Allow groupadd and useradd to work with console
1 policy_module(usermanage, 1.16.0)
2
3 ########################################
4 #
5 # Declarations
6 #
7
# Entry point for the admin password tools (vipw and friends); the only domain
# declared against it below is sysadm_passwd_t.
8 type admin_passwd_exec_t;
9 files_type(admin_passwd_exec_t)
10
# domain_obj_id_change_exemption() lifts the object-identity-change constraint
# for a domain, which presumably is what lets these tools rewrite and relabel
# /etc/passwd and the shadow file on behalf of other SELinux users (confirm
# against domain.if). Of the domains in this module only crack_t is not
# exempted.
11 type chfn_t;
12 type chfn_exec_t;
13 domain_obj_id_change_exemption(chfn_t)
14 application_domain(chfn_t, chfn_exec_t)
15 role system_r types chfn_t;
16
17 type crack_t;
18 type crack_exec_t;
19 application_domain(crack_t, crack_exec_t)
20 role system_r types crack_t;
21
# crack_db_t is the dictionary database: managed (created/written) by crack_t
# and only read by passwd_t (see the Crack and Passwd sections).
22 type crack_db_t;
23 files_type(crack_db_t)
24
25 type crack_tmp_t;
26 files_tmp_file(crack_tmp_t)
27
# groupadd_t and useradd_t are init_system_domain()s rather than
# application_domain()s, and carry no separate "role system_r types" line;
# presumably the interface supplies the role association and lets init run
# them directly (confirm against init.if).
28 type groupadd_t;
29 type groupadd_exec_t;
30 domain_obj_id_change_exemption(groupadd_t)
31 init_system_domain(groupadd_t, groupadd_exec_t)
32
33 type passwd_t;
34 type passwd_exec_t;
35 domain_obj_id_change_exemption(passwd_t)
36 application_domain(passwd_t, passwd_exec_t)
37 role system_r types passwd_t;
38
# sysadm_passwd_t runs from admin_passwd_exec_t declared above, not from
# passwd_exec_t.
39 type sysadm_passwd_t;
40 domain_obj_id_change_exemption(sysadm_passwd_t)
41 application_domain(sysadm_passwd_t, admin_passwd_exec_t)
42 role system_r types sysadm_passwd_t;
43
44 type sysadm_passwd_tmp_t;
45 files_tmp_file(sysadm_passwd_tmp_t)
46
47 type useradd_t;
48 type useradd_exec_t;
49 domain_obj_id_change_exemption(useradd_t)
50 init_system_domain(useradd_t, useradd_exec_t)
51
52 ########################################
53 #
54 # Chfn local policy
55 #
56
# Capabilities: DAC bypass plus ownership/mode changes, presumably for rewriting
# /etc/passwd (files_manage_etc_files() below). chfn_t is not given kill,
# audit_write or sys_ptrace, unlike groupadd_t/useradd_t.
57 allow chfn_t self:capability { chown dac_override fsetid setuid setgid sys_resource };
# Complement set: every process permission EXCEPT those listed is allowed, so a
# permission added to the process class later is granted automatically. The
# following line re-adds setrlimit and setfscreate, so the net denied set is
# ptrace, setcurrent, setexec, execmem, execheap and execstack.
58 allow chfn_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execheap execstack };
59 allow chfn_t self:process { setrlimit setfscreate };
60 allow chfn_t self:fd use;
61 allow chfn_t self:fifo_file rw_fifo_file_perms;
62 allow chfn_t self:sock_file read_sock_file_perms;
63 allow chfn_t self:shm create_shm_perms;
64 allow chfn_t self:sem create_sem_perms;
65 allow chfn_t self:msgq create_msgq_perms;
66 allow chfn_t self:msg { send receive };
# Sockets are self-only: no networking interfaces are granted to chfn_t.
67 allow chfn_t self:unix_dgram_socket create_socket_perms;
68 allow chfn_t self:unix_stream_socket create_stream_socket_perms;
69 allow chfn_t self:unix_dgram_socket sendto;
70 allow chfn_t self:unix_stream_socket connectto;
71
72 kernel_read_system_state(chfn_t)
73 kernel_read_kernel_sysctls(chfn_t)
74
# Needed to compute/validate contexts when the rewritten /etc files are
# labelled; the same six selinux_* calls appear in every shadow-writing domain
# of this module.
75 selinux_get_fs_mount(chfn_t)
76 selinux_validate_context(chfn_t)
77 selinux_compute_access_vector(chfn_t)
78 selinux_compute_create_context(chfn_t)
79 selinux_compute_relabel_context(chfn_t)
80 selinux_compute_user_contexts(chfn_t)
81
# chfn_t takes the tty and pty interfaces separately; groupadd_t, passwd_t,
# sysadm_passwd_t and useradd_t below use term_use_all_terms() instead.
82 term_use_all_ttys(chfn_t)
83 term_use_all_ptys(chfn_t)
84
85 fs_getattr_xattr_fs(chfn_t)
86 fs_search_auto_mountpoints(chfn_t)
87
88 # for SSP
89 dev_read_urand(chfn_t)
90
# Authenticates the caller through PAM; chfn_t has no direct shadow_t access
# of its own, unlike passwd_t.
91 auth_use_pam(chfn_t)
92
93 # allow checking if a shell is executable
94 corecmd_check_exec_shell(chfn_t)
95
96 domain_use_interactive_fds(chfn_t)
97
# Full manage access to etc_t files: chfn rewrites /etc/passwd in place.
98 files_manage_etc_files(chfn_t)
99 files_read_etc_runtime_files(chfn_t)
100 files_dontaudit_search_var(chfn_t)
101 files_dontaudit_search_home(chfn_t)
102
103 # /usr/bin/passwd asks for w access to utmp, but it will operate
104 # correctly without it. Do not audit write denials to utmp.
105 init_dontaudit_rw_utmp(chfn_t)
106
107 miscfiles_read_localization(chfn_t)
108
109 logging_send_syslog_msg(chfn_t)
110
111 # uses unix_chkpwd for checking passwords
# NOTE(review): the comment above reads as if it belongs to auth_use_pam();
# this line only silences searches of the SELinux config directory.
112 seutil_dontaudit_search_config(chfn_t)
113
114 userdom_use_unpriv_users_fds(chfn_t)
115 # user generally runs this from their home directory, so do not audit a search
116 # on user home dir
117 userdom_dontaudit_search_user_home_content(chfn_t)
118
119 ########################################
120 #
121 # Crack local policy
122 #
123
# crack_t is the least privileged domain in this module: no capabilities, no
# object-identity exemption and no shadow_t access. It only needs its own
# database and temporary files.
124 allow crack_t self:process signal_perms;
125 allow crack_t self:fifo_file rw_fifo_file_perms;
126
# Builds the dictionary database under /var; passwd_t gets read-only access to
# the same crack_db_t type.
127 manage_files_pattern(crack_t, crack_db_t, crack_db_t)
128 manage_lnk_files_pattern(crack_t, crack_db_t, crack_db_t)
129 files_search_var(crack_t)
130
# Private tmp files, created with an automatic transition to crack_tmp_t.
131 manage_dirs_pattern(crack_t, crack_tmp_t, crack_tmp_t)
132 manage_files_pattern(crack_t, crack_tmp_t, crack_tmp_t)
133 files_tmp_filetrans(crack_t, crack_tmp_t, { file dir })
134
135 kernel_read_system_state(crack_t)
136
137 # for SSP
138 dev_read_urand(crack_t)
139
140 fs_getattr_xattr_fs(crack_t)
141
# Read-only access to /etc; crack_t does not get files_manage_etc_files().
142 files_read_etc_files(crack_t)
143 files_read_etc_runtime_files(crack_t)
144 # for dictionaries
145 files_read_usr_files(crack_t)
146
147 corecmd_exec_bin(crack_t)
148
149 logging_send_syslog_msg(crack_t)
150
151 userdom_dontaudit_search_user_home_dirs(crack_t)
152
153 ifdef(`distro_debian',`
154 # the package cracklib-runtime on Debian contains a daily maintenance
155 # script /etc/cron.daily/cracklib-runtime, that calls
156 # update-cracklib and that calls crack_mkdict, which is a shell script.
157 corecmd_exec_shell(crack_t)
158 ')
159
# Lets the system cron job domain transition into crack_t when the cron module
# is present (matches the Debian daily job described above).
160 optional_policy(`
161 cron_system_entry(crack_t, crack_exec_t)
162 ')
163
164 ########################################
165 #
166 # Groupadd local policy
167 #
168
# audit_write pairs with logging_send_audit_msgs() below: group changes are
# reported to the audit subsystem. kill is granted here but not to chfn_t or
# passwd_t.
169 allow groupadd_t self:capability { dac_override chown kill setuid sys_resource audit_write };
# fsetid and sys_tty_config are requested at runtime but denied silently.
170 dontaudit groupadd_t self:capability { fsetid sys_tty_config };
# Complement set as in the chfn section: all process permissions except those
# listed, with setrlimit and setfscreate re-added on the next line.
171 allow groupadd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execheap execstack };
172 allow groupadd_t self:process { setrlimit setfscreate };
173 allow groupadd_t self:fd use;
174 allow groupadd_t self:fifo_file rw_fifo_file_perms;
175 allow groupadd_t self:shm create_shm_perms;
176 allow groupadd_t self:sem create_sem_perms;
177 allow groupadd_t self:msgq create_msgq_perms;
178 allow groupadd_t self:msg { send receive };
179 allow groupadd_t self:unix_dgram_socket create_socket_perms;
180 allow groupadd_t self:unix_stream_socket create_stream_socket_perms;
181 allow groupadd_t self:unix_dgram_socket sendto;
182 allow groupadd_t self:unix_stream_socket connectto;
183
184 fs_getattr_xattr_fs(groupadd_t)
185 fs_search_auto_mountpoints(groupadd_t)
186
187 # Allow access to context for shadow file
188 selinux_get_fs_mount(groupadd_t)
189 selinux_validate_context(groupadd_t)
190 selinux_compute_access_vector(groupadd_t)
191 selinux_compute_create_context(groupadd_t)
192 selinux_compute_relabel_context(groupadd_t)
193 selinux_compute_user_contexts(groupadd_t)
194
# Read/write on all terminal types (ttys and ptys); presumably the rule the
# commit title "Allow groupadd and useradd to work with console" refers to.
# Confirm the exact type set in terminal.if.
195 term_use_all_terms(groupadd_t)
196
# utmp is readable; write denials are silenced (useradd_t below is instead
# allowed to write it).
197 init_use_fds(groupadd_t)
198 init_read_utmp(groupadd_t)
199 init_dontaudit_write_utmp(groupadd_t)
200
201 domain_use_interactive_fds(groupadd_t)
202
# Manage and relabel etc_t files: /etc/group and /etc/gshadow are rewritten
# and relabelled in place.
203 files_manage_etc_files(groupadd_t)
204 files_relabel_etc_files(groupadd_t)
205 files_read_etc_runtime_files(groupadd_t)
206 files_read_usr_symlinks(groupadd_t)
207
208 # Execute /usr/bin/{passwd, chfn, chsh} and /usr/sbin/{useradd, vipw}.
209 corecmd_exec_bin(groupadd_t)
210
211 logging_send_audit_msgs(groupadd_t)
212 logging_send_syslog_msg(groupadd_t)
213
214 miscfiles_read_localization(groupadd_t)
215
216 auth_domtrans_chk_passwd(groupadd_t)
217 auth_rw_lastlog(groupadd_t)
218 auth_use_nsswitch(groupadd_t)
219 # these may be unnecessary due to the above
220 # domtrans_chk_passwd() call.
# NOTE(review): these three rules give direct create/write/relabel access to
# shadow_t. Before dropping them on the strength of the note above, check the
# audit log for shadow_t denials from groupadd_t across groupadd, groupmod,
# groupdel and gpasswd.
221 auth_manage_shadow(groupadd_t)
222 auth_relabel_shadow(groupadd_t)
223 auth_etc_filetrans_shadow(groupadd_t)
224
225 seutil_read_config(groupadd_t)
226
227 userdom_use_unpriv_users_fds(groupadd_t)
228 # for when /root is the cwd
229 userdom_dontaudit_search_user_home_dirs(groupadd_t)
230
# Package managers and puppet presumably spawn groupadd from their scripts;
# these optional blocks let it inherit their fds, pipes and tmp files.
231 optional_policy(`
232 dpkg_use_fds(groupadd_t)
233 dpkg_rw_pipes(groupadd_t)
234 ')
235
236 optional_policy(`
237 nscd_domtrans(groupadd_t)
238 ')
239
240 optional_policy(`
241 puppet_rw_tmp(groupadd_t)
242 ')
243
244 optional_policy(`
245 rpm_use_fds(groupadd_t)
246 rpm_rw_pipes(groupadd_t)
247 ')
248
249 ########################################
250 #
251 # Passwd local policy
252 #
253
# Same capability set as chfn_t plus sys_nice; sys_tty_config is requested but
# silently denied.
254 allow passwd_t self:capability { chown dac_override fsetid setuid setgid sys_nice sys_resource };
255 dontaudit passwd_t self:capability sys_tty_config;
# Complement set as in the chfn section: all process permissions except those
# listed, with setrlimit and setfscreate re-added on the next line.
256 allow passwd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
257 allow passwd_t self:process { setrlimit setfscreate };
258 allow passwd_t self:fd use;
259 allow passwd_t self:fifo_file rw_fifo_file_perms;
260 allow passwd_t self:sock_file read_sock_file_perms;
261 allow passwd_t self:unix_dgram_socket create_socket_perms;
262 allow passwd_t self:unix_stream_socket create_stream_socket_perms;
263 allow passwd_t self:unix_dgram_socket sendto;
264 allow passwd_t self:unix_stream_socket connectto;
265 allow passwd_t self:shm create_shm_perms;
266 allow passwd_t self:sem create_sem_perms;
267 allow passwd_t self:msgq create_msgq_perms;
268 allow passwd_t self:msg { send receive };
269
# Read-only access to the cracklib dictionary (crack_db_t), presumably for
# password quality checks; the database itself is only managed by crack_t.
270 allow passwd_t crack_db_t:dir list_dir_perms;
271 read_files_pattern(passwd_t, crack_db_t, crack_db_t)
272
273 kernel_read_kernel_sysctls(passwd_t)
274
275 # for SSP
276 dev_read_urand(passwd_t)
277
278 fs_getattr_xattr_fs(passwd_t)
279 fs_search_auto_mountpoints(passwd_t)
280
# MLS constraint overrides: write files at any level and downgrade them. They
# only take effect under the mls policy but are broad; presumably needed so the
# shadow file can be rewritten at its single level from any caller level —
# TODO confirm.
281 mls_file_write_all_levels(passwd_t)
282 mls_file_downgrade(passwd_t)
283
284 selinux_get_fs_mount(passwd_t)
285 selinux_validate_context(passwd_t)
286 selinux_compute_access_vector(passwd_t)
287 selinux_compute_create_context(passwd_t)
288 selinux_compute_relabel_context(passwd_t)
289 selinux_compute_user_contexts(passwd_t)
290
291 term_use_all_terms(passwd_t)
292
# Direct management and relabelling of shadow_t, plus the /etc file transition
# so a freshly created shadow file is labelled shadow_t rather than etc_t.
# PAM is used in addition for authenticating the caller.
293 auth_manage_shadow(passwd_t)
294 auth_relabel_shadow(passwd_t)
295 auth_etc_filetrans_shadow(passwd_t)
296 auth_use_pam(passwd_t)
297
298 # allow checking if a shell is executable
299 corecmd_check_exec_shell(passwd_t)
300 corecmd_exec_bin(passwd_t)
301
# The only network access in this module: outbound TCP to the Kerberos
# password-change port.
302 corenet_tcp_connect_kerberos_password_port(passwd_t)
303
304 domain_use_interactive_fds(passwd_t)
305
306 files_read_etc_runtime_files(passwd_t)
307 files_manage_etc_files(passwd_t)
308 files_search_var(passwd_t)
309 files_dontaudit_search_pids(passwd_t)
310 files_relabel_etc_files(passwd_t)
311
312 # /usr/bin/passwd asks for w access to utmp, but it will operate
313 # correctly without it. Do not audit write denials to utmp.
314 init_dontaudit_rw_utmp(passwd_t)
315 init_use_fds(passwd_t)
316
# Password changes are reported to audit as well as syslog.
317 logging_send_audit_msgs(passwd_t)
318 logging_send_syslog_msg(passwd_t)
319
320 miscfiles_read_localization(passwd_t)
321
322 seutil_dontaudit_search_config(passwd_t)
323
# Reads /proc state of all user domains so getcon on the caller works (see
# the note below); this is read-only access but spans every user domain.
324 userdom_use_user_terminals(passwd_t)
325 userdom_use_unpriv_users_fds(passwd_t)
326 # make sure that getcon succeeds
327 userdom_getattr_all_users(passwd_t)
328 userdom_read_all_users_state(passwd_t)
329 userdom_read_user_tmp_files(passwd_t)
330 # user generally runs this from their home directory, so do not audit a search
331 # on user home dir
332 userdom_dontaudit_search_user_home_content(passwd_t)
333 userdom_stream_connect(passwd_t)
334
335 optional_policy(`
336 nscd_domtrans(passwd_t)
337 ')
338
339 ########################################
340 #
341 # Password admin local policy
342 #
343
# Same capability set as chfn_t.
344 allow sysadm_passwd_t self:capability { chown dac_override fsetid setuid setgid sys_resource };
# Complement set as in the chfn section: all process permissions except those
# listed, with setrlimit and setfscreate re-added on the next line.
345 allow sysadm_passwd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
346 allow sysadm_passwd_t self:process { setrlimit setfscreate };
347 allow sysadm_passwd_t self:fd use;
348 allow sysadm_passwd_t self:fifo_file rw_fifo_file_perms;
349 allow sysadm_passwd_t self:sock_file read_sock_file_perms;
350 allow sysadm_passwd_t self:unix_dgram_socket create_socket_perms;
351 allow sysadm_passwd_t self:unix_stream_socket create_stream_socket_perms;
352 allow sysadm_passwd_t self:unix_dgram_socket sendto;
353 allow sysadm_passwd_t self:unix_stream_socket connectto;
354 allow sysadm_passwd_t self:shm create_shm_perms;
355 allow sysadm_passwd_t self:sem create_sem_perms;
356 allow sysadm_passwd_t self:msgq create_msgq_perms;
357 allow sysadm_passwd_t self:msg { send receive };
358
359 # allow vipw to create temporary files under /var/tmp/vi.recover
360 manage_dirs_pattern(sysadm_passwd_t, sysadm_passwd_tmp_t, sysadm_passwd_tmp_t)
361 manage_files_pattern(sysadm_passwd_t, sysadm_passwd_tmp_t, sysadm_passwd_tmp_t)
362 files_tmp_filetrans(sysadm_passwd_t, sysadm_passwd_tmp_t, { file dir })
363 files_search_var(sysadm_passwd_t)
364 files_dontaudit_search_home(sysadm_passwd_t)
365
366 kernel_read_kernel_sysctls(sysadm_passwd_t)
367 # for /proc/meminfo
368 kernel_read_system_state(sysadm_passwd_t)
369
370 selinux_get_fs_mount(sysadm_passwd_t)
371 selinux_validate_context(sysadm_passwd_t)
372 selinux_compute_access_vector(sysadm_passwd_t)
373 selinux_compute_create_context(sysadm_passwd_t)
374 selinux_compute_relabel_context(sysadm_passwd_t)
375 selinux_compute_user_contexts(sysadm_passwd_t)
376
377 # for SSP
378 dev_read_urand(sysadm_passwd_t)
379
380 fs_getattr_xattr_fs(sysadm_passwd_t)
381 fs_search_auto_mountpoints(sysadm_passwd_t)
382
383 term_use_all_terms(sysadm_passwd_t)
384
# Direct shadow_t management and relabel, with the /etc file transition so a
# newly written shadow file gets shadow_t. Uses nsswitch rather than PAM.
385 auth_manage_shadow(sysadm_passwd_t)
386 auth_relabel_shadow(sysadm_passwd_t)
387 auth_etc_filetrans_shadow(sysadm_passwd_t)
388 auth_use_nsswitch(sysadm_passwd_t)
389
390 # allow vipw to exec the editor
# These are plain exec rules with no domain transition, so the editor (and any
# shell it spawns) runs inside sysadm_passwd_t and keeps this domain's shadow_t
# and etc_t write access. That is inherent to how vipw works and is presumably
# why this is a separate domain rather than part of passwd_t.
391 corecmd_exec_bin(sysadm_passwd_t)
392 corecmd_exec_shell(sysadm_passwd_t)
393 files_read_usr_files(sysadm_passwd_t)
394
395 domain_use_interactive_fds(sysadm_passwd_t)
396
397 files_manage_etc_files(sysadm_passwd_t)
398 files_relabel_etc_files(sysadm_passwd_t)
399 files_read_etc_runtime_files(sysadm_passwd_t)
400 # for nscd lookups
401 files_dontaudit_search_pids(sysadm_passwd_t)
402
403 # /usr/bin/passwd asks for w access to utmp, but it will operate
404 # correctly without it. Do not audit write denials to utmp.
405 init_dontaudit_rw_utmp(sysadm_passwd_t)
406
407 miscfiles_read_localization(sysadm_passwd_t)
408
# Syslog only: unlike groupadd_t, passwd_t and useradd_t this domain sends no
# audit messages.
409 logging_send_syslog_msg(sysadm_passwd_t)
410
411 seutil_dontaudit_search_config(sysadm_passwd_t)
412
413 userdom_use_unpriv_users_fds(sysadm_passwd_t)
414 # user generally runs this from their home directory, so do not audit a search
415 # on user home dir
416 userdom_dontaudit_search_user_home_content(sysadm_passwd_t)
417
418 optional_policy(`
419 nscd_domtrans(sysadm_passwd_t)
420 ')
421
422 ########################################
423 #
424 # Useradd local policy
425 #
426
# Broadest capability set in this module: fowner and sys_ptrace are granted to
# no other domain here. sys_ptrace together with domain_read_all_domains_state()
# below presumably serves userdel's check for running processes of the account
# being removed — TODO confirm; both are worth re-checking if this policy is
# ever tightened.
427 allow useradd_t self:capability { dac_override chown kill fowner fsetid setuid sys_resource sys_ptrace };
428 dontaudit useradd_t self:capability sys_tty_config;
# Complement set as in the chfn section; here only setfscreate is re-added on
# the next line, so setrlimit stays denied for useradd_t.
429 allow useradd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
430 allow useradd_t self:process setfscreate;
431 allow useradd_t self:fd use;
432 allow useradd_t self:fifo_file rw_fifo_file_perms;
433 allow useradd_t self:shm create_shm_perms;
434 allow useradd_t self:sem create_sem_perms;
435 allow useradd_t self:msgq create_msgq_perms;
436 allow useradd_t self:msg { send receive };
437 allow useradd_t self:unix_dgram_socket create_socket_perms;
438 allow useradd_t self:unix_stream_socket create_stream_socket_perms;
439 allow useradd_t self:unix_dgram_socket sendto;
440 allow useradd_t self:unix_stream_socket connectto;
441
442 # for getting the number of groups
443 kernel_read_kernel_sysctls(useradd_t)
444
# Plain exec, no transition: helper binaries and shells run inside useradd_t.
445 corecmd_exec_shell(useradd_t)
446 # Execute /usr/bin/{passwd,chfn,chsh} and /usr/sbin/{useradd,vipw}.
447 corecmd_exec_bin(useradd_t)
448
449 domain_use_interactive_fds(useradd_t)
# Read /proc state of every domain (see the capability note above).
450 domain_read_all_domains_state(useradd_t)
451
452 files_manage_etc_files(useradd_t)
453 files_search_var_lib(useradd_t)
454 files_relabel_etc_files(useradd_t)
455 files_read_etc_runtime_files(useradd_t)
456
457 fs_search_auto_mountpoints(useradd_t)
458 fs_getattr_xattr_fs(useradd_t)
459
# MLS constraint override: may raise the level of files it writes. Only
# effective under the mls policy.
460 mls_file_upgrade(useradd_t)
461
462 # Allow access to context for shadow file
463 selinux_get_fs_mount(useradd_t)
464 selinux_validate_context(useradd_t)
465 selinux_compute_access_vector(useradd_t)
466 selinux_compute_create_context(useradd_t)
467 selinux_compute_relabel_context(useradd_t)
468 selinux_compute_user_contexts(useradd_t)
469
# Read/write on all terminal types; presumably the rule the commit title
# "Allow groupadd and useradd to work with console" refers to.
470 term_use_all_terms(useradd_t)
471
472 auth_domtrans_chk_passwd(useradd_t)
473 auth_rw_lastlog(useradd_t)
474 auth_rw_faillog(useradd_t)
475 auth_use_nsswitch(useradd_t)
476 # these may be unnecessary due to the above
477 # domtrans_chk_passwd() call.
# NOTE(review): direct create/write/relabel access to shadow_t; check the audit
# log for shadow_t denials across useradd, usermod and userdel before removing
# these on the strength of the note above.
478 auth_manage_shadow(useradd_t)
479 auth_relabel_shadow(useradd_t)
480 auth_etc_filetrans_shadow(useradd_t)
481
# Unlike the other domains in this module, useradd_t is allowed (not merely
# dontaudited) to write utmp.
482 init_use_fds(useradd_t)
483 init_rw_utmp(useradd_t)
484
485 logging_send_audit_msgs(useradd_t)
486 logging_send_syslog_msg(useradd_t)
487
488 miscfiles_read_localization(useradd_t)
489
# SELinux tooling: reads the policy config and contexts and transitions into
# the semanage and setfiles domains — presumably for "useradd -Z" (SELinux
# user mapping) and for labelling the new home directory; TODO confirm.
490 seutil_read_config(useradd_t)
491 seutil_read_file_contexts(useradd_t)
492 seutil_read_default_contexts(useradd_t)
493 seutil_domtrans_semanage(useradd_t)
494 seutil_domtrans_setfiles(useradd_t)
495
496 userdom_use_unpriv_users_fds(useradd_t)
497 # Add/remove user home directories
498 userdom_home_filetrans_user_home_dir(useradd_t)
499 userdom_manage_home_role(system_r, useradd_t)
500
# Full manage access to the mail spool, presumably to create/remove the
# account's mailbox.
501 mta_manage_spool(useradd_t)
502
# On Red Hat builds useradd_t is made fully unconfined, so nothing else in
# this section constrains it there; the confining rules above are effective
# only on other distros, or when the unconfined module is not loaded
# (optional_policy).
503 ifdef(`distro_redhat',`
504 optional_policy(`
505 unconfined_domain(useradd_t)
506 ')
507 ')
508
# Manage access spans ALL users' web content, presumably so "userdel -r" can
# remove a user's public_html; TODO confirm.
509 optional_policy(`
510 apache_manage_all_user_content(useradd_t)
511 ')
512
# Package managers and puppet presumably spawn useradd from their scripts;
# these blocks let it inherit their fds, pipes and tmp files.
513 optional_policy(`
514 dpkg_use_fds(useradd_t)
515 dpkg_rw_pipes(useradd_t)
516 ')
517
518 optional_policy(`
519 nscd_domtrans(useradd_t)
520 ')
521
522 optional_policy(`
523 puppet_rw_tmp(useradd_t)
524 ')
525
# Only while the samba_domain_controller boolean is on: append (not read or
# truncate) samba's logs, presumably because samba's add-user script runs
# useradd.
526 optional_policy(`
527 tunable_policy(`samba_domain_controller',`
528 samba_append_log(useradd_t)
529 ')
530 ')
531
532 optional_policy(`
533 rpm_use_fds(useradd_t)
534 rpm_rw_pipes(useradd_t)
535 ')