# Authors: Anthony Colatrella (NSA) Stephen Smalley <sds@epoch.ncsc.mil>
# Russell Coker <russell@coker.com.au>
# This macro defines the rules for a newrole-like program; it is used by
# newrole.te and sudo.te, but may be used by other policy at some later time.
define(`newrole_domain', `
# Rules for the $1_t domain.
#
# $1_t is the domain for the program.
# $1_exec_t is the type of the executable.
#
# Arguments:
#   first  - prefix of the domain/type names ($1_t, $1_exec_t).
#   second - optional extra attributes.  It is expanded verbatim after the
#            attribute list in the type declaration below, so a caller
#            supplies a leading comma (e.g. ", some_attr") or nothing at all.
#
# What this domain is granted by the rules in this macro: password checking
# (auth_chkpwd), the setuid/setgid/dac_override/net_bind_service capabilities,
# relabeling of tty and pty device nodes, read access to the SELinux config
# and default contexts, and a shell transition into any unpriv_userdomain
# (plus sysadm_t unless secure_mode is set).  Treat it as a privilege
# boundary and review it together with its callers (newrole.te, sudo.te).
# NOTE(review): the mls* attributes appear to grant MLS range overrides
# (reading/writing across levels, changing file levels, setting the process
# level) - confirm against the MLS constraint definitions before relying on
# this summary.
type $1_t, domain, privrole, privowner, privlog, auth_chkpwd, nscd_client_domain, privfd, mlsfileread, mlsfilewrite, mlsfileupgrade, mlsfiledowngrade, mlsprocsetsl $2;
# $1_t is reachable from the user roles and from sysadm_r.
in_user_role($1_t)
role sysadm_r types $1_t;

general_domain_access($1_t);

uses_shlib($1_t)
read_locale($1_t)
read_sysctl($1_t)

# for when the user types "exec newrole" at the command line
allow $1_t privfd:process sigchld;

# Inherit descriptors from the current session.
allow $1_t privfd:fd use;

# Execute /sbin/pwdb_chkpwd to check the password.
# (only directory read/search on sbin_t is granted here; the execute rules
# presumably come from the auth_chkpwd attribute - confirm)
allow $1_t sbin_t:dir r_dir_perms;

# Execute shells
allow $1_t bin_t:dir r_dir_perms;
allow $1_t bin_t:lnk_file read;
allow $1_t shell_exec_t:file r_file_perms;

# Read urandom (getattr/read only; no write access is granted).
allow $1_t urandom_device_t:chr_file { getattr read };

# Allow $1_t to transition to user domains.
# Executing a shell from $1_t may enter any unpriv_userdomain.
domain_trans($1_t, shell_exec_t, unpriv_userdomain)
if(!secure_mode)
{
# if we are not in secure mode then we can transition to sysadm_t
# NOTE(review): this is the privilege-escalation path of this macro; when
# secure_mode is set, no transition from $1_t to sysadm_t remains in these
# rules.
domain_trans($1_t, shell_exec_t, sysadm_t)
}

# presumably used to pick the target context of the shell transitions
# above (setexec) - confirm against the newrole/sudo sources
can_setexec($1_t)

allow $1_t autofs_t:dir search;

# Use capabilities.
# NOTE(review): net_bind_service and dac_override are broader than a
# role-change helper needs on its own; confirm which caller (sudo.te?)
# depends on them and consider granting them there instead.
allow $1_t self:capability { setuid setgid net_bind_service dac_override };

# Read the devpts root directory.
allow $1_t devpts_t:dir r_dir_perms;

# Read the /etc/security/default_type file
# (default_context_t and selinux_config_t are read-only here; nothing in
# this macro grants write access to the policy configuration)
r_dir_file($1_t, default_context_t)
r_dir_file($1_t, selinux_config_t)
allow $1_t etc_t:file r_file_perms;

# Read /var.
allow $1_t var_t:dir r_dir_perms;
allow $1_t var_t:notdevfile_class_set r_file_perms;

# Read /dev directories and any symbolic links.
# (only dir access on device_t is granted by this rule; lnk_file read on
# device_t is not - confirm whether a callee macro supplies it)
allow $1_t device_t:dir r_dir_perms;

# Relabel terminals.
# (relabelfrom/relabelto on tty and pty device nodes only; read/write of
# the terminals themselves is the separate rule below)
allow $1_t { ttyfile ptyfile }:chr_file { relabelfrom relabelto };

# Access terminals.
allow $1_t { ttyfile ptyfile devtty_t }:chr_file rw_file_perms;
# only when the gnome-pty-helper policy is built: use descriptors
# inherited from that domain
ifdef(`gnome-pty-helper.te', `allow $1_t gphdomain:fd use;')

ifdef(`distro_debian', `
# for /etc/alternatives
allow $1_t etc_t:lnk_file read;
')

#
# Allow newrole to obtain contexts to relabel TTYs
#
can_getsecurity($1_t)

allow $1_t fs_t:filesystem getattr;

# for some PAM modules and for cwd
# (dontaudit, not allow: the home directory searches still fail, only the
# denial message is suppressed)
dontaudit $1_t { home_root_t home_type }:dir search;

allow $1_t proc_t:dir search;
allow $1_t proc_t:file { getattr read };

# for when the network connection is killed
# (suppresses the denial log when a user-domain process signals $1_t; the
# signal itself stays denied)
dontaudit unpriv_userdomain $1_t:process signal;
')