Blob Blame History Raw

policy_module(userdomain,1.3.36)

gen_require(`
	role sysadm_r, staff_r, user_r;

	ifdef(`enable_mls',`
		role secadm_r;
		role auditadm_r;
	')
')

########################################
#
# Declarations
#

# admin users terminals (tty and pty)
attribute admin_terminal;

# users home directory
attribute home_dir_type;

# users home directory contents
attribute home_type;

# The privhome attribute identifies every domain that can create files under
# regular user home directories in the regular context (IE act on behalf of
# a user in writing regular files)
attribute privhome;

# all unprivileged users home directories
attribute user_home_dir_type;
attribute user_home_type;

# all unprivileged users ptys
attribute user_ptynode;

# all unprivileged users tmp files
attribute user_tmpfile;

# all unprivileged users ttys
attribute user_ttynode;

# all user domains
attribute userdomain;

# unprivileged user domains
attribute unpriv_userdomain;

attribute untrusted_content_type;
attribute untrusted_content_tmp_type;

########################################
#
# Local policy
#

ifdef(`strict_policy',`
	userdom_admin_user_template(sysadm)
	userdom_unpriv_user_template(staff)
	userdom_unpriv_user_template(user)

	# user role change rules:
	# sysadm_r can change to user roles
	userdom_role_change_template(sysadm, user)
	userdom_role_change_template(sysadm, staff)

	# only staff_r can change to sysadm_r
	userdom_role_change_template(staff, sysadm)

	ifdef(`enable_mls',`
		userdom_unpriv_user_template(secadm)
		userdom_unpriv_user_template(auditadm)

		userdom_role_change_template(staff,auditadm)
		userdom_role_change_template(staff,secadm)

		userdom_role_change_template(sysadm,secadm)
		userdom_role_change_template(sysadm,auditadm)

		userdom_role_change_template(auditadm,secadm)
		userdom_role_change_template(auditadm,sysadm)

		userdom_role_change_template(secadm,auditadm)
		userdom_role_change_template(secadm,sysadm)
	')

	# this should be tunable_policy, but
	# currently type_change and RBAC allow
	# do not work in conditionals
	ifdef(`user_canbe_sysadm',`
		userdom_role_change_template(user,sysadm)
	')

	########################################
	#
	# Sysadm local policy
	#

	# for su
	allow sysadm_t userdomain:fd use;

	# Add/remove user home directories
	allow sysadm_t user_home_dir_t:dir create_dir_perms;
	files_home_filetrans(sysadm_t,user_home_dir_t,dir)

	corecmd_exec_shell(sysadm_t)

	mls_process_read_up(sysadm_t)

	init_exec(sysadm_t)

	# Following for sending reboot and wall messages
	userdom_use_unpriv_users_ptys(sysadm_t)
	userdom_use_unpriv_users_ttys(sysadm_t)

	ifdef(`direct_sysadm_daemon',`
		optional_policy(`
			init_run_daemon(sysadm_t,sysadm_r,admin_terminal)
		')
	',`
		ifdef(`distro_gentoo',`
			optional_policy(`
				seutil_init_script_run_runinit(sysadm_t,sysadm_r,admin_terminal)
			')
		')
	')

	ifdef(`enable_mls',`
		seutil_run_runinit(auditadm_t, auditadm_r, { auditadm_tty_device_t auditadm_devpts_t })
		domain_kill_all_domains(auditadm_t)
	        seutil_read_bin_policy(auditadm_t)
		corecmd_exec_shell(auditadm_t)
		logging_send_syslog_msg(auditadm_t)
	        logging_read_generic_logs(auditadm_t)
		logging_manage_audit_log(auditadm_t)
		logging_manage_audit_config(auditadm_t)
		logging_run_auditctl(auditadm_t,auditadm_r,{ auditadm_tty_device_t auditadm_devpts_t })
		logging_run_auditd(auditadm_t, auditadm_r, { auditadm_tty_device_t auditadm_devpts_t })
		userdom_dontaudit_read_sysadm_home_content_files(auditadm_t)

		allow secadm_t self:capability dac_override;
		corecmd_exec_shell(secadm_t)
		domain_obj_id_change_exemption(secadm_t)
		mls_process_read_up(secadm_t)
		mls_file_read_up(secadm_t)
		mls_file_write_down(secadm_t)
		mls_file_upgrade(secadm_t)
		mls_file_downgrade(secadm_t)
	        auth_relabel_all_files_except_shadow(secadm_t)
		auth_relabel_shadow(secadm_t)
		init_exec(secadm_t)
		logging_read_audit_log(secadm_t)
	        logging_read_generic_logs(secadm_t)
		userdom_dontaudit_append_staff_home_content_files(secadm_t)
		userdom_dontaudit_read_sysadm_home_content_files(secadm_t)
	',`
		logging_manage_audit_log(sysadm_t)
		logging_manage_audit_config(sysadm_t)
		logging_run_auditctl(sysadm_t,sysadm_r,admin_terminal)
	')

	tunable_policy(`allow_ptrace',`
		domain_ptrace_all_domains(sysadm_t)
	')

	optional_policy(`
		amanda_run_recover(sysadm_t,sysadm_r,admin_terminal)
	')

	optional_policy(`
		apache_run_helper(sysadm_t,sysadm_r,admin_terminal)
		#apache_run_all_scripts(sysadm_t,sysadm_r)
		#apache_domtrans_sys_script(sysadm_t)
	')

	optional_policy(`
		# cjp: why is this not apm_run_client
		apm_domtrans_client(sysadm_t)
	')

	optional_policy(`
		apt_run(sysadm_t,sysadm_r,admin_terminal)
	')

	optional_policy(`
		backup_run(sysadm_t,sysadm_r,admin_terminal)
	')

	optional_policy(`
		bootloader_run(sysadm_t,sysadm_r,admin_terminal)
	')

	optional_policy(`
		bind_run_ndc(sysadm_t,sysadm_r,admin_terminal)
	')

	optional_policy(`
		bluetooth_run_helper(sysadm_t,sysadm_r,admin_terminal)
	')

	optional_policy(`
		consoletype_run(sysadm_t,sysadm_r,admin_terminal)
	')

	optional_policy(`
		clock_run(sysadm_t,sysadm_r,admin_terminal)
	')

	optional_policy(`
		clockspeed_run_cli(sysadm_t,sysadm_r,admin_terminal)
	')

	optional_policy(`
		certwatach_run(sysadm_t,sysadm_r,admin_terminal)
	')

	optional_policy(`
		cvs_exec(sysadm_t)
	')

	optional_policy(`
		consoletype_exec(sysadm_t)

		ifdef(`enable_mls',`
			consoletype_exec(secadm_t)
			consoletype_exec(auditadm_t)
		')
	')

	optional_policy(`
		dcc_run_cdcc(sysadm_t,sysadm_r,admin_terminal)
		dcc_run_client(sysadm_t,sysadm_r,admin_terminal)
		dcc_run_dbclean(sysadm_t,sysadm_r,admin_terminal)
	')

	optional_policy(`
		ddcprobe_run(sysadm_t,sysadm_r,admin_terminal)
	')

	optional_policy(`
		dmesg_exec(sysadm_t)

		ifdef(`enable_mls',`
			dmesg_exec(secadm_t)
			dmesg_exec(auditadm_t)
		')
	')

	optional_policy(`
		dmidecode_run(sysadm_t,sysadm_r,admin_terminal)
	')

	optional_policy(`
		dpkg_run(sysadm_t,sysadm_r,admin_terminal)
	')

	optional_policy(`
		ethereal_run_tethereal(sysadm_t,sysadm_r,admin_terminal)
	')

	optional_policy(`
		firstboot_run(sysadm_t,sysadm_r,sysadm_tty_device_t)
	')

	optional_policy(`
		fstools_run(sysadm_t,sysadm_r,admin_terminal)
	')

	optional_policy(`
		hostname_run(sysadm_t,sysadm_r,admin_terminal)
	')

	optional_policy(`
		# allow system administrator to use the ipsec script to look
		# at things (e.g., ipsec auto --status)
		# probably should create an ipsec_admin role for this kind of thing
		ipsec_exec_mgmt(sysadm_t)
		ipsec_stream_connect(sysadm_t)
		# for lsof
		ipsec_getattr_key_sockets(sysadm_t)
	')

	optional_policy(`
		iptables_run(sysadm_t,sysadm_r,admin_terminal)
	')

	optional_policy(`
		libs_run_ldconfig(sysadm_t,sysadm_r,admin_terminal)
	')

	optional_policy(`
		lvm_run(sysadm_t,sysadm_r,admin_terminal)
	')

	optional_policy(`
		logrotate_run(sysadm_t,sysadm_r,admin_terminal)
	')

	optional_policy(`
		lpd_run_checkpc(sysadm_t,sysadm_r,admin_terminal)
	')

	optional_policy(`
		kudzu_run(sysadm_t,sysadm_r,admin_terminal)
	')

	optional_policy(`
		modutils_run_depmod(sysadm_t,sysadm_r,admin_terminal)
		modutils_run_insmod(sysadm_t,sysadm_r,admin_terminal)
		modutils_run_update_mods(sysadm_t,sysadm_r,admin_terminal)
	')

	optional_policy(`
		mount_run(sysadm_t,sysadm_r,admin_terminal)
	')

	optional_policy(`
		mysql_stream_connect(sysadm_t)
	')

	optional_policy(`
		netutils_run(sysadm_t,sysadm_r,admin_terminal)
		netutils_run_ping(sysadm_t,sysadm_r,admin_terminal)
		netutils_run_traceroute(sysadm_t,sysadm_r,admin_terminal)
	')

	optional_policy(`
		rpc_domtrans_nfsd(sysadm_t)
	')

	optional_policy(`
		munin_stream_connect(sysadm_t)
	')

	optional_policy(`
		ntp_stub()
		corenet_udp_bind_ntp_port(sysadm_t)
	')

	optional_policy(`
		oav_run_update(sysadm_t,sysadm_r,admin_terminal)
	')

	optional_policy(`
		pcmcia_run_cardctl(sysadm_t,sysadm_r,admin_terminal)
	')

	optional_policy(`
		portage_run(sysadm_t,sysadm_r,admin_terminal)
		portage_run_gcc_config(sysadm_t,sysadm_r,admin_terminal)
	')

	optional_policy(`
		portmap_run_helper(sysadm_t,sysadm_r,admin_terminal)
	')

	optional_policy(`
		quota_run(sysadm_t,sysadm_r,admin_terminal)
	')

	optional_policy(`
		rpm_run(sysadm_t,sysadm_r,admin_terminal)
	')

	optional_policy(`
		rsync_exec(sysadm_t)
	')

	optional_policy(`
		samba_run_net(sysadm_t,sysadm_r,admin_terminal)
		samba_run_winbind_helper(sysadm_t,sysadm_r,admin_terminal)
	')

	optional_policy(`
		seutil_run_restorecon(sysadm_t,sysadm_r,admin_terminal)
		seutil_run_runinit(sysadm_t,sysadm_r,admin_terminal)

		ifdef(`enable_mls',`
			selinux_set_enforce_mode(secadm_t)
			selinux_set_boolean(secadm_t)
			selinux_set_parameters(secadm_t)

			seutil_manage_bin_policy(secadm_t)
			seutil_run_checkpolicy(secadm_t,secadm_r,{ secadm_tty_device_t sysadm_devpts_t })
			seutil_run_loadpolicy(secadm_t,secadm_r,{ secadm_tty_device_t sysadm_devpts_t })
			seutil_run_semanage(secadm_t,secadm_r,{ secadm_tty_device_t sysadm_devpts_t })
			seutil_run_setfiles(secadm_t,secadm_r,{ secadm_tty_device_t sysadm_devpts_t })
			seutil_run_restorecon(secadm_t,secadm_r,{ secadm_tty_device_t sysadm_devpts_t })
			logging_send_syslog_msg(secadm_t)
		', `
			selinux_set_enforce_mode(sysadm_t)
			selinux_set_boolean(sysadm_t)
			selinux_set_parameters(sysadm_t)

			seutil_manage_bin_policy(sysadm_t)
			seutil_run_checkpolicy(sysadm_t,sysadm_r,admin_terminal)
			seutil_run_loadpolicy(sysadm_t,sysadm_r,admin_terminal)
			seutil_run_semanage(sysadm_t,sysadm_r,admin_terminal)
			seutil_run_setfiles(sysadm_t,sysadm_r,admin_terminal)
		')
	')

	optional_policy(`
		sysnet_run_ifconfig(sysadm_t,sysadm_r,admin_terminal)
		sysnet_run_dhcpc(sysadm_t,sysadm_r,admin_terminal)
	')

	optional_policy(`
		tripwire_run_siggen(sysadm_t,sysadm_r,admin_terminal)
		tripwire_run_tripwire(sysadm_t,sysadm_r,admin_terminal)
		tripwire_run_twadmin(sysadm_t,sysadm_r,admin_terminal)
		tripwire_run_twprint(sysadm_t,sysadm_r,admin_terminal)
	')

	optional_policy(`
		unconfined_domtrans(sysadm_t,sysadm_r,admin_terminal)
	')

	optional_policy(`
		usbmodules_run(sysadm_t,sysadm_r,admin_terminal)
	')

	optional_policy(`
		usermanage_run_admin_passwd(sysadm_t,sysadm_r,admin_terminal)
		usermanage_run_groupadd(sysadm_t,sysadm_r,admin_terminal)
		usermanage_run_useradd(sysadm_t,sysadm_r,admin_terminal)
	')

	optional_policy(`
		vpn_run(sysadm_t,sysadm_r,admin_terminal)
	')

	optional_policy(`
		webalizer_run(sysadm_t,sysadm_r,admin_terminal)
	')

	optional_policy(`
		yam_run(sysadm_t,sysadm_r,admin_terminal)
	')
')

ifdef(`targeted_policy',`
	# Define some type aliases to help with compatibility with
	# strict policy.
	unconfined_alias_domain(secadm_t)
	unconfined_alias_domain(auditadm_t)
	unconfined_alias_domain(sysadm_t)

	# User home directory type.
	type user_home_t alias { staff_home_t sysadm_home_t }, home_type, user_home_type;
	files_type(user_home_t)
	files_associate_tmp(user_home_t)
	fs_associate_tmpfs(user_home_t)

	type user_home_dir_t alias { staff_home_dir_t sysadm_home_dir_t }, home_dir_type, home_type, user_home_dir_type;
	files_type(user_home_dir_t)
	files_associate_tmp(user_home_dir_t)
	fs_associate_tmpfs(user_home_dir_t)

	# compatibility for switching from strict
#	dominance { role secadm_r { role system_r; }}
#	dominance { role auditadm_r { role system_r; }}
#	dominance { role sysadm_r { role system_r; }}
#	dominance { role user_r { role system_r; }}
#	dominance { role staff_r { role system_r; }}

	# dont need to use the full role_change()
	allow sysadm_r system_r;
	allow sysadm_r user_r;
	allow user_r system_r;
	allow user_r sysadm_r;
	allow system_r sysadm_r;
	allow system_r sysadm_r;

	allow privhome user_home_t:dir manage_dir_perms;
	allow privhome user_home_t:file create_file_perms;
	allow privhome user_home_t:lnk_file create_lnk_perms;
	allow privhome user_home_t:fifo_file create_file_perms;
	allow privhome user_home_t:sock_file create_file_perms;
	allow privhome user_home_dir_t:dir rw_dir_perms;
	type_transition privhome user_home_dir_t:{ dir file lnk_file fifo_file sock_file } user_home_t;
	files_search_home(privhome)

	ifdef(`enable_mls',`
		allow secadm_r system_r;
		allow auditadm_r system_r;
		allow secadm_r user_r;
		allow staff_r secadm_r;
		allow staff_r auditadm_r;
	')

	optional_policy(`
		samba_per_role_template(user)
	')
')