Tree - rpms/selinux-policy - CentOS Git server

rpms / selinux-policy

Blame mls/domains/program/useradd.te

Blob History Raw

Chris PeBenito	31b7c0	`#DESC Useradd - Manage system user accounts`
Chris PeBenito	31b7c0	`#`
Chris PeBenito	31b7c0	`# Authors: Chris Vance <cvance@tislabs.com> David Caplan <dac@tresys.com>`
Chris PeBenito	31b7c0	`# Russell Coker <russell@coker.com.au>`
Chris PeBenito	31b7c0	`# X-Debian-Packages: passwd`
Chris PeBenito	31b7c0	`#`
Chris PeBenito	31b7c0
Chris PeBenito	31b7c0	`#################################`
Chris PeBenito	31b7c0	`#`
Chris PeBenito	31b7c0	`# Rules for the useradd_t and groupadd_t domains.`
Chris PeBenito	31b7c0	`#`
Chris PeBenito	31b7c0	`# useradd_t is the domain of the useradd/userdel programs.`
Chris PeBenito	31b7c0	`# groupadd_t is for adding groups (can not create home dirs)`
Chris PeBenito	31b7c0	`#`
Chris PeBenito	31b7c0	define(`user_group_add_program', `
Chris PeBenito	31b7c0	`type $1_t, domain, privlog, auth_write, privowner, nscd_client_domain;`
Chris PeBenito	31b7c0	`role sysadm_r types $1_t;`
Chris PeBenito	31b7c0	`role system_r types $1_t;`
Chris PeBenito	31b7c0
Chris PeBenito	31b7c0	`general_domain_access($1_t)`
Chris PeBenito	31b7c0	`uses_shlib($1_t)`
Chris PeBenito	31b7c0
Chris PeBenito	31b7c0	`type $1_exec_t, file_type, sysadmfile, exec_type;`
Chris PeBenito	31b7c0	`domain_auto_trans(sysadm_t, $1_exec_t, $1_t)`
Chris PeBenito	31b7c0	`domain_auto_trans(initrc_t, $1_exec_t, $1_t)`
Chris PeBenito	31b7c0
Chris PeBenito	31b7c0	`# Use capabilities.`
Chris PeBenito	31b7c0	`allow $1_t self:capability { dac_override chown kill };`
Chris PeBenito	31b7c0
Chris PeBenito	31b7c0	`# Allow access to context for shadow file`
Chris PeBenito	31b7c0	`can_getsecurity($1_t)`
Chris PeBenito	31b7c0
Chris PeBenito	31b7c0	`# Inherit and use descriptors from login.`
Chris PeBenito	31b7c0	`allow $1_t { init_t privfd }:fd use;`
Chris PeBenito	31b7c0
Chris PeBenito	31b7c0	`# Execute /usr/bin/{passwd,chfn,chsh} and /usr/sbin/{useradd,vipw}.`
Chris PeBenito	31b7c0	`allow $1_t { bin_t sbin_t }:dir r_dir_perms;`
Chris PeBenito	31b7c0	`can_exec($1_t, { bin_t sbin_t })`
Chris PeBenito	31b7c0
Chris PeBenito	31b7c0	`# Update /etc/shadow and /etc/passwd`
Chris PeBenito	31b7c0	`file_type_auto_trans($1_t, etc_t, shadow_t, file)`
Chris PeBenito	31b7c0	`allow $1_t etc_t:file create_file_perms;`
Chris PeBenito	31b7c0
Chris PeBenito	31b7c0	`# some apps ask for these accesses, but seems to work regardless`
Chris PeBenito	31b7c0	`dontaudit $1_t var_run_t:dir search;`
Chris PeBenito	31b7c0	`r_dir_file($1_t, selinux_config_t)`
Chris PeBenito	31b7c0
Chris PeBenito	31b7c0	`# Set fscreate context.`
Chris PeBenito	31b7c0	`can_setfscreate($1_t)`
Chris PeBenito	31b7c0
Chris PeBenito	31b7c0	`allow $1_t { etc_t shadow_t }:file { relabelfrom relabelto };`
Chris PeBenito	31b7c0
Chris PeBenito	31b7c0	`read_locale($1_t)`
Chris PeBenito	31b7c0
Chris PeBenito	31b7c0	`# useradd/userdel request read/write for /var/log/lastlog, and read of /dev,`
Chris PeBenito	31b7c0	`# but will operate without them.`
Chris PeBenito	31b7c0	`dontaudit $1_t { device_t var_t var_log_t }:dir search;`
Chris PeBenito	31b7c0
Chris PeBenito	31b7c0	`# For userdel and groupadd`
Chris PeBenito	31b7c0	`allow $1_t fs_t:filesystem getattr;`
Chris PeBenito	31b7c0
Chris PeBenito	31b7c0	`# Access terminals.`
Chris PeBenito	31b7c0	`allow $1_t ttyfile:chr_file rw_file_perms;`
Chris PeBenito	31b7c0	`allow $1_t ptyfile:chr_file rw_file_perms;`
Chris PeBenito	31b7c0	ifdef(`gnome-pty-helper.te', `allow $1_t gphdomain:fd use;')
Chris PeBenito	31b7c0
Chris PeBenito	31b7c0	`# for when /root is the cwd`
Chris PeBenito	31b7c0	`dontaudit $1_t sysadm_home_dir_t:dir search;`
Chris PeBenito	31b7c0	`nsswitch_domain($1_t)`
Chris PeBenito	31b7c0
Chris PeBenito	31b7c0	`allow $1_t self:netlink_audit_socket { create_socket_perms nlmsg_relay };`
Chris PeBenito	31b7c0	`')`
Chris PeBenito	31b7c0	`user_group_add_program(useradd)`
Chris PeBenito	31b7c0	`allow useradd_t lastlog_t:file { getattr read write };`
Chris PeBenito	31b7c0
Chris PeBenito	31b7c0	`# for getting the number of groups`
Chris PeBenito	31b7c0	`read_sysctl(useradd_t)`
Chris PeBenito	31b7c0
Chris PeBenito	31b7c0	`# Add/remove user home directories`
Chris PeBenito	31b7c0	`file_type_auto_trans(useradd_t, home_root_t, user_home_dir_t, dir)`
Chris PeBenito	31b7c0	`file_type_auto_trans(useradd_t, user_home_dir_t, user_home_t)`
Chris PeBenito	31b7c0
Chris PeBenito	31b7c0	`# create/delete mail spool file in /var/mail`
Chris PeBenito	31b7c0	`allow useradd_t var_spool_t:dir search;`
Chris PeBenito	31b7c0	`allow useradd_t mail_spool_t:dir { search write add_name remove_name };`
Chris PeBenito	31b7c0	`allow useradd_t mail_spool_t:file create_file_perms;`
Chris PeBenito	31b7c0	`# /var/mail is a link to /var/spool/mail`
Chris PeBenito	31b7c0	`allow useradd_t mail_spool_t:lnk_file read;`
Chris PeBenito	31b7c0
Chris PeBenito	31b7c0	`allow useradd_t self:capability { fowner fsetid setuid sys_resource };`
Chris PeBenito	31b7c0	`can_exec(useradd_t, shell_exec_t)`
Chris PeBenito	31b7c0
Chris PeBenito	31b7c0	`# /usr/bin/userdel locks the user being deleted, allow write access to utmp`
Chris PeBenito	31b7c0	`allow useradd_t initrc_var_run_t:file { read write lock };`
Chris PeBenito	31b7c0
Chris PeBenito	31b7c0	`user_group_add_program(groupadd)`
Chris PeBenito	31b7c0
Chris PeBenito	31b7c0	`dontaudit groupadd_t self:capability fsetid;`
Chris PeBenito	31b7c0
Chris PeBenito	31b7c0	`allow groupadd_t self:capability { setuid sys_resource };`
Chris PeBenito	31b7c0	`allow groupadd_t self:process setrlimit;`
Chris PeBenito	31b7c0	`allow groupadd_t initrc_var_run_t:file r_file_perms;`
Chris PeBenito	31b7c0	`dontaudit groupadd_t initrc_var_run_t:file write;`
Chris PeBenito	31b7c0
Chris PeBenito	31b7c0	`allow useradd_t default_context_t:dir search;`
Chris PeBenito	31b7c0	`allow useradd_t file_context_t:dir search;`
Chris PeBenito	31b7c0	`allow useradd_t file_context_t:file { getattr read };`
Chris PeBenito	31b7c0	`allow useradd_t var_lib_t:dir search;`

rpms / selinux-policy

Source Code

Blame mls/domains/program/useradd.te