From 4d8ddf9a4f25a273e129c4fba68b5a8a073b777c Mon Sep 17 00:00:00 2001
From: Chris PeBenito <cpebenito@tresys.com>
Date: May 18 2005 13:18:49 +0000
Subject: start adding admin template



---

diff --git a/refpolicy/policy/modules/system/userdomain.if b/refpolicy/policy/modules/system/userdomain.if
index fc59784..d90d158 100644
--- a/refpolicy/policy/modules/system/userdomain.if
+++ b/refpolicy/policy/modules/system/userdomain.if
@@ -392,6 +392,7 @@ terminal_make_physical_terminal($1_t,$1_tty_device_t)
 # Local policy
 #
 
+# Inherit rules for ordinary users.
 base_user_domain($1)
 
 allow $1_t $1_devpts_t:chr_file { setattr ioctl read getattr lock write append };
@@ -560,3 +561,233 @@ allow $1_mount_t xdm_t:fifo_file { read write };
 
 ') dnl end TODO
 ')
+
+########################################
+#
+# Admin domain template
+#
+define(`admin_domain_template',`
+
+##############################
+#
+# Declarations
+#
+
+attribute $1_file_type;
+
+type $1_t, userdomain, privhome; #, admin, web_client_domain, nscd_client_domain;
+kernel_make_object_identity_change_constraint_exception($1_t)
+domain_make_domain($1_t)
+role system_r types $1_t;
+
+#ifdef(`direct_sysadm_daemon', `, priv_system_role')
+#; dnl end of sysadm_t type declaration
+
+# Type and access for pty devices.
+type $1_devpts_t;
+terminal_make_pseudoterminal($1_devpts_t)
+
+type $1_home_t, $1_file_type; #, home_type;
+files_make_file($1_home_t)
+
+type $1_home_dir_t; #, home_dir_type, home_type;
+files_make_file($1_home_t)
+
+type $1_tmp_t, $1_file_type;
+files_make_temporary_file($1_tmp_t)
+
+type $1_tty_device_t;
+terminal_make_physical_terminal($1_t,$1_tty_device_t)
+
+##############################
+#
+# $1_t local policy
+#
+
+# Inherit rules for ordinary users.
+base_user_domain($1)
+
+allow $1_t self:capability ~sys_module;
+allow $1_t self:process { setexec setfscreate };
+
+# Set password information for other users.
+allow $1_t self:passwd { passwd chfn chsh };
+
+# Skip authentication when pam_rootok is specified.
+allow $1_t self:passwd rootok;
+
+# Manipulate other users crontab.
+allow $1_t self:passwd crontab;
+
+# for the administrator to run TCP servers directly
+allow $1_t self:tcp_socket { acceptfrom connectto recvfrom };
+
+allow $1_t $1_devpts_t:chr_file { setattr ioctl read getattr lock write append };
+terminal_create_private_pseudoterminal($1_t,$1_devpts_t)
+
+allow $1_t $1_tmp_t:dir { create read getattr lock setattr ioctl link unlink rename search add_name remove_name reparent write rmdir };
+allow $1_t $1_tmp_t:file { create ioctl read getattr lock write setattr append link unlink rename };
+allow $1_t $1_tmp_t:lnk_file { create ioctl read getattr lock write setattr append link unlink rename };
+allow $1_t $1_tmp_t:fifo_file { create ioctl read getattr lock write setattr append link unlink rename };
+allow $1_t $1_tmp_t:sock_file { create ioctl read getattr lock write setattr append link unlink rename };
+files_create_private_tmp_data($1_t, $1_tmp_t, { file dir lnk_file sock_file fifo_file })
+
+kernel_read_system_state($1_t)
+kernel_read_network_state($1_t)
+kernel_read_software_raid_state($1_t)
+kernel_get_core_interface_attributes($1_t)
+kernel_get_message_interface_attributes($1_t)
+kernel_change_ring_buffer_level($1_t)
+kernel_clear_ring_buffer($1_t)
+kernel_read_ring_buffer($1_t)
+kernel_get_sysvipc_info($1_t)
+kernel_modify_all_sysctl($1_t)
+kernel_set_selinux_enforcement_mode($1_t)
+kernel_set_selinux_boolean($1_t)
+kernel_set_selinux_security_parameters($1_t)
+# Get security policy decisions:
+kernel_get_selinuxfs_mount_point($1_t)
+kernel_validate_selinux_context($1_t)
+kernel_compute_selinux_access_vector($1_t)
+kernel_compute_selinux_create_context($1_t)
+kernel_compute_selinux_relabel_context($1_t)
+kernel_compute_selinux_reachable_user_contexts($1_t)
+
+corenetwork_bind_tcp_on_general_port($1_t)
+
+devices_get_generic_block_device_attributes($1_t)
+devices_get_generic_character_device_attributes($1_t)
+devices_get_all_block_device_attributes($1_t)
+devices_get_all_character_device_attributes($1_t)
+
+filesystem_get_all_filesystems_attributes($1_t)
+filesystem_set_all_filesystems_quotas($1_t)
+
+storage_raw_read_removable_device($1_t)
+storage_raw_write_removable_device($1_t)
+
+terminal_use_console($1_t)
+terminal_use_general_physical_terminal($1_t)
+terminal_use_all_private_pseudoterminals($1_t)
+terminal_use_all_private_physical_terminals($1_t)
+
+domain_set_all_domains_priorities($1_t)
+
+init_use_control_channel($1_t)
+
+logging_send_system_log_message($1_t)
+
+modutils_insmod_transition($1_t)
+
+selinux_read_config($1_t)
+# The following rule is temporary until such time that a complete
+# policy management infrastructure is in place so that an administrator
+# cannot directly manipulate policy files with arbitrary programs.
+selinux_manage_source_policy($1_t)
+# Violates the goal of limiting write access to checkpolicy.
+# But presently necessary for installing the file_contexts file.
+selinux_manage_binary_policy($1_t)
+
+ifdef(`TODO',`
+
+# Let admin stat the shadow file.
+allow $1_t shadow_t:file getattr;
+
+# Create and use all files that have the sysadmfile attribute.
+allow $1_t sysadmfile:{ file sock_file fifo_file } create_file_perms;
+allow $1_t sysadmfile:lnk_file create_lnk_perms;
+allow $1_t sysadmfile:dir create_dir_perms;
+
+# Relabel all files.
+# Actually this will not allow relabeling ALL files unless you change
+# sysadmfile to file_type (and change the assertion in assert.te that
+# only auth_write can relabel shadow_t)
+allow $1_t sysadmfile:dir { getattr read search relabelfrom relabelto };
+allow $1_t sysadmfile:notdevfile_class_set { getattr relabelfrom relabelto };
+
+# for lsof
+allow $1_t mtrr_device_t:file getattr;
+
+# Examine all processes.
+can_ps($1_t, domain)
+
+# Send signals to all processes.
+allow $1_t { domain unlabeled_t }:process signal_perms;
+
+allow $1_t serial_device:chr_file setattr;
+
+# allow setting up tunnels
+allow $1_t tun_tap_device_t:chr_file rw_file_perms;
+
+allow $1_t ptyfile:chr_file getattr;
+
+# Run programs from staff home directories.
+# Not ideal, but typical if users want to login as both sysadm_t or staff_t.
+can_exec($1_t, staff_home_t)
+
+# Run programs from /usr/src.
+can_exec($1_t, src_t)
+
+# Run admin programs that require different permissions in their own domain.
+# These rules were moved into the appropriate program domain file.
+
+ifdef(`startx.te', `
+ifdef(`xserver.te', `
+# Create files in /tmp/.X11-unix with our X servers derived
+# tmp type rather than user_xserver_tmp_t.
+file_type_auto_trans($1_xserver_t, xserver_tmpfile, $1_xserver_tmp_t, sock_file)
+')dnl end xserver.te
+')dnl end startx.te
+
+ifdef(`xdm.te', `
+ifdef(`xauth.te', `
+if (xdm_sysadm_login) {
+allow xdm_t $1_home_t:lnk_file read;
+allow xdm_t $1_home_t:dir search;
+}
+allow $1_t xdm_t:fifo_file rw_file_perms;
+')dnl end ifdef xauth.te
+')dnl end ifdef xdm.te
+
+#
+# A user who is authorized for sysadm_t may nonetheless have
+# a home directory labeled with user_home_t if the user is expected
+# to login in either user_t or sysadm_t.  Hence, the derived domains
+# for programs need to be able to access user_home_t.  
+# 
+
+# Allow our gph domain to write to .xsession-errors.
+ifdef(`gnome-pty-helper.te', `
+allow $1_gph_t user_home_dir_type:dir rw_dir_perms;
+allow $1_gph_t user_home_type:file create_file_perms;
+')
+
+# Manipulate other users crontab.
+can_getsecurity(sysadm_crontab_t)
+
+ifdef(`crond.te', `
+allow $1_crond_t var_log_t:file r_file_perms;
+')
+
+# Allow our crontab domain to unlink a user cron spool file.
+ifdef(`crontab.te',`allow $1_crontab_t user_cron_spool_t:file unlink;')
+
+# for the administrator to run TCP servers directly
+allow $1_t kernel_t:tcp_socket recvfrom;
+
+# Connect data port to ftpd.
+ifdef(`ftpd.te', `can_tcp_connect(ftpd_t, $1_t)')
+
+# Connect second port to rshd.
+ifdef(`rshd.te', `can_tcp_connect(rshd_t, $1_t)')
+
+# Allow MAKEDEV to work
+allow $1_t device_t:dir rw_dir_perms;
+allow $1_t device_type:{ blk_file chr_file } { create unlink rename };
+allow $1_t device_t:lnk_file { create read };
+
+# for lsof
+allow $1_t domain:socket_class_set getattr;
+allow $1_t eventpollfs_t:file getattr;
+') dnl endif TODO
+')