Changeset 2735
- Timestamp:
- 06/25/08 08:23:29 (5 months ago)
- Files:
-
- branches/rbacsep/policy/modules/admin/su.if (modified) (1 diff)
- branches/rbacsep/policy/modules/admin/su.te (modified) (2 diffs)
branches/rbacsep/policy/modules/admin/su.if
r2726 r2735 127 127 ') 128 128 129 ####################################### #129 ####################################### 130 130 ## <summary> 131 ## Role access for su131 ## The per role template for the su module. 132 132 ## </summary> 133 ## <param name="role"> 134 ## <summary> 135 ## Role allowed access 136 ## </summary> 137 ## </param> 138 ## <param name="domain"> 139 ## <summary> 140 ## User domain for the role 133 ## <desc> 134 ## <p> 135 ## This template creates a derived domain which is allowed 136 ## to change the linux user id, to run shells as a different 137 ## user. 138 ## </p> 139 ## <p> 140 ## This template is invoked automatically for each user, and 141 ## generally does not need to be invoked directly 142 ## by policy writers. 143 ## </p> 144 ## </desc> 145 ## <param name="userdomain_prefix"> 146 ## <summary> 147 ## The prefix of the user domain (e.g., user 148 ## is the prefix for user_t). 149 ## </summary> 150 ## </param> 151 ## <param name="user_domain"> 152 ## <summary> 153 ## The type of the user domain. 154 ## </summary> 155 ## </param> 156 ## <param name="user_role"> 157 ## <summary> 158 ## The role associated with the user domain. 
141 159 ## </summary> 142 160 ## </param> 143 161 # 144 interface(`su_role',`162 template(`su_per_role_template',` 145 163 gen_require(` 146 type su_t, su_exec_t; 147 ') 148 149 role $1 types su_t; 164 attribute su_domain_type; 165 type su_exec_t; 166 bool secure_mode; 167 ') 168 169 type $1_su_t, su_domain_type; 170 domain_entry_file($1_su_t,su_exec_t) 171 domain_type($1_su_t) 172 domain_interactive_fd($1_su_t) 173 role $3 types $1_su_t; 174 175 allow $2 $1_su_t:process signal; 176 177 allow $1_su_t self:capability { audit_control audit_write setuid setgid net_bind_service chown dac_override fowner sys_nice sys_resource }; 178 dontaudit $1_su_t self:capability sys_tty_config; 179 allow $1_su_t self:process { setexec setsched setrlimit }; 180 allow $1_su_t self:fifo_file rw_fifo_file_perms; 181 allow $1_su_t self:netlink_audit_socket { nlmsg_relay create_netlink_socket_perms }; 182 allow $1_su_t self:key { search write }; 150 183 151 184 # Transition from the user domain to this domain. 152 domtrans_pattern($2, su_exec_t, su_t) 153 154 allow $2 su_t:process signal; 155 185 domtrans_pattern($2, su_exec_t, $1_su_t) 186 156 187 # By default, revert to the calling domain when a shell is executed. 
157 corecmd_shell_domtrans(su_t, $2) 158 allow $2 su_t:fd use; 159 allow $2 su_t:fifo_file rw_file_perms; 160 allow $2 su_t:process sigchld; 188 corecmd_shell_domtrans($1_su_t,$2) 189 allow $2 $1_su_t:fd use; 190 allow $2 $1_su_t:fifo_file rw_file_perms; 191 allow $2 $1_su_t:process sigchld; 192 193 kernel_read_system_state($1_su_t) 194 kernel_read_kernel_sysctls($1_su_t) 195 kernel_search_key($1_su_t) 196 kernel_link_key($1_su_t) 197 198 # for SSP 199 dev_read_urand($1_su_t) 200 201 fs_search_auto_mountpoints($1_su_t) 202 203 # needed for pam_rootok 204 selinux_compute_access_vector($1_su_t) 205 206 auth_domtrans_user_chk_passwd($1,$1_su_t) 207 auth_dontaudit_read_shadow($1_su_t) 208 auth_use_nsswitch($1_su_t) 209 auth_rw_faillog($1_su_t) 210 211 corecmd_search_bin($1_su_t) 212 213 domain_use_interactive_fds($1_su_t) 214 215 files_read_etc_files($1_su_t) 216 files_read_etc_runtime_files($1_su_t) 217 files_search_var_lib($1_su_t) 218 files_dontaudit_getattr_tmp_dirs($1_su_t) 219 220 init_dontaudit_use_fds($1_su_t) 221 # Write to utmp. 222 init_rw_utmp($1_su_t) 223 224 mls_file_write_all_levels($1_su_t) 225 226 libs_use_ld_so($1_su_t) 227 libs_use_shared_libs($1_su_t) 228 229 logging_send_syslog_msg($1_su_t) 230 231 miscfiles_read_localization($1_su_t) 232 233 userdom_use_user_terminals($1,$1_su_t) 234 userdom_search_user_home_dirs($1,$1_su_t) 235 236 ifdef(`distro_rhel4',` 237 domain_role_change_exemption($1_su_t) 238 domain_subj_id_change_exemption($1_su_t) 239 domain_obj_id_change_exemption($1_su_t) 240 241 selinux_get_fs_mount($1_su_t) 242 selinux_validate_context($1_su_t) 243 selinux_compute_create_context($1_su_t) 244 selinux_compute_relabel_context($1_su_t) 245 selinux_compute_user_contexts($1_su_t) 246 247 # Relabel ttys and ptys. 248 term_relabel_all_user_ttys($1_su_t) 249 term_relabel_all_user_ptys($1_su_t) 250 # Close and re-open ttys and ptys to get the fd into the correct domain. 
251 term_use_all_user_ttys($1_su_t) 252 term_use_all_user_ptys($1_su_t) 253 254 seutil_read_config($1_su_t) 255 seutil_read_default_contexts($1_su_t) 256 257 if(secure_mode) { 258 # Only allow transitions to unprivileged user domains. 259 userdom_spec_domtrans_unpriv_users($1_su_t) 260 } else { 261 # Allow transitions to all user domains 262 userdom_spec_domtrans_all_users($1_su_t) 263 } 264 265 optional_policy(` 266 unconfined_domtrans($1_su_t) 267 unconfined_signal($1_su_t) 268 ') 269 ') 270 271 tunable_policy(`allow_polyinstantiation',` 272 fs_mount_xattr_fs($1_su_t) 273 fs_unmount_xattr_fs($1_su_t) 274 ') 275 276 tunable_policy(`use_nfs_home_dirs',` 277 fs_search_nfs($1_su_t) 278 ') 279 280 tunable_policy(`use_samba_home_dirs',` 281 fs_search_cifs($1_su_t) 282 ') 283 284 optional_policy(` 285 cron_read_pipes($1_su_t) 286 ') 287 288 optional_policy(` 289 kerberos_use($1_su_t) 290 ') 291 292 # Modify .Xauthority file (via xauth program). 293 optional_policy(` 294 xserver_user_home_dir_filetrans_user_xauth($1, su_domain_type) 295 xserver_domtrans_user_xauth($1, $1_su_t) 296 ') 297 298 ifdef(`TODO',` 299 allow $1_su_t $1_home_t:file manage_file_perms; 300 301 # Access sshd cookie files. 302 allow $1_su_t sshd_tmp_t:file rw_file_perms; 303 file_type_auto_trans($1_su_t, sshd_tmp_t, $1_tmp_t) 304 ') dnl end TODO 161 305 ') 162 306 branches/rbacsep/policy/modules/admin/su.te
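Review bot: `xserver_user_home_dir_filetrans_user_xauth($1, su_domain_type)` at new line 294 is the only call inside su_per_role_template that targets the su_domain_type attribute rather than the derived domain; every other rule in the template, including the neighbouring `xserver_domtrans_user_xauth($1, $1_su_t)`, is scoped to `$1_su_t`. If the attribute is deliberate (one file transition rule shared by all per-role su domains), a one-line comment saying so would stop the next reader from "fixing" it; otherwise the call should read `xserver_user_home_dir_filetrans_user_xauth($1, $1_su_t)`. The ifdef(TODO) block at new lines 298-304 references `$1_home_t`, `sshd_tmp_t` and `$1_tmp_t`, none of which the template's gen_require declares, so it can only build with TODO undefined and is dead text carried into the new template; drop it or reduce it to a plain comment. The secure_mode restriction on transitions out of the su domain (new lines 257-263) remains nested inside the distro_rhel4 ifdef as it was before this change, which is worth a sentence in the template's desc now that the template is documented as the place where the su domain's rights are defined.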
r2724 r2735 1 1 2 2 policy_module(su,1.8.0) 3 4 gen_require(`5 bool secure_mode;6 ')7 3 8 4 ######################################## … … 11 7 # 12 8 13 type su_t; 9 attribute su_domain_type; 10 14 11 type su_exec_t; 15 application_domain(su_t, su_exec_t) 16 domain_interactive_fd(su_t) 17 18 ######################################## 19 # 20 # Local policy 21 # 22 23 allow su_t self:capability { audit_control audit_write setuid setgid net_bind_service chown dac_override fowner sys_nice sys_resource }; 24 dontaudit su_t self:capability sys_tty_config; 25 allow su_t self:process { setexec setsched setrlimit }; 26 allow su_t self:fifo_file rw_fifo_file_perms; 27 allow su_t self:netlink_audit_socket { nlmsg_relay create_netlink_socket_perms }; 28 allow su_t self:key { search write }; 29 30 kernel_read_system_state(su_t) 31 kernel_read_kernel_sysctls(su_t) 32 kernel_search_key(su_t) 33 kernel_link_key(su_t) 34 35 # for SSP 36 dev_read_urand(su_t) 37 38 fs_search_auto_mountpoints(su_t) 39 40 # needed for pam_rootok 41 selinux_compute_access_vector(su_t) 42 43 auth_domtrans_chk_passwd(su_t) 44 auth_dontaudit_read_shadow(su_t) 45 auth_use_nsswitch(su_t) 46 auth_rw_faillog(su_t) 47 48 corecmd_search_bin(su_t) 49 50 domain_use_interactive_fds(su_t) 51 52 files_read_etc_files(su_t) 53 files_read_etc_runtime_files(su_t) 54 files_search_var_lib(su_t) 55 files_dontaudit_getattr_tmp_dirs(su_t) 56 57 init_dontaudit_use_fds(su_t) 58 # Write to utmp. 
59 init_rw_utmp(su_t) 60 61 mls_file_write_all_levels(su_t) 62 63 libs_use_ld_so(su_t) 64 libs_use_shared_libs(su_t) 65 66 logging_send_syslog_msg(su_t) 67 68 miscfiles_read_localization(su_t) 69 70 userdom_use_user_terminals(su_t) 71 userdom_search_user_home_dirs(su_t) 72 73 ifdef(`distro_rhel4',` 74 domain_role_change_exemption(su_t) 75 domain_subj_id_change_exemption(su_t) 76 domain_obj_id_change_exemption(su_t) 77 78 selinux_get_fs_mount(su_t) 79 selinux_validate_context(su_t) 80 selinux_compute_create_context(su_t) 81 selinux_compute_relabel_context(su_t) 82 selinux_compute_user_contexts(su_t) 83 84 # Relabel ttys and ptys. 85 term_relabel_all_user_ttys(su_t) 86 term_relabel_all_user_ptys(su_t) 87 # Close and re-open ttys and ptys to get the fd into the correct domain. 88 term_use_all_user_ttys(su_t) 89 term_use_all_user_ptys(su_t) 90 91 seutil_read_config(su_t) 92 seutil_read_default_contexts(su_t) 93 94 if(secure_mode) { 95 # Only allow transitions to unprivileged user domains. 96 userdom_spec_domtrans_unpriv_users(su_t) 97 } else { 98 # Allow transitions to all user domains 99 userdom_spec_domtrans_all_users(su_t) 100 } 101 102 optional_policy(` 103 unconfined_domtrans(su_t) 104 unconfined_signal(su_t) 105 ') 106 ') 107 108 tunable_policy(`allow_polyinstantiation',` 109 fs_mount_xattr_fs(su_t) 110 fs_unmount_xattr_fs(su_t) 111 ') 112 113 tunable_policy(`use_nfs_home_dirs',` 114 fs_search_nfs(su_t) 115 ') 116 117 tunable_policy(`use_samba_home_dirs',` 118 fs_search_cifs(su_t) 119 ') 120 121 optional_policy(` 122 cron_read_pipes(su_t) 123 ') 124 125 optional_policy(` 126 kerberos_use(su_t) 127 ') 128 129 # Modify .Xauthority file (via xauth program). 130 optional_policy(` 131 xserver_user_home_dir_filetrans_user_xauth(su_t) 132 xserver_domtrans_xauth(su_t) 133 ') 12 corecmd_executable_file(su_exec_t)
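Review bot: The new `attribute su_domain_type;` declaration at new line 9 carries no comment, and su.te itself attaches no rules to it; its only visible use is as the attribute every `$1_su_t` receives in su_per_role_template (su.if) and as the target of the xauth filetrans there. A comment such as `# Attribute carried by every per-role su domain ($1_su_t) created by su_per_role_template().` would make that contract visible in the module that owns the declaration. Since `type su_t;` and `application_domain(su_t, su_exec_t)` are removed, the base module no longer declares any domain entered from su_exec_t; stating that next to `corecmd_executable_file(su_exec_t)` at new line 12 (that the executable only gains a domain when the template is invoked) would document the new dependency on per-role invocation.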
