policy/modules/admin/usermanage.te

   1 policy_module(usermanage, 1.16.0)
   2
   3 ########################################
   4 #
   5 # Declarations
   6 #
   7
   8 type admin_passwd_exec_t;
   9 files_type(admin_passwd_exec_t)
  10
  11 type chfn_t;
  12 type chfn_exec_t;
  13 domain_obj_id_change_exemption(chfn_t)
  14 application_domain(chfn_t, chfn_exec_t)
  15 role system_r types chfn_t;
  16
  17 type crack_t;
  18 type crack_exec_t;
  19 application_domain(crack_t, crack_exec_t)
  20 role system_r types crack_t;
  21
  22 type crack_db_t;
  23 files_type(crack_db_t)
  24
  25 type crack_tmp_t;
  26 files_tmp_file(crack_tmp_t)
  27
  28 type groupadd_t;
  29 type groupadd_exec_t;
  30 domain_obj_id_change_exemption(groupadd_t)
  31 init_system_domain(groupadd_t, groupadd_exec_t)
  32
  33 type passwd_t;
  34 type passwd_exec_t;
  35 domain_obj_id_change_exemption(passwd_t)
  36 application_domain(passwd_t, passwd_exec_t)
  37 role system_r types passwd_t;
  38
  39 type sysadm_passwd_t;
  40 domain_obj_id_change_exemption(sysadm_passwd_t)
  41 application_domain(sysadm_passwd_t, admin_passwd_exec_t)
  42 role system_r types sysadm_passwd_t;
  43
  44 type sysadm_passwd_tmp_t;
  45 files_tmp_file(sysadm_passwd_tmp_t)
  46
  47 type useradd_t;
  48 type useradd_exec_t;
  49 domain_obj_id_change_exemption(useradd_t)
  50 init_system_domain(useradd_t, useradd_exec_t)
  51
  52 ########################################
  53 #
  54 # Chfn local policy
  55 #
  56
  57 allow chfn_t self:capability { chown dac_override fsetid setuid setgid sys_resource };
  58 allow chfn_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execheap execstack };
  59 allow chfn_t self:process { setrlimit setfscreate };
  60 allow chfn_t self:fd use;
  61 allow chfn_t self:fifo_file rw_fifo_file_perms;
  62 allow chfn_t self:sock_file read_sock_file_perms;
  63 allow chfn_t self:shm create_shm_perms;
  64 allow chfn_t self:sem create_sem_perms;
  65 allow chfn_t self:msgq create_msgq_perms;
  66 allow chfn_t self:msg { send receive };
  67 allow chfn_t self:unix_dgram_socket create_socket_perms;
  68 allow chfn_t self:unix_stream_socket create_stream_socket_perms;
  69 allow chfn_t self:unix_dgram_socket sendto;
  70 allow chfn_t self:unix_stream_socket connectto;
  71
  72 kernel_read_system_state(chfn_t)
  73 kernel_read_kernel_sysctls(chfn_t)
  74
  75 selinux_get_fs_mount(chfn_t)
  76 selinux_validate_context(chfn_t)
  77 selinux_compute_access_vector(chfn_t)
  78 selinux_compute_create_context(chfn_t)
  79 selinux_compute_relabel_context(chfn_t)
  80 selinux_compute_user_contexts(chfn_t)
  81
  82 term_use_all_inherited_ttys(chfn_t)
  83 term_use_all_inherited_ptys(chfn_t)
  84
  85 fs_getattr_xattr_fs(chfn_t)
  86 fs_search_auto_mountpoints(chfn_t)
  87
  88 # for SSP
  89 dev_read_urand(chfn_t)
  90
  91 auth_use_pam(chfn_t)
  92
  93 # allow checking if a shell is executable
  94 corecmd_check_exec_shell(chfn_t)
  95
  96 domain_use_interactive_fds(chfn_t)
  97
  98 files_manage_etc_files(chfn_t)
  99 files_read_etc_runtime_files(chfn_t)
 100 files_dontaudit_search_var(chfn_t)
 101 files_dontaudit_search_home(chfn_t)
 102
 103 # /usr/bin/passwd asks for w access to utmp, but it will operate
 104 # correctly without it.  Do not audit write denials to utmp.
 105 init_dontaudit_rw_utmp(chfn_t)
 106
 107 miscfiles_read_localization(chfn_t)
 108
 109 logging_send_syslog_msg(chfn_t)
 110
 111 # uses unix_chkpwd for checking passwords
 112 seutil_dontaudit_search_config(chfn_t)
 113
 114 userdom_use_unpriv_users_fds(chfn_t)
 115 # user generally runs this from their home directory, so do not audit a search
 116 # on user home dir
 117 userdom_dontaudit_search_user_home_content(chfn_t)
 118
 119 optional_policy(`
 120         rssh_exec(chfn_t)
 121 ')
 122
 123 ########################################
 124 #
 125 # Crack local policy
 126 #
 127
 128 allow crack_t self:process signal_perms;
 129 allow crack_t self:fifo_file rw_fifo_file_perms;
 130
 131 manage_files_pattern(crack_t, crack_db_t, crack_db_t)
 132 manage_lnk_files_pattern(crack_t, crack_db_t, crack_db_t)
 133 files_search_var(crack_t)
 134
 135 manage_dirs_pattern(crack_t, crack_tmp_t, crack_tmp_t)
 136 manage_files_pattern(crack_t, crack_tmp_t, crack_tmp_t)
 137 files_tmp_filetrans(crack_t, crack_tmp_t, { file dir })
 138
 139 kernel_read_system_state(crack_t)
 140
 141 # for SSP
 142 dev_read_urand(crack_t)
 143
 144 fs_getattr_xattr_fs(crack_t)
 145
 146 files_read_etc_files(crack_t)
 147 files_read_etc_runtime_files(crack_t)
 148 # for dictionaries
 149 files_read_usr_files(crack_t)
 150
 151 corecmd_exec_bin(crack_t)
 152
 153 logging_send_syslog_msg(crack_t)
 154
 155 userdom_dontaudit_search_user_home_dirs(crack_t)
 156
 157 ifdef(`distro_debian',`
 158         # the package cracklib-runtime on Debian contains a daily maintenance
 159         # script /etc/cron.daily/cracklib-runtime, that calls
 160         # update-cracklib and that calls crack_mkdict, which is a shell script.
 161         corecmd_exec_shell(crack_t)
 162 ')
 163
 164 optional_policy(`
 165         cron_system_entry(crack_t, crack_exec_t)
 166 ')
 167
 168 ########################################
 169 #
 170 # Groupadd local policy
 171 #
 172
 173 allow groupadd_t self:capability { dac_override chown kill setuid sys_resource audit_write };
 174 dontaudit groupadd_t self:capability { fsetid sys_tty_config };
 175 allow groupadd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execheap execstack };
 176 allow groupadd_t self:process { setrlimit setfscreate };
 177 allow groupadd_t self:fd use;
 178 allow groupadd_t self:fifo_file rw_fifo_file_perms;
 179 allow groupadd_t self:shm create_shm_perms;
 180 allow groupadd_t self:sem create_sem_perms;
 181 allow groupadd_t self:msgq create_msgq_perms;
 182 allow groupadd_t self:msg { send receive };
 183 allow groupadd_t self:unix_dgram_socket create_socket_perms;
 184 allow groupadd_t self:unix_stream_socket create_stream_socket_perms;
 185 allow groupadd_t self:unix_dgram_socket sendto;
 186 allow groupadd_t self:unix_stream_socket connectto;
 187
 188 fs_getattr_xattr_fs(groupadd_t)
 189 fs_search_auto_mountpoints(groupadd_t)
 190
 191 # Allow access to context for shadow file
 192 selinux_get_fs_mount(groupadd_t)
 193 selinux_validate_context(groupadd_t)
 194 selinux_compute_access_vector(groupadd_t)
 195 selinux_compute_create_context(groupadd_t)
 196 selinux_compute_relabel_context(groupadd_t)
 197 selinux_compute_user_contexts(groupadd_t)
 198
 199 term_use_all_inherited_terms(groupadd_t)
 200
 201 init_use_fds(groupadd_t)
 202 init_read_utmp(groupadd_t)
 203 init_dontaudit_write_utmp(groupadd_t)
 204
 205 domain_use_interactive_fds(groupadd_t)
 206
 207 files_manage_etc_files(groupadd_t)
 208 files_relabel_etc_files(groupadd_t)
 209 files_read_etc_runtime_files(groupadd_t)
 210 files_read_usr_symlinks(groupadd_t)
 211
 212 # Execute /usr/bin/{passwd, chfn, chsh} and /usr/sbin/{useradd, vipw}.
 213 corecmd_exec_bin(groupadd_t)
 214
 215 logging_send_audit_msgs(groupadd_t)
 216 logging_send_syslog_msg(groupadd_t)
 217
 218 miscfiles_read_localization(groupadd_t)
 219
 220 auth_domtrans_chk_passwd(groupadd_t)
 221 auth_rw_lastlog(groupadd_t)
 222 auth_use_nsswitch(groupadd_t)
 223 # these may be unnecessary due to the above
 224 # domtrans_chk_passwd() call.
 225 auth_manage_shadow(groupadd_t)
 226 auth_relabel_shadow(groupadd_t)
 227 auth_etc_filetrans_shadow(groupadd_t)
 228
 229 seutil_read_config(groupadd_t)
 230
 231 userdom_use_unpriv_users_fds(groupadd_t)
 232 # for when /root is the cwd
 233 userdom_dontaudit_search_user_home_dirs(groupadd_t)
 234
 235 optional_policy(`
 236         dpkg_use_fds(groupadd_t)
 237         dpkg_rw_pipes(groupadd_t)
 238 ')
 239
 240 optional_policy(`
 241         nscd_domtrans(groupadd_t)
 242 ')
 243
 244 optional_policy(`
 245         puppet_rw_tmp(groupadd_t)
 246 ')
 247
 248 optional_policy(`
 249         rpm_use_fds(groupadd_t)
 250         rpm_rw_pipes(groupadd_t)
 251 ')
 252
 253 ########################################
 254 #
 255 # Passwd local policy
 256 #
 257
 258 allow passwd_t self:capability { chown dac_override fsetid setuid setgid sys_nice sys_resource };
 259 dontaudit passwd_t self:capability sys_tty_config;
 260 allow passwd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
 261 allow passwd_t self:process { setrlimit setfscreate };
 262 allow passwd_t self:fd use;
 263 allow passwd_t self:fifo_file rw_fifo_file_perms;
 264 allow passwd_t self:sock_file read_sock_file_perms;
 265 allow passwd_t self:unix_dgram_socket create_socket_perms;
 266 allow passwd_t self:unix_stream_socket create_stream_socket_perms;
 267 allow passwd_t self:unix_dgram_socket sendto;
 268 allow passwd_t self:unix_stream_socket connectto;
 269 allow passwd_t self:shm create_shm_perms;
 270 allow passwd_t self:sem create_sem_perms;
 271 allow passwd_t self:msgq create_msgq_perms;
 272 allow passwd_t self:msg { send receive };
 273
 274 allow passwd_t crack_db_t:dir list_dir_perms;
 275 read_files_pattern(passwd_t, crack_db_t, crack_db_t)
 276
 277 kernel_read_kernel_sysctls(passwd_t)
 278
 279 # for SSP
 280 dev_read_urand(passwd_t)
 281
 282 fs_getattr_xattr_fs(passwd_t)
 283 fs_search_auto_mountpoints(passwd_t)
 284
 285 mls_file_write_all_levels(passwd_t)
 286 mls_file_downgrade(passwd_t)
 287
 288 selinux_get_fs_mount(passwd_t)
 289 selinux_validate_context(passwd_t)
 290 selinux_compute_access_vector(passwd_t)
 291 selinux_compute_create_context(passwd_t)
 292 selinux_compute_relabel_context(passwd_t)
 293 selinux_compute_user_contexts(passwd_t)
 294
 295 term_use_all_inherited_terms(passwd_t)
 296
 297 auth_manage_shadow(passwd_t)
 298 auth_relabel_shadow(passwd_t)
 299 auth_etc_filetrans_shadow(passwd_t)
 300 auth_use_pam(passwd_t)
 301
 302 # allow checking if a shell is executable
 303 corecmd_check_exec_shell(passwd_t)
 304 corecmd_exec_bin(passwd_t)
 305
 306 corenet_tcp_connect_kerberos_password_port(passwd_t)
 307
 308 domain_use_interactive_fds(passwd_t)
 309
 310 files_read_etc_runtime_files(passwd_t)
 311 files_manage_etc_files(passwd_t)
 312 files_search_var(passwd_t)
 313 files_dontaudit_search_pids(passwd_t)
 314 files_relabel_etc_files(passwd_t)
 315
 316 # /usr/bin/passwd asks for w access to utmp, but it will operate
 317 # correctly without it.  Do not audit write denials to utmp.
 318 init_dontaudit_rw_utmp(passwd_t)
 319 init_use_fds(passwd_t)
 320
 321 logging_send_audit_msgs(passwd_t)
 322 logging_send_syslog_msg(passwd_t)
 323
 324 miscfiles_read_localization(passwd_t)
 325
 326 seutil_dontaudit_search_config(passwd_t)
 327
 328 userdom_use_inherited_user_terminals(passwd_t)
 329 userdom_use_unpriv_users_fds(passwd_t)
 330 # make sure that getcon succeeds
 331 userdom_getattr_all_users(passwd_t)
 332 userdom_read_all_users_state(passwd_t)
 333 userdom_read_user_tmp_files(passwd_t)
 334 # user generally runs this from their home directory, so do not audit a search
 335 # on user home dir
 336 userdom_dontaudit_search_user_home_content(passwd_t)
 337 userdom_stream_connect(passwd_t)
 338
 339 optional_policy(`
 340         nscd_domtrans(passwd_t)
 341 ')
 342
 343 ########################################
 344 #
 345 # Password admin local policy
 346 #
 347
 348 allow sysadm_passwd_t self:capability { chown dac_override fsetid setuid setgid sys_resource };
 349 allow sysadm_passwd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
 350 allow sysadm_passwd_t self:process { setrlimit setfscreate };
 351 allow sysadm_passwd_t self:fd use;
 352 allow sysadm_passwd_t self:fifo_file rw_fifo_file_perms;
 353 allow sysadm_passwd_t self:sock_file read_sock_file_perms;
 354 allow sysadm_passwd_t self:unix_dgram_socket create_socket_perms;
 355 allow sysadm_passwd_t self:unix_stream_socket create_stream_socket_perms;
 356 allow sysadm_passwd_t self:unix_dgram_socket sendto;
 357 allow sysadm_passwd_t self:unix_stream_socket connectto;
 358 allow sysadm_passwd_t self:shm create_shm_perms;
 359 allow sysadm_passwd_t self:sem create_sem_perms;
 360 allow sysadm_passwd_t self:msgq create_msgq_perms;
 361 allow sysadm_passwd_t self:msg { send receive };
 362
 363 # allow vipw to create temporary files under /var/tmp/vi.recover
 364 manage_dirs_pattern(sysadm_passwd_t, sysadm_passwd_tmp_t, sysadm_passwd_tmp_t)
 365 manage_files_pattern(sysadm_passwd_t, sysadm_passwd_tmp_t, sysadm_passwd_tmp_t)
 366 files_tmp_filetrans(sysadm_passwd_t, sysadm_passwd_tmp_t, { file dir })
 367 files_search_var(sysadm_passwd_t)
 368 files_dontaudit_search_home(sysadm_passwd_t)
 369
 370 kernel_read_kernel_sysctls(sysadm_passwd_t)
 371 # for /proc/meminfo
 372 kernel_read_system_state(sysadm_passwd_t)
 373
 374 selinux_get_fs_mount(sysadm_passwd_t)
 375 selinux_validate_context(sysadm_passwd_t)
 376 selinux_compute_access_vector(sysadm_passwd_t)
 377 selinux_compute_create_context(sysadm_passwd_t)
 378 selinux_compute_relabel_context(sysadm_passwd_t)
 379 selinux_compute_user_contexts(sysadm_passwd_t)
 380
 381 # for SSP
 382 dev_read_urand(sysadm_passwd_t)
 383
 384 fs_getattr_xattr_fs(sysadm_passwd_t)
 385 fs_search_auto_mountpoints(sysadm_passwd_t)
 386
 387 term_use_all_inherited_terms(sysadm_passwd_t)
 388
 389 auth_manage_shadow(sysadm_passwd_t)
 390 auth_relabel_shadow(sysadm_passwd_t)
 391 auth_etc_filetrans_shadow(sysadm_passwd_t)
 392 auth_use_nsswitch(sysadm_passwd_t)
 393
 394 # allow vipw to exec the editor
 395 corecmd_exec_bin(sysadm_passwd_t)
 396 corecmd_exec_shell(sysadm_passwd_t)
 397 files_read_usr_files(sysadm_passwd_t)
 398
 399 domain_use_interactive_fds(sysadm_passwd_t)
 400
 401 files_manage_etc_files(sysadm_passwd_t)
 402 files_relabel_etc_files(sysadm_passwd_t)
 403 files_read_etc_runtime_files(sysadm_passwd_t)
 404 # for nscd lookups
 405 files_dontaudit_search_pids(sysadm_passwd_t)
 406
 407 # /usr/bin/passwd asks for w access to utmp, but it will operate
 408 # correctly without it.  Do not audit write denials to utmp.
 409 init_dontaudit_rw_utmp(sysadm_passwd_t)
 410
 411 miscfiles_read_localization(sysadm_passwd_t)
 412
 413 logging_send_syslog_msg(sysadm_passwd_t)
 414
 415 seutil_dontaudit_search_config(sysadm_passwd_t)
 416
 417 userdom_use_unpriv_users_fds(sysadm_passwd_t)
 418 # user generally runs this from their home directory, so do not audit a search
 419 # on user home dir
 420 userdom_dontaudit_search_user_home_content(sysadm_passwd_t)
 421
 422 optional_policy(`
 423         nscd_domtrans(sysadm_passwd_t)
 424 ')
 425
 426 ########################################
 427 #
 428 # Useradd local policy
 429 #
 430
 431 allow useradd_t self:capability { dac_override chown kill fowner fsetid setuid sys_resource sys_ptrace };
 432 dontaudit useradd_t self:capability sys_tty_config;
 433 allow useradd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
 434 allow useradd_t self:process setfscreate;
 435 allow useradd_t self:fd use;
 436 allow useradd_t self:fifo_file rw_fifo_file_perms;
 437 allow useradd_t self:shm create_shm_perms;
 438 allow useradd_t self:sem create_sem_perms;
 439 allow useradd_t self:msgq create_msgq_perms;
 440 allow useradd_t self:msg { send receive };
 441 allow useradd_t self:unix_dgram_socket create_socket_perms;
 442 allow useradd_t self:unix_stream_socket create_stream_socket_perms;
 443 allow useradd_t self:unix_dgram_socket sendto;
 444 allow useradd_t self:unix_stream_socket connectto;
 445
 446 # for getting the number of groups
 447 kernel_read_kernel_sysctls(useradd_t)
 448
 449 corecmd_exec_shell(useradd_t)
 450 # Execute /usr/bin/{passwd,chfn,chsh} and /usr/sbin/{useradd,vipw}.
 451 corecmd_exec_bin(useradd_t)
 452
 453 domain_use_interactive_fds(useradd_t)
 454 domain_read_all_domains_state(useradd_t)
 455
 456 files_manage_etc_files(useradd_t)
 457 files_search_var_lib(useradd_t)
 458 files_relabel_etc_files(useradd_t)
 459 files_read_etc_runtime_files(useradd_t)
 460
 461 fs_search_auto_mountpoints(useradd_t)
 462 fs_getattr_xattr_fs(useradd_t)
 463
 464 mls_file_upgrade(useradd_t)
 465 mls_process_read_to_clearance(useradd_t)
 466
 467 # Allow access to context for shadow file
 468 selinux_get_fs_mount(useradd_t)
 469 selinux_validate_context(useradd_t)
 470 selinux_compute_access_vector(useradd_t)
 471 selinux_compute_create_context(useradd_t)
 472 selinux_compute_relabel_context(useradd_t)
 473 selinux_compute_user_contexts(useradd_t)
 474
 475 term_use_all_inherited_terms(useradd_t)
 476
 477 auth_domtrans_chk_passwd(useradd_t)
 478 auth_rw_lastlog(useradd_t)
 479 auth_rw_faillog(useradd_t)
 480 auth_use_nsswitch(useradd_t)
 481 # these may be unnecessary due to the above
 482 # domtrans_chk_passwd() call.
 483 auth_manage_shadow(useradd_t)
 484 auth_relabel_shadow(useradd_t)
 485 auth_etc_filetrans_shadow(useradd_t)
 486
 487 init_use_fds(useradd_t)
 488 init_rw_utmp(useradd_t)
 489
 490 logging_send_audit_msgs(useradd_t)
 491 logging_send_syslog_msg(useradd_t)
 492
 493 miscfiles_read_localization(useradd_t)
 494
 495 seutil_read_config(useradd_t)
 496 seutil_read_file_contexts(useradd_t)
 497 seutil_read_default_contexts(useradd_t)
 498 seutil_domtrans_semanage(useradd_t)
 499 seutil_domtrans_setfiles(useradd_t)
 500
 501 userdom_use_unpriv_users_fds(useradd_t)
 502 # Add/remove user home directories
 503 userdom_home_filetrans_user_home_dir(useradd_t)
 504 userdom_manage_home_role(system_r, useradd_t)
 505
 506 mta_manage_spool(useradd_t)
 507
 508 #ifdef(`distro_redhat',`
 509 #       optional_policy(`
 510 #               unconfined_domain(useradd_t)
 511 #       ')
 512 #')
 513
 514 optional_policy(`
 515         apache_manage_all_user_content(useradd_t)
 516 ')
 517
 518 optional_policy(`
 519         dpkg_use_fds(useradd_t)
 520         dpkg_rw_pipes(useradd_t)
 521 ')
 522
 523 optional_policy(`
 524         nscd_domtrans(useradd_t)
 525 ')
 526
 527 optional_policy(`
 528         puppet_rw_tmp(useradd_t)
 529 ')
 530
 531 optional_policy(`
 532         tunable_policy(`samba_domain_controller',`
 533                 samba_append_log(useradd_t)
 534         ')
 535 ')
 536
 537 optional_policy(`
 538         rpm_use_fds(useradd_t)
 539         rpm_rw_pipes(useradd_t)
 540 ')