#
# Macros for all admin domains.
#
#
# admin_domain(domain_prefix)
#
# Define derived types and rules for an administrator domain.
#
# The type declaration and role authorization for the domain must be
# provided separately.  Likewise, domain transitions into this domain
# must be specified separately.  If the every_domain() rules are desired,
# then these rules must also be specified separately.
#
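undefine(`admin_domain')
define(`admin_domain',`
#
# admin_domain(domain_prefix)
#
# Body of the administrator domain macro.  The prefix names the domain
# (sysadm expands to sysadm_t); the domain type, its role authorization
# and any transitions into it are declared by the caller.
#
# Several grants below are intentionally broad: every capability except
# sys_module, every kernel system operation, signals to every domain,
# and create plus relabel on every sysadmfile type.  Only apply this
# macro to domains reserved for fully trusted administrators.
#

# Types for the home directory and its contents.  Home contents carry
# the per-domain file attribute so derived program domains can be given
# access to them as a group.
attribute $1_file_type;
type $1_home_dir_t, file_type, sysadmfile, home_dir_type, home_type;
type $1_home_t, file_type, sysadmfile, home_type, $1_file_type;

# Type and access for pty devices.
can_create_pty($1, `, admin_tty_type')

# Temporary files.
# Transition manually for { lnk sock fifo }. The rest is in content macros.
# The domain may also move its own tmp files into and out of its tmp type.
tmp_domain_notrans($1, `, $1_file_type')
file_type_auto_trans($1_t, tmp_t, $1_tmp_t, { lnk_file sock_file fifo_file })
allow $1_t $1_tmp_t:{ dir file } { relabelto relabelfrom };

# Type for tty devices.
type $1_tty_device_t, sysadmfile, ttyfile, dev_fs, admin_tty_type;

# Inherit the rules for ordinary users, then add administrator access.
base_user_domain($1)
access_removable_media($1_t)

allow $1_t self:capability setuid;

# Derived domains for su, userhelper and sudo, when those program
# policies are part of the build.
ifdef(`su.te', `su_domain($1)')
ifdef(`userhelper.te', `userhelper_domain($1)')
ifdef(`sudo.te', `sudo_domain($1)')

# Let admin stat the shadow file.  Only getattr is granted here; read
# access to shadow_t is not part of this macro.
allow $1_t shadow_t:file getattr;

# The derived crond domain of this prefix may read var_log_t files.
ifdef(`crond.te', `
allow $1_crond_t var_log_t:file r_file_perms;
')

# Allow system log read
allow $1_t kernel_t:system syslog_read;

# Allow autrace
# Privileged audit netlink reads are granted by security_manager_domain
# instead, so the rule below stays disabled here.
# allow sysadm_t self:netlink_audit_socket nlmsg_readpriv;

# Use capabilities other than sys_module.
allow $1_t self:capability ~sys_module;

# Use system operations.
allow $1_t kernel_t:system *;

# Set password information for other users.
allow $1_t self:passwd { passwd chfn chsh };

# Skip authentication when pam_rootok is specified.
allow $1_t self:passwd rootok;

# Manipulate other user crontab.
# The crontab domain is derived from the prefix and only exists when
# crontab.te is part of the policy, so the security query access is
# guarded the same way as the crontab spool rule further down instead
# of naming sysadm_crontab_t unconditionally.
allow $1_t self:passwd crontab;
ifdef(`crontab.te', `can_getsecurity($1_crontab_t)')

# Change system parameters.
can_sysctl($1_t)

# Create and use all files that have the sysadmfile attribute.
allow $1_t sysadmfile:{ file sock_file fifo_file } create_file_perms;
allow $1_t sysadmfile:lnk_file create_lnk_perms;
allow $1_t sysadmfile:dir create_dir_perms;

# for lsof
allow $1_t mtrr_device_t:file getattr;
allow $1_t fs_type:dir getattr;

# Access removable devices.
allow $1_t removable_device_t:devfile_class_set rw_file_perms;

# Communicate with the init process.
allow $1_t initctl_t:fifo_file rw_file_perms;

# Examine all processes.
can_ps($1_t, domain)

# allow renice
allow $1_t domain:process setsched;

# Send signals to all processes, including unlabeled ones.
allow $1_t { domain unlabeled_t }:process signal_perms;

# Access all user terminals.
allow $1_t tty_device_t:chr_file rw_file_perms;
allow $1_t ttyfile:chr_file rw_file_perms;
allow $1_t ptyfile:chr_file rw_file_perms;
allow $1_t serial_device:chr_file setattr;

# allow setting up tunnels
allow $1_t tun_tap_device_t:chr_file rw_file_perms;

# run ls -l /dev
allow $1_t device_t:dir r_dir_perms;
allow $1_t { device_t device_type }:{ chr_file blk_file } getattr;
allow $1_t ptyfile:chr_file getattr;

# Run programs from staff home directories.
# Not ideal, but typical if users want to login as either sysadm_t or staff_t.
can_exec($1_t, staff_home_t)

# Run programs from /usr/src.
can_exec($1_t, src_t)

# Relabel all files.
# Actually this will not allow relabeling ALL files unless you change
# sysadmfile to file_type (and change the assertion in assert.te that
# only auth_write can relabel shadow_t)
allow $1_t sysadmfile:dir { getattr read search relabelfrom relabelto };
allow $1_t sysadmfile:notdevfile_class_set { getattr relabelfrom relabelto };

ifdef(`startx.te', `
ifdef(`xserver.te', `
# Create files in /tmp/.X11-unix with our X servers derived
# tmp type rather than user_xserver_tmp_t.
file_type_auto_trans($1_xserver_t, xserver_tmpfile, $1_xserver_tmp_t, sock_file)
')dnl end xserver.te
')dnl end startx.te

ifdef(`xdm.te', `
ifdef(`xauth.te', `
# xdm may search the admin home directory and read links in it only
# while the xdm_sysadm_login boolean is enabled.
if (xdm_sysadm_login) {
allow xdm_t $1_home_t:lnk_file read;
allow xdm_t $1_home_t:dir search;
}
can_pipe_xdm($1_t)
')dnl end ifdef xauth.te
')dnl end ifdef xdm.te

#
# A user who is authorized for sysadm_t may nonetheless have
# a home directory labeled with user_home_t if the user is expected
# to login in either user_t or sysadm_t.  Hence, the derived domains
# for programs need to be able to access user_home_t.
#

# Allow our gph domain to write to .xsession-errors.
ifdef(`gnome-pty-helper.te', `
allow $1_gph_t user_home_dir_type:dir rw_dir_perms;
allow $1_gph_t user_home_type:file create_file_perms;
')

# Allow our crontab domain to unlink a user cron spool file.
ifdef(`crontab.te',
`allow $1_crontab_t user_cron_spool_t:file unlink;')

# for the administrator to run TCP servers directly
can_tcp_connect($1_t, $1_t)
allow $1_t port_t:tcp_socket name_bind;

# Connect data port to ftpd.
ifdef(`ftpd.te', `can_tcp_connect(ftpd_t, $1_t)')

# Connect second port to rshd.
ifdef(`rshd.te', `can_tcp_connect(rshd_t, $1_t)')

#
# Allow sysadm to execute quota commands against filesystems and files.
#
allow $1_t fs_type:filesystem quotamod;

# Grant read and write access to /dev/console.
allow $1_t console_device_t:chr_file rw_file_perms;

# Allow MAKEDEV to work
allow $1_t device_t:dir rw_dir_perms;
allow $1_t device_type:{ blk_file chr_file } { create unlink rename };
allow $1_t device_t:lnk_file { create read };

# for lsof
allow $1_t domain:socket_class_set getattr;
allow $1_t eventpollfs_t:file getattr;
')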
define(`security_manager_domain', `
#
# security_manager_domain(domain)
#
# Mark a domain as a security administrator and grant it control over
# the policy itself.  Unlike admin_domain this macro takes a complete
# domain type (sysadm_t, not sysadm), which must already be declared.
#
typeattribute $1 secadmin;

# Security server controls: the enforcing flag, policy booleans,
# access decisions and security parameters.
can_setenforce($1)
can_setbool($1)
can_getsecurity($1)
can_setsecparam($1)

# Admin programs that need permissions of their own run in separate
# domains; those rules live in the respective program domain files.

# Policy files (every secadmfile type): full create and relabel access.
# Added by mayerf@tresys.com as a stopgap.  These rules are temporary
# until a complete policy management infrastructure is in place, at
# which point direct manipulation of policy files with arbitrary
# programs should no longer be granted to the administrator.
allow $1 secadmfile:dir { relabelto relabelfrom create_dir_perms };
allow $1 secadmfile:file { relabelto relabelfrom create_file_perms };
allow $1 secadmfile:lnk_file { relabelto relabelfrom create_lnk_perms };

# Context overrides: the exec context (runcon) and the context given
# to newly created files.
can_setexec($1)
can_setfscreate($1)

# Privileged reads on the audit netlink socket (autrace).
allow $1 self:netlink_audit_socket nlmsg_readpriv;
')