#DESC Useradd - Manage system user accounts
#
# Authors:  Chris Vance <cvance@tislabs.com>  David Caplan <dac@tresys.com>
#           Russell Coker <russell@coker.com.au>
# X-Debian-Packages: passwd
#
#################################
#
# Rules for the useradd_t and groupadd_t domains.
#
# useradd_t is the domain of the useradd/userdel programs.
# groupadd_t is for adding groups (cannot create home dirs)
#
#################################
#
# user_group_add_program(prefix)
#
# Declares the account-management domain prefix_t together with its
# entry point type prefix_exec_t, and grants the access that useradd_t
# and groupadd_t have in common. Invoked below once for useradd and
# once for groupadd; the rules that only one of the two domains needs
# follow each invocation.
#
# Entry: sysadm_t and initrc_t transition into prefix_t when they
# execute a file of type prefix_exec_t (domain_auto_trans below).
#
define(`user_group_add_program', `
# The attributes privlog, auth_write, privowner and nscd_client_domain
# are defined elsewhere in the policy, not here; auth_write is presumably
# what carries the shadow database write access - confirm there.
type $1_t, domain, privlog, auth_write, privowner, nscd_client_domain;
role sysadm_r types $1_t;
role system_r types $1_t;

general_domain_access($1_t)
uses_shlib($1_t)

type $1_exec_t, file_type, sysadmfile, exec_type;
# Entry points: both the administrator and the init scripts enter the
# domain by executing the entry point file.
domain_auto_trans(sysadm_t, $1_exec_t, $1_t)
domain_auto_trans(initrc_t, $1_exec_t, $1_t)

# Use capabilities.
# dac_override bypasses DAC permission checks, so the type rules in this
# file are the only effective limit on which files the domain can touch.
# chown is presumably for home directories and mail spool files; kill is
# not explained here - TODO confirm what it is needed for.
allow $1_t self:capability { dac_override chown kill };

# Allow access to context for shadow file
can_getsecurity($1_t)

# Inherit and use descriptors from login.
allow $1_t { init_t privfd }:fd use;

# Execute /usr/bin/{passwd,chfn,chsh} and /usr/sbin/{useradd,vipw}.
# This covers every file of type bin_t or sbin_t, not only the programs
# named above, and can_exec presumably grants execution without a domain
# transition, so such programs run with the full access of this domain.
allow $1_t { bin_t sbin_t }:dir r_dir_perms;
can_exec($1_t, { bin_t sbin_t })

# Update /etc/shadow and /etc/passwd
# Files this domain creates in an etc_t directory default to shadow_t
# (presumably the temporary copy of the shadow file); together with the
# fscreate access below it can also create files labelled etc_t.
file_type_auto_trans($1_t, etc_t, shadow_t, file)
allow $1_t etc_t:file create_file_perms;

# some apps ask for these accesses, but seems to work regardless
dontaudit $1_t var_run_t:dir search;
r_dir_file($1_t,  selinux_config_t)

# Set fscreate context.
can_setfscreate($1_t)

# Relabeling is allowed in both directions, so this domain can also turn
# a shadow_t file into a less protected etc_t file (or the reverse). That
# is inherent in managing the passwd/shadow pair and is why the domain
# is reachable only through the entry points declared above.
allow $1_t { etc_t shadow_t }:file { relabelfrom relabelto };

read_locale($1_t)

# useradd/userdel request read/write for /var/log/lastlog, and read of /dev,
# but will operate without them.
dontaudit $1_t { device_t var_t var_log_t }:dir search;

# For userdel and groupadd
allow $1_t fs_t:filesystem getattr;

# Access terminals.
allow $1_t ttyfile:chr_file rw_file_perms;
allow $1_t ptyfile:chr_file rw_file_perms;
ifdef(`gnome-pty-helper.te', `allow $1_t gphdomain:fd use;')

# for when /root is the cwd
dontaudit $1_t sysadm_home_dir_t:dir search;
nsswitch_domain($1_t)

# nlmsg_relay lets the domain send user-space audit messages, presumably
# so that account changes are recorded in the audit log - confirm.
allow $1_t self:netlink_audit_socket { create_socket_perms nlmsg_relay };
')
#################################
#
# useradd_t: rules beyond the shared macro. useradd/userdel need to
# create and remove home directories and mail spool files, which
# groupadd does not.
#
user_group_add_program(useradd)
allow useradd_t lastlog_t:file { getattr read write };

# for getting the number of groups
read_sysctl(useradd_t)

# Add/remove user home directories
# New directories under home_root_t become user_home_dir_t. The second
# rule has no class argument, so objects useradd_t creates inside a home
# directory (presumably files copied from the skeleton) get user_home_t
# regardless of class - confirm the default class list of the macro.
file_type_auto_trans(useradd_t, home_root_t, user_home_dir_t, dir)
file_type_auto_trans(useradd_t, user_home_dir_t, user_home_t)

# create/delete mail spool file in /var/mail
allow useradd_t var_spool_t:dir search;
allow useradd_t mail_spool_t:dir { search write add_name remove_name };
allow useradd_t mail_spool_t:file create_file_perms;
# /var/mail is a link to /var/spool/mail
allow useradd_t mail_spool_t:lnk_file read;

# fowner/fsetid: change mode and set-id bits on files it does not own
# (home directory and spool setup); setuid: change uid; sys_resource:
# raise resource limits. These add to the capabilities in the macro.
allow useradd_t self:capability { fowner fsetid setuid sys_resource };
# Shells run inside useradd_t without a transition, presumably for the
# optional pre/post scripts of useradd/userdel - confirm.
can_exec(useradd_t, shell_exec_t)

# /usr/bin/userdel locks the user being deleted, allow write access to utmp
allow useradd_t initrc_var_run_t:file { read write lock };
#################################
#
# groupadd_t: rules beyond the shared macro. Only capabilities and utmp
# access are added; there are no home directory or mail spool rules, so
# this section keeps groupadd_t away from user data.
#
user_group_add_program(groupadd)

# fsetid is requested but presumably not needed, so the denial is
# silenced rather than granted.
dontaudit groupadd_t self:capability fsetid;

allow groupadd_t self:capability { setuid sys_resource };
# setrlimit pairs with sys_resource above (presumably the program raises
# its own limits).
allow groupadd_t self:process setrlimit;
# utmp (initrc_var_run_t) is read-only for groupadd_t and the write
# attempt is silenced, unlike useradd_t which may lock and write it.
allow groupadd_t initrc_var_run_t:file r_file_perms;
dontaudit groupadd_t initrc_var_run_t:file write;
# Further useradd_t rules (logically part of the useradd section above;
# kept here so the existing layout is unchanged).
# Read access to file_context_t is presumably used to label new home
# directories correctly - confirm; default_context_t and var_lib_t are
# search only, no file access is granted.
allow useradd_t default_context_t:dir search;
allow useradd_t file_context_t:dir search;
allow useradd_t file_context_t:file { getattr read };
allow useradd_t var_lib_t:dir search;