# locallogin: SELinux reference-policy module for the local (tty/console)
# login program and for sulogin (single-user rescue login).
#
# NOTE(review): every line below carries a leading number that is the
# source file's own line number; the gaps in that numbering are lines
# (blank lines, optional_policy()/tunable_policy() openers and their
# `') closers) dropped when this listing was extracted. Several ifdef()
# and tunable_policy() blocks therefore appear unterminated here even
# though they are closed in the real file — treat the block structure
# below as indicative, not verbatim.
1 policy_module(locallogin, 1.10.2)
3 ########################################
# Declarations (partly cut from this listing): local_login_t is marked
# as an interactive-fd domain, a login program domain and a login entry
# type, i.e. it is one of the domains allowed to authenticate users and
# start user sessions.
9 domain_interactive_fd(local_login_t)
10 auth_login_pgm_domain(local_login_t)
11 auth_login_entry_type(local_login_t)
# Private lock-file type for local_login_t.
13 type local_login_lock_t;
14 files_lock_file(local_login_lock_t)
# Private tmp type; files_poly_parent registers it as a
# polyinstantiated-directory parent.
16 type local_login_tmp_t;
17 files_tmp_file(local_login_tmp_t)
18 files_poly_parent(local_login_tmp_t)
# sulogin_t is exempt from the usual constraints on changing object and
# subject SELinux identity and role, runs as an init-started system
# domain (entry point sulogin_exec_t) and is authorized for system_r.
# These exemptions are what let a rescue shell be spawned with a
# different user/role than the one sulogin itself runs under.
22 domain_obj_id_change_exemption(sulogin_t)
23 domain_subj_id_change_exemption(sulogin_t)
24 domain_role_change_exemption(sulogin_t)
25 domain_interactive_fd(sulogin_t)
26 init_domain(sulogin_t, sulogin_exec_t)
27 init_system_domain(sulogin_t, sulogin_exec_t)
28 role system_r types sulogin_t;
30 ########################################
32 # Local login local policy
# Capabilities granted to local_login_t. setuid/setgid/chown/fowner/fsetid
# and sys_tty_config are the ones a login program needs to switch user and
# hand over the tty; sys_admin and sys_ptrace are the broadest entries in
# this set and are the first thing to re-check if this module is ever
# tightened (least privilege). Why sys_ptrace is needed is not visible
# here — TODO confirm against the login implementation.
35 allow local_login_t self:capability { dac_override chown fowner fsetid kill setgid setuid sys_admin sys_nice sys_ptrace sys_resource sys_tty_config };
# Complement form: every process permission the base policy defines EXCEPT
# the listed ones. New process permissions added to the base policy later
# are therefore granted implicitly. Note that setexec is not excluded
# (compare the sulogin_t rule further down, which does exclude it).
36 allow local_login_t self:process ~{ ptrace setcurrent setfscreate execmem execstack execheap };
37 allow local_login_t self:fd use;
38 allow local_login_t self:fifo_file rw_fifo_file_perms;
39 allow local_login_t self:sock_file read_sock_file_perms;
40 allow local_login_t self:unix_dgram_socket create_socket_perms;
41 allow local_login_t self:unix_stream_socket create_stream_socket_perms;
42 allow local_login_t self:unix_dgram_socket sendto;
43 allow local_login_t self:unix_stream_socket connectto;
44 allow local_login_t self:shm create_shm_perms;
45 allow local_login_t self:sem create_sem_perms;
46 allow local_login_t self:msgq create_msgq_perms;
47 allow local_login_t self:msg { send receive };
# Kernel keyring access on its own keys (search/write/link only).
48 allow local_login_t self:key { search write link };
# Lock and tmp files are created under the private types declared above
# via type transitions, so they do not land in the generic lock/tmp types.
50 allow local_login_t local_login_lock_t:file manage_file_perms;
51 files_lock_filetrans(local_login_t, local_login_lock_t, file)
53 allow local_login_t local_login_tmp_t:dir manage_dir_perms;
54 allow local_login_t local_login_tmp_t:file manage_file_perms;
55 files_tmp_filetrans(local_login_t, local_login_tmp_t, { file dir })
57 kernel_read_system_state(local_login_t)
58 kernel_read_kernel_sysctls(local_login_t)
59 kernel_search_key(local_login_t)
60 kernel_link_key(local_login_t)
62 corecmd_list_bin(local_login_t)
63 corecmd_read_bin_symlinks(local_login_t)
# Upstream already flags the three reads below as probably unnecessary;
# they are candidates for removal when auditing this domain (each one
# widens what local_login_t can read before a user is authenticated).
64 # cjp: these are probably not needed:
65 corecmd_read_bin_files(local_login_t)
66 corecmd_read_bin_pipes(local_login_t)
67 corecmd_read_bin_sockets(local_login_t)
# Device-node ownership/attribute handling. The getattr/setattr pairs are
# real grants (login adjusts device ownership for the session); the
# dontaudit_* lines only suppress audit messages for accesses that remain
# denied — they grant nothing.
69 dev_setattr_mouse_dev(local_login_t)
70 dev_getattr_mouse_dev(local_login_t)
71 dev_getattr_power_mgmt_dev(local_login_t)
72 dev_setattr_power_mgmt_dev(local_login_t)
73 dev_getattr_sound_dev(local_login_t)
74 dev_setattr_sound_dev(local_login_t)
# Read/write on generic USB device nodes and read on video nodes are
# genuine grants, not dontaudits — verify these are still needed.
75 dev_rw_generic_usb_dev(local_login_t)
76 dev_read_video_dev(local_login_t)
77 dev_dontaudit_getattr_apm_bios_dev(local_login_t)
78 dev_dontaudit_setattr_apm_bios_dev(local_login_t)
79 dev_dontaudit_read_framebuffer(local_login_t)
80 dev_dontaudit_setattr_framebuffer_dev(local_login_t)
81 dev_dontaudit_getattr_generic_blk_files(local_login_t)
82 dev_dontaudit_setattr_generic_blk_files(local_login_t)
83 dev_dontaudit_getattr_generic_chr_files(local_login_t)
84 dev_dontaudit_setattr_generic_chr_files(local_login_t)
85 dev_dontaudit_setattr_generic_symlinks(local_login_t)
86 dev_dontaudit_getattr_misc_dev(local_login_t)
87 dev_dontaudit_setattr_misc_dev(local_login_t)
88 dev_dontaudit_getattr_scanner_dev(local_login_t)
89 dev_dontaudit_setattr_scanner_dev(local_login_t)
90 dev_dontaudit_search_sysfs(local_login_t)
91 dev_dontaudit_getattr_video_dev(local_login_t)
92 dev_dontaudit_setattr_video_dev(local_login_t)
# Needed to execute the entry points of the user domains it transitions to.
94 domain_read_all_entry_files(local_login_t)
96 files_read_etc_files(local_login_t)
97 files_read_etc_runtime_files(local_login_t)
98 files_read_usr_files(local_login_t)
99 files_list_mnt(local_login_t)
100 files_list_world_readable(local_login_t)
101 files_read_world_readable_files(local_login_t)
102 files_read_world_readable_symlinks(local_login_t)
103 files_read_world_readable_pipes(local_login_t)
104 files_read_world_readable_sockets(local_login_t)
105 # for when /var/mail is a symlink
106 files_read_var_symlinks(local_login_t)
108 fs_search_auto_mountpoints(local_login_t)
110 storage_dontaudit_getattr_fixed_disk_dev(local_login_t)
111 storage_dontaudit_setattr_fixed_disk_dev(local_login_t)
112 storage_dontaudit_getattr_removable_dev(local_login_t)
113 storage_dontaudit_setattr_removable_dev(local_login_t)
# Full use, relabel and setattr on all ttys (allocated and unallocated);
# presumably so the tty can be relabeled to the user's tty type when the
# session starts — TODO confirm. This is wide: relabel on *all* ttys
# covers ttys currently owned by other sessions.
115 term_use_all_ttys(local_login_t)
116 term_use_unallocated_ttys(local_login_t)
117 term_relabel_unallocated_ttys(local_login_t)
118 term_relabel_all_ttys(local_login_t)
119 term_setattr_all_ttys(local_login_t)
120 term_setattr_unallocated_ttys(local_login_t)
# Login accounting (wtmp/utmp-style records, faillog), PAM runtime state
# and the transition into the pam_console helper.
122 auth_rw_login_records(local_login_t)
123 auth_rw_faillog(local_login_t)
124 auth_manage_pam_pid(local_login_t)
125 auth_manage_pam_console_data(local_login_t)
126 auth_domtrans_pam_console(local_login_t)
128 init_dontaudit_use_fds(local_login_t)
129 init_stream_connect(local_login_t)
131 miscfiles_read_localization(local_login_t)
# Session hand-off: user-specified domain transitions into every user
# domain, signalling/sigchld of user processes, and creation of per-user
# keyrings. userdom_spec_domtrans_all_users is the rule that actually
# starts the user's session domain.
133 userdom_spec_domtrans_all_users(local_login_t)
134 userdom_signal_all_users(local_login_t)
135 userdom_search_user_home_content(local_login_t)
136 userdom_use_unpriv_users_fds(local_login_t)
137 userdom_sigchld_all_users(local_login_t)
138 userdom_create_all_users_keys(local_login_t)
# On distro_ubuntu builds local_login_t is made fully unconfined, which
# makes every restriction above moot for that build; anyone relying on
# this module to confine login must check which distro the policy was
# built for. (The closing `') of this ifdef is not in this listing.)
140 ifdef(`distro_ubuntu',`
142 unconfined_domain(local_login_t)
# Tunable-gated grants. term_relabel_console is granted under both the
# console_login tunable here and the allow_console_login tunable further
# down; review whether the two booleans are meant to coexist or one is a
# leftover. The `') closers of each tunable_policy block are not in this
# listing.
146 tunable_policy(`console_login',`
147 # Able to relabel /dev/console to user tty types.
148 term_relabel_console(local_login_t)
# NFS / CIFS home directories: read-only access, only when the
# corresponding tunable is on.
151 tunable_policy(`use_nfs_home_dirs',`
152 fs_read_nfs_files(local_login_t)
153 fs_read_nfs_symlinks(local_login_t)
156 tunable_policy(`use_samba_home_dirs',`
157 fs_read_cifs_files(local_login_t)
158 fs_read_cifs_symlinks(local_login_t)
161 tunable_policy(`allow_console_login',`
162 term_use_console(local_login_t)
163 term_relabel_console(local_login_t)
164 term_setattr_console(local_login_t)
# The calls below sit in numbering gaps that, in the reference policy,
# normally correspond to optional_policy() wrappers (only applied when the
# named module is present) — the wrapper lines themselves are not visible
# here, so confirm against the source before assuming any of them is
# unconditional.
168 alsa_domtrans(local_login_t)
172 dbus_system_bus_client(local_login_t)
174 consolekit_dbus_chat(local_login_t)
178 gpm_getattr_gpmctl(local_login_t)
179 gpm_setattr_gpmctl(local_login_t)
183 # Search for mail spool file.
184 mta_getattr_spool(local_login_t)
188 nis_use_ypbind(local_login_t)
192 nscd_socket_use(local_login_t)
# Transition into the unconfined shell domain when that module is present;
# together with the distro_ubuntu branch above this is the path by which a
# local login can end up in an unconfined session.
196 unconfined_shell_domtrans(local_login_t)
200 usermanage_read_crack_db(local_login_t)
# Read (and read/write) of xdm tmp files; the rw variant is a superset of
# the read variant.
204 xserver_read_xdm_tmp_files(local_login_t)
205 xserver_rw_xdm_tmp_files(local_login_t)
208 #################################
210 # Sulogin local policy
# sulogin_t is kept far tighter than local_login_t: a single capability
# (dac_override), and the process-permission complement additionally
# excludes setexec and setrlimit. setexec is granted separately under the
# sulogin_no_pam branch below, only for builds that define it.
213 allow sulogin_t self:capability dac_override;
214 allow sulogin_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
215 allow sulogin_t self:fd use;
216 allow sulogin_t self:fifo_file rw_fifo_file_perms;
217 allow sulogin_t self:unix_dgram_socket create_socket_perms;
218 allow sulogin_t self:unix_stream_socket create_stream_socket_perms;
219 allow sulogin_t self:unix_dgram_socket sendto;
220 allow sulogin_t self:unix_stream_socket connectto;
221 allow sulogin_t self:shm create_shm_perms;
222 allow sulogin_t self:sem create_sem_perms;
223 allow sulogin_t self:msgq create_msgq_perms;
224 allow sulogin_t self:msg { send receive };
226 kernel_read_system_state(sulogin_t)
228 fs_search_auto_mountpoints(sulogin_t)
# Read/write of tmpfs character devices (e.g. a console node living on a
# tmpfs /dev in early boot — TODO confirm).
229 fs_rw_tmpfs_chr_files(sulogin_t)
231 files_read_etc_files(sulogin_t)
232 # because file systems are not mounted:
233 files_dontaudit_search_isid_type_dirs(sulogin_t)
# Direct read of the shadow file: sulogin verifies the root password
# itself in single-user mode rather than going through a PAM helper, so
# this domain holds one of the few direct shadow-read grants in the
# policy. Any additional transition out of sulogin_t should be reviewed
# with that in mind.
235 auth_read_shadow(sulogin_t)
236 auth_use_nsswitch(sulogin_t)
238 init_getpgid_script(sulogin_t)
240 logging_send_syslog_msg(sulogin_t)
# SELinux configuration and default_contexts are read to pick the context
# of the rescue shell it spawns.
242 seutil_read_config(sulogin_t)
243 seutil_read_default_contexts(sulogin_t)
245 userdom_use_unpriv_users_fds(sulogin_t)
247 userdom_search_user_home_dirs(sulogin_t)
248 userdom_use_user_ptys(sulogin_t)
250 term_use_console(sulogin_t)
251 term_use_unallocated_ttys(sulogin_t)
# The rescue shell is started via a domain transition into the sysadm
# shell domain or, where that module is present, the unconfined shell
# domain. Both lines sit in numbering gaps consistent with optional_policy
# wrappers not shown in this listing.
254 sysadm_shell_domtrans(sulogin_t)
257 unconfined_shell_domtrans(sulogin_t)
# Build-time switch: on SuSE and Debian sulogin does not use PAM, so the
# sulogin_no_pam branch (continued below this listing) grants the
# context-computation rules sulogin then needs to do itself.
261 # suse and debian do not use pam with sulogin...
262 ifdef(`distro_suse', `define(`sulogin_no_pam')')
263 ifdef(`distro_debian', `define(`sulogin_no_pam')')
# sys_tty_config is granted unconditionally, in addition to dac_override
# above, rather than inside the ifdef that follows.
265 allow sulogin_t self:capability sys_tty_config;
266 ifdef(`sulogin_no_pam', `
267 init_getpgid(sulogin_t)
269 allow sulogin_t self:process setexec;
270 selinux_get_fs_mount(sulogin_t)
271 selinux_validate_context(sulogin_t)
272 selinux_compute_access_vector(sulogin_t)
273 selinux_compute_create_context(sulogin_t)
274 selinux_compute_relabel_context(sulogin_t)
275 selinux_compute_user_contexts(sulogin_t)