|
Chris PeBenito |
0fbfa5 |
#DESC Useradd - Manage system user accounts
|
|
Chris PeBenito |
0fbfa5 |
#
|
|
Chris PeBenito |
0fbfa5 |
# Authors: Chris Vance <cvance@tislabs.com> David Caplan <dac@tresys.com>
|
|
Chris PeBenito |
0fbfa5 |
# Russell Coker <russell@coker.com.au>
|
|
Chris PeBenito |
0fbfa5 |
# X-Debian-Packages: passwd
|
|
Chris PeBenito |
0fbfa5 |
#
|
|
Chris PeBenito |
0fbfa5 |
|
|
Chris PeBenito |
0fbfa5 |
#################################
|
|
Chris PeBenito |
0fbfa5 |
#
|
|
Chris PeBenito |
0fbfa5 |
# Rules for the useradd_t and groupadd_t domains.
|
|
Chris PeBenito |
0fbfa5 |
#
|
|
Chris PeBenito |
0fbfa5 |
# useradd_t is the domain of the useradd/userdel programs.
|
|
Chris PeBenito |
0fbfa5 |
# groupadd_t is for adding groups (can not create home dirs)
|
|
Chris PeBenito |
0fbfa5 |
#
|
|
Chris PeBenito |
0fbfa5 |
define(`user_group_add_program', `
|
|
Chris PeBenito |
0fbfa5 |
type $1_t, domain, privlog, auth_write, privowner, nscd_client_domain;
|
|
Chris PeBenito |
0fbfa5 |
role sysadm_r types $1_t;
|
|
Chris PeBenito |
0fbfa5 |
role system_r types $1_t;
|
|
Chris PeBenito |
0fbfa5 |
|
|
Chris PeBenito |
0fbfa5 |
general_domain_access($1_t)
|
|
Chris PeBenito |
0fbfa5 |
uses_shlib($1_t)
|
|
Chris PeBenito |
0fbfa5 |
|
|
Chris PeBenito |
0fbfa5 |
type $1_exec_t, file_type, sysadmfile, exec_type;
|
|
Chris PeBenito |
0fbfa5 |
domain_auto_trans(sysadm_t, $1_exec_t, $1_t)
|
|
Chris PeBenito |
0fbfa5 |
domain_auto_trans(initrc_t, $1_exec_t, $1_t)
|
|
Chris PeBenito |
0fbfa5 |
|
|
Chris PeBenito |
0fbfa5 |
# Use capabilities.
|
|
Chris PeBenito |
0fbfa5 |
allow $1_t self:capability { dac_override chown kill };
|
|
Chris PeBenito |
0fbfa5 |
|
|
Chris PeBenito |
0fbfa5 |
# Allow access to context for shadow file
|
|
Chris PeBenito |
0fbfa5 |
can_getsecurity($1_t)
|
|
Chris PeBenito |
0fbfa5 |
|
|
Chris PeBenito |
0fbfa5 |
# Inherit and use descriptors from login.
|
|
Chris PeBenito |
0fbfa5 |
allow $1_t { init_t privfd }:fd use;
|
|
Chris PeBenito |
0fbfa5 |
|
|
Chris PeBenito |
0fbfa5 |
# Execute /usr/bin/{passwd,chfn,chsh} and /usr/sbin/{useradd,vipw}.
|
|
Chris PeBenito |
0fbfa5 |
allow $1_t { bin_t sbin_t }:dir r_dir_perms;
|
|
Chris PeBenito |
0fbfa5 |
can_exec($1_t, { bin_t sbin_t })
|
|
Chris PeBenito |
0fbfa5 |
|
|
Chris PeBenito |
0fbfa5 |
# Update /etc/shadow and /etc/passwd
|
|
Chris PeBenito |
0fbfa5 |
file_type_auto_trans($1_t, etc_t, shadow_t, file)
|
|
Chris PeBenito |
0fbfa5 |
allow $1_t etc_t:file create_file_perms;
|
|
Chris PeBenito |
0fbfa5 |
|
|
Chris PeBenito |
0fbfa5 |
# some apps ask for these accesses, but seems to work regardless
|
|
Chris PeBenito |
0fbfa5 |
dontaudit $1_t var_run_t:dir search;
|
|
Chris PeBenito |
0fbfa5 |
r_dir_file($1_t, selinux_config_t)
|
|
Chris PeBenito |
0fbfa5 |
|
|
Chris PeBenito |
0fbfa5 |
# Set fscreate context.
|
|
Chris PeBenito |
0fbfa5 |
can_setfscreate($1_t)
|
|
Chris PeBenito |
0fbfa5 |
|
|
Chris PeBenito |
0fbfa5 |
allow $1_t { etc_t shadow_t }:file { relabelfrom relabelto };
|
|
Chris PeBenito |
0fbfa5 |
|
|
Chris PeBenito |
0fbfa5 |
read_locale($1_t)
|
|
Chris PeBenito |
0fbfa5 |
|
|
Chris PeBenito |
0fbfa5 |
# useradd/userdel request read/write for /var/log/lastlog, and read of /dev,
|
|
Chris PeBenito |
0fbfa5 |
# but will operate without them.
|
|
Chris PeBenito |
0fbfa5 |
dontaudit $1_t { device_t var_t var_log_t }:dir search;
|
|
Chris PeBenito |
0fbfa5 |
allow useradd_t lastlog_t:file { read write };
|
|
Chris PeBenito |
0fbfa5 |
|
|
Chris PeBenito |
0fbfa5 |
# For userdel and groupadd
|
|
Chris PeBenito |
0fbfa5 |
allow $1_t fs_t:filesystem getattr;
|
|
Chris PeBenito |
0fbfa5 |
|
|
Chris PeBenito |
0fbfa5 |
# Access terminals.
|
|
Chris PeBenito |
0fbfa5 |
allow $1_t ttyfile:chr_file rw_file_perms;
|
|
Chris PeBenito |
0fbfa5 |
allow $1_t ptyfile:chr_file rw_file_perms;
|
|
Chris PeBenito |
0fbfa5 |
ifdef(`gnome-pty-helper.te', `allow $1_t gphdomain:fd use;')
|
|
Chris PeBenito |
0fbfa5 |
|
|
Chris PeBenito |
0fbfa5 |
# for when /root is the cwd
|
|
Chris PeBenito |
0fbfa5 |
dontaudit $1_t sysadm_home_dir_t:dir search;
|
|
Chris PeBenito |
0fbfa5 |
')
|
|
Chris PeBenito |
0fbfa5 |
user_group_add_program(useradd)
|
|
Chris PeBenito |
0fbfa5 |
|
|
Chris PeBenito |
0fbfa5 |
# for getting the number of groups
|
|
Chris PeBenito |
0fbfa5 |
read_sysctl(useradd_t)
|
|
Chris PeBenito |
0fbfa5 |
|
|
Chris PeBenito |
0fbfa5 |
# Add/remove user home directories
|
|
Chris PeBenito |
0fbfa5 |
file_type_auto_trans(useradd_t, home_root_t, user_home_dir_t, dir)
|
|
Chris PeBenito |
0fbfa5 |
file_type_auto_trans(useradd_t, user_home_dir_t, user_home_t)
|
|
Chris PeBenito |
0fbfa5 |
|
|
Chris PeBenito |
0fbfa5 |
# create/delete mail spool file in /var/mail
|
|
Chris PeBenito |
0fbfa5 |
allow useradd_t var_spool_t:dir search;
|
|
Chris PeBenito |
0fbfa5 |
allow useradd_t mail_spool_t:dir { search write add_name remove_name };
|
|
Chris PeBenito |
0fbfa5 |
allow useradd_t mail_spool_t:file create_file_perms;
|
|
Chris PeBenito |
0fbfa5 |
# /var/mail is a link to /var/spool/mail
|
|
Chris PeBenito |
0fbfa5 |
allow useradd_t mail_spool_t:lnk_file read;
|
|
Chris PeBenito |
0fbfa5 |
|
|
Chris PeBenito |
0fbfa5 |
allow useradd_t self:capability { fowner fsetid setuid sys_resource };
|
|
Chris PeBenito |
0fbfa5 |
can_exec(useradd_t, shell_exec_t)
|
|
Chris PeBenito |
0fbfa5 |
|
|
Chris PeBenito |
0fbfa5 |
# /usr/bin/userdel locks the user being deleted, allow write access to utmp
|
|
Chris PeBenito |
0fbfa5 |
allow useradd_t initrc_var_run_t:file { read write lock };
|
|
Chris PeBenito |
0fbfa5 |
|
|
Chris PeBenito |
0fbfa5 |
user_group_add_program(groupadd)
|
|
Chris PeBenito |
0fbfa5 |
|
|
Chris PeBenito |
0fbfa5 |
dontaudit groupadd_t self:capability fsetid;
|
|
Chris PeBenito |
0fbfa5 |
|
|
Chris PeBenito |
0fbfa5 |
allow groupadd_t self:capability { setuid sys_resource };
|
|
Chris PeBenito |
0fbfa5 |
allow groupadd_t self:process setrlimit;
|
|
Chris PeBenito |
0fbfa5 |
allow groupadd_t initrc_var_run_t:file r_file_perms;
|
|
Chris PeBenito |
0fbfa5 |
dontaudit groupadd_t initrc_var_run_t:file write;
|