1 policy_module(usermanage, 1.16.0)
3 ########################################
8 type admin_passwd_exec_t;
9 files_type(admin_passwd_exec_t)
13 domain_obj_id_change_exemption(chfn_t)
14 application_domain(chfn_t, chfn_exec_t)
15 role system_r types chfn_t;
19 application_domain(crack_t, crack_exec_t)
20 role system_r types crack_t;
23 files_type(crack_db_t)
26 files_tmp_file(crack_tmp_t)
30 domain_obj_id_change_exemption(groupadd_t)
31 init_system_domain(groupadd_t, groupadd_exec_t)
35 domain_obj_id_change_exemption(passwd_t)
36 application_domain(passwd_t, passwd_exec_t)
37 role system_r types passwd_t;
40 domain_obj_id_change_exemption(sysadm_passwd_t)
41 application_domain(sysadm_passwd_t, admin_passwd_exec_t)
42 role system_r types sysadm_passwd_t;
44 type sysadm_passwd_tmp_t;
45 files_tmp_file(sysadm_passwd_tmp_t)
49 domain_obj_id_change_exemption(useradd_t)
50 init_system_domain(useradd_t, useradd_exec_t)
52 ########################################
57 allow chfn_t self:capability { chown dac_override fsetid setuid setgid sys_resource };
58 allow chfn_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execheap execstack };
59 allow chfn_t self:process { setrlimit setfscreate };
60 allow chfn_t self:fd use;
61 allow chfn_t self:fifo_file rw_fifo_file_perms;
62 allow chfn_t self:sock_file read_sock_file_perms;
63 allow chfn_t self:shm create_shm_perms;
64 allow chfn_t self:sem create_sem_perms;
65 allow chfn_t self:msgq create_msgq_perms;
66 allow chfn_t self:msg { send receive };
67 allow chfn_t self:unix_dgram_socket create_socket_perms;
68 allow chfn_t self:unix_stream_socket create_stream_socket_perms;
69 allow chfn_t self:unix_dgram_socket sendto;
70 allow chfn_t self:unix_stream_socket connectto;
72 kernel_read_system_state(chfn_t)
73 kernel_read_kernel_sysctls(chfn_t)
75 selinux_get_fs_mount(chfn_t)
76 selinux_validate_context(chfn_t)
77 selinux_compute_access_vector(chfn_t)
78 selinux_compute_create_context(chfn_t)
79 selinux_compute_relabel_context(chfn_t)
80 selinux_compute_user_contexts(chfn_t)
82 term_use_all_inherited_ttys(chfn_t)
83 term_use_all_inherited_ptys(chfn_t)
85 fs_getattr_xattr_fs(chfn_t)
86 fs_search_auto_mountpoints(chfn_t)
89 dev_read_urand(chfn_t)
93 # allow checking if a shell is executable
94 corecmd_check_exec_shell(chfn_t)
96 domain_use_interactive_fds(chfn_t)
98 files_manage_etc_files(chfn_t)
99 files_read_etc_runtime_files(chfn_t)
100 files_dontaudit_search_var(chfn_t)
101 files_dontaudit_search_home(chfn_t)
103 # /usr/bin/passwd asks for w access to utmp, but it will operate
104 # correctly without it. Do not audit write denials to utmp.
105 init_dontaudit_rw_utmp(chfn_t)
107 miscfiles_read_localization(chfn_t)
109 logging_send_syslog_msg(chfn_t)
111 # uses unix_chkpwd for checking passwords
112 seutil_dontaudit_search_config(chfn_t)
114 userdom_use_unpriv_users_fds(chfn_t)
115 # user generally runs this from their home directory, so do not audit a search
117 userdom_dontaudit_search_user_home_content(chfn_t)
123 ########################################
128 allow crack_t self:process signal_perms;
129 allow crack_t self:fifo_file rw_fifo_file_perms;
131 manage_files_pattern(crack_t, crack_db_t, crack_db_t)
132 manage_lnk_files_pattern(crack_t, crack_db_t, crack_db_t)
133 files_search_var(crack_t)
135 manage_dirs_pattern(crack_t, crack_tmp_t, crack_tmp_t)
136 manage_files_pattern(crack_t, crack_tmp_t, crack_tmp_t)
137 files_tmp_filetrans(crack_t, crack_tmp_t, { file dir })
139 kernel_read_system_state(crack_t)
142 dev_read_urand(crack_t)
144 fs_getattr_xattr_fs(crack_t)
146 files_read_etc_files(crack_t)
147 files_read_etc_runtime_files(crack_t)
149 files_read_usr_files(crack_t)
151 corecmd_exec_bin(crack_t)
153 logging_send_syslog_msg(crack_t)
155 userdom_dontaudit_search_user_home_dirs(crack_t)
157 ifdef(`distro_debian',`
158 # the package cracklib-runtime on Debian contains a daily maintenance
159 # script /etc/cron.daily/cracklib-runtime, that calls
160 # update-cracklib and that calls crack_mkdict, which is a shell script.
161 corecmd_exec_shell(crack_t)
165 cron_system_entry(crack_t, crack_exec_t)
168 ########################################
170 # Groupadd local policy
173 allow groupadd_t self:capability { dac_override chown kill setuid sys_resource audit_write };
174 dontaudit groupadd_t self:capability { fsetid sys_tty_config };
175 allow groupadd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execheap execstack };
176 allow groupadd_t self:process { setrlimit setfscreate };
177 allow groupadd_t self:fd use;
178 allow groupadd_t self:fifo_file rw_fifo_file_perms;
179 allow groupadd_t self:shm create_shm_perms;
180 allow groupadd_t self:sem create_sem_perms;
181 allow groupadd_t self:msgq create_msgq_perms;
182 allow groupadd_t self:msg { send receive };
183 allow groupadd_t self:unix_dgram_socket create_socket_perms;
184 allow groupadd_t self:unix_stream_socket create_stream_socket_perms;
185 allow groupadd_t self:unix_dgram_socket sendto;
186 allow groupadd_t self:unix_stream_socket connectto;
188 fs_getattr_xattr_fs(groupadd_t)
189 fs_search_auto_mountpoints(groupadd_t)
191 # Allow access to context for shadow file
192 selinux_get_fs_mount(groupadd_t)
193 selinux_validate_context(groupadd_t)
194 selinux_compute_access_vector(groupadd_t)
195 selinux_compute_create_context(groupadd_t)
196 selinux_compute_relabel_context(groupadd_t)
197 selinux_compute_user_contexts(groupadd_t)
199 term_use_all_inherited_terms(groupadd_t)
201 init_use_fds(groupadd_t)
202 init_read_utmp(groupadd_t)
203 init_dontaudit_write_utmp(groupadd_t)
205 domain_use_interactive_fds(groupadd_t)
207 files_manage_etc_files(groupadd_t)
208 files_relabel_etc_files(groupadd_t)
209 files_read_etc_runtime_files(groupadd_t)
210 files_read_usr_symlinks(groupadd_t)
212 # Execute /usr/bin/{passwd, chfn, chsh} and /usr/sbin/{useradd, vipw}.
213 corecmd_exec_bin(groupadd_t)
215 logging_send_audit_msgs(groupadd_t)
216 logging_send_syslog_msg(groupadd_t)
218 miscfiles_read_localization(groupadd_t)
220 auth_domtrans_chk_passwd(groupadd_t)
221 auth_rw_lastlog(groupadd_t)
222 auth_use_nsswitch(groupadd_t)
223 # these may be unnecessary due to the above
224 # domtrans_chk_passwd() call.
225 auth_manage_shadow(groupadd_t)
226 auth_relabel_shadow(groupadd_t)
227 auth_etc_filetrans_shadow(groupadd_t)
229 seutil_read_config(groupadd_t)
231 userdom_use_unpriv_users_fds(groupadd_t)
232 # for when /root is the cwd
233 userdom_dontaudit_search_user_home_dirs(groupadd_t)
236 dpkg_use_fds(groupadd_t)
237 dpkg_rw_pipes(groupadd_t)
241 nscd_domtrans(groupadd_t)
245 puppet_rw_tmp(groupadd_t)
249 rpm_use_fds(groupadd_t)
250 rpm_rw_pipes(groupadd_t)
253 ########################################
255 # Passwd local policy
258 allow passwd_t self:capability { chown dac_override fsetid setuid setgid sys_nice sys_resource };
259 dontaudit passwd_t self:capability sys_tty_config;
260 allow passwd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
261 allow passwd_t self:process { setrlimit setfscreate };
262 allow passwd_t self:fd use;
263 allow passwd_t self:fifo_file rw_fifo_file_perms;
264 allow passwd_t self:sock_file read_sock_file_perms;
265 allow passwd_t self:unix_dgram_socket create_socket_perms;
266 allow passwd_t self:unix_stream_socket create_stream_socket_perms;
267 allow passwd_t self:unix_dgram_socket sendto;
268 allow passwd_t self:unix_stream_socket connectto;
269 allow passwd_t self:shm create_shm_perms;
270 allow passwd_t self:sem create_sem_perms;
271 allow passwd_t self:msgq create_msgq_perms;
272 allow passwd_t self:msg { send receive };
274 allow passwd_t crack_db_t:dir list_dir_perms;
275 read_files_pattern(passwd_t, crack_db_t, crack_db_t)
277 kernel_read_kernel_sysctls(passwd_t)
280 dev_read_urand(passwd_t)
282 fs_getattr_xattr_fs(passwd_t)
283 fs_search_auto_mountpoints(passwd_t)
285 mls_file_write_all_levels(passwd_t)
286 mls_file_downgrade(passwd_t)
288 selinux_get_fs_mount(passwd_t)
289 selinux_validate_context(passwd_t)
290 selinux_compute_access_vector(passwd_t)
291 selinux_compute_create_context(passwd_t)
292 selinux_compute_relabel_context(passwd_t)
293 selinux_compute_user_contexts(passwd_t)
295 term_use_all_inherited_terms(passwd_t)
297 auth_manage_shadow(passwd_t)
298 auth_relabel_shadow(passwd_t)
299 auth_etc_filetrans_shadow(passwd_t)
300 auth_use_pam(passwd_t)
302 # allow checking if a shell is executable
303 corecmd_check_exec_shell(passwd_t)
304 corecmd_exec_bin(passwd_t)
306 corenet_tcp_connect_kerberos_password_port(passwd_t)
308 domain_use_interactive_fds(passwd_t)
310 files_read_etc_runtime_files(passwd_t)
311 files_manage_etc_files(passwd_t)
312 files_search_var(passwd_t)
313 files_dontaudit_search_pids(passwd_t)
314 files_relabel_etc_files(passwd_t)
316 # /usr/bin/passwd asks for w access to utmp, but it will operate
317 # correctly without it. Do not audit write denials to utmp.
318 init_dontaudit_rw_utmp(passwd_t)
319 init_use_fds(passwd_t)
321 logging_send_audit_msgs(passwd_t)
322 logging_send_syslog_msg(passwd_t)
324 miscfiles_read_localization(passwd_t)
326 seutil_dontaudit_search_config(passwd_t)
328 userdom_use_inherited_user_terminals(passwd_t)
329 userdom_use_unpriv_users_fds(passwd_t)
330 # make sure that getcon succeeds
331 userdom_getattr_all_users(passwd_t)
332 userdom_read_all_users_state(passwd_t)
333 userdom_read_user_tmp_files(passwd_t)
334 # user generally runs this from their home directory, so do not audit a search
336 userdom_dontaudit_search_user_home_content(passwd_t)
337 userdom_stream_connect(passwd_t)
340 nscd_domtrans(passwd_t)
343 ########################################
345 # Password admin local policy
348 allow sysadm_passwd_t self:capability { chown dac_override fsetid setuid setgid sys_resource };
349 allow sysadm_passwd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
350 allow sysadm_passwd_t self:process { setrlimit setfscreate };
351 allow sysadm_passwd_t self:fd use;
352 allow sysadm_passwd_t self:fifo_file rw_fifo_file_perms;
353 allow sysadm_passwd_t self:sock_file read_sock_file_perms;
354 allow sysadm_passwd_t self:unix_dgram_socket create_socket_perms;
355 allow sysadm_passwd_t self:unix_stream_socket create_stream_socket_perms;
356 allow sysadm_passwd_t self:unix_dgram_socket sendto;
357 allow sysadm_passwd_t self:unix_stream_socket connectto;
358 allow sysadm_passwd_t self:shm create_shm_perms;
359 allow sysadm_passwd_t self:sem create_sem_perms;
360 allow sysadm_passwd_t self:msgq create_msgq_perms;
361 allow sysadm_passwd_t self:msg { send receive };
363 # allow vipw to create temporary files under /var/tmp/vi.recover
364 manage_dirs_pattern(sysadm_passwd_t, sysadm_passwd_tmp_t, sysadm_passwd_tmp_t)
365 manage_files_pattern(sysadm_passwd_t, sysadm_passwd_tmp_t, sysadm_passwd_tmp_t)
366 files_tmp_filetrans(sysadm_passwd_t, sysadm_passwd_tmp_t, { file dir })
367 files_search_var(sysadm_passwd_t)
368 files_dontaudit_search_home(sysadm_passwd_t)
370 kernel_read_kernel_sysctls(sysadm_passwd_t)
372 kernel_read_system_state(sysadm_passwd_t)
374 selinux_get_fs_mount(sysadm_passwd_t)
375 selinux_validate_context(sysadm_passwd_t)
376 selinux_compute_access_vector(sysadm_passwd_t)
377 selinux_compute_create_context(sysadm_passwd_t)
378 selinux_compute_relabel_context(sysadm_passwd_t)
379 selinux_compute_user_contexts(sysadm_passwd_t)
382 dev_read_urand(sysadm_passwd_t)
384 fs_getattr_xattr_fs(sysadm_passwd_t)
385 fs_search_auto_mountpoints(sysadm_passwd_t)
387 term_use_all_inherited_terms(sysadm_passwd_t)
389 auth_manage_shadow(sysadm_passwd_t)
390 auth_relabel_shadow(sysadm_passwd_t)
391 auth_etc_filetrans_shadow(sysadm_passwd_t)
392 auth_use_nsswitch(sysadm_passwd_t)
394 # allow vipw to exec the editor
395 corecmd_exec_bin(sysadm_passwd_t)
396 corecmd_exec_shell(sysadm_passwd_t)
397 files_read_usr_files(sysadm_passwd_t)
399 domain_use_interactive_fds(sysadm_passwd_t)
401 files_manage_etc_files(sysadm_passwd_t)
402 files_relabel_etc_files(sysadm_passwd_t)
403 files_read_etc_runtime_files(sysadm_passwd_t)
405 files_dontaudit_search_pids(sysadm_passwd_t)
407 # /usr/bin/passwd asks for w access to utmp, but it will operate
408 # correctly without it. Do not audit write denials to utmp.
409 init_dontaudit_rw_utmp(sysadm_passwd_t)
411 miscfiles_read_localization(sysadm_passwd_t)
413 logging_send_syslog_msg(sysadm_passwd_t)
415 seutil_dontaudit_search_config(sysadm_passwd_t)
417 userdom_use_unpriv_users_fds(sysadm_passwd_t)
418 # user generally runs this from their home directory, so do not audit a search
420 userdom_dontaudit_search_user_home_content(sysadm_passwd_t)
423 nscd_domtrans(sysadm_passwd_t)
426 ########################################
428 # Useradd local policy
431 allow useradd_t self:capability { dac_override chown kill fowner fsetid setuid sys_resource sys_ptrace };
432 dontaudit useradd_t self:capability sys_tty_config;
433 allow useradd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
434 allow useradd_t self:process setfscreate;
435 allow useradd_t self:fd use;
436 allow useradd_t self:fifo_file rw_fifo_file_perms;
437 allow useradd_t self:shm create_shm_perms;
438 allow useradd_t self:sem create_sem_perms;
439 allow useradd_t self:msgq create_msgq_perms;
440 allow useradd_t self:msg { send receive };
441 allow useradd_t self:unix_dgram_socket create_socket_perms;
442 allow useradd_t self:unix_stream_socket create_stream_socket_perms;
443 allow useradd_t self:unix_dgram_socket sendto;
444 allow useradd_t self:unix_stream_socket connectto;
446 # for getting the number of groups
447 kernel_read_kernel_sysctls(useradd_t)
449 corecmd_exec_shell(useradd_t)
450 # Execute /usr/bin/{passwd,chfn,chsh} and /usr/sbin/{useradd,vipw}.
451 corecmd_exec_bin(useradd_t)
453 domain_use_interactive_fds(useradd_t)
454 domain_read_all_domains_state(useradd_t)
456 files_manage_etc_files(useradd_t)
457 files_search_var_lib(useradd_t)
458 files_relabel_etc_files(useradd_t)
459 files_read_etc_runtime_files(useradd_t)
461 fs_search_auto_mountpoints(useradd_t)
462 fs_getattr_xattr_fs(useradd_t)
464 mls_file_upgrade(useradd_t)
465 mls_process_read_to_clearance(useradd_t)
467 # Allow access to context for shadow file
468 selinux_get_fs_mount(useradd_t)
469 selinux_validate_context(useradd_t)
470 selinux_compute_access_vector(useradd_t)
471 selinux_compute_create_context(useradd_t)
472 selinux_compute_relabel_context(useradd_t)
473 selinux_compute_user_contexts(useradd_t)
475 term_use_all_inherited_terms(useradd_t)
477 auth_domtrans_chk_passwd(useradd_t)
478 auth_rw_lastlog(useradd_t)
479 auth_rw_faillog(useradd_t)
480 auth_use_nsswitch(useradd_t)
481 # these may be unnecessary due to the above
482 # domtrans_chk_passwd() call.
483 auth_manage_shadow(useradd_t)
484 auth_relabel_shadow(useradd_t)
485 auth_etc_filetrans_shadow(useradd_t)
487 init_use_fds(useradd_t)
488 init_rw_utmp(useradd_t)
490 logging_send_audit_msgs(useradd_t)
491 logging_send_syslog_msg(useradd_t)
493 miscfiles_read_localization(useradd_t)
495 seutil_read_config(useradd_t)
496 seutil_read_file_contexts(useradd_t)
497 seutil_read_default_contexts(useradd_t)
498 seutil_domtrans_semanage(useradd_t)
499 seutil_domtrans_setfiles(useradd_t)
501 userdom_use_unpriv_users_fds(useradd_t)
502 # Add/remove user home directories
503 userdom_home_filetrans_user_home_dir(useradd_t)
504 userdom_manage_home_role(system_r, useradd_t)
506 mta_manage_spool(useradd_t)
508 #ifdef(`distro_redhat',`
510 # unconfined_domain(useradd_t)
515 apache_manage_all_user_content(useradd_t)
519 dpkg_use_fds(useradd_t)
520 dpkg_rw_pipes(useradd_t)
524 nscd_domtrans(useradd_t)
528 puppet_rw_tmp(useradd_t)
532 tunable_policy(`samba_domain_controller',`
533 samba_append_log(useradd_t)
538 rpm_use_fds(useradd_t)
539 rpm_rw_pipes(useradd_t)