db_t;
  24 files_type(crack_db_t)
  25
  26 type crack_tmp_t;
  27 files_tmp_file(crack_tmp_t)
  28
  29 type groupadd_t;
  30 type groupadd_exec_t;
  31 domain_obj_id_change_exemption(groupadd_t)
  32 init_system_domain(groupadd_t,groupadd_exec_t)
  33 role system_r types groupadd_t;
  34
  35 type passwd_t;
  36 type passwd_exec_t;
  37 domain_obj_id_change_exemption(passwd_t)
  38 application_domain(passwd_t,passwd_exec_t)
  39 role system_r types passwd_t;
  40
  41 type sysadm_passwd_t;
  42 domain_obj_id_change_exemption(sysadm_passwd_t)
  43 application_domain(sysadm_passwd_t,admin_passwd_exec_t)
  44 role system_r types sysadm_passwd_t;
  45
  46 type sysadm_passwd_tmp_t;
  47 files_tmp_file(sysadm_passwd_tmp_t)
  48
  49 type useradd_t;
  50 type useradd_exec_t;
  51 domain_obj_id_change_exemption(useradd_t)
  52 init_system_domain(useradd_t,useradd_exec_t)
  53 role system_r types useradd_t;
  54
  55 ########################################
  56 #
  57 # Chfn local policy
  58 #
  59
  60 allow chfn_t self:capability { chown dac_override fsetid setuid setgid sys_resource };
  61 allow chfn_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execheap execstack };
  62 allow chfn_t self:process { setrlimit setfscreate };
  63 allow chfn_t self:fd use;
  64 allow chfn_t self:fifo_file rw_fifo_file_perms;
  65 allow chfn_t self:sock_file read_sock_file_perms;
  66 allow chfn_t self:shm create_shm_perms;
  67 allow chfn_t self:sem create_sem_perms;
  68 allow chfn_t self:msgq create_msgq_perms;
  69 allow chfn_t self:msg { send receive };
  70 allow chfn_t self:unix_dgram_socket create_socket_perms;
  71 allow chfn_t self:unix_stream_socket create_stream_socket_perms;
  72 allow chfn_t self:unix_dgram_socket sendto;
  73 allow chfn_t self:unix_stream_socket connectto;
  74
  75 kernel_read_system_state(chfn_t)
  76 kernel_read_kernel_sysctls(chfn_t)
  77
  78 selinux_get_fs_mount(chfn_t)
  79 selinux_validate_context(chfn_t)
  80 selinux_compute_access_vector(chfn_t)
  81 selinux_compute_create_context(chfn_t)
  82 selinux_compute_relabel_context(chfn_t)
  83 selinux_compute_user_contexts(chfn_t)
  84
  85 term_use_all_user_ttys(chfn_t)
  86 term_use_all_user_ptys(chfn_t)
  87
  88 fs_getattr_xattr_fs(chfn_t)
  89 fs_search_auto_mountpoints(chfn_t)
  90
  91 # for SSP
  92 dev_read_urand(chfn_t)
  93
  94 auth_domtrans_chk_passwd(chfn_t)
  95 auth_dontaudit_read_shadow(chfn_t)
  96
  97 # allow checking if a shell is executable
  98 corecmd_check_exec_shell(chfn_t)
  99
 100 domain_use_interactive_fds(chfn_t)
 101
 102 files_manage_etc_files(chfn_t)
 103 files_read_etc_runtime_files(chfn_t)
 104 files_dontaudit_search_var(chfn_t)
 105 files_dontaudit_search_home(chfn_t)
 106
 107 # /usr/bin/passwd asks for w access to utmp, but it will operate
 108 # correctly without it.  Do not audit write denials to utmp.
 109 init_dontaudit_rw_utmp(chfn_t)
 110
 111 libs_use_ld_so(chfn_t)
 112 libs_use_shared_libs(chfn_t)
 113
 114 miscfiles_read_localization(chfn_t)
 115
 116 logging_send_syslog_msg(chfn_t)
 117
 118 # uses unix_chkpwd for checking passwords
 119 seutil_dontaudit_search_config(chfn_t)
 120
 121 userdom_use_unpriv_users_fds(chfn_t)
 122 # user generally runs this from their home directory, so do not audit a search
 123 # on user home dir
 124 userdom_dontaudit_search_all_users_home_content(chfn_t)
 125
 126 optional_policy(`
 127         nis_use_ypbind(chfn_t)
 128 ')
 129
 130 optional_policy(`
 131         nscd_socket_use(chfn_t)
 132 ')
 133
 134 ########################################
 135 #
 136 # Crack local policy
 137 #
 138
 139 allow crack_t self:process { sigkill sigstop signull signal };
 140 allow crack_t self:fifo_file rw_fifo_file_perms;
 141
 142 manage_files_pattern(crack_t,crack_db_t,crack_db_t)
 143 manage_lnk_files_pattern(crack_t,crack_db_t,crack_db_t)
 144 files_search_var(crack_t)
 145
 146 manage_dirs_pattern(crack_t,crack_tmp_t,crack_tmp_t)
 147 manage_files_pattern(crack_t,crack_tmp_t,crack_tmp_t)
 148 files_tmp_filetrans(crack_t, crack_tmp_t, { file dir })
 149
 150 kernel_read_system_state(crack_t)
 151
 152 # for SSP
 153 dev_read_urand(crack_t)
 154
 155 fs_getattr_xattr_fs(crack_t)
 156
 157 files_read_etc_files(crack_t)
 158 files_read_etc_runtime_files(crack_t)
 159 # for dictionaries
 160 files_read_usr_files(crack_t)
 161
 162 corecmd_exec_bin(crack_t)
 163
 164 libs_use_ld_so(crack_t)
 165 libs_use_shared_libs(crack_t)
 166
 167 logging_send_syslog_msg(crack_t)
 168
 169 userdom_dontaudit_search_sysadm_home_dirs(crack_t)
 170
 171 optional_policy(`
 172         cron_system_entry(crack_t,crack_exec_t)
 173 ')
 174
 175 ########################################
 176 #
 177 # Groupadd local policy
 178 #
 179
 180 allow groupadd_t self:capability { dac_override chown kill setuid sys_resource audit_write };
 181 dontaudit groupadd_t self:capability { fsetid sys_tty_config };
 182 allow groupadd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execheap execstack };
 183 allow groupadd_t self:process { setrlimit setfscreate };
 184 allow groupadd_t self:fd use;
 185 allow groupadd_t self:fifo_file rw_fifo_file_perms;
 186 allow groupadd_t self:shm create_shm_perms;
 187 allow groupadd_t self:sem create_sem_perms;
 188 allow groupadd_t self:msgq create_msgq_perms;
 189 allow groupadd_t self:msg { send receive };
 190 allow groupadd_t self:unix_dgram_socket create_socket_perms;
 191 allow groupadd_t self:unix_stream_socket create_stream_socket_perms;
 192 allow groupadd_t self:unix_dgram_socket sendto;
 193 allow groupadd_t self:unix_stream_socket connectto;
 194 allow groupadd_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay };
 195
 196 fs_getattr_xattr_fs(groupadd_t)
 197 fs_search_auto_mountpoints(groupadd_t)
 198
 199 # Allow access to context for shadow file
 200 selinux_get_fs_mount(groupadd_t)
 201 selinux_validate_context(groupadd_t)
 202 selinux_compute_access_vector(groupadd_t)
 203 selinux_compute_create_context(groupadd_t)
 204 selinux_compute_relabel_context(groupadd_t)
 205 selinux_compute_user_contexts(groupadd_t)
 206
 207 term_use_all_user_ttys(groupadd_t)
 208 term_use_all_user_ptys(groupadd_t)
 209
 210 init_use_fds(groupadd_t)
 211 init_read_utmp(groupadd_t)
 212 init_dontaudit_write_utmp(groupadd_t)
 213
 214 domain_use_interactive_fds(groupadd_t)
 215
 216 files_manage_etc_files(groupadd_t)
 217 files_relabel_etc_files(groupadd_t)
 218 files_read_etc_runtime_files(groupadd_t)
 219
 220 libs_use_ld_so(groupadd_t)
 221 libs_use_shared_libs(groupadd_t)
 222
 223 # Execute /usr/bin/{passwd,chfn,chsh} and /usr/sbin/{useradd,vipw}.
 224 corecmd_exec_bin(groupadd_t)
 225
 226 logging_send_syslog_msg(groupadd_t)
 227
 228 miscfiles_read_localization(groupadd_t)
 229
 230 auth_manage_shadow(groupadd_t)
 231 auth_relabel_shadow(groupadd_t)
 232 auth_etc_filetrans_shadow(groupadd_t)
 233 auth_rw_lastlog(groupadd_t)
 234 auth_use_nsswitch(groupadd_t)
 235
 236 seutil_read_config(groupadd_t)
 237
 238 userdom_use_unpriv_users_fds(groupadd_t)
 239 # for when /root is the cwd
 240 userdom_dontaudit_search_sysadm_home_dirs(groupadd_t)
 241
 242 optional_policy(`
 243         dpkg_use_fds(groupadd_t)
 244         dpkg_rw_pipes(groupadd_t)
 245 ')
 246
 247 optional_policy(`
 248         rpm_use_fds(groupadd_t)
 249         rpm_rw_pipes(groupadd_t)
 250 ')
 251
 252 ########################################
 253 #
 254 # Passwd local policy
 255 #
 256
 257 allow passwd_t self:capability { chown dac_override fsetid setuid setgid sys_resource audit_control audit_write };
 258 allow passwd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
 259 allow passwd_t self:process { setrlimit setfscreate };
 260 allow passwd_t self:fd use;
 261 allow passwd_t self:fifo_file rw_fifo_file_perms;
 262 allow passwd_t self:sock_file read_sock_file_perms;
 263 allow passwd_t self:unix_dgram_socket create_socket_perms;
 264 allow passwd_t self:unix_stream_socket create_stream_socket_perms;
 265 allow passwd_t self:unix_dgram_socket sendto;
 266 allow passwd_t self:unix_stream_socket connectto;
 267 allow passwd_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay };
 268 allow passwd_t self:shm create_shm_perms;
 269 allow passwd_t self:sem create_sem_perms;
 270 allow passwd_t self:msgq create_msgq_perms;
 271 allow passwd_t self:msg { send receive };
 272
 273 allow passwd_t crack_db_t:dir list_dir_perms;
 274 read_files_pattern(passwd_t,crack_db_t,crack_db_t)
 275
 276 kernel_read_kernel_sysctls(passwd_t)
 277
 278 # for SSP
 279 dev_read_urand(passwd_t)
 280
 281 fs_getattr_xattr_fs(passwd_t)
 282 fs_search_auto_mountpoints(passwd_t)
 283
 284 mls_file_write_all_levels(passwd_t)
 285 mls_file_downgrade(passwd_t)
 286
 287 selinux_get_fs_mount(passwd_t)
 288 selinux_validate_context(passwd_t)
 289 selinux_compute_access_vector(passwd_t)
 290 selinux_compute_create_context(passwd_t)
 291 selinux_compute_relabel_context(passwd_t)
 292 selinux_compute_user_contexts(passwd_t)
 293
 294 term_use_all_user_ttys(passwd_t)
 295 term_use_all_user_ptys(passwd_t)
 296
 297 auth_manage_shadow(passwd_t)
 298 auth_relabel_shadow(passwd_t)
 299 auth_etc_filetrans_shadow(passwd_t)
 300
 301 # allow checking if a shell is executable
 302 corecmd_check_exec_shell(passwd_t)
 303
 304 domain_use_interactive_fds(passwd_t)
 305
 306 files_read_etc_runtime_files(passwd_t)
 307 files_manage_etc_files(passwd_t)
 308 files_search_var(passwd_t)
 309 files_dontaudit_search_pids(passwd_t)
 310 files_relabel_etc_files(passwd_t)
 311
 312 # /usr/bin/passwd asks for w access to utmp, but it will operate
 313 # correctly without it.  Do not audit write denials to utmp.
 314 init_dontaudit_rw_utmp(passwd_t)
 315
 316 libs_use_ld_so(passwd_t)
 317 libs_use_shared_libs(passwd_t)
 318
 319 logging_send_syslog_msg(passwd_t)
 320
 321 miscfiles_read_localization(passwd_t)
 322
 323 seutil_dontaudit_search_config(passwd_t)
 324
 325 userdom_use_unpriv_users_fds(passwd_t)
 326 # make sure that getcon succeeds
 327 userdom_getattr_all_users(passwd_t)
 328 userdom_read_all_users_state(passwd_t)
 329 # user generally runs this from their home directory, so do not audit a search
 330 # on user home dir
 331 userdom_dontaudit_search_all_users_home_content(passwd_t)
 332
 333 optional_policy(`
 334         nis_use_ypbind(passwd_t)
 335 ')
 336
 337 optional_policy(`
 338         nscd_socket_use(passwd_t)
 339 ')
 340
 341 ########################################
 342 #
 343 # Password admin local policy
 344 #
 345
 346 allow sysadm_passwd_t self:capability { chown dac_override fsetid setuid setgid sys_resource };
 347 allow sysadm_passwd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
 348 allow sysadm_passwd_t self:process { setrlimit setfscreate };
 349 allow sysadm_passwd_t self:fd use;
 350 allow sysadm_passwd_t self:fifo_file rw_fifo_file_perms;
 351 allow sysadm_passwd_t self:sock_file read_sock_file_perms;
 352 allow sysadm_passwd_t self:unix_dgram_socket create_socket_perms;
 353 allow sysadm_passwd_t self:unix_stream_socket create_stream_socket_perms;
 354 allow sysadm_passwd_t self:unix_dgram_socket sendto;
 355 allow sysadm_passwd_t self:unix_stream_socket connectto;
 356 allow sysadm_passwd_t self:shm create_shm_perms;
 357 allow sysadm_passwd_t self:sem create_sem_perms;
 358 allow sysadm_passwd_t self:msgq create_msgq_perms;
 359 allow sysadm_passwd_t self:msg { send receive };
 360
 361 # allow vipw to create temporary files under /var/tmp/vi.recover
 362 manage_dirs_pattern(sysadm_passwd_t,sysadm_passwd_tmp_t,sysadm_passwd_tmp_t)
 363 manage_files_pattern(sysadm_passwd_t,sysadm_passwd_tmp_t,sysadm_passwd_tmp_t)
 364 files_tmp_filetrans(sysadm_passwd_t, sysadm_passwd_tmp_t, { file dir })
 365 files_search_var(sysadm_passwd_t)
 366 files_dontaudit_search_home(sysadm_passwd_t)
 367
 368 kernel_read_kernel_sysctls(sysadm_passwd_t)
 369 # for /proc/meminfo
 370 kernel_read_system_state(sysadm_passwd_t)
 371
 372 selinux_get_fs_mount(sysadm_passwd_t)
 373 selinux_validate_context(sysadm_passwd_t)
 374 selinux_compute_access_vector(sysadm_passwd_t)
 375 selinux_compute_create_context(sysadm_passwd_t)
 376 selinux_compute_relabel_context(sysadm_passwd_t)
 377 selinux_compute_user_contexts(sysadm_passwd_t)
 378
 379 # for SSP
 380 dev_read_urand(sysadm_passwd_t)
 381
 382 fs_getattr_xattr_fs(sysadm_passwd_t)
 383 fs_search_auto_mountpoints(sysadm_passwd_t)
 384
 385 term_use_all_user_ttys(sysadm_passwd_t)
 386 term_use_all_user_ptys(sysadm_passwd_t)
 387
 388 auth_manage_shadow(sysadm_passwd_t)
 389 auth_relabel_shadow(sysadm_passwd_t)
 390 auth_etc_filetrans_shadow(sysadm_passwd_t)
 391
 392 # allow vipw to exec the editor
 393 corecmd_exec_bin(sysadm_passwd_t)
 394 corecmd_exec_shell(sysadm_passwd_t)
 395 files_read_usr_files(sysadm_passwd_t)
 396
 397 domain_use_interactive_fds(sysadm_passwd_t)
 398
 399 files_manage_etc_files(sysadm_passwd_t)
 400 files_relabel_etc_files(sysadm_passwd_t)
 401 files_read_etc_runtime_files(sysadm_passwd_t)
 402 # for nscd lookups
 403 files_dontaudit_search_pids(sysadm_passwd_t)
 404
 405 # /usr/bin/passwd asks for w access to utmp, but it will operate
 406 # correctly without it.  Do not audit write denials to utmp.
 407 init_dontaudit_rw_utmp(sysadm_passwd_t)
 408
 409 libs_use_ld_so(sysadm_passwd_t)
 410 libs_use_shared_libs(sysadm_passwd_t)
 411
 412 miscfiles_read_localization(sysadm_passwd_t)
 413
 414 logging_send_syslog_msg(sysadm_passwd_t)
 415
 416 seutil_dontaudit_search_config(sysadm_passwd_t)
 417
 418 userdom_use_unpriv_users_fds(sysadm_passwd_t)
 419 # user generally runs this from their home directory, so do not audit a search
 420 # on user home dir
 421 userdom_dontaudit_search_all_users_home_content(sysadm_passwd_t)
 422
 423 optional_policy(`
 424         nis_use_ypbind(sysadm_passwd_t)
 425 ')
 426
 427 optional_policy(`
 428         nscd_socket_use(sysadm_passwd_t)
 429 ')
 430
 431 ########################################
 432 #
 433 # Useradd local policy
 434 #
 435
 436 allow useradd_t self:capability { dac_override chown kill fowner fsetid setuid sys_resource audit_write };
 437 dontaudit useradd_t self:capability sys_tty_config;
 438 allow useradd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
 439 allow useradd_t self:process setfscreate;
 440 allow useradd_t self:fd use;
 441 allow useradd_t self:fifo_file rw_fifo_file_perms;
 442 allow useradd_t self:shm create_shm_perms;
 443 allow useradd_t self:sem create_sem_perms;
 444 allow useradd_t self:msgq create_msgq_perms;
 445 allow useradd_t self:msg { send receive };
 446 allow useradd_t self:unix_dgram_socket create_socket_perms;
 447 allow useradd_t self:unix_stream_socket create_stream_socket_perms;
 448 allow useradd_t self:unix_dgram_socket sendto;
 449 allow useradd_t self:unix_stream_socket connectto;
 450 allow useradd_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay };
 451
 452 # for getting the number of groups
 453 kernel_read_kernel_sysctls(useradd_t)
 454
 455 corecmd_exec_shell(useradd_t)
 456 # Execute /usr/bin/{passwd,chfn,chsh} and /usr/sbin/{useradd,vipw}.
 457 corecmd_exec_bin(useradd_t)
 458
 459 domain_use_interactive_fds(useradd_t)
 460
 461 files_manage_etc_files(useradd_t)
 462 files_search_var_lib(useradd_t)
 463 files_relabel_etc_files(useradd_t)
 464 files_read_etc_runtime_files(useradd_t)
 465
 466 fs_search_auto_mountpoints(useradd_t)
 467 fs_getattr_xattr_fs(useradd_t)
 468
 469 mls_file_upgrade(useradd_t)
 470
 471 # Allow access to context for shadow file
 472 selinux_get_fs_mount(useradd_t)
 473 selinux_validate_context(useradd_t)
 474 selinux_compute_access_vector(useradd_t)
 475 selinux_compute_create_context(useradd_t)
 476 selinux_compute_relabel_context(useradd_t)
 477 selinux_compute_user_contexts(useradd_t)
 478
 479 term_use_all_user_ttys(useradd_t)
 480 term_use_all_user_ptys(useradd_t)
 481
 482 auth_manage_shadow(useradd_t)
 483 auth_relabel_shadow(useradd_t)
 484 auth_etc_filetrans_shadow(useradd_t)
 485 auth_rw_lastlog(useradd_t)
 486 auth_rw_faillog(useradd_t)
 487 auth_use_nsswitch(useradd_t)
 488
 489 init_use_fds(useradd_t)
 490 init_rw_utmp(useradd_t)
 491
 492 libs_use_ld_so(useradd_t)
 493 libs_use_shared_libs(useradd_t)
 494
 495 logging_send_syslog_msg(useradd_t)
 496
 497 miscfiles_read_localization(useradd_t)
 498
 499 seutil_read_config(useradd_t)
 500 seutil_read_file_contexts(useradd_t)
 501 seutil_read_default_contexts(useradd_t)
 502 seutil_domtrans_semanage(useradd_t)
 503 seutil_domtrans_setfiles(useradd_t)
 504
 505 userdom_use_unpriv_users_fds(useradd_t)
 506 # for when /root is the cwd
 507 userdom_dontaudit_search_sysadm_home_dirs(useradd_t)
 508 # Add/remove user home directories
 509 userdom_home_filetrans_generic_user_home_dir(useradd_t)
 510 userdom_manage_all_users_home_content_dirs(useradd_t)
 511 userdom_manage_all_users_home_content_files(useradd_t)
 512 userdom_generic_user_home_dir_filetrans_generic_user_home_content(useradd_t,notdevfile_class_set)
 513
 514 mta_manage_spool(useradd_t)
 515
 516 optional_policy(`
 517         dpkg_use_fds(useradd_t)
 518         dpkg_rw_pipes(useradd_t)
 519 ')
 520
 521 optional_policy(`
 522         rpm_use_fds(useradd_t)
 523         rpm_rw_pipes(useradd_t)
 524 ')