#DESC SE Linux User Manager (seuser)

#DEPENDS checkpolicy.te load_policy.te

#

# Authors:   don.patterson@tresys.com, mayerf@tresys.com

# Additions: wsalamon@tislabs.com, dac@tresys.com

#

#################################

#

# Rules for the seuser_t domain.

#

# seuser_t is the domain of the seuser application when it is executed.

# seuser_conf_t is the type of the seuser configuration file.

# seuser_exec_t is the type of the seuser executable.

# seuser_tmp_t is the type of the temporary file(s) created by seuser.

# 

##############################################

# Define types, and typical rules including

# access to execute and transition

##############################################

# Defined seuser types

type seuser_t, domain, privhome  ;

type seuser_conf_t, file_type, sysadmfile ;

type seuser_exec_t, file_type, sysadmfile, exec_type ;

tmp_domain(seuser)

# Authorize roles

role sysadm_r types seuser_t ;

# Allow sysadm_t to run with privilege

domain_auto_trans(sysadm_t, seuser_exec_t, seuser_t)

# Grant the new domain permissions to many common operations

# FIX: Should be more resticted than this.

#every_domain(seuser_t)

allow seuser_t self:process { fork sigchld };

allow seuser_t self:fifo_file read;

allow seuser_t self:unix_stream_socket {create connect};

allow seuser_t self:dir search;

allow seuser_t self:file { read getattr };

allow seuser_t etc_t:dir search;

allow seuser_t etc_t:{lnk_file file} { read getattr};

read_locale(seuser_t)

allow seuser_t { var_run_t var_t}:dir search;

uses_shlib(seuser_t)

allow seuser_t devtty_t:chr_file {read write };

allow seuser_t proc_t:dir search;

allow seuser_t proc_t:{lnk_file file} { getattr read };

allow seuser_t root_t:dir search;

allow seuser_t staff_home_dir_t:dir search;

allow seuser_t home_root_t:dir { getattr search };

allow seuser_t staff_home_dir_t:dir getattr;

allow seuser_t default_t:file {read getattr};

allow seuser_t bin_t:dir { getattr search read} ;

allow seuser_t bin_t:lnk_file { read getattr };

allow seuser_t sbin_t:dir search;

# Inherit and use descriptors from login.

allow seuser_t privfd:fd use;

###############################################

# Use capabilities to self

allow seuser_t self:capability { dac_override setuid setgid } ;

# Grant the seuser domain ability to change passwords for a user.

allow seuser_t self:passwd { passwd chfn chsh } ;

# Read permissions for seuser.conf file

allow seuser_t seuser_conf_t:file r_file_perms ;

###################################################################

# Policy section: Define the ability to change and load policies

###################################################################

# seuser_t domain needs to transition to the checkpolicy and loadpolicy 

# domains in order to install and load new policies.

domain_auto_trans(seuser_t, checkpolicy_exec_t, checkpolicy_t)

domain_auto_trans(seuser_t, load_policy_exec_t, load_policy_t)

# allow load_policy and checkpolicy domains access to seuser_tmp_t

# files in order for their stdout/stderr able to be put into

# seuser's tmp files.

#

# Since both these domains carefully try to limit where the

# assoicated program can read from, we won't use the standard

# rw_file_perm macro, but instead only grant the minimum needed

# to redirect output, write and getattr.

allow checkpolicy_t seuser_tmp_t:file { getattr write } ;

allow load_policy_t seuser_tmp_t:file { getattr write } ;

allow useradd_t seuser_tmp_t:file { getattr write } ;

# FIX:  Temporarily allow seuser_t permissions for executing programs with a 

# bint_t type without changing domains. We have to give seuser_t the following 

# access because we use the policy make process to build new plicy.conf files. 

# At some point, a new policy management infrastructure should remove the ability 

# to modify policy source files with arbitrary progams

#

can_exec(seuser_t, bin_t)

can_exec(seuser_t, shell_exec_t)

# Read/write permission to the login context files in /etc/security

allow seuser_t login_contexts:file create_file_perms ;

# Read/write permission to the policy source and its' directory

allow seuser_t policy_src_t:dir create_dir_perms ;

allow seuser_t policy_src_t:file create_file_perms ;

# Allow search and stat for policy_config_t

allow seuser_t policy_config_t:dir { search getattr } ;

allow seuser_t policy_config_t:file stat_file_perms;

#ifdef(`xserver.te', `

############################################################

# Xserver section - To support our GUI interface, 

############################################################

# Permission to create files in /tmp/.X11-Unix

#allow seuser_t sysadm_xserver_tmp_t:dir search ;

#allow seuser_t sysadm_xserver_tmp_t:sock_file write ;

#allow seuser_t user_xserver_tmp_t:dir search ;

#allow seuser_t user_xserver_tmp_t:sock_file write ;

# Permission to establish a Unix stream connection to X server

#can_unix_connect(seuser_t, user_xserver_t)

#can_unix_connect(seuser_t, sysadm_xserver_t)

#')

ifdef(`xdm.te', `

can_unix_connect(seuser_t, xdm_xserver_t)

')

# seuser_t domain needs execute access to the library files so that it can run.

can_exec(seuser_t, lib_t)

# Access ttys

allow seuser_t sysadm_tty_device_t:chr_file rw_file_perms ;

allow seuser_t sysadm_devpts_t:chr_file rw_file_perms ;