Blob Blame History Raw

policy_module(authlogin,1.2.1)

########################################
#
# Declarations
#

attribute can_read_shadow_passwords;
attribute can_write_shadow_passwords;
attribute can_relabelto_shadow_passwords;

type chkpwd_exec_t;
files_type(chkpwd_exec_t)

type faillog_t;
logging_log_file(faillog_t)

type lastlog_t;
logging_log_file(lastlog_t)

# real declaration moved to mls until
# range_transition works in loadable modules
gen_require(`
	type login_exec_t;
')
files_type(login_exec_t)

type pam_console_t;
type pam_console_exec_t;
init_system_domain(pam_console_t,pam_console_exec_t)
role system_r types pam_console_t;

type pam_t;
domain_type(pam_t)
role system_r types pam_t;

type pam_exec_t;
domain_entry_file(pam_t,pam_exec_t)

type pam_tmp_t;
files_tmp_file(pam_tmp_t)

type pam_var_console_t;
files_type(pam_var_console_t)

type pam_var_run_t;
files_pid_file(pam_var_run_t)

type shadow_t;
files_security_file(shadow_t)
neverallow ~can_read_shadow_passwords shadow_t:file read;
neverallow ~can_write_shadow_passwords shadow_t:file { create write };
neverallow ~can_relabelto_shadow_passwords shadow_t:file relabelto;

authlogin_common_auth_domain_template(system)
role system_r types system_chkpwd_t;

type utempter_t;
domain_type(utempter_t)

type utempter_exec_t;
domain_entry_file(utempter_t,utempter_exec_t)

#
# var_auth_t is the type of /var/lib/auth, usually
# used for auth data in pam_able
#
type var_auth_t;
files_type(var_auth_t)

type wtmp_t;
logging_log_file(wtmp_t)

########################################
#
# PAM local policy
#

allow pam_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
dontaudit pam_t self:capability sys_tty_config;

allow pam_t self:fd use;
allow pam_t self:fifo_file rw_file_perms;
allow pam_t self:unix_dgram_socket create_socket_perms; 
allow pam_t self:unix_stream_socket rw_stream_socket_perms;
allow pam_t self:unix_dgram_socket sendto;
allow pam_t self:unix_stream_socket connectto;
allow pam_t self:shm create_shm_perms;
allow pam_t self:sem create_sem_perms;
allow pam_t self:msgq create_msgq_perms;
allow pam_t self:msg { send receive };

allow pam_t pam_var_run_t:dir { search getattr read write remove_name };
allow pam_t pam_var_run_t:file { getattr read unlink };

allow pam_t pam_tmp_t:dir create_dir_perms;
allow pam_t pam_tmp_t:file create_file_perms;
files_filetrans_tmp(pam_t, pam_tmp_t, { file dir })

kernel_read_system_state(pam_t)

fs_search_auto_mountpoints(pam_t)

term_use_all_user_ttys(pam_t)
term_use_all_user_ptys(pam_t)

init_dontaudit_rw_utmp(pam_t)

files_read_etc_files(pam_t)
files_list_pids(pam_t)

libs_use_ld_so(pam_t)
libs_use_shared_libs(pam_t)

logging_send_syslog_msg(pam_t)

userdom_use_unpriv_users_fd(pam_t)

optional_policy(`locallogin',`
	locallogin_use_fd(pam_t)
')

optional_policy(`nis',`
	nis_use_ypbind(pam_t)
')

optional_policy(`nscd',`
	nscd_use_socket(pam_t)
')

########################################
#
# PAM console local policy
#

allow pam_console_t self:capability { chown fowner fsetid };
dontaudit pam_console_t self:capability sys_tty_config;

allow pam_console_t self:process { sigchld sigkill sigstop signull signal };

# for /var/run/console.lock checking
allow pam_console_t pam_var_console_t:dir r_dir_perms;;
allow pam_console_t pam_var_console_t:file r_file_perms;
dontaudit pam_console_t pam_var_console_t:file write;
allow pam_console_t pam_var_console_t:lnk_file { getattr read };

kernel_read_kernel_sysctl(pam_console_t)
kernel_use_fd(pam_console_t)
# Read /proc/meminfo
kernel_read_system_state(pam_console_t)

dev_read_sysfs(pam_console_t)
dev_getattr_apm_bios_dev(pam_console_t)
dev_setattr_apm_bios_dev(pam_console_t)
dev_getattr_framebuffer_dev(pam_console_t)
dev_setattr_framebuffer_dev(pam_console_t)
dev_getattr_misc_dev(pam_console_t)
dev_setattr_misc_dev(pam_console_t)
dev_getattr_mouse_dev(pam_console_t)
dev_setattr_mouse_dev(pam_console_t)
dev_getattr_power_mgmt_dev(pam_console_t)
dev_setattr_power_mgmt_dev(pam_console_t)
dev_getattr_scanner_dev(pam_console_t)
dev_setattr_scanner_dev(pam_console_t)
dev_getattr_sound_dev(pam_console_t)
dev_setattr_sound_dev(pam_console_t)
dev_getattr_video_dev(pam_console_t)
dev_setattr_video_dev(pam_console_t)
dev_getattr_xserver_misc_dev(pam_console_t)
dev_setattr_xserver_misc_dev(pam_console_t)

fs_search_auto_mountpoints(pam_console_t)

storage_getattr_fixed_disk(pam_console_t)
storage_setattr_fixed_disk(pam_console_t)
storage_getattr_removable_device(pam_console_t)
storage_setattr_removable_device(pam_console_t)
storage_getattr_scsi_generic(pam_console_t)
storage_setattr_scsi_generic(pam_console_t)

term_use_console(pam_console_t)
term_setattr_console(pam_console_t)
term_getattr_unallocated_ttys(pam_console_t)
term_setattr_unallocated_ttys(pam_console_t)

auth_use_nsswitch(pam_console_t)

domain_use_wide_inherit_fd(pam_console_t)

files_read_etc_files(pam_console_t)
files_search_pids(pam_console_t)
files_list_mnt(pam_console_t)
# read /etc/mtab
files_read_etc_runtime_files(pam_console_t)

init_use_fd(pam_console_t)
init_use_script_pty(pam_console_t)

libs_use_ld_so(pam_console_t)
libs_use_shared_libs(pam_console_t)

logging_send_syslog_msg(pam_console_t)

mls_file_read_up(pam_console_t)
mls_file_write_down(pam_console_t)

seutil_read_file_contexts(pam_console_t)

userdom_dontaudit_use_unpriv_user_fd(pam_console_t)

# cjp: with the old daemon_(base_)domain being broken up into
# a daemon and system interface, this probably is not needed:
ifdef(`direct_sysadm_daemon', `
	userdom_dontaudit_use_sysadm_terms(pam_console_t)
')

ifdef(`targeted_policy', `
	term_dontaudit_use_unallocated_tty(pam_console_t)
	term_dontaudit_use_generic_pty(pam_console_t)
	files_dontaudit_read_root_file(pam_console_t)
')

optional_policy(`gpm',`
	gpm_getattr_gpmctl(pam_console_t)
	gpm_setattr_gpmctl(pam_console_t)
')

optional_policy(`hotplug',`
	hotplug_use_fd(pam_console_t)
	hotplug_dontaudit_search_config(pam_console_t)
')

optional_policy(`nscd',`
	nscd_use_socket(pam_console_t)
')

optional_policy(`selinuxutil',`
	seutil_sigchld_newrole(pam_console_t)
')

optional_policy(`udev',`
	udev_read_db(pam_console_t)
')

ifdef(`TODO',`
ifdef(`xdm.te', `
	allow pam_console_t xdm_var_run_t:file { getattr read };
')
') dnl endif TODO

########################################
#
# System check password local policy
#

allow system_chkpwd_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay };

allow system_chkpwd_t shadow_t:file { getattr read };

corecmd_search_sbin(system_chkpwd_t)

domain_dontaudit_use_wide_inherit_fd(system_chkpwd_t)

term_dontaudit_use_unallocated_tty(system_chkpwd_t)
term_dontaudit_use_generic_pty(system_chkpwd_t)

userdom_dontaudit_use_unpriv_user_tty(system_chkpwd_t)

########################################
#
# Utempter local policy
#

allow utempter_t self:capability setgid;
allow utempter_t self:unix_stream_socket create_stream_socket_perms;

allow utempter_t wtmp_t:file rw_file_perms;

dev_read_urand(utempter_t)

term_getattr_all_user_ttys(utempter_t)
term_getattr_all_user_ptys(utempter_t)
term_dontaudit_use_all_user_ttys(utempter_t)
term_dontaudit_use_all_user_ptys(utempter_t)
term_dontaudit_use_ptmx(utempter_t)

init_rw_utmp(utempter_t)

files_read_etc_files(utempter_t)

domain_use_wide_inherit_fd(utempter_t)

libs_use_ld_so(utempter_t)
libs_use_shared_libs(utempter_t)

logging_search_logs(utempter_t)

# Allow utemper to write to /tmp/.xses-*
userdom_write_unpriv_user_tmp(utempter_t)

optional_policy(`nscd',`
	nscd_use_socket(utempter_t)
')

ifdef(`TODO',`
optional_policy(`xdm',`
	can_pipe_xdm(utempter_t)
')
')