Changeset 2736
- Timestamp:
- 06/25/08 08:39:11
(4 months ago)
- Author:
- cpebenito
- Message:
rbacsep: switch over su to role template convention.
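--- a/FILE_1_PATH_NOT_ON_PAGE
+++ b/FILE_1_PATH_NOT_ON_PAGE
@@ -129,22 +129,15 @@
 #######################################
 ## <summary>
-## The per role template for the su module.
+## The role template for the su module.
 ## </summary>
-## <desc>
-## <p>
-## This template creates a derived domain which is allowed
-## to change the linux user id, to run shells as a different
-## user.
-## </p>
-## <p>
-## This template is invoked automatically for each user, and
-## generally does not need to be invoked directly
-## by policy writers.
-## </p>
-## </desc>
-## <param name="userdomain_prefix">
-## <summary>
-## The prefix of the user domain (e.g., user
-## is the prefix for user_t).
+## <param name="role_prefix">
+## <summary>
+## The prefix of the user role (e.g., user
+## is the prefix for user_r).
+## </summary>
+## </param>
+## <param name="user_role">
+## <summary>
+## The role associated with the user domain.
 ## </summary>
 ## </param>
@@ -154,24 +147,18 @@
 ## </summary>
 ## </param>
-## <param name="user_role">
-## <summary>
-## The role associated with the user domain.
-## </summary>
-## </param>
 #
-template(`su_per_role_template',`
+template(`su_role_template',`
 gen_require(`
-attribute su_domain_type;
 type su_exec_t;
 bool secure_mode;
 ')
 
-type $1_su_t, su_domain_type;
+type $1_su_t;
 domain_entry_file($1_su_t,su_exec_t)
 domain_type($1_su_t)
 domain_interactive_fd($1_su_t)
-role $3 types $1_su_t;
-
-allow $2 $1_su_t:process signal;
+role $2 types $1_su_t;
+
+allow $3 $1_su_t:process signal;
 
 allow $1_su_t self:capability { audit_control audit_write setuid setgid net_bind_service chown dac_override fowner sys_nice sys_resource };
@@ -183,11 +170,13 @@
 
 # Transition from the user domain to this domain.
-domtrans_pattern($2, su_exec_t, $1_su_t)
+domtrans_pattern($3, su_exec_t, $1_su_t)
+
+ps_process_pattern($3, $1_su_t)
 
 # By default, revert to the calling domain when a shell is executed.
-corecmd_shell_domtrans($1_su_t,$2)
-allow $2 $1_su_t:fd use;
-allow $2 $1_su_t:fifo_file rw_file_perms;
-allow $2 $1_su_t:process sigchld;
+corecmd_shell_domtrans($1_su_t, $3)
+allow $3 $1_su_t:fd use;
+allow $3 $1_su_t:fifo_file rw_file_perms;
+allow $3 $1_su_t:process sigchld;
 
 kernel_read_system_state($1_su_t)
@@ -204,6 +193,5 @@
 selinux_compute_access_vector($1_su_t)
 
-auth_domtrans_user_chk_passwd($1,$1_su_t)
-auth_dontaudit_read_shadow($1_su_t)
+auth_domtrans_chk_passwd($1_su_t)
 auth_use_nsswitch($1_su_t)
 auth_rw_faillog($1_su_t)
@@ -231,6 +219,6 @@
 miscfiles_read_localization($1_su_t)
 
-userdom_use_user_terminals($1,$1_su_t)
-userdom_search_user_home_dirs($1,$1_su_t)
+userdom_use_user_terminals($1_su_t)
+userdom_search_user_home_dirs($1_su_t)
 
 ifdef(`distro_rhel4',`
@@ -292,15 +280,7 @@
 # Modify .Xauthority file (via xauth program).
 optional_policy(`
-xserver_user_home_dir_filetrans_user_xauth($1, su_domain_type)
-xserver_domtrans_user_xauth($1, $1_su_t)
-')
-
-ifdef(`TODO',`
-allow $1_su_t $1_home_t:file manage_file_perms;
-
-# Access sshd cookie files.
-allow $1_su_t sshd_tmp_t:file rw_file_perms;
-file_type_auto_trans($1_su_t, sshd_tmp_t, $1_tmp_t)
-') dnl end TODO
+xserver_user_home_dir_filetrans_user_xauth($1_su_t)
+xserver_domtrans_xauth($1_su_t)
+')
 ')
 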
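--- a/FILE_2_PATH_NOT_ON_PAGE
+++ b/FILE_2_PATH_NOT_ON_PAGE
@@ -7,6 +7,4 @@
 #
 
-attribute su_domain_type;
-
 type su_exec_t;
 corecmd_executable_file(su_exec_t)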
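--- a/FILE_3_PATH_NOT_ON_PAGE
+++ b/FILE_3_PATH_NOT_ON_PAGE
@@ -141,5 +141,5 @@
 
 optional_policy(`
-su_role(auditadm_r, auditadm_t)
+su_role_template(auditadm, auditadm_r, auditadm_t)
 ')
 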
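--- a/FILE_4_PATH_NOT_ON_PAGE
+++ b/FILE_4_PATH_NOT_ON_PAGE
@@ -153,5 +153,5 @@
 
 optional_policy(`
-su_role(secadm_r, secadm_t)
+su_role_template(secadm, secadm_r, secadm_t)
 ')
 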
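--- a/FILE_5_PATH_NOT_ON_PAGE
+++ b/FILE_5_PATH_NOT_ON_PAGE
@@ -121,5 +121,5 @@
 
 optional_policy(`
-su_role(staff_r, staff_t)
+su_role_template(staff, staff_r, staff_t)
 ')
 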
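--- a/FILE_6_PATH_NOT_ON_PAGE
+++ b/FILE_6_PATH_NOT_ON_PAGE
@@ -359,5 +359,5 @@
 
 optional_policy(`
-su_role(sysadm_r, sysadm_t)
+su_role_template(sysadm, sysadm_r, sysadm_t)
 ')
 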
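--- a/FILE_7_PATH_NOT_ON_PAGE
+++ b/FILE_7_PATH_NOT_ON_PAGE
@@ -111,5 +111,5 @@
 
 optional_policy(`
-su_role(user_r, user_t)
+su_role_template(user, user_r, user_t)
 ')
 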