policy_module(locallogin, 1.10.2)

########################################
#
# Declarations
#

# Domain of the local (console/tty) login program. The two auth_*
# interfaces register it as a login program domain and as a login entry
# point, so it sits on the trust boundary between init and user sessions.
type local_login_t;
domain_interactive_fd(local_login_t)
auth_login_pgm_domain(local_login_t)
auth_login_entry_type(local_login_t)

# Lock file type; local_login_t creates files of this type via the
# files_lock_filetrans rule in the local policy section.
type local_login_lock_t;
files_lock_file(local_login_lock_t)

# Temporary file/dir type for local_login_t. files_poly_parent presumably
# marks it as a polyinstantiation parent for per-session tmp dirs.
type local_login_tmp_t;
files_tmp_file(local_login_tmp_t)
files_poly_parent(local_login_tmp_t)

# Single-user (rescue) login. The three *_exemption interfaces exempt
# sulogin_t from the policy-wide constraints on changing the object
# identity, subject identity and role; presumably needed to hand the
# rescue shell to the sysadm or unconfined domain in the sulogin section.
# It is both an init_domain and an init_system_domain and runs in system_r.
type sulogin_t;
type sulogin_exec_t;
domain_obj_id_change_exemption(sulogin_t)
domain_subj_id_change_exemption(sulogin_t)
domain_role_change_exemption(sulogin_t)
domain_interactive_fd(sulogin_t)
init_domain(sulogin_t, sulogin_exec_t)
init_system_domain(sulogin_t, sulogin_exec_t)
role system_r types sulogin_t;
########################################
#
# Local login local policy
#

# Broad capability set. dac_override, sys_admin and sys_ptrace in
# particular let this domain bypass file DAC checks, perform privileged
# administrative operations and trace other processes; setuid/setgid and
# chown/fowner are what login needs to drop to the user and hand over the
# tty. Anything added here widens the pre-authentication attack surface.
allow local_login_t self:capability { dac_override chown fowner fsetid kill setgid setuid sys_admin sys_nice sys_ptrace sys_resource sys_tty_config };
# Complement set: every process permission EXCEPT the listed ones. Note
# that this still grants e.g. setexec, setrlimit and transition.
allow local_login_t self:process ~{ ptrace setcurrent setfscreate execmem execstack execheap };
allow local_login_t self:fd use;
allow local_login_t self:fifo_file rw_fifo_file_perms;
allow local_login_t self:sock_file read_sock_file_perms;
allow local_login_t self:unix_dgram_socket create_socket_perms;
allow local_login_t self:unix_stream_socket create_stream_socket_perms;
allow local_login_t self:unix_dgram_socket sendto;
allow local_login_t self:unix_stream_socket connectto;
allow local_login_t self:shm create_shm_perms;
allow local_login_t self:sem create_sem_perms;
allow local_login_t self:msgq create_msgq_perms;
allow local_login_t self:msg { send receive };
# Keyring access on its own keys; pairs with userdom_create_all_users_keys
# below (presumably session keyring setup at login).
allow local_login_t self:key { search write link };

# Own lock file: created in the lock dir with an automatic type transition.
allow local_login_t local_login_lock_t:file manage_file_perms;
files_lock_filetrans(local_login_t, local_login_lock_t, file)

# Own tmp files and directories, auto-transitioned in the tmp dir.
allow local_login_t local_login_tmp_t:dir manage_dir_perms;
allow local_login_t local_login_tmp_t:file manage_file_perms;
files_tmp_filetrans(local_login_t, local_login_tmp_t, { file dir })

kernel_read_system_state(local_login_t)
kernel_read_kernel_sysctls(local_login_t)
kernel_search_key(local_login_t)
kernel_link_key(local_login_t)

corecmd_list_bin(local_login_t)
corecmd_read_bin_symlinks(local_login_t)
# cjp: these are probably not needed:
corecmd_read_bin_files(local_login_t)
corecmd_read_bin_pipes(local_login_t)
corecmd_read_bin_sockets(local_login_t)

# Real getattr/setattr access on mouse, power management and sound
# devices plus rw on generic USB and read on video devices; presumably for
# chowning console devices to the logging-in user. The dontaudit rules
# that follow grant nothing, they only silence the denials produced when
# the same scan touches other device nodes.
dev_setattr_mouse_dev(local_login_t)
dev_getattr_mouse_dev(local_login_t)
dev_getattr_power_mgmt_dev(local_login_t)
dev_setattr_power_mgmt_dev(local_login_t)
dev_getattr_sound_dev(local_login_t)
dev_setattr_sound_dev(local_login_t)
dev_rw_generic_usb_dev(local_login_t)
dev_read_video_dev(local_login_t)
dev_dontaudit_getattr_apm_bios_dev(local_login_t)
dev_dontaudit_setattr_apm_bios_dev(local_login_t)
dev_dontaudit_read_framebuffer(local_login_t)
dev_dontaudit_setattr_framebuffer_dev(local_login_t)
dev_dontaudit_getattr_generic_blk_files(local_login_t)
dev_dontaudit_setattr_generic_blk_files(local_login_t)
dev_dontaudit_getattr_generic_chr_files(local_login_t)
dev_dontaudit_setattr_generic_chr_files(local_login_t)
dev_dontaudit_setattr_generic_symlinks(local_login_t)
dev_dontaudit_getattr_misc_dev(local_login_t)
dev_dontaudit_setattr_misc_dev(local_login_t)
dev_dontaudit_getattr_scanner_dev(local_login_t)
dev_dontaudit_setattr_scanner_dev(local_login_t)
dev_dontaudit_search_sysfs(local_login_t)
dev_dontaudit_getattr_video_dev(local_login_t)
dev_dontaudit_setattr_video_dev(local_login_t)

# Read access to every domain entry point file; presumably required so
# the user domain transition at login can execute the target shell.
domain_read_all_entry_files(local_login_t)

files_read_etc_files(local_login_t)
files_read_etc_runtime_files(local_login_t)
files_read_usr_files(local_login_t)
files_list_mnt(local_login_t)
files_list_world_readable(local_login_t)
files_read_world_readable_files(local_login_t)
files_read_world_readable_symlinks(local_login_t)
files_read_world_readable_pipes(local_login_t)
files_read_world_readable_sockets(local_login_t)
# for when /var/mail is a symlink
files_read_var_symlinks(local_login_t)

fs_search_auto_mountpoints(local_login_t)

# Silence only; no disk device access is granted.
storage_dontaudit_getattr_fixed_disk_dev(local_login_t)
storage_dontaudit_setattr_fixed_disk_dev(local_login_t)
storage_dontaudit_getattr_removable_dev(local_login_t)
storage_dontaudit_setattr_removable_dev(local_login_t)

# Full use, relabel and setattr of all ttys and of unallocated ttys: login
# relabels the tty it was started on to the user tty type.
term_use_all_ttys(local_login_t)
term_use_unallocated_ttys(local_login_t)
term_relabel_unallocated_ttys(local_login_t)
term_relabel_all_ttys(local_login_t)
term_setattr_all_ttys(local_login_t)
term_setattr_unallocated_ttys(local_login_t)

# Login accounting (utmp/wtmp, faillog) and PAM state, plus a domain
# transition to pam_console.
auth_rw_login_records(local_login_t)
auth_rw_faillog(local_login_t)
auth_manage_pam_pid(local_login_t)
auth_manage_pam_console_data(local_login_t)
auth_domtrans_pam_console(local_login_t)

init_dontaudit_use_fds(local_login_t)
init_stream_connect(local_login_t)

miscfiles_read_localization(local_login_t)

# Transition into the user domain selected for the authenticated user,
# signal/sigchld user processes and create their keys.
userdom_spec_domtrans_all_users(local_login_t)
userdom_signal_all_users(local_login_t)
userdom_search_user_home_content(local_login_t)
userdom_use_unpriv_users_fds(local_login_t)
userdom_sigchld_all_users(local_login_t)
userdom_create_all_users_keys(local_login_t)

# NOTE(review): on distro_ubuntu builds this makes local_login_t an
# unconfined domain, so none of the fine-grained rules above constrain it
# there; the rest of this file is effectively advisory on that distro.
ifdef(`distro_ubuntu',`
optional_policy(`
unconfined_domain(local_login_t)
')
')

# term_relabel_console is also granted under allow_console_login below;
# the two tunables overlap on this permission.
tunable_policy(`console_login',`
# Able to relabel /dev/console to user tty types.
term_relabel_console(local_login_t)
')

# Home directories on NFS/CIFS: read-only access to files and symlinks.
tunable_policy(`use_nfs_home_dirs',`
fs_read_nfs_files(local_login_t)
fs_read_nfs_symlinks(local_login_t)
')

tunable_policy(`use_samba_home_dirs',`
fs_read_cifs_files(local_login_t)
fs_read_cifs_symlinks(local_login_t)
')

# Use, relabel and setattr of /dev/console when console login is allowed.
tunable_policy(`allow_console_login',`
term_use_console(local_login_t)
term_relabel_console(local_login_t)
term_setattr_console(local_login_t)
')

optional_policy(`
alsa_domtrans(local_login_t)
')

# System bus client, used to talk to consolekit over dbus.
optional_policy(`
dbus_system_bus_client(local_login_t)

consolekit_dbus_chat(local_login_t)
')

optional_policy(`
gpm_getattr_gpmctl(local_login_t)
gpm_setattr_gpmctl(local_login_t)
')

optional_policy(`
# Search for mail spool file.
mta_getattr_spool(local_login_t)
')

# Name service lookups via ypbind / nscd when those modules are present.
optional_policy(`
nis_use_ypbind(local_login_t)
')

optional_policy(`
nscd_socket_use(local_login_t)
')

# Transition to the unconfined shell when the unconfined module is loaded.
optional_policy(`
unconfined_shell_domtrans(local_login_t)
')

optional_policy(`
usermanage_read_crack_db(local_login_t)
')

optional_policy(`
xserver_read_xdm_tmp_files(local_login_t)
xserver_rw_xdm_tmp_files(local_login_t)
')
#################################
#
# Sulogin local policy
#

# Much narrower than local_login_t: only dac_override here, with
# sys_tty_config added separately further down.
allow sulogin_t self:capability dac_override;
# Complement set: every process permission EXCEPT the listed ones. setexec
# is excluded here and granted again only in the PAM branch at the end of
# this file.
allow sulogin_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
allow sulogin_t self:fd use;
allow sulogin_t self:fifo_file rw_fifo_file_perms;
allow sulogin_t self:unix_dgram_socket create_socket_perms;
allow sulogin_t self:unix_stream_socket create_stream_socket_perms;
allow sulogin_t self:unix_dgram_socket sendto;
allow sulogin_t self:unix_stream_socket connectto;
allow sulogin_t self:shm create_shm_perms;
allow sulogin_t self:sem create_sem_perms;
allow sulogin_t self:msgq create_msgq_perms;
allow sulogin_t self:msg { send receive };

kernel_read_system_state(sulogin_t)

fs_search_auto_mountpoints(sulogin_t)
fs_rw_tmpfs_chr_files(sulogin_t)

files_read_etc_files(sulogin_t)
# because file systems are not mounted:
files_dontaudit_search_isid_type_dirs(sulogin_t)

# Direct read of the shadow file: sulogin may run without PAM (see
# sulogin_no_pam below), so it presumably verifies the root password
# itself. Name service lookups go through nsswitch.
auth_read_shadow(sulogin_t)
auth_use_nsswitch(sulogin_t)

init_getpgid_script(sulogin_t)

logging_send_syslog_msg(sulogin_t)

# SELinux config and default_contexts, needed to pick the shell context.
seutil_read_config(sulogin_t)
seutil_read_default_contexts(sulogin_t)

userdom_use_unpriv_users_fds(sulogin_t)

userdom_search_user_home_dirs(sulogin_t)
userdom_use_user_ptys(sulogin_t)

# Rescue login happens on the console or an unallocated tty.
term_use_console(sulogin_t)
term_use_unallocated_ttys(sulogin_t)

# Under MLS the rescue shell transitions to the sysadm domain; otherwise
# it transitions to the unconfined shell when that module is present.
ifdef(`enable_mls',`
sysadm_shell_domtrans(sulogin_t)
',`
optional_policy(`
unconfined_shell_domtrans(sulogin_t)
')
')

# suse and debian do not use pam with sulogin...
# m4 define evaluated at build time; the ifdef below keys off it.
ifdef(`distro_suse', `define(`sulogin_no_pam')')
ifdef(`distro_debian', `define(`sulogin_no_pam')')

# Applies regardless of the PAM setting; complements the dac_override
# capability rule at the top of this section.
allow sulogin_t self:capability sys_tty_config;
# Without PAM only the init process group lookup is needed. With PAM,
# setexec (excluded from the complement set above) plus the selinux_*
# queries are granted; presumably pam_selinux uses them to validate and
# compute the login context. TODO confirm against the PAM configuration.
ifdef(`sulogin_no_pam', `
init_getpgid(sulogin_t)
', `
allow sulogin_t self:process setexec;
selinux_get_fs_mount(sulogin_t)
selinux_validate_context(sulogin_t)
selinux_compute_access_vector(sulogin_t)
selinux_compute_create_context(sulogin_t)
selinux_compute_relabel_context(sulogin_t)
selinux_compute_user_contexts(sulogin_t)
')