| 72 | | # reorder to work around require-then-decare bug |
| 73 | | authlogin_common_auth_domain_template(system) |
| 74 | | role system_r types system_chkpwd_t; |
| | 74 | ######################################## |
| | 75 | # |
| | 76 | # Check password local policy |
| | 77 | # |
| | 78 | |
| | 79 | allow chkpwd_t self:capability { dac_override setuid }; |
| | 80 | dontaudit chkpwd_t self:capability sys_tty_config; |
| | 81 | allow chkpwd_t self:process getattr; |
| | 82 | |
| | 83 | allow chkpwd_t shadow_t:file { getattr read }; |
| | 84 | files_list_etc(chkpwd_t) |
| | 85 | |
| | 86 | # is_selinux_enabled |
| | 87 | kernel_read_system_state(chkpwd_t) |
| | 88 | |
| | 89 | domain_dontaudit_use_interactive_fds(chkpwd_t) |
| | 90 | |
| | 91 | dev_read_rand(chkpwd_t) |
| | 92 | dev_read_urand(chkpwd_t) |
| | 93 | |
| | 94 | files_read_etc_files(chkpwd_t) |
| | 95 | # for nscd |
| | 96 | files_dontaudit_search_var(chkpwd_t) |
| | 97 | |
| | 98 | fs_dontaudit_getattr_xattr_fs(chkpwd_t) |
| | 99 | |
| | 100 | term_dontaudit_use_unallocated_ttys(chkpwd_t) |
| | 101 | term_dontaudit_use_generic_ptys(chkpwd_t) |
| | 102 | |
| | 103 | auth_use_nsswitch(chkpwd_t) |
| | 104 | |
| | 105 | libs_use_ld_so(chkpwd_t) |
| | 106 | libs_use_shared_libs(chkpwd_t) |
| | 107 | |
| | 108 | logging_send_audit_msgs(chkpwd_t) |
| | 109 | logging_send_syslog_msg(chkpwd_t) |
| | 110 | |
| | 111 | miscfiles_read_localization(chkpwd_t) |
| | 112 | |
| | 113 | seutil_read_config(chkpwd_t) |
| | 114 | |
| | 115 | userdom_dontaudit_use_unpriv_users_ttys(chkpwd_t) |
| | 116 | userdom_dontaudit_use_unpriv_users_ptys(chkpwd_t) |
| | 117 | |
| | 118 | sysadm_dontaudit_use_terms(chkpwd_t) |
| | 119 | |
| | 120 | ifdef(`distro_ubuntu',` |
| | 121 | optional_policy(` |
| | 122 | unconfined_domain(chkpwd_t) |
| | 123 | ') |
| | 124 | ') |
| | 125 | |
| | 126 | optional_policy(` |
| | 127 | kerberos_use(chkpwd_t) |
| | 128 | ') |
| 263 | | # System check password local policy |
| 264 | | # |
| 265 | | |
| 266 | | allow system_chkpwd_t shadow_t:file { getattr read }; |
| 267 | | |
| 268 | | corecmd_search_bin(system_chkpwd_t) |
| 269 | | |
| 270 | | domain_dontaudit_use_interactive_fds(system_chkpwd_t) |
| 271 | | |
| 272 | | term_dontaudit_use_unallocated_ttys(system_chkpwd_t) |
| 273 | | term_dontaudit_use_generic_ptys(system_chkpwd_t) |
| 274 | | |
| 275 | | userdom_dontaudit_use_unpriv_users_ttys(system_chkpwd_t) |
| 276 | | userdom_dontaudit_use_unpriv_users_ptys(system_chkpwd_t) |
| 277 | | |
| 278 | | sysadm_dontaudit_use_terms(system_chkpwd_t) |
| 279 | | |
| 280 | | ifdef(`distro_ubuntu',` |
| 281 | | optional_policy(` |
| 282 | | unconfined_domain(system_chkpwd_t) |
| 283 | | ') |
| 284 | | ') |
| 285 | | |
| 286 | | ######################################## |
| 287 | | # |