#DESC Passwd - Password utilities
#
# Authors:  Stephen Smalley <sds@epoch.ncsc.mil> and Timothy Fraser  
# X-Debian-Packages: passwd
#
#################################
#
# Rules shared by the passwd_t, sysadm_passwd_t and chfn_t domains (common base macro).
#
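#
# Base macro for the password utility domains.
#   $1 - domain name prefix; the macro declares the type $1_t
#   $2 - additional attributes appended to the type declaration
#
# NOTE(review): every domain built from this macro receives dac_override
# together with create_file_perms on etc_t files, so SELinux policy is the
# only control limiting what these domains write to etc_t files. Keep the
# set of executables that can enter these domains small.
# NOTE(review): the dontaudit rules below suppress AVC denial records; lift
# them temporarily when investigating unexpected behaviour of these domains.
#
define(`base_passwd_domain', `
# Declare the domain type with the caller-supplied attribute list.
type $1_t, domain, privlog, $2;

# for SSP (presumably the stack protector reading /dev/urandom at startup)
allow $1_t urandom_device_t:chr_file read;

# The domain may change its own resource limits.
allow $1_t self:process setrlimit;

general_domain_access($1_t);
uses_shlib($1_t);

# Inherit and use descriptors from login.
allow $1_t privfd:fd use;
ifdef(`gnome-pty-helper.te', `allow $1_t gphdomain:fd use;')

read_locale($1_t)

allow $1_t fs_t:filesystem getattr;

# allow checking if a shell is executable
# Only the execute permission is granted by this rule: there is no
# execute_no_trans and no transition here, so the rule supports an
# executability check rather than running the shell.
allow $1_t shell_exec_t:file execute;

# Obtain contexts
can_getsecurity($1_t)

# Broad grant: applies to every etc_t file, not only the account databases.
allow $1_t etc_t:file create_file_perms;

# read /etc/mtab
allow $1_t etc_runtime_t:file { getattr read };

# Allow etc_t symlinks for /etc/alternatives on Debian.
allow $1_t etc_t:lnk_file read;

# Use capabilities.
# dac_override bypasses DAC permission checks; audit_control and audit_write
# are granted to every instance of this macro.
allow $1_t self:capability { chown dac_override fsetid setuid setgid sys_resource audit_control audit_write };

# Access terminals.
allow $1_t { ttyfile ptyfile }:chr_file rw_file_perms;
allow $1_t devtty_t:chr_file rw_file_perms;

dontaudit $1_t devpts_t:dir getattr;

# /usr/bin/passwd asks for w access to utmp, but it will operate
# correctly without it.  Do not audit read or write denials to utmp.
dontaudit $1_t initrc_var_run_t:file { read write };

# user generally runs this from their home directory, so do not audit a search
# on user home dir
dontaudit $1_t { user_home_dir_type user_home_type }:dir search;

# When the wrong current passwd is entered, passwd, for some reason,
# attempts to access /proc and /dev, but handles failure appropriately. So
# do not audit those denials.
dontaudit $1_t { proc_t device_t }:dir { search read };

allow $1_t device_t:dir getattr;
read_sysctl($1_t)
')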
#################################
#
# Rules for the passwd_t and sysadm_passwd_t domains.
#
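#
# Macro for the domains that rewrite the account databases.
#   $1 - domain name prefix; the resulting type is $1_t
#
# Builds $1_t from the base macro with the auth_write and privowner
# attributes, then adds the shadow_t file handling below.
#
define(`passwd_domain', `
base_passwd_domain($1, `auth_write, privowner')
# Update /etc/shadow and /etc/passwd
# Type transition arguments: source $1_t, parent directory type etc_t,
# new type shadow_t, class file. Presumably this makes files created by
# $1_t in etc_t directories default to shadow_t - confirm in the macro.
file_type_auto_trans($1_t, etc_t, shadow_t, file)
# Relabeling is allowed in both directions between etc_t and shadow_t.
allow $1_t { etc_t shadow_t }:file { relabelfrom relabelto };
# Presumably lets the domain set its file creation context - confirm.
can_setfscreate($1_t)
')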
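# Instantiate the password utility domains.
# passwd_t and sysadm_passwd_t get the full set of rules, including the
# shadow_t file transition and relabel permissions.
passwd_domain(passwd)
passwd_domain(sysadm_passwd)
# chfn_t gets only the base rules, with the attributes auth_chkpwd, etc_writer
# and privowner; it receives no shadow_t transition or relabel rule here.
base_passwd_domain(chfn, `auth_chkpwd, etc_writer, privowner')
can_setfscreate(chfn_t)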
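# can exec /sbin/unix_chkpwd
# This rule grants directory search only.
# NOTE(review): permission to run the helper presumably comes from the
# auth_chkpwd attribute assigned to chfn_t - confirm.
allow chfn_t { bin_t sbin_t }:dir search;

# uses unix_chkpwd for checking passwords
# chfn_t is not allowed to read shadow_t; the denial is expected and is not audited.
dontaudit chfn_t shadow_t:file read;
allow chfn_t etc_t:dir rw_dir_perms;
# NOTE(review): repeats the etc_t:file create_file_perms grant that chfn_t
# already receives from the base macro.
allow chfn_t etc_t:file create_file_perms;
allow chfn_t proc_t:file { getattr read };
# NOTE(review): the purpose of this rule is not documented in this file;
# presumably a write to a /proc/self entry - confirm.
allow chfn_t self:file write;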
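# Role authorisations for the password utility domains.
# passwd_t and chfn_t are authorised for the user roles, sysadm_r and system_r.
# sysadm_passwd_t is authorised for sysadm_r only in this group of rules.
in_user_role(passwd_t)
in_user_role(chfn_t)
role sysadm_r types passwd_t;
role sysadm_r types sysadm_passwd_t;
role sysadm_r types chfn_t;
role system_r types passwd_t;
role system_r types chfn_t;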
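# File types for the executables named in the domain transitions of this file.
# NOTE(review): admin_passwd_exec_t does not carry the exec_type attribute
# that the other two types have - confirm that this is intentional.
type admin_passwd_exec_t, file_type, sysadmfile;
type passwd_exec_t, file_type, sysadmfile, exec_type;
type chfn_exec_t, file_type, sysadmfile, exec_type;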
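# Domain transitions into the password utility domains.
# Sources for passwd_t and chfn_t: every userdomain, plus firstboot_t when
# firstboot.te is part of the build.
domain_auto_trans({ userdomain ifdef(`firstboot.te', `firstboot_t') }, passwd_exec_t, passwd_t)
domain_auto_trans({ userdomain ifdef(`firstboot.te', `firstboot_t') }, chfn_exec_t, chfn_t)
# sysadm_t is the only source listed for sysadm_passwd_t, through admin_passwd_exec_t.
domain_auto_trans(sysadm_t, admin_passwd_exec_t, sysadm_passwd_t)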
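# chfn_t searches of var_t directories are denied without an audit record.
dontaudit chfn_t var_t:dir search;

# When crack.te is part of the build, passwd_t may search var_t and read
# crack_db_t directories and files (r_dir_perms and r_file_perms only).
# Otherwise its var_t searches are denied without an audit record.
ifdef(`crack.te', `
allow passwd_t var_t:dir search;
dontaudit passwd_t var_run_t:dir search;
allow passwd_t crack_db_t:dir r_dir_perms;
allow passwd_t crack_db_t:file r_file_perms;
', `
dontaudit passwd_t var_t:dir search;
')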
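# allow vipw to exec the editor
# NOTE(review): no domain transition is declared in this file for the editor
# or the shell, so they presumably run inside sysadm_passwd_t with all of its
# access (shadow_t relabeling, dac_override); an editor shell escape would
# inherit the same access - confirm against the can_exec macro.
allow sysadm_passwd_t { root_t bin_t sbin_t }:dir search;
allow sysadm_passwd_t bin_t:lnk_file read;
can_exec(sysadm_passwd_t, { shell_exec_t bin_t })
r_dir_file(sysadm_passwd_t, usr_t)

# allow vipw to create temporary files under /var/tmp/vi.recover
allow sysadm_passwd_t var_t:dir search;
tmp_domain(sysadm_passwd)
# for vipw - vi looks in the root home directory for config
dontaudit sysadm_passwd_t sysadm_home_dir_t:dir { getattr search };
# for /etc/alternatives/vi
# (the base macro already grants etc_t:lnk_file read to this domain)
allow sysadm_passwd_t etc_t:lnk_file read;

# for nscd lookups
dontaudit sysadm_passwd_t var_run_t:dir search;

# for /proc/meminfo
allow sysadm_passwd_t proc_t:file { getattr read };

# Searches of selinux_config_t directories by any of the three domains, and of
# devpts_t directories by sysadm_passwd_t, are denied without an audit record.
dontaudit { chfn_t passwd_t sysadm_passwd_t } selinux_config_t:dir search;
dontaudit sysadm_passwd_t devpts_t:dir search;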
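# make sure that getcon succeeds
# passwd_t may search directories and read files labelled with any userdomain
# type (presumably the /proc entries of user processes) and may query the
# attributes of those processes.
allow passwd_t userdomain:dir search;
allow passwd_t userdomain:file { getattr read };
allow passwd_t userdomain:process getattr;

# passwd_t may create a netlink audit socket and relay audit messages
# (nlmsg_relay). Of the three domains in this file, only passwd_t gets this
# socket access, although the audit capabilities go to every instance of the
# base macro.
allow passwd_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay };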
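# Targeted policy only: sysadm_passwd_t is also authorised for system_r and
# gets read-write access to devpts_t character devices.
ifdef(`targeted_policy', `
role system_r types sysadm_passwd_t;
allow sysadm_passwd_t devpts_t:chr_file rw_file_perms;
')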