Blob Blame History Raw

policy_module(userdomain,2.2.1)

gen_require(`
	role sysadm_r, staff_r, user_r;

	ifdef(`enable_mls',`
		role secadm_r;
		role auditadm_r;
	')
')

########################################
#
# Declarations
#

ifdef(`strict_policy',`
## <desc>
## <p>
## Allow sysadm to ptrace all processes
## </p>
## </desc>
gen_tunable(allow_ptrace,false)

## <desc>
## <p>
## Allow users to connect to mysql
## </p>
## </desc>
gen_tunable(allow_user_mysql_connect,false)

## <desc>
## <p>
## Allow regular users direct mouse access
## </p>
## </desc>
gen_tunable(user_direct_mouse,false)

## <desc>
## <p>
## Allow users to read system messages.
## </p>
## </desc>
gen_tunable(user_dmesg,false)

## <desc>
## <p>
## Allow user to r/w files on filesystems
## that do not have extended attributes (FAT, CDROM, FLOPPY)
## </p>
## </desc>
gen_tunable(user_rw_noexattrfile,false)

## <desc>
## <p>
## Allow w to display everyone
## </p>
## </desc>
gen_tunable(user_ttyfile_stat,false)
')

# admin users terminals (tty and pty)
attribute admin_terminal;

# users home directory
attribute home_dir_type;

# users home directory contents
attribute home_type;

# The privhome attribute identifies every domain that can create files under
# regular user home directories in the regular context (IE act on behalf of
# a user in writing regular files)
attribute privhome;

# all unprivileged users home directories
attribute user_home_dir_type;
attribute user_home_type;

# all unprivileged users ptys
attribute user_ptynode;

# all unprivileged users tmp files
attribute user_tmpfile;

# all unprivileged users ttys
attribute user_ttynode;

# all user domains
attribute userdomain;

# unprivileged user domains
attribute unpriv_userdomain;

attribute untrusted_content_type;
attribute untrusted_content_tmp_type;

########################################
#
# Local policy
#

ifdef(`strict_policy',`
	userdom_admin_user_template(sysadm)
	userdom_unpriv_user_template(staff)
	userdom_unpriv_user_template(user)

	# user role change rules:
	# sysadm_r can change to user roles
	userdom_role_change_template(sysadm, user)
	userdom_role_change_template(sysadm, staff)

	# only staff_r can change to sysadm_r
	userdom_role_change_template(staff, sysadm)
	dontaudit staff_t admin_terminal:chr_file { read write };

	ifdef(`enable_mls',`
		userdom_unpriv_user_template(secadm)
		userdom_unpriv_user_template(auditadm)

		userdom_role_change_template(staff,auditadm)
		userdom_role_change_template(staff,secadm)

		userdom_role_change_template(sysadm,secadm)
		userdom_role_change_template(sysadm,auditadm)

		userdom_role_change_template(auditadm,secadm)
		userdom_role_change_template(auditadm,sysadm)

		userdom_role_change_template(secadm,auditadm)
		userdom_role_change_template(secadm,sysadm)
	')

	# this should be tunable_policy, but
	# currently type_change and RBAC allow
	# do not work in conditionals
	ifdef(`user_canbe_sysadm',`
		userdom_role_change_template(user,sysadm)
	')

	########################################
	#
	# Sysadm local policy
	#

	# for su
	allow sysadm_t userdomain:fd use;

	# Add/remove user home directories
	allow sysadm_t user_home_dir_t:dir manage_dir_perms;
	files_home_filetrans(sysadm_t,user_home_dir_t,dir)

	corecmd_exec_shell(sysadm_t)

	mls_process_read_up(sysadm_t)

	init_exec(sysadm_t)

	# Following for sending reboot and wall messages
	userdom_use_unpriv_users_ptys(sysadm_t)
	userdom_use_unpriv_users_ttys(sysadm_t)

	ifdef(`direct_sysadm_daemon',`
		optional_policy(`
			init_run_daemon(sysadm_t,sysadm_r,admin_terminal)
		')
	',`
		ifdef(`distro_gentoo',`
			optional_policy(`
				seutil_init_script_run_runinit(sysadm_t,sysadm_r,admin_terminal)
			')
		')
	')

	ifdef(`enable_mls',`
		allow auditadm_t self:capability { dac_read_search dac_override };
		seutil_run_runinit(auditadm_t, auditadm_r, { auditadm_tty_device_t auditadm_devpts_t })
		domain_kill_all_domains(auditadm_t)
	        seutil_read_bin_policy(auditadm_t)
		corecmd_exec_shell(auditadm_t)
		logging_send_syslog_msg(auditadm_t)
	        logging_read_generic_logs(auditadm_t)
		logging_manage_audit_log(auditadm_t)
		logging_manage_audit_config(auditadm_t)
		logging_run_auditctl(auditadm_t,auditadm_r,{ auditadm_tty_device_t auditadm_devpts_t })
		logging_run_auditd(auditadm_t, auditadm_r, { auditadm_tty_device_t auditadm_devpts_t })
		userdom_dontaudit_read_sysadm_home_content_files(auditadm_t)

		allow secadm_t self:capability { dac_read_search dac_override };
		corecmd_exec_shell(secadm_t)
		domain_obj_id_change_exemption(secadm_t)
		mls_process_read_up(secadm_t)
		mls_file_read_up(secadm_t)
		mls_file_write_down(secadm_t)
		mls_file_upgrade(secadm_t)
		mls_file_downgrade(secadm_t)
	        auth_relabel_all_files_except_shadow(secadm_t)
		dev_relabel_all_dev_nodes(secadm_t)
		auth_relabel_shadow(secadm_t)
		init_exec(secadm_t)
		logging_read_audit_log(secadm_t)
	        logging_read_generic_logs(secadm_t)
		logging_read_audit_config(secadm_t)
		userdom_dontaudit_append_staff_home_content_files(secadm_t)
		userdom_dontaudit_read_sysadm_home_content_files(secadm_t)

		optional_policy(`
			aide_run(secadm_t,secadm_r, { secadm_tty_device_t secadm_devpts_t })
		')

		optional_policy(`
			netlabel_run_mgmt(secadm_t,secadm_r, { secadm_tty_device_t secadm_devpts_t })
		')
	',`
		logging_manage_audit_log(sysadm_t)
		logging_manage_audit_config(sysadm_t)
		logging_run_auditctl(sysadm_t,sysadm_r,admin_terminal)
	')

	tunable_policy(`allow_ptrace',`
		domain_ptrace_all_domains(sysadm_t)
	')

	optional_policy(`
		amanda_run_recover(sysadm_t,sysadm_r,admin_terminal)
	')

	optional_policy(`
		apache_run_helper(sysadm_t,sysadm_r,admin_terminal)
		#apache_run_all_scripts(sysadm_t,sysadm_r)
		#apache_domtrans_sys_script(sysadm_t)
	')

	optional_policy(`
		tzdata_domtrans(sysadm_t)
	')

	optional_policy(`
		raid_domtrans_mdadm(sysadm_t)
	')

	optional_policy(`
		# cjp: why is this not apm_run_client
		apm_domtrans_client(sysadm_t)
	')

	optional_policy(`
		apt_run(sysadm_t,sysadm_r,admin_terminal)
	')

	optional_policy(`
		backup_run(sysadm_t,sysadm_r,admin_terminal)
	')

	optional_policy(`
		bootloader_run(sysadm_t,sysadm_r,admin_terminal)
	')

	optional_policy(`
		bind_run_ndc(sysadm_t,sysadm_r,admin_terminal)
	')

	optional_policy(`
		bluetooth_run_helper(sysadm_t,sysadm_r,admin_terminal)
	')

	optional_policy(`
		consoletype_run(sysadm_t,sysadm_r,admin_terminal)
	')

	optional_policy(`
		clock_run(sysadm_t,sysadm_r,admin_terminal)
	')

	optional_policy(`
		clockspeed_run_cli(sysadm_t,sysadm_r,admin_terminal)
	')

	optional_policy(`
		certwatach_run(sysadm_t,sysadm_r,admin_terminal)
	')

	optional_policy(`
		cvs_exec(sysadm_t)
	')

	optional_policy(`
		consoletype_exec(sysadm_t)

		ifdef(`enable_mls',`
			consoletype_exec(auditadm_t)
		')
	')

	optional_policy(`
		cron_admin_template(sysadm,sysadm_t,sysadm_r)
	')

	optional_policy(`
		dcc_run_cdcc(sysadm_t,sysadm_r,admin_terminal)
		dcc_run_client(sysadm_t,sysadm_r,admin_terminal)
		dcc_run_dbclean(sysadm_t,sysadm_r,admin_terminal)
	')

	optional_policy(`
		ddcprobe_run(sysadm_t,sysadm_r,admin_terminal)
	')

	optional_policy(`
		dmesg_exec(sysadm_t)

		ifdef(`enable_mls',`
			dmesg_exec(auditadm_t)
		')
	')

	optional_policy(`
		dmidecode_run(sysadm_t,sysadm_r,admin_terminal)
	')

	optional_policy(`
		dpkg_run(sysadm_t,sysadm_r,admin_terminal)
	')

	optional_policy(`
		ethereal_run_tethereal(sysadm_t,sysadm_r,admin_terminal)
		ethereal_admin_template(sysadm,sysadm_t,sysadm_r)
	')

	optional_policy(`
		firstboot_run(sysadm_t,sysadm_r,sysadm_tty_device_t)
	')

	optional_policy(`
		fstools_run(sysadm_t,sysadm_r,admin_terminal)
	')

	optional_policy(`
		hostname_run(sysadm_t,sysadm_r,admin_terminal)
	')

	optional_policy(`
		# allow system administrator to use the ipsec script to look
		# at things (e.g., ipsec auto --status)
		# probably should create an ipsec_admin role for this kind of thing
		ipsec_exec_mgmt(sysadm_t)
		ipsec_stream_connect(sysadm_t)
		# for lsof
		ipsec_getattr_key_sockets(sysadm_t)
	')

	optional_policy(`
		iptables_run(sysadm_t,sysadm_r,admin_terminal)
	')

	optional_policy(`
		libs_run_ldconfig(sysadm_t,sysadm_r,admin_terminal)
	')

	optional_policy(`
		lvm_run(sysadm_t,sysadm_r,admin_terminal)
	')

	optional_policy(`
		logrotate_run(sysadm_t,sysadm_r,admin_terminal)
	')

	optional_policy(`
		lpd_run_checkpc(sysadm_t,sysadm_r,admin_terminal)
		lpr_admin_template(sysadm,sysadm_t,sysadm_r)
	')

	optional_policy(`
		kudzu_run(sysadm_t,sysadm_r,admin_terminal)
	')

	optional_policy(`
		modutils_run_depmod(sysadm_t,sysadm_r,admin_terminal)
		modutils_run_insmod(sysadm_t,sysadm_r,admin_terminal)
		modutils_run_update_mods(sysadm_t,sysadm_r,admin_terminal)
	')

	optional_policy(`
		mount_run(sysadm_t,sysadm_r,admin_terminal)
	')

	optional_policy(`
		mta_admin_template(sysadm,sysadm_t,sysadm_r)
	')

	optional_policy(`
		mysql_stream_connect(sysadm_t)
	')

	optional_policy(`
		netutils_run(sysadm_t,sysadm_r,admin_terminal)
		netutils_run_ping(sysadm_t,sysadm_r,admin_terminal)
		netutils_run_traceroute(sysadm_t,sysadm_r,admin_terminal)
	')

	optional_policy(`
		rpc_domtrans_nfsd(sysadm_t)
	')

	optional_policy(`
		munin_stream_connect(sysadm_t)
	')

	optional_policy(`
		ntp_stub()
		corenet_udp_bind_ntp_port(sysadm_t)
	')

	optional_policy(`
		oav_run_update(sysadm_t,sysadm_r,admin_terminal)
	')

	optional_policy(`
		pcmcia_run_cardctl(sysadm_t,sysadm_r,admin_terminal)
	')

	optional_policy(`
		portage_run(sysadm_t,sysadm_r,admin_terminal)
		portage_run_gcc_config(sysadm_t,sysadm_r,admin_terminal)
	')

	optional_policy(`
		portmap_run_helper(sysadm_t,sysadm_r,admin_terminal)
	')

	optional_policy(`
		quota_run(sysadm_t,sysadm_r,admin_terminal)
	')

	optional_policy(`
		rpm_run(sysadm_t,sysadm_r,admin_terminal)
	')

	optional_policy(`
		rsync_exec(sysadm_t)
	')

	optional_policy(`
		samba_run_net(sysadm_t,sysadm_r,admin_terminal)
		samba_run_winbind_helper(sysadm_t,sysadm_r,admin_terminal)
	')

	optional_policy(`
		seutil_run_restorecon(sysadm_t,sysadm_r,admin_terminal)
		seutil_run_runinit(sysadm_t,sysadm_r,admin_terminal)

		ifdef(`enable_mls',`
			userdom_security_admin_template(secadm_t,secadm_r,{ secadm_tty_device_t sysadm_devpts_t })
		', `
			userdom_security_admin_template(sysadm_t,sysadm_r,admin_terminal)
		')
	')

	optional_policy(`
		sysnet_run_ifconfig(sysadm_t,sysadm_r,admin_terminal)
		sysnet_run_dhcpc(sysadm_t,sysadm_r,admin_terminal)
	')

	optional_policy(`
		tripwire_run_siggen(sysadm_t,sysadm_r,admin_terminal)
		tripwire_run_tripwire(sysadm_t,sysadm_r,admin_terminal)
		tripwire_run_twadmin(sysadm_t,sysadm_r,admin_terminal)
		tripwire_run_twprint(sysadm_t,sysadm_r,admin_terminal)
	')

	optional_policy(`
		unconfined_domtrans(sysadm_t,sysadm_r,admin_terminal)
	')

	optional_policy(`
		usbmodules_run(sysadm_t,sysadm_r,admin_terminal)
	')

	optional_policy(`
		usermanage_run_admin_passwd(sysadm_t,sysadm_r,admin_terminal)
		usermanage_run_groupadd(sysadm_t,sysadm_r,admin_terminal)
		usermanage_run_useradd(sysadm_t,sysadm_r,admin_terminal)
	')

	optional_policy(`
		vpn_run(sysadm_t,sysadm_r,admin_terminal)
	')

	optional_policy(`
		webalizer_run(sysadm_t,sysadm_r,admin_terminal)
	')

	optional_policy(`
		yam_run(sysadm_t,sysadm_r,admin_terminal)
	')
')

ifdef(`targeted_policy',`
	# Define some type aliases to help with compatibility with
	# strict policy.
	unconfined_alias_domain(secadm_t)
	unconfined_alias_domain(auditadm_t)
	unconfined_alias_domain(sysadm_t)

	# User home directory type.
	type user_home_t alias { staff_home_t sysadm_home_t }, home_type, user_home_type;
	files_type(user_home_t)
	files_associate_tmp(user_home_t)
	fs_associate_tmpfs(user_home_t)

	type user_home_dir_t alias { staff_home_dir_t sysadm_home_dir_t }, home_dir_type, home_type, user_home_dir_type;
	files_type(user_home_dir_t)
	files_associate_tmp(user_home_dir_t)
	fs_associate_tmpfs(user_home_dir_t)

	# compatibility for switching from strict
#	dominance { role secadm_r { role system_r; }}
#	dominance { role auditadm_r { role system_r; }}
#	dominance { role sysadm_r { role system_r; }}
#	dominance { role user_r { role system_r; }}
#	dominance { role staff_r { role system_r; }}

	# dont need to use the full role_change()
	allow sysadm_r system_r;
	allow sysadm_r user_r;
	allow user_r system_r;
	allow user_r sysadm_r;
	allow system_r sysadm_r;
	allow system_r sysadm_r;

	manage_dirs_pattern(privhome,{ user_home_dir_t user_home_t },user_home_t)
	manage_files_pattern(privhome,{ user_home_dir_t user_home_t },user_home_t)
	manage_lnk_files_pattern(privhome,{ user_home_dir_t user_home_t },user_home_t)
	manage_sock_files_pattern(privhome,{ user_home_dir_t user_home_t },user_home_t)
	manage_fifo_files_pattern(privhome,{ user_home_dir_t user_home_t },user_home_t)
	filetrans_pattern(privhome,user_home_dir_t,user_home_t,{ dir file lnk_file sock_file fifo_file })
	files_search_home(privhome)

	ifdef(`enable_mls',`
		allow secadm_r system_r;
		allow auditadm_r system_r;
		allow secadm_r user_r;
		allow staff_r secadm_r;
		allow staff_r auditadm_r;
	')

	optional_policy(`
		samba_per_role_template(user)
	')
')