Chris PeBenito 0fbfa5
#DESC Useradd - Manage system user accounts
Chris PeBenito 0fbfa5
#
Chris PeBenito 0fbfa5
# Authors:  Chris Vance <cvance@tislabs.com>  David Caplan <dac@tresys.com>
Chris PeBenito 0fbfa5
#           Russell Coker <russell@coker.com.au>
Chris PeBenito 0fbfa5
# X-Debian-Packages: passwd
Chris PeBenito 0fbfa5
#
Chris PeBenito 0fbfa5
Chris PeBenito 0fbfa5
#################################
Chris PeBenito 0fbfa5
#
Chris PeBenito 0fbfa5
# Rules for the useradd_t and groupadd_t domains.
Chris PeBenito 0fbfa5
#
Chris PeBenito 0fbfa5
# useradd_t is the domain of the useradd/userdel programs.
Chris PeBenito 0fbfa5
# groupadd_t is for adding groups (can not create home dirs)
Chris PeBenito 0fbfa5
#
Chris PeBenito 0fbfa5
define(`user_group_add_program', `
Chris PeBenito 0fbfa5
type $1_t, domain, privlog, auth_write, privowner, nscd_client_domain;
Chris PeBenito 0fbfa5
role sysadm_r types $1_t;
Chris PeBenito 0fbfa5
role system_r types $1_t;
Chris PeBenito 0fbfa5
Chris PeBenito 0fbfa5
general_domain_access($1_t)
Chris PeBenito 0fbfa5
uses_shlib($1_t)
Chris PeBenito 0fbfa5
Chris PeBenito 0fbfa5
type $1_exec_t, file_type, sysadmfile, exec_type;
Chris PeBenito 0fbfa5
domain_auto_trans(sysadm_t, $1_exec_t, $1_t)
Chris PeBenito 0fbfa5
domain_auto_trans(initrc_t, $1_exec_t, $1_t)
Chris PeBenito 0fbfa5
Chris PeBenito 0fbfa5
# Use capabilities.
Chris PeBenito 0fbfa5
allow $1_t self:capability { dac_override chown kill };
Chris PeBenito 0fbfa5
Chris PeBenito 0fbfa5
# Allow access to context for shadow file
Chris PeBenito 0fbfa5
can_getsecurity($1_t)
Chris PeBenito 0fbfa5
Chris PeBenito 0fbfa5
# Inherit and use descriptors from login.
Chris PeBenito 0fbfa5
allow $1_t { init_t privfd }:fd use;
Chris PeBenito 0fbfa5
Chris PeBenito 0fbfa5
# Execute /usr/bin/{passwd,chfn,chsh} and /usr/sbin/{useradd,vipw}.
Chris PeBenito 0fbfa5
allow $1_t { bin_t sbin_t }:dir r_dir_perms;
Chris PeBenito 0fbfa5
can_exec($1_t, { bin_t sbin_t })
Chris PeBenito 0fbfa5
Chris PeBenito 0fbfa5
# Update /etc/shadow and /etc/passwd
Chris PeBenito 0fbfa5
file_type_auto_trans($1_t, etc_t, shadow_t, file)
Chris PeBenito 0fbfa5
allow $1_t etc_t:file create_file_perms;
Chris PeBenito 0fbfa5
Chris PeBenito 0fbfa5
# some apps ask for these accesses, but seems to work regardless
Chris PeBenito 0fbfa5
dontaudit $1_t var_run_t:dir search;
Chris PeBenito 0fbfa5
r_dir_file($1_t,  selinux_config_t)
Chris PeBenito 0fbfa5
Chris PeBenito 0fbfa5
# Set fscreate context.
Chris PeBenito 0fbfa5
can_setfscreate($1_t)
Chris PeBenito 0fbfa5
Chris PeBenito 0fbfa5
allow $1_t { etc_t shadow_t }:file { relabelfrom relabelto };
Chris PeBenito 0fbfa5
Chris PeBenito 0fbfa5
read_locale($1_t)
Chris PeBenito 0fbfa5
Chris PeBenito 0fbfa5
# useradd/userdel request read/write for /var/log/lastlog, and read of /dev, 
Chris PeBenito 0fbfa5
# but will operate without them.
Chris PeBenito 0fbfa5
dontaudit $1_t { device_t var_t var_log_t }:dir search;
Chris PeBenito 0fbfa5
allow useradd_t lastlog_t:file { read write };
Chris PeBenito 0fbfa5
Chris PeBenito 0fbfa5
# For userdel and groupadd
Chris PeBenito 0fbfa5
allow $1_t fs_t:filesystem getattr;
Chris PeBenito 0fbfa5
Chris PeBenito 0fbfa5
# Access terminals.
Chris PeBenito 0fbfa5
allow $1_t ttyfile:chr_file rw_file_perms;
Chris PeBenito 0fbfa5
allow $1_t ptyfile:chr_file rw_file_perms;
Chris PeBenito 0fbfa5
ifdef(`gnome-pty-helper.te', `allow $1_t gphdomain:fd use;')
Chris PeBenito 0fbfa5
Chris PeBenito 0fbfa5
# for when /root is the cwd
Chris PeBenito 0fbfa5
dontaudit $1_t sysadm_home_dir_t:dir search;
Chris PeBenito 0fbfa5
')
Chris PeBenito 0fbfa5
user_group_add_program(useradd)
Chris PeBenito 0fbfa5
Chris PeBenito 0fbfa5
# for getting the number of groups
Chris PeBenito 0fbfa5
read_sysctl(useradd_t)
Chris PeBenito 0fbfa5
Chris PeBenito 0fbfa5
# Add/remove user home directories
Chris PeBenito 0fbfa5
file_type_auto_trans(useradd_t, home_root_t, user_home_dir_t, dir)
Chris PeBenito 0fbfa5
file_type_auto_trans(useradd_t, user_home_dir_t, user_home_t)
Chris PeBenito 0fbfa5
Chris PeBenito 0fbfa5
# create/delete mail spool file in /var/mail
Chris PeBenito 0fbfa5
allow useradd_t var_spool_t:dir search;
Chris PeBenito 0fbfa5
allow useradd_t mail_spool_t:dir { search write add_name remove_name };
Chris PeBenito 0fbfa5
allow useradd_t mail_spool_t:file create_file_perms;
Chris PeBenito 0fbfa5
# /var/mail is a link to /var/spool/mail
Chris PeBenito 0fbfa5
allow useradd_t mail_spool_t:lnk_file read;
Chris PeBenito 0fbfa5
Chris PeBenito 0fbfa5
allow useradd_t self:capability { fowner fsetid setuid sys_resource };
Chris PeBenito 0fbfa5
can_exec(useradd_t, shell_exec_t)
Chris PeBenito 0fbfa5
Chris PeBenito 0fbfa5
# /usr/bin/userdel locks the user being deleted, allow write access to utmp
Chris PeBenito 0fbfa5
allow useradd_t initrc_var_run_t:file { read write lock };
Chris PeBenito 0fbfa5
Chris PeBenito 0fbfa5
user_group_add_program(groupadd)
Chris PeBenito 0fbfa5
Chris PeBenito 0fbfa5
dontaudit groupadd_t self:capability fsetid;
Chris PeBenito 0fbfa5
Chris PeBenito 0fbfa5
allow groupadd_t self:capability { setuid sys_resource };
Chris PeBenito 0fbfa5
allow groupadd_t self:process setrlimit;
Chris PeBenito 0fbfa5
allow groupadd_t initrc_var_run_t:file r_file_perms;
Chris PeBenito 0fbfa5
dontaudit groupadd_t initrc_var_run_t:file write;