# $1 is the source domain (or domains), $2 is the source role (or roles) and $3
# is the base name for the domain to run.  $1 is normally sysadm_t, and $2 is
# normally sysadm_r.  $4 is the type of program to run and $5 is the domain to
# transition to.
# sample usage:
# run_program(sysadm_t, sysadm_r, init, etc_t, initrc_t)
#
# if you have several users who run the same run_init type program for
# different purposes (think of a run_db program used by several database
# administrators to start several databases) then you can list all the source
# domains in $1, all the source roles in $2, but you may not want to list all
# types of programs to run in $4 and target domains in $5 (as that may permit
# entering any listed target domain from any listed program type).  In such a situation just specify
# one value for each of $4 and $5 and have some rules such as the following:
# domain_trans(run_whatever_t, whatever_exec_t, whatever_t)
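define(`run_program', `
# entry point: executing a file of this type from one of the source domains
# lands the caller in the run domain (domain_auto_trans below)
type run_$3_exec_t, file_type, exec_type, sysadmfile;

# domain for program to run in, needs to change role (priv_system_role), change
# identity to system_u (privuser), log failures to syslog (privlog) and
# authenticate users.
# NOTE(review): this domain is highly privileged - it changes role and
# identity, sets the context of its children (can_setexec below) and may run
# ordinary binaries and shells in its own domain (can_exec below), so the
# source domains and roles handed to this macro should be administrative
# ones only.
type run_$3_t, domain, priv_system_role, privuser, privlog;
domain_auto_trans($1, run_$3_exec_t, run_$3_t)
role $2 types run_$3_t;

# authenticate the caller through the password checking helper.
# chkpwd.te is treated as optional here, so the transition, which names
# types from it, is guarded together with the can_exec rule; otherwise the
# policy does not build when that file is left out.
ifdef(`chkpwd.te', `
domain_auto_trans(run_$3_t, chkpwd_exec_t, sysadm_chkpwd_t)
# can_exec presumably also allows running the helper without the
# transition; no rule here grants shadow_t read, so such a run is expected
# to fail (hence the dontaudit below)
can_exec(run_$3_t, chkpwd_exec_t)
')
# for auth_chkpwd: the direct look at /etc/shadow is expected to be denied
# (presumably tried before the helper is used) and must not fill the log
dontaudit run_$3_t shadow_t:file { getattr read };
allow run_$3_t self:process { fork sigchld };
allow run_$3_t self:fifo_file rw_file_perms;
allow run_$3_t self:capability setuid;
allow run_$3_t self:lnk_file read;

# for utmp
allow run_$3_t initrc_var_run_t:file rw_file_perms;
# the terminal of the administrator
allow run_$3_t admin_tty_type:chr_file rw_file_perms;

# terminal and device directory listings are not needed; keep the denials
# out of the audit log
dontaudit run_$3_t devpts_t:dir { getattr read };
dontaudit run_$3_t device_t:dir { getattr read search };

# often the administrator runs such programs from a directory that is owned
# by a different user or has restrictive SE permissions, do not want to audit
# the failed access to the current directory.
# NOTE(review): this silences directory search denials against every file
# type, so a genuine mislabelling hit from this domain will not be audited
# either.
dontaudit run_$3_t file_type:dir search;
dontaudit run_$3_t self:capability { dac_override dac_read_search };

# run ordinary binaries and shells in this domain
allow run_$3_t { bin_t sbin_t }:dir search;
allow run_$3_t bin_t:lnk_file read;
can_exec(run_$3_t, { bin_t shell_exec_t })

# the transition into the target domain from the given program type.
# domain_trans rather than domain_auto_trans, paired with can_setexec: the
# program is presumably expected to request the target context itself
# rather than be switched automatically - confirm against the macro
# definitions.
domain_trans(run_$3_t, $4, $5)
can_setexec(run_$3_t)

# file descriptors inherited from privfd domains, shared libraries, the
# SELinux configuration and default contexts, locale data and /etc
allow run_$3_t privfd:fd use;
uses_shlib(run_$3_t)
allow run_$3_t lib_t:file { getattr read };
can_getsecurity(run_$3_t)
r_dir_file(run_$3_t,selinux_config_t)
r_dir_file(run_$3_t,default_context_t)
allow run_$3_t self:unix_stream_socket create_socket_perms;
allow run_$3_t self:unix_dgram_socket create_socket_perms;
allow run_$3_t etc_t:file { getattr read };
read_locale(run_$3_t)
allow run_$3_t fs_t:filesystem getattr;
')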