#
# Macros for all admin domains.
#
#
# admin_domain(domain_prefix)
#
# Define derived types and rules for an administrator domain.
#
# The type declaration and role authorization for the domain must be
# provided separately.  Likewise, domain transitions into this domain
# must be specified separately.  If the every_domain() rules are desired,
# then these rules must also be specified separately.
#
undefine(`admin_domain')
define(`admin_domain',`
# admin_domain(domain_prefix)
#
# Expands to the derived types and rules shared by every administrator
# domain named <prefix>_t.  The domain type itself, its role
# authorization and the transitions into it are declared by the caller.
# Review note: the rules below give the domain very broad reach (nearly
# every capability, every kernel_t system operation, create and relabel
# on everything marked sysadmfile, signals and setsched on every domain),
# so this macro is only appropriate for fully trusted administrators.

# Home directory types for this admin.  The <prefix>_file_type attribute
# collects the file types derived for this domain (home and tmp files).
attribute $1_file_type;
type $1_home_dir_t, file_type, sysadmfile, home_dir_type, home_type;
type $1_home_t, file_type, sysadmfile, home_type, $1_file_type;

# Pty type for this admin; admin_tty_type marks it as an administrator
# terminal rather than an ordinary user one.
can_create_pty($1, `, admin_tty_type')

# Tmp files.  The auto transition for { lnk sock fifo } is added manually
# here; the rest is in the content macros.  The admin may also relabel
# its own tmp files in both directions.
tmp_domain_notrans($1, `, $1_file_type')
file_type_auto_trans($1_t, tmp_t, $1_tmp_t, { lnk_file sock_file fifo_file })
allow $1_t $1_tmp_t:{ dir file } { relabelto relabelfrom };

# Type for tty devices owned by this admin.
type $1_tty_device_t, sysadmfile, ttyfile, dev_fs, admin_tty_type;

# Inherit rules for ordinary users.
base_user_domain($1)
access_removable_media($1_t)

# setuid is already contained in the ~sys_module capability grant further
# down; this rule is redundant with it.
allow $1_t self:capability setuid;

ifdef(`su.te', `su_domain($1)')
ifdef(`userhelper.te', `userhelper_domain($1)')
ifdef(`sudo.te', `sudo_domain($1)')

# Let admin stat the shadow file (getattr only, no read of its contents).
allow $1_t shadow_t:file getattr;

# The derived crond domain may read system logs.
ifdef(`crond.te', `
allow $1_crond_t var_log_t:file r_file_perms;
')

# Allow system log read.  Redundant with the kernel_t:system * rule
# below, which grants every permission in that class.
allow $1_t kernel_t:system syslog_read;

# Allow autrace
# allow sysadm_t self:netlink_audit_socket nlmsg_readpriv;
# (Disabled here; the live nlmsg_readpriv rule is in
# security_manager_domain.)

# Use capabilities other than sys_module.  This is nearly every
# capability, i.e. the admin domain is effectively unconfined with
# respect to capabilities; only kernel module loading is withheld.
allow $1_t self:capability ~sys_module;

# Use system operations (every permission in the system class on
# kernel_t).
allow $1_t kernel_t:system *;

# Set password information for other users.
allow $1_t self:passwd { passwd chfn chsh };

# Skip authentication when pam_rootok is specified.
allow $1_t self:passwd rootok;

# Manipulate other user crontab.
allow $1_t self:passwd crontab;
# NOTE(review): this names sysadm_crontab_t literally rather than the
# derived <prefix>_crontab_t, and unlike the crontab rule further down it
# is not guarded by the crontab.te ifdef -- confirm whether this is
# intended for every admin domain, not just sysadm.
can_getsecurity(sysadm_crontab_t)

# Change system parameters.
can_sysctl($1_t)

# Create and use all files that have the sysadmfile attribute.
allow $1_t sysadmfile:{ file sock_file fifo_file } create_file_perms;
allow $1_t sysadmfile:lnk_file create_lnk_perms;
allow $1_t sysadmfile:dir create_dir_perms;

# for lsof
allow $1_t mtrr_device_t:file getattr;
allow $1_t fs_type:dir getattr;

# Access removable devices.
allow $1_t removable_device_t:devfile_class_set rw_file_perms;

# Communicate with the init process.
allow $1_t initctl_t:fifo_file rw_file_perms;

# Examine all processes.
can_ps($1_t, domain)

# allow renice (scheduling changes on every domain)
allow $1_t domain:process setsched;

# Send signals to all processes, including unlabeled ones.
allow $1_t { domain unlabeled_t }:process signal_perms;

# Access all user terminals.
allow $1_t tty_device_t:chr_file rw_file_perms;
allow $1_t ttyfile:chr_file rw_file_perms;
allow $1_t ptyfile:chr_file rw_file_perms;
allow $1_t serial_device:chr_file setattr;

# allow setting up tunnels
allow $1_t tun_tap_device_t:chr_file rw_file_perms;

# run ls -l /dev
allow $1_t device_t:dir r_dir_perms;
allow $1_t { device_t device_type }:{ chr_file blk_file } getattr;
# presumably already implied by the ptyfile rw_file_perms rule above
allow $1_t ptyfile:chr_file getattr;

# Run programs from staff home directories.
# Not ideal, but typical if users want to login as both sysadm_t or staff_t.
can_exec($1_t, staff_home_t)

# Run programs from /usr/src.
can_exec($1_t, src_t)

# Relabel all files.
# Actually this will not allow relabeling ALL files unless you change
# sysadmfile to file_type (and change the assertion in assert.te that
# only auth_write can relabel shadow_t)
allow $1_t sysadmfile:dir { getattr read search relabelfrom relabelto };
allow $1_t sysadmfile:notdevfile_class_set { getattr relabelfrom relabelto };

ifdef(`startx.te', `
ifdef(`xserver.te', `
# Create files in /tmp/.X11-unix with our X servers derived
# tmp type rather than user_xserver_tmp_t.
file_type_auto_trans($1_xserver_t, xserver_tmpfile, $1_xserver_tmp_t, sock_file)
')dnl end xserver.te
')dnl end startx.te

ifdef(`xdm.te', `
ifdef(`xauth.te', `
# Only while the xdm_sysadm_login boolean is on may xdm search the admin
# home directory and read symlinks in it.
if (xdm_sysadm_login) {
allow xdm_t $1_home_t:lnk_file read;
allow xdm_t $1_home_t:dir search;
}
can_pipe_xdm($1_t)
')dnl end ifdef xauth.te
')dnl end ifdef xdm.te

#
# A user who is authorized for sysadm_t may nonetheless have
# a home directory labeled with user_home_t if the user is expected
# to login in either user_t or sysadm_t.  Hence, the derived domains
# for programs need to be able to access user_home_t.
#

# Allow our gph domain to write to .xsession-errors.
ifdef(`gnome-pty-helper.te', `
allow $1_gph_t user_home_dir_type:dir rw_dir_perms;
allow $1_gph_t user_home_type:file create_file_perms;
')

# Allow our crontab domain to unlink a user cron spool file.
ifdef(`crontab.te',
`allow $1_crontab_t user_cron_spool_t:file unlink;')

# for the administrator to run TCP servers directly
# (name_bind is granted on any port labeled port_t, not a fixed set)
can_tcp_connect($1_t, $1_t)
allow $1_t port_t:tcp_socket name_bind;

# Connect data port to ftpd.
ifdef(`ftpd.te', `can_tcp_connect(ftpd_t, $1_t)')

# Connect second port to rshd.
ifdef(`rshd.te', `can_tcp_connect(rshd_t, $1_t)')

#
# Allow sysadm to execute quota commands against filesystems and files.
#
allow $1_t fs_type:filesystem quotamod;

# Grant read and write access to /dev/console.
allow $1_t console_device_t:chr_file rw_file_perms;

# Allow MAKEDEV to work: create, remove and rename device nodes and
# create symlinks under /dev.
allow $1_t device_t:dir rw_dir_perms;
allow $1_t device_type:{ blk_file chr_file } { create unlink rename };
allow $1_t device_t:lnk_file { create read };

# for lsof
allow $1_t domain:socket_class_set getattr;
allow $1_t eventpollfs_t:file getattr;
')
define(`security_manager_domain', `
# security_manager_domain(domain)
#
# Grants a domain the rights of a security manager: it joins the secadmin
# attribute and may change the enforcing flag, policy booleans and other
# security parameters, query policy decisions, set exec and fscreate
# contexts, and manage secadmfile-labeled files.  Note the argument is a
# full type name, not a prefix as in admin_domain.

typeattribute $1 secadmin;
# Allow administrator domains to set the enforcing flag.
can_setenforce($1)

# Allow administrator domains to set policy booleans.
can_setbool($1)

# Get security policy decisions.
can_getsecurity($1)

# Allow administrator domains to set security parameters
can_setsecparam($1)

# Run admin programs that require different permissions in their own domain.
# These rules were moved into the appropriate program domain file.

# added by mayerf@tresys.com
# The following rules are temporary until such time that a complete
# policy management infrastructure is in place so that an administrator
# cannot directly manipulate policy files with arbitrary programs.
# Review note: with these rules any program run in the domain can create
# and relabel (and, via create_file_perms, presumably write) policy
# files, which combined with can_setenforce above lets the domain alter
# the policy that confines it.
#
allow $1 secadmfile:file { relabelto relabelfrom create_file_perms };
allow $1 secadmfile:lnk_file { relabelto relabelfrom create_lnk_perms };
allow $1 secadmfile:dir { relabelto relabelfrom create_dir_perms };

# Set an exec context, e.g. for runcon.
can_setexec($1)

# Set a context other than the default one for newly created files.
can_setfscreate($1)

# Read privileged audit messages (autrace); admin_domain carries only a
# commented-out copy of this rule.
allow $1 self:netlink_audit_socket nlmsg_readpriv;

')