1 policy_module(usermanage, 1.16.0)
3 ########################################
#
# Declarations
#
# One confined domain per account-management tool, each paired with the
# entrypoint type of its executable (*_exec_t).  chfn_t, crack_t,
# passwd_t and sysadm_passwd_t are plain application_domain()s entered
# from a session; groupadd_t and useradd_t use init_system_domain(),
# which (going by the interface name) additionally lets init scripts
# enter them -- confirm against the interface definition.
#
# domain_obj_id_change_exemption() adds a domain to the
# can_change_object_identity attribute, i.e. it is exempted from the
# constraint that forbids changing the SELinux user of a file on
# create/relabel.  The tools that rewrite /etc/passwd, /etc/shadow and
# friends need it; it is a constraint bypass, so it is deliberately not
# applied to crack_t, which only touches its own types.
8 type admin_passwd_exec_t;
9 files_type(admin_passwd_exec_t)
13 domain_obj_id_change_exemption(chfn_t)
14 application_domain(chfn_t, chfn_exec_t)
15 role system_r types chfn_t;
19 application_domain(crack_t, crack_exec_t)
20 role system_r types crack_t;
# crack_db_t: the dictionary files crack_t maintains and passwd_t reads.
23 files_type(crack_db_t)
26 files_tmp_file(crack_tmp_t)
30 domain_obj_id_change_exemption(groupadd_t)
31 init_system_domain(groupadd_t, groupadd_exec_t)
35 domain_obj_id_change_exemption(passwd_t)
36 application_domain(passwd_t, passwd_exec_t)
37 role system_r types passwd_t;
# sysadm_passwd_t is entered through admin_passwd_exec_t, a separate
# entrypoint from passwd_exec_t, so the admin tools cannot be reached
# through the unprivileged passwd binary's type.
40 domain_obj_id_change_exemption(sysadm_passwd_t)
41 application_domain(sysadm_passwd_t, admin_passwd_exec_t)
42 role system_r types sysadm_passwd_t;
# Private scratch type for the admin editor's temporary files; see the
# /var/tmp/vi.recover comment in the sysadm_passwd_t section.
44 type sysadm_passwd_tmp_t;
45 files_tmp_file(sysadm_passwd_tmp_t)
49 domain_obj_id_change_exemption(useradd_t)
50 init_system_domain(useradd_t, useradd_exec_t)
52 ########################################
#
# Chfn local policy
#
# dac_override bypasses DAC mode bits on anything the policy lets the
# domain reach; chown/fsetid are what a rewrite-and-rename of /etc/passwd
# needs to keep the owner and mode bits of the new copy (presumably --
# confirm against the tool's write path).  No sys_admin, no net_* and no
# sys_ptrace here.
57 allow chfn_t self:capability { chown dac_override fsetid setuid setgid sys_resource };
# The next two rules together allow every process permission except
# ptrace, setcurrent, setexec, execmem, execheap and execstack: the
# second rule re-adds the setrlimit and setfscreate that the complement
# excludes.  Net effect: no dynamic domain transition and no
# writable+executable memory.
# NOTE(review): equivalent to the single rule
# `allow chfn_t self:process ~{ ptrace setcurrent setexec execmem execheap execstack };`
# the same two-rule pattern repeats in the other domains of this module.
58 allow chfn_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execheap execstack };
59 allow chfn_t self:process { setrlimit setfscreate };
60 allow chfn_t self:fd use;
61 allow chfn_t self:fifo_file rw_fifo_file_perms;
62 allow chfn_t self:sock_file read_sock_file_perms;
# SysV IPC and unix sockets with itself only (self:*), not with other
# domains.
63 allow chfn_t self:shm create_shm_perms;
64 allow chfn_t self:sem create_sem_perms;
65 allow chfn_t self:msgq create_msgq_perms;
66 allow chfn_t self:msg { send receive };
67 allow chfn_t self:unix_dgram_socket create_socket_perms;
68 allow chfn_t self:unix_stream_socket create_stream_socket_perms;
69 allow chfn_t self:unix_dgram_socket sendto;
70 allow chfn_t self:unix_stream_socket connectto;
72 kernel_read_system_state(chfn_t)
73 kernel_read_kernel_sysctls(chfn_t)
# selinuxfs access to validate and compute contexts, presumably so the
# rewritten /etc/passwd gets the right label (the groupadd_t section
# documents the same six interfaces as "access to context for shadow
# file").
75 selinux_get_fs_mount(chfn_t)
76 selinux_validate_context(chfn_t)
77 selinux_compute_access_vector(chfn_t)
78 selinux_compute_create_context(chfn_t)
79 selinux_compute_relabel_context(chfn_t)
80 selinux_compute_user_contexts(chfn_t)
# Prompts on the caller's terminal, whichever kind it is.
82 term_use_all_ttys(chfn_t)
83 term_use_all_ptys(chfn_t)
85 fs_getattr_xattr_fs(chfn_t)
86 fs_search_auto_mountpoints(chfn_t)
89 dev_read_urand(chfn_t)
93 # allow checking if a shell is executable
94 corecmd_check_exec_shell(chfn_t)
96 domain_use_interactive_fds(chfn_t)
# Write path for /etc/passwd.  etc_t is a broad type: this is
# create/write/delete on every etc_t file, not only passwd, so the
# domain boundary itself is what limits which /etc files chfn can touch.
98 files_manage_etc_files(chfn_t)
99 files_read_etc_runtime_files(chfn_t)
# dontaudit rules grant nothing; they only keep expected denials out of
# the audit log.  Disable dontaudit rules when diagnosing a misbehaving
# chfn, otherwise these denials are invisible.
100 files_dontaudit_search_var(chfn_t)
101 files_dontaudit_search_home(chfn_t)
103 # /usr/bin/passwd asks for w access to utmp, but it will operate
104 # correctly without it. Do not audit write denials to utmp.
# (Same comment and rule as in the passwd_t section.)
105 init_dontaudit_rw_utmp(chfn_t)
107 miscfiles_read_localization(chfn_t)
109 logging_send_syslog_msg(chfn_t)
111 # uses unix_chkpwd for checking passwords
# NOTE(review): the comment above does not describe the rule below,
# which only silences audit noise for searches of the SELinux config
# directory.  The password-check transition it refers to is not in this
# view; check the full file before relying on the comment.
112 seutil_dontaudit_search_config(chfn_t)
114 userdom_use_unpriv_users_fds(chfn_t)
115 # user generally runs this from their home directory, so do not audit a search
# of the user's home directory content.
117 userdom_dontaudit_search_user_home_content(chfn_t)
119 ########################################
#
# Crack local policy (cracklib dictionary maintenance)
#
# The narrowest domain in this module: it owns its dictionary type
# (crack_db_t) and a private tmp type (crack_tmp_t); no capability rule,
# no /etc write access and no shadow access appear in this view.
124 allow crack_t self:process signal_perms;
125 allow crack_t self:fifo_file rw_fifo_file_perms;
# Full create/delete on the dictionary database (presumably under /var,
# given the files_search_var() that accompanies it).  passwd_t only gets
# read access to crack_db_t, so crack_t is the sole writer in this module.
127 manage_files_pattern(crack_t, crack_db_t, crack_db_t)
128 manage_lnk_files_pattern(crack_t, crack_db_t, crack_db_t)
129 files_search_var(crack_t)
# Private tmp: files and dirs crack_t creates in the generic tmp
# directory are labeled crack_tmp_t rather than shared tmp_t.
131 manage_dirs_pattern(crack_t, crack_tmp_t, crack_tmp_t)
132 manage_files_pattern(crack_t, crack_tmp_t, crack_tmp_t)
133 files_tmp_filetrans(crack_t, crack_tmp_t, { file dir })
135 kernel_read_system_state(crack_t)
138 dev_read_urand(crack_t)
140 fs_getattr_xattr_fs(crack_t)
# Read-only on /etc, in contrast to the manage access of the other
# domains in this module.
142 files_read_etc_files(crack_t)
143 files_read_etc_runtime_files(crack_t)
145 files_read_usr_files(crack_t)
147 corecmd_exec_bin(crack_t)
149 logging_send_syslog_msg(crack_t)
151 userdom_dontaudit_search_user_home_dirs(crack_t)
# Debian-only: shell execution is granted solely for the cron job
# described below.  The ifdef's closing `') line is not in this view.
153 ifdef(`distro_debian',`
154 # the package cracklib-runtime on Debian contains a daily maintenance
155 # script /etc/cron.daily/cracklib-runtime, that calls
156 # update-cracklib and that calls crack_mkdict, which is a shell script.
157 corecmd_exec_shell(crack_t)
# Lets the system cron job transition into crack_t when it runs
# crack_exec_t; presumably inside an optional_policy(`…') block whose
# wrapper lines are not in this view.
161 cron_system_entry(crack_t, crack_exec_t)
164 ########################################
166 # Groupadd local policy
#
# Entered via init_system_domain(), so init scripts as well as sessions
# may reach it (see the declarations).  audit_write pairs with the
# logging_send_audit_msgs() below; kill is an extra that chfn_t and
# passwd_t do not carry.
169 allow groupadd_t self:capability { dac_override chown kill setuid sys_resource audit_write };
# Suppressed, not granted: denials for these two are expected noise.
170 dontaudit groupadd_t self:capability { fsetid sys_tty_config };
# Together: every process permission except ptrace, setcurrent, setexec,
# execmem, execheap and execstack (the second rule re-adds setrlimit and
# setfscreate).  Same two-rule pattern as chfn_t.
171 allow groupadd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execheap execstack };
172 allow groupadd_t self:process { setrlimit setfscreate };
173 allow groupadd_t self:fd use;
174 allow groupadd_t self:fifo_file rw_fifo_file_perms;
175 allow groupadd_t self:shm create_shm_perms;
176 allow groupadd_t self:sem create_sem_perms;
177 allow groupadd_t self:msgq create_msgq_perms;
178 allow groupadd_t self:msg { send receive };
179 allow groupadd_t self:unix_dgram_socket create_socket_perms;
180 allow groupadd_t self:unix_stream_socket create_stream_socket_perms;
181 allow groupadd_t self:unix_dgram_socket sendto;
182 allow groupadd_t self:unix_stream_socket connectto;
184 fs_getattr_xattr_fs(groupadd_t)
185 fs_search_auto_mountpoints(groupadd_t)
187 # Allow access to context for shadow file
188 selinux_get_fs_mount(groupadd_t)
189 selinux_validate_context(groupadd_t)
190 selinux_compute_access_vector(groupadd_t)
191 selinux_compute_create_context(groupadd_t)
192 selinux_compute_relabel_context(groupadd_t)
193 selinux_compute_user_contexts(groupadd_t)
195 term_use_all_terms(groupadd_t)
197 init_use_fds(groupadd_t)
198 init_read_utmp(groupadd_t)
199 init_dontaudit_write_utmp(groupadd_t)
201 domain_use_interactive_fds(groupadd_t)
# Write and relabel access to every etc_t file, not only the group
# files; relabel is presumably needed because the files are replaced via
# a temporary copy.
203 files_manage_etc_files(groupadd_t)
204 files_relabel_etc_files(groupadd_t)
205 files_read_etc_runtime_files(groupadd_t)
206 files_read_usr_symlinks(groupadd_t)
208 # Execute /usr/bin/{passwd, chfn, chsh} and /usr/sbin/{useradd, vipw}.
209 corecmd_exec_bin(groupadd_t)
# Audit records for group changes -- the trail a reviewer relies on;
# keep them even if syslog is also available.
211 logging_send_audit_msgs(groupadd_t)
212 logging_send_syslog_msg(groupadd_t)
214 miscfiles_read_localization(groupadd_t)
216 auth_domtrans_chk_passwd(groupadd_t)
217 auth_rw_lastlog(groupadd_t)
218 auth_use_nsswitch(groupadd_t)
219 # these may be unnecessary due to the above
220 # domtrans_chk_passwd() call.
# NOTE(review): the three rules below are full write + relabel on
# shadow_t.  If the comment above is right they are dead privilege on a
# domain that init scripts can enter; verify with dontaudit rules
# disabled before removing them, but do not keep them on the strength of
# the comment alone.  useradd_t carries the same trio with the same
# comment.
221 auth_manage_shadow(groupadd_t)
222 auth_relabel_shadow(groupadd_t)
223 auth_etc_filetrans_shadow(groupadd_t)
225 seutil_read_config(groupadd_t)
227 userdom_use_unpriv_users_fds(groupadd_t)
228 # for when /root is the cwd
229 userdom_dontaudit_search_user_home_dirs(groupadd_t)
# The dpkg/nscd/puppet/rpm rules below are presumably each inside an
# optional_policy(`…') block whose wrapper lines are not in this view.
232 dpkg_use_fds(groupadd_t)
233 dpkg_rw_pipes(groupadd_t)
237 nscd_domtrans(groupadd_t)
241 puppet_rw_tmp(groupadd_t)
245 rpm_use_fds(groupadd_t)
246 rpm_rw_pipes(groupadd_t)
249 ########################################
251 # Passwd local policy
#
# The domain ordinary users enter to change their own password: a plain
# application_domain() that writes shadow_t, so arguably the most
# sensitive user-reachable domain in this module.
# sys_nice is specific to passwd_t; chown/fsetid/dac_override are the
# same set the other /etc-rewriting domains carry.
254 allow passwd_t self:capability { chown dac_override fsetid setuid setgid sys_nice sys_resource };
255 dontaudit passwd_t self:capability sys_tty_config;
# Together: every process permission except ptrace, setcurrent, setexec,
# execmem, execstack and execheap (the second rule re-adds setrlimit and
# setfscreate).  Same two-rule pattern as chfn_t.
256 allow passwd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
257 allow passwd_t self:process { setrlimit setfscreate };
258 allow passwd_t self:fd use;
259 allow passwd_t self:fifo_file rw_fifo_file_perms;
260 allow passwd_t self:sock_file read_sock_file_perms;
261 allow passwd_t self:unix_dgram_socket create_socket_perms;
262 allow passwd_t self:unix_stream_socket create_stream_socket_perms;
263 allow passwd_t self:unix_dgram_socket sendto;
264 allow passwd_t self:unix_stream_socket connectto;
265 allow passwd_t self:shm create_shm_perms;
266 allow passwd_t self:sem create_sem_perms;
267 allow passwd_t self:msgq create_msgq_perms;
268 allow passwd_t self:msg { send receive };
# Read-only use of the cracklib dictionary (presumably for password
# quality checks); list + read only, crack_t remains the sole writer.
270 allow passwd_t crack_db_t:dir list_dir_perms;
271 read_files_pattern(passwd_t, crack_db_t, crack_db_t)
273 kernel_read_kernel_sysctls(passwd_t)
276 dev_read_urand(passwd_t)
278 fs_getattr_xattr_fs(passwd_t)
279 fs_search_auto_mountpoints(passwd_t)
# MLS override: passwd_t may write files at any sensitivity level and
# lower a file's level.  Presumably required so a user at a high level
# can still rewrite the system-low shadow file; on an MLS policy this is
# one of the few user-reachable downgrade paths, so it deserves a
# deliberate look at review time.
281 mls_file_write_all_levels(passwd_t)
282 mls_file_downgrade(passwd_t)
# selinuxfs access to compute the contexts of the rewritten files (same
# set the groupadd_t section documents as "access to context for shadow
# file").
284 selinux_get_fs_mount(passwd_t)
285 selinux_validate_context(passwd_t)
286 selinux_compute_access_vector(passwd_t)
287 selinux_compute_create_context(passwd_t)
288 selinux_compute_relabel_context(passwd_t)
289 selinux_compute_user_contexts(passwd_t)
291 term_use_all_terms(passwd_t)
# Full write, relabel and create-in-/etc rights on shadow_t, plus PAM.
293 auth_manage_shadow(passwd_t)
294 auth_relabel_shadow(passwd_t)
295 auth_etc_filetrans_shadow(passwd_t)
296 auth_use_pam(passwd_t)
298 # allow checking if a shell is executable
299 corecmd_check_exec_shell(passwd_t)
300 corecmd_exec_bin(passwd_t)
# Outbound TCP to the Kerberos password-change port only; no general
# network access is granted in this view.
302 corenet_tcp_connect_kerberos_password_port(passwd_t)
304 domain_use_interactive_fds(passwd_t)
306 files_read_etc_runtime_files(passwd_t)
# Manage + relabel on every etc_t file, not only /etc/passwd.
307 files_manage_etc_files(passwd_t)
308 files_search_var(passwd_t)
309 files_dontaudit_search_pids(passwd_t)
310 files_relabel_etc_files(passwd_t)
312 # /usr/bin/passwd asks for w access to utmp, but it will operate
313 # correctly without it. Do not audit write denials to utmp.
314 init_dontaudit_rw_utmp(passwd_t)
315 init_use_fds(passwd_t)
# Password changes are audited as well as syslogged.
317 logging_send_audit_msgs(passwd_t)
318 logging_send_syslog_msg(passwd_t)
320 miscfiles_read_localization(passwd_t)
322 seutil_dontaudit_search_config(passwd_t)
324 userdom_use_user_terminals(passwd_t)
325 userdom_use_unpriv_users_fds(passwd_t)
326 # make sure that getcon succeeds
327 userdom_getattr_all_users(passwd_t)
# By its name this reads the process state of every user domain, not
# only the caller's own -- broader than the getcon comment above
# implies; confirm which file the tool actually reads.
328 userdom_read_all_users_state(passwd_t)
329 userdom_read_user_tmp_files(passwd_t)
330 # user generally runs this from their home directory, so do not audit a search
# of the user's home directory content.
332 userdom_dontaudit_search_user_home_content(passwd_t)
333 userdom_stream_connect(passwd_t)
# Presumably inside an optional_policy(`…') block whose wrapper lines
# are not in this view.
336 nscd_domtrans(passwd_t)
339 ########################################
341 # Password admin local policy
#
# Entered via admin_passwd_exec_t (vipw-style editing of the account
# files, per the comments below).  Intended for administrators: the
# interactive editor it launches runs in this same domain and so
# inherits its shadow_t and etc_t write access.
344 allow sysadm_passwd_t self:capability { chown dac_override fsetid setuid setgid sys_resource };
# Together: every process permission except ptrace, setcurrent, setexec,
# execmem, execstack and execheap (the second rule re-adds setrlimit and
# setfscreate).  Same two-rule pattern as chfn_t.
345 allow sysadm_passwd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
346 allow sysadm_passwd_t self:process { setrlimit setfscreate };
347 allow sysadm_passwd_t self:fd use;
348 allow sysadm_passwd_t self:fifo_file rw_fifo_file_perms;
349 allow sysadm_passwd_t self:sock_file read_sock_file_perms;
350 allow sysadm_passwd_t self:unix_dgram_socket create_socket_perms;
351 allow sysadm_passwd_t self:unix_stream_socket create_stream_socket_perms;
352 allow sysadm_passwd_t self:unix_dgram_socket sendto;
353 allow sysadm_passwd_t self:unix_stream_socket connectto;
354 allow sysadm_passwd_t self:shm create_shm_perms;
355 allow sysadm_passwd_t self:sem create_sem_perms;
356 allow sysadm_passwd_t self:msgq create_msgq_perms;
357 allow sysadm_passwd_t self:msg { send receive };
359 # allow vipw to create temporary files under /var/tmp/vi.recover
# Scratch files land in the private sysadm_passwd_tmp_t instead of
# shared tmp_t.  That matters because an editor recovery file may hold
# a copy of the file being edited.
360 manage_dirs_pattern(sysadm_passwd_t, sysadm_passwd_tmp_t, sysadm_passwd_tmp_t)
361 manage_files_pattern(sysadm_passwd_t, sysadm_passwd_tmp_t, sysadm_passwd_tmp_t)
362 files_tmp_filetrans(sysadm_passwd_t, sysadm_passwd_tmp_t, { file dir })
363 files_search_var(sysadm_passwd_t)
364 files_dontaudit_search_home(sysadm_passwd_t)
366 kernel_read_kernel_sysctls(sysadm_passwd_t)
368 kernel_read_system_state(sysadm_passwd_t)
# selinuxfs access to compute the contexts of the rewritten files (same
# set the groupadd_t section documents as "access to context for shadow
# file").
370 selinux_get_fs_mount(sysadm_passwd_t)
371 selinux_validate_context(sysadm_passwd_t)
372 selinux_compute_access_vector(sysadm_passwd_t)
373 selinux_compute_create_context(sysadm_passwd_t)
374 selinux_compute_relabel_context(sysadm_passwd_t)
375 selinux_compute_user_contexts(sysadm_passwd_t)
378 dev_read_urand(sysadm_passwd_t)
380 fs_getattr_xattr_fs(sysadm_passwd_t)
381 fs_search_auto_mountpoints(sysadm_passwd_t)
383 term_use_all_terms(sysadm_passwd_t)
# Full write, relabel and create-in-/etc rights on shadow_t.
385 auth_manage_shadow(sysadm_passwd_t)
386 auth_relabel_shadow(sysadm_passwd_t)
387 auth_etc_filetrans_shadow(sysadm_passwd_t)
388 auth_use_nsswitch(sysadm_passwd_t)
390 # allow vipw to exec the editor
# NOTE(review): these are plain exec permissions with no domain
# transition, so the editor -- and anything it runs (shell escapes,
# plugins) -- executes with this domain's shadow_t and etc_t write
# access.  Acceptable for an admin-only domain; not a reason to widen
# who can reach admin_passwd_exec_t.
391 corecmd_exec_bin(sysadm_passwd_t)
392 corecmd_exec_shell(sysadm_passwd_t)
393 files_read_usr_files(sysadm_passwd_t)
395 domain_use_interactive_fds(sysadm_passwd_t)
# Manage + relabel on every etc_t file, not only the account files.
397 files_manage_etc_files(sysadm_passwd_t)
398 files_relabel_etc_files(sysadm_passwd_t)
399 files_read_etc_runtime_files(sysadm_passwd_t)
401 files_dontaudit_search_pids(sysadm_passwd_t)
403 # /usr/bin/passwd asks for w access to utmp, but it will operate
404 # correctly without it. Do not audit write denials to utmp.
# (Same comment and rule as in the passwd_t section.)
405 init_dontaudit_rw_utmp(sysadm_passwd_t)
407 miscfiles_read_localization(sysadm_passwd_t)
# Syslog only here; unlike passwd_t and groupadd_t there is no
# logging_send_audit_msgs() in this view -- check whether audit records
# of admin edits are wanted.
409 logging_send_syslog_msg(sysadm_passwd_t)
411 seutil_dontaudit_search_config(sysadm_passwd_t)
413 userdom_use_unpriv_users_fds(sysadm_passwd_t)
414 # user generally runs this from their home directory, so do not audit a search
# of the user's home directory content.
416 userdom_dontaudit_search_user_home_content(sysadm_passwd_t)
# Presumably inside an optional_policy(`…') block whose wrapper lines
# are not in this view.
419 nscd_domtrans(sysadm_passwd_t)
422 ########################################
424 # Useradd local policy
#
# The broadest domain in the module: besides the /etc and shadow_t write
# access it shares with groupadd_t it creates and removes home
# directories and mail spools, transitions into the semanage and
# setfiles domains, and on Red Hat builds is made unconfined (see the
# ifdef at the end of this section).
# sys_ptrace here and domain_read_all_domains_state() below are
# presumably for inspecting other processes (e.g. whether an account
# still has any); fowner/fsetid presumably for creating home
# directories owned by the new user -- confirm against the tool.
427 allow useradd_t self:capability { dac_override chown kill fowner fsetid setuid sys_resource sys_ptrace };
428 dontaudit useradd_t self:capability sys_tty_config;
# Together: every process permission except ptrace, setcurrent, setexec,
# setrlimit, execmem, execstack and execheap.  Unlike the other domains
# in this module only setfscreate is re-added, so setrlimit stays
# denied here.
429 allow useradd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
430 allow useradd_t self:process setfscreate;
431 allow useradd_t self:fd use;
432 allow useradd_t self:fifo_file rw_fifo_file_perms;
433 allow useradd_t self:shm create_shm_perms;
434 allow useradd_t self:sem create_sem_perms;
435 allow useradd_t self:msgq create_msgq_perms;
436 allow useradd_t self:msg { send receive };
437 allow useradd_t self:unix_dgram_socket create_socket_perms;
438 allow useradd_t self:unix_stream_socket create_stream_socket_perms;
439 allow useradd_t self:unix_dgram_socket sendto;
440 allow useradd_t self:unix_stream_socket connectto;
442 # for getting the number of groups
443 kernel_read_kernel_sysctls(useradd_t)
# Plain exec, no domain transition: shells and binaries run as useradd_t.
445 corecmd_exec_shell(useradd_t)
446 # Execute /usr/bin/{passwd,chfn,chsh} and /usr/sbin/{useradd,vipw}.
447 corecmd_exec_bin(useradd_t)
449 domain_use_interactive_fds(useradd_t)
# Read the process state of every domain on the system, not only user
# domains (contrast userdom_read_all_users_state() in passwd_t).
450 domain_read_all_domains_state(useradd_t)
# Manage + relabel on every etc_t file, not only the account files.
452 files_manage_etc_files(useradd_t)
453 files_search_var_lib(useradd_t)
454 files_relabel_etc_files(useradd_t)
455 files_read_etc_runtime_files(useradd_t)
457 fs_search_auto_mountpoints(useradd_t)
458 fs_getattr_xattr_fs(useradd_t)
# MLS override in the opposite direction from passwd_t (which may
# downgrade): useradd_t may raise a file's sensitivity level.
460 mls_file_upgrade(useradd_t)
462 # Allow access to context for shadow file
463 selinux_get_fs_mount(useradd_t)
464 selinux_validate_context(useradd_t)
465 selinux_compute_access_vector(useradd_t)
466 selinux_compute_create_context(useradd_t)
467 selinux_compute_relabel_context(useradd_t)
468 selinux_compute_user_contexts(useradd_t)
470 term_use_all_terms(useradd_t)
472 auth_domtrans_chk_passwd(useradd_t)
473 auth_rw_lastlog(useradd_t)
474 auth_rw_faillog(useradd_t)
475 auth_use_nsswitch(useradd_t)
476 # these may be unnecessary due to the above
477 # domtrans_chk_passwd() call.
# NOTE(review): same remark as for groupadd_t -- full shadow_t write and
# relabel that the comment above suggests may be unneeded.  Verify with
# dontaudit rules disabled rather than trusting the comment either way.
478 auth_manage_shadow(useradd_t)
479 auth_relabel_shadow(useradd_t)
480 auth_etc_filetrans_shadow(useradd_t)
482 init_use_fds(useradd_t)
483 init_rw_utmp(useradd_t)
# Account creation/removal is audited as well as syslogged.
485 logging_send_audit_msgs(useradd_t)
486 logging_send_syslog_msg(useradd_t)
488 miscfiles_read_localization(useradd_t)
# Transitions into the semanage and setfiles domains: useradd can change
# SELinux login mappings and relabel files (e.g. new home directories).
# These are the most powerful transitions in the module; the preceding
# read rules supply the contexts it needs for them.
490 seutil_read_config(useradd_t)
491 seutil_read_file_contexts(useradd_t)
492 seutil_read_default_contexts(useradd_t)
493 seutil_domtrans_semanage(useradd_t)
494 seutil_domtrans_setfiles(useradd_t)
496 userdom_use_unpriv_users_fds(useradd_t)
497 # Add/remove user home directories
498 userdom_home_filetrans_user_home_dir(useradd_t)
499 userdom_manage_home_role(system_r, useradd_t)
# Create/remove users' mail spool files.
501 mta_manage_spool(useradd_t)
# Red Hat builds make useradd_t unconfined, so on those builds none of
# the restrictions in this section apply -- every rule above is
# subsumed and anything reaching useradd_exec_t is effectively
# unconfined.  The ifdef's closing `') is not in this view.
503 ifdef(`distro_redhat',`
505 unconfined_domain(useradd_t)
# The rules from here on are presumably each inside optional_policy(`…')
# blocks whose wrapper lines are not in this view.
# Manage every user's web content -- broad (all users, full manage),
# presumably so account removal can delete it.
510 apache_manage_all_user_content(useradd_t)
514 dpkg_use_fds(useradd_t)
515 dpkg_rw_pipes(useradd_t)
519 nscd_domtrans(useradd_t)
523 puppet_rw_tmp(useradd_t)
# Conditional on the samba_domain_controller boolean; the tunable_policy
# block's closing `') runs past the end of this view.
527 tunable_policy(`samba_domain_controller',`
528 samba_append_log(useradd_t)
533 rpm_use_fds(useradd_t)
534 rpm_rw_pipes(useradd_t)