Changeset 2751
- Timestamp:
- 07/09/08 07:51:36 (5 months ago)
- Files:
-
- branches/rbacsep/policy/modules/admin/sudo.if (modified) (1 diff)
- branches/rbacsep/policy/modules/admin/sudo.te (modified) (1 diff)
- branches/rbacsep/policy/modules/roles/auditadm.te (modified) (1 diff)
- branches/rbacsep/policy/modules/roles/secadm.te (modified) (1 diff)
- branches/rbacsep/policy/modules/roles/staff.te (modified) (1 diff)
- branches/rbacsep/policy/modules/roles/sysadm.te (modified) (1 diff)
- branches/rbacsep/policy/modules/roles/unprivuser.te (modified) (1 diff)
branches/rbacsep/policy/modules/admin/sudo.if
r2726 r2751 1 1 ## <summary>Execute a command with a substitute user</summary> 2 2 3 ####################################### #####################3 ####################################### 4 4 ## <summary> 5 ## Role access for sudo5 ## The role template for the sudo module. 6 6 ## </summary> 7 ## <param name="role"> 7 ## <desc> 8 ## <p> 9 ## This template creates a derived domain which is allowed 10 ## to change the linux user id, to run commands as a different 11 ## user. 12 ## </p> 13 ## </desc> 14 ## <param name="role_prefix"> 8 15 ## <summary> 9 ## Role allowed access 16 ## The prefix of the user role (e.g., user 17 ## is the prefix for user_r). 10 18 ## </summary> 11 19 ## </param> 12 ## <param name=" domain">20 ## <param name="user_role"> 13 21 ## <summary> 14 ## User domain for the role 22 ## The user role. 23 ## </summary> 24 ## </param> 25 ## <param name="user_domain"> 26 ## <summary> 27 ## The user domain associated with the role. 15 28 ## </summary> 16 29 ## </param> 17 30 # 18 interface(`sudo_role',` 31 template(`sudo_role_template',` 32 19 33 gen_require(` 20 type sudo_ t, sudo_exec_t;34 type sudo_exec_t; 21 35 ') 22 36 23 role $1 types sudo_t; 37 ############################## 38 # 39 # Declarations 40 # 41 42 type $1_sudo_t; 43 application_domain($1_sudo_t, sudo_exec_t) 44 domain_interactive_fd($1_sudo_t) 45 role $2 types $1_sudo_t; 46 47 ############################## 48 # 49 # Local Policy 50 # 51 52 # Use capabilities. 
53 allow $1_sudo_t self:capability { fowner setuid setgid dac_override sys_resource }; 54 allow $1_sudo_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; 55 allow $1_sudo_t self:process { setexec setrlimit }; 56 allow $1_sudo_t self:fd use; 57 allow $1_sudo_t self:fifo_file rw_fifo_file_perms; 58 allow $1_sudo_t self:shm create_shm_perms; 59 allow $1_sudo_t self:sem create_sem_perms; 60 allow $1_sudo_t self:msgq create_msgq_perms; 61 allow $1_sudo_t self:msg { send receive }; 62 allow $1_sudo_t self:unix_dgram_socket create_socket_perms; 63 allow $1_sudo_t self:unix_stream_socket create_stream_socket_perms; 64 allow $1_sudo_t self:unix_dgram_socket sendto; 65 allow $1_sudo_t self:unix_stream_socket connectto; 66 allow $1_sudo_t self:netlink_audit_socket { create bind write nlmsg_read read }; 24 67 25 68 # Enter this derived domain from the user domain 26 domtrans_pattern($ 2, sudo_exec_t,sudo_t)27 69 domtrans_pattern($3, sudo_exec_t, $1_sudo_t) 70 28 71 # By default, revert to the calling domain when a shell is executed. 
29 corecmd_shell_domtrans(sudo_t, $2) 30 allow $2 sudo_t:fd use; 31 allow $2 sudo_t:fifo_file rw_file_perms; 32 allow $2 sudo_t:process sigchld; 72 corecmd_shell_domtrans($1_sudo_t, $3) 73 allow $3 $1_sudo_t:fd use; 74 allow $3 $1_sudo_t:fifo_file rw_file_perms; 75 allow $3 $1_sudo_t:process sigchld; 76 77 kernel_read_kernel_sysctls($1_sudo_t) 78 kernel_read_system_state($1_sudo_t) 79 kernel_search_key($1_sudo_t) 80 81 dev_read_urand($1_sudo_t) 82 83 fs_search_auto_mountpoints($1_sudo_t) 84 fs_getattr_xattr_fs($1_sudo_t) 85 86 auth_domtrans_chk_passwd($1_sudo_t) 87 # sudo stores a token in the pam_pid directory 88 auth_manage_pam_pid($1_sudo_t) 89 auth_use_nsswitch($1_sudo_t) 90 91 corecmd_read_bin_symlinks($1_sudo_t) 92 corecmd_getattr_all_executables($1_sudo_t) 93 94 domain_use_interactive_fds($1_sudo_t) 95 domain_sigchld_interactive_fds($1_sudo_t) 96 domain_getattr_all_entry_files($1_sudo_t) 97 98 files_read_etc_files($1_sudo_t) 99 files_read_var_files($1_sudo_t) 100 files_read_usr_symlinks($1_sudo_t) 101 files_getattr_usr_files($1_sudo_t) 102 # for some PAM modules and for cwd 103 files_dontaudit_search_home($1_sudo_t) 104 105 init_rw_utmp($1_sudo_t) 106 107 libs_use_ld_so($1_sudo_t) 108 libs_use_shared_libs($1_sudo_t) 109 110 logging_send_syslog_msg($1_sudo_t) 111 112 miscfiles_read_localization($1_sudo_t) 113 114 userdom_manage_user_home_content_files($1_sudo_t) 115 userdom_manage_user_home_content_symlinks($1_sudo_t) 116 userdom_manage_user_tmp_files($1_sudo_t) 117 userdom_manage_user_tmp_symlinks($1_sudo_t) 118 userdom_use_user_terminals($1_sudo_t) 119 userdom_use_unpriv_users_fds($1_sudo_t) 120 # for some PAM modules and for cwd 121 userdom_dontaudit_search_user_home_content($1_sudo_t) 33 122 ') branches/rbacsep/policy/modules/admin/sudo.te
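Review bot: `userdom_use_unpriv_users_fds($1_sudo_t)` at new line 119 of the template has no counterpart among the `sudo_t` rules removed from sudo.te, so this changeset widens every derived domain (including `sysadm_sudo_t` and `secadm_sudo_t`) rather than only moving policy into a template. If the access is required, it should carry a why-comment naming whose descriptors are inherited, as the neighbouring `# for some PAM modules and for cwd` lines do, or be split into its own changeset; otherwise the line should be dropped. Separately, the carried-over `allow $1_sudo_t self:process ~{ ptrace setcurrent ... };` grants every process permission not named in the braces, and that rule is now instantiated once per role on domains that also hold `setuid`, `setgid` and `dac_override`, so an explicit permission list would be easier to audit. The `allow $3 $1_sudo_t:fifo_file rw_file_perms;` rule could also use `rw_fifo_file_perms`, matching the self rule earlier in the template.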
r2727 r2751 5 5 # 6 6 # Declarations 7 #8 7 9 type sudo_t;10 8 type sudo_exec_t; 11 application_domain(sudo_t, sudo_exec_t) 12 domain_interactive_fd(sudo_t) 13 14 ############################## 15 # 16 # Local Policy 17 # 18 19 # Use capabilities. 20 allow sudo_t self:capability { fowner setuid setgid dac_override sys_resource }; 21 allow sudo_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; 22 allow sudo_t self:process { setexec setrlimit }; 23 allow sudo_t self:fd use; 24 allow sudo_t self:fifo_file rw_fifo_file_perms; 25 allow sudo_t self:shm create_shm_perms; 26 allow sudo_t self:sem create_sem_perms; 27 allow sudo_t self:msgq create_msgq_perms; 28 allow sudo_t self:msg { send receive }; 29 allow sudo_t self:unix_dgram_socket create_socket_perms; 30 allow sudo_t self:unix_stream_socket create_stream_socket_perms; 31 allow sudo_t self:unix_dgram_socket sendto; 32 allow sudo_t self:unix_stream_socket connectto; 33 allow sudo_t self:netlink_audit_socket { create bind write nlmsg_read read }; 34 35 kernel_read_kernel_sysctls(sudo_t) 36 kernel_read_system_state(sudo_t) 37 kernel_search_key(sudo_t) 38 39 dev_read_urand(sudo_t) 40 41 fs_search_auto_mountpoints(sudo_t) 42 fs_getattr_xattr_fs(sudo_t) 43 44 auth_domtrans_chk_passwd(sudo_t) 45 # sudo stores a token in the pam_pid directory 46 auth_manage_pam_pid(sudo_t) 47 auth_use_nsswitch(sudo_t) 48 49 corecmd_read_bin_symlinks(sudo_t) 50 corecmd_getattr_all_executables(sudo_t) 51 52 domain_use_interactive_fds(sudo_t) 53 domain_sigchld_interactive_fds(sudo_t) 54 domain_getattr_all_entry_files(sudo_t) 55 56 files_read_etc_files(sudo_t) 57 files_read_var_files(sudo_t) 58 files_read_usr_symlinks(sudo_t) 59 files_getattr_usr_files(sudo_t) 60 # for some PAM modules and for cwd 61 files_dontaudit_search_home(sudo_t) 62 63 init_rw_utmp(sudo_t) 64 65 libs_use_ld_so(sudo_t) 66 libs_use_shared_libs(sudo_t) 67 68 logging_send_syslog_msg(sudo_t) 69 70 
miscfiles_read_localization(sudo_t) 71 72 userdom_manage_user_home_content_files(sudo_t) 73 userdom_manage_user_home_content_symlinks(sudo_t) 74 userdom_manage_user_tmp_files(sudo_t) 75 userdom_manage_user_tmp_symlinks(sudo_t) 76 userdom_use_user_terminals(sudo_t) 77 # for some PAM modules and for cwd 78 userdom_dontaudit_search_user_home_content(sudo_t) 9 application_executable_file(sudo_exec_t) branches/rbacsep/policy/modules/roles/auditadm.te
r2750 r2751 145 145 146 146 optional_policy(` 147 sudo_role (auditadm_r, auditadm_t)147 sudo_role_template(auditadm, auditadm_r, auditadm_t) 148 148 ') 149 149 branches/rbacsep/policy/modules/roles/secadm.te
r2750 r2751 157 157 158 158 optional_policy(` 159 sudo_role (secadm_r, secadm_t)159 sudo_role_template(secadm, secadm_r, secadm_t) 160 160 ') 161 161 branches/rbacsep/policy/modules/roles/staff.te
r2750 r2751 125 125 126 126 optional_policy(` 127 sudo_role (staff_r, staff_t)127 sudo_role_template(staff, staff_r, staff_t) 128 128 ') 129 129 branches/rbacsep/policy/modules/roles/sysadm.te
r2750 r2751 363 363 364 364 optional_policy(` 365 sudo_role (sysadm_r, sysadm_t)365 sudo_role_template(sysadm, sysadm_r, sysadm_t) 366 366 ') 367 367 branches/rbacsep/policy/modules/roles/unprivuser.te
r2750 r2751 115 115 116 116 optional_policy(` 117 sudo_role (user_r, user_t)117 sudo_role_template(user, user_r, user_t) 118 118 ') 119 119
