Changeset 2684
- Timestamp:
- 05/15/08 08:51:09 (6 months ago)
- Files:
-
- branches/rbacsep/policy/modules/admin/su.te (modified) (2 diffs)
- branches/rbacsep/policy/modules/admin/sudo.te (modified) (1 diff)
branches/rbacsep/policy/modules/admin/su.te
r2553 r2684 1 1 2 2 policy_module(su,1.8.0) 3 4 gen_require(` 5 bool secure_mode; 6 ') 3 7 4 8 ######################################## … … 7 11 # 8 12 9 attribute su_domain_type; 13 type su_t; 14 type su_exec_t; 15 application_domain(su_t, su_exec_t) 16 domain_interactive_fd(su_t) 10 17 11 type su_exec_t; 12 corecmd_executable_file(su_exec_t) 18 ######################################## 19 # 20 # Local policy 21 # 22 23 allow su_t self:capability { audit_control audit_write setuid setgid net_bind_service chown dac_override fowner sys_nice sys_resource }; 24 dontaudit su_t self:capability sys_tty_config; 25 allow su_t self:process { setexec setsched setrlimit }; 26 allow su_t self:fifo_file rw_fifo_file_perms; 27 allow su_t self:netlink_audit_socket { nlmsg_relay create_netlink_socket_perms }; 28 allow su_t self:key { search write }; 29 30 # Transition from the user domain to this domain. 31 domtrans_pattern($2, su_exec_t, su_t) 32 33 allow $2 su_t:process signal; 34 35 # By default, revert to the calling domain when a shell is executed. 36 corecmd_shell_domtrans(su_t,$2) 37 allow $2 su_t:fd use; 38 allow $2 su_t:fifo_file rw_file_perms; 39 allow $2 su_t:process sigchld; 40 41 kernel_read_system_state(su_t) 42 kernel_read_kernel_sysctls(su_t) 43 kernel_search_key(su_t) 44 kernel_link_key(su_t) 45 46 # for SSP 47 dev_read_urand(su_t) 48 49 fs_search_auto_mountpoints(su_t) 50 51 # needed for pam_rootok 52 selinux_compute_access_vector(su_t) 53 54 auth_domtrans_user_chk_passwd($1,su_t) 55 auth_dontaudit_read_shadow(su_t) 56 auth_use_nsswitch(su_t) 57 auth_rw_faillog(su_t) 58 59 corecmd_search_bin(su_t) 60 61 domain_use_interactive_fds(su_t) 62 63 files_read_etc_files(su_t) 64 files_read_etc_runtime_files(su_t) 65 files_search_var_lib(su_t) 66 files_dontaudit_getattr_tmp_dirs(su_t) 67 68 init_dontaudit_use_fds(su_t) 69 # Write to utmp. 
70 init_rw_utmp(su_t) 71 72 mls_file_write_all_levels(su_t) 73 74 libs_use_ld_so(su_t) 75 libs_use_shared_libs(su_t) 76 77 logging_send_syslog_msg(su_t) 78 79 miscfiles_read_localization(su_t) 80 81 userdom_use_user_terminals($1,su_t) 82 userdom_search_user_home_dirs($1,su_t) 83 84 ifdef(`distro_rhel4',` 85 domain_role_change_exemption(su_t) 86 domain_subj_id_change_exemption(su_t) 87 domain_obj_id_change_exemption(su_t) 88 89 selinux_get_fs_mount(su_t) 90 selinux_validate_context(su_t) 91 selinux_compute_create_context(su_t) 92 selinux_compute_relabel_context(su_t) 93 selinux_compute_user_contexts(su_t) 94 95 # Relabel ttys and ptys. 96 term_relabel_all_user_ttys(su_t) 97 term_relabel_all_user_ptys(su_t) 98 # Close and re-open ttys and ptys to get the fd into the correct domain. 99 term_use_all_user_ttys(su_t) 100 term_use_all_user_ptys(su_t) 101 102 seutil_read_config(su_t) 103 seutil_read_default_contexts(su_t) 104 105 if(secure_mode) { 106 # Only allow transitions to unprivileged user domains. 107 userdom_spec_domtrans_unpriv_users(su_t) 108 } else { 109 # Allow transitions to all user domains 110 userdom_spec_domtrans_all_users(su_t) 111 } 112 113 optional_policy(` 114 unconfined_domtrans(su_t) 115 unconfined_signal(su_t) 116 ') 117 ') 118 119 tunable_policy(`allow_polyinstantiation',` 120 fs_mount_xattr_fs(su_t) 121 fs_unmount_xattr_fs(su_t) 122 ') 123 124 tunable_policy(`use_nfs_home_dirs',` 125 fs_search_nfs(su_t) 126 ') 127 128 tunable_policy(`use_samba_home_dirs',` 129 fs_search_cifs(su_t) 130 ') 131 132 optional_policy(` 133 cron_read_pipes(su_t) 134 ') 135 136 optional_policy(` 137 kerberos_use(su_t) 138 ') 139 140 # Modify .Xauthority file (via xauth program). 141 optional_policy(` 142 xserver_user_home_dir_filetrans_user_xauth($1, su_t) 143 xserver_domtrans_user_xauth($1, su_t) 144 ') branches/rbacsep/policy/modules/admin/sudo.te
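Review bot: In su.te the rules moved into the module body still use the template arguments `$1` and `$2`, which are unbound at module level in a .te file. Examples are `domtrans_pattern($2, su_exec_t, su_t)`, `corecmd_shell_domtrans(su_t,$2)`, `allow $2 su_t:process signal;` and `auth_domtrans_user_chk_passwd($1,su_t)`. I would expect the module either to fail to compile or to lose the intended caller-to-su_t transition and the return to the caller's domain on shell exec. Keep only rules whose source and target are fixed types (`su_t`, `su_exec_t`) here, and move the caller-specific lines into an interface that takes the role prefix and user domain as arguments. The sudo.te section has the same problem at `domtrans_pattern($2, sudo_exec_t, sudo_t)`, `corecmd_shell_domtrans(sudo_t,$2)` and the `userdom_*($1,sudo_t)` calls.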
r2553 r2684 5 5 # 6 6 # Declarations 7 # 7 8 9 type sudo_t; 8 10 type sudo_exec_t; 9 application_executable_file(sudo_exec_t) 11 application_domain(sudo_t, sudo_exec_t) 12 domain_interactive_fd(sudo_t) 10 13 11 # Remaining policy in per user domain template. 14 ############################## 15 # 16 # Local Policy 17 # 18 19 # Use capabilities. 20 allow sudo_t self:capability { fowner setuid setgid dac_override sys_resource }; 21 allow sudo_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; 22 allow sudo_t self:process { setexec setrlimit }; 23 allow sudo_t self:fd use; 24 allow sudo_t self:fifo_file rw_fifo_file_perms; 25 allow sudo_t self:shm create_shm_perms; 26 allow sudo_t self:sem create_sem_perms; 27 allow sudo_t self:msgq create_msgq_perms; 28 allow sudo_t self:msg { send receive }; 29 allow sudo_t self:unix_dgram_socket create_socket_perms; 30 allow sudo_t self:unix_stream_socket create_stream_socket_perms; 31 allow sudo_t self:unix_dgram_socket sendto; 32 allow sudo_t self:unix_stream_socket connectto; 33 allow sudo_t self:netlink_audit_socket { create bind write nlmsg_read read }; 34 35 # Enter this derived domain from the user domain 36 domtrans_pattern($2, sudo_exec_t, sudo_t) 37 38 # By default, revert to the calling domain when a shell is executed. 
39 corecmd_shell_domtrans(sudo_t,$2) 40 allow $2 sudo_t:fd use; 41 allow $2 sudo_t:fifo_file rw_file_perms; 42 allow $2 sudo_t:process sigchld; 43 44 kernel_read_kernel_sysctls(sudo_t) 45 kernel_read_system_state(sudo_t) 46 kernel_search_key(sudo_t) 47 48 dev_read_urand(sudo_t) 49 50 fs_search_auto_mountpoints(sudo_t) 51 fs_getattr_xattr_fs(sudo_t) 52 53 auth_domtrans_chk_passwd(sudo_t) 54 # sudo stores a token in the pam_pid directory 55 auth_manage_pam_pid(sudo_t) 56 auth_use_nsswitch(sudo_t) 57 58 corecmd_read_bin_symlinks(sudo_t) 59 corecmd_getattr_all_executables(sudo_t) 60 61 domain_use_interactive_fds(sudo_t) 62 domain_sigchld_interactive_fds(sudo_t) 63 domain_getattr_all_entry_files(sudo_t) 64 65 files_read_etc_files(sudo_t) 66 files_read_var_files(sudo_t) 67 files_read_usr_symlinks(sudo_t) 68 files_getattr_usr_files(sudo_t) 69 # for some PAM modules and for cwd 70 files_dontaudit_search_home(sudo_t) 71 72 init_rw_utmp(sudo_t) 73 74 libs_use_ld_so(sudo_t) 75 libs_use_shared_libs(sudo_t) 76 77 logging_send_syslog_msg(sudo_t) 78 79 miscfiles_read_localization(sudo_t) 80 81 userdom_manage_user_home_content_files($1,sudo_t) 82 userdom_manage_user_home_content_symlinks($1,sudo_t) 83 userdom_manage_user_tmp_files($1,sudo_t) 84 userdom_manage_user_tmp_symlinks($1,sudo_t) 85 userdom_use_user_terminals($1,sudo_t) 86 userdom_use_unpriv_users_fds(sudo_t) 87 # for some PAM modules and for cwd 88 userdom_dontaudit_search_all_users_home_content(sudo_t)
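Review bot: The rule `allow sudo_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };` grants by complement, so the now single, shared `sudo_t` gets every process permission not named, including any added to the class later. The next line then re-grants `setexec` and `setrlimit`, which the complement had just excluded, so the pair is hard to audit. For a setuid entry point an explicit allow-list is easier to review, for example starting from `allow sudo_t self:process { signal_perms setexec setrlimit };` and adding only what denials in testing show is needed. That set is a starting point and not a verified minimum. It would also help to add a comment above the `userdom_manage_user_home_content_files` and `userdom_manage_user_tmp_files` calls saying which role's content a shared `sudo_t` is meant to manage, since the per-role derived domain that used to scope this appears to have been removed.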
