From 9489149ec06a517f0c3d94f231857fb747f07210 Mon Sep 17 00:00:00 2001 From: Chris PeBenito Date: Aug 08 2005 21:03:23 +0000 Subject: add su --- diff --git a/refpolicy/Changelog b/refpolicy/Changelog index b04973a..c2b4898 100644 --- a/refpolicy/Changelog +++ b/refpolicy/Changelog @@ -8,6 +8,7 @@ * Added policies: acct mysql + su tmpreaper updfstab diff --git a/refpolicy/policy/modules.conf.targeted_example b/refpolicy/policy/modules.conf.targeted_example index 488d6f8..c0fbd0a 100644 --- a/refpolicy/policy/modules.conf.targeted_example +++ b/refpolicy/policy/modules.conf.targeted_example @@ -60,6 +60,34 @@ files = base domain = base # Layer: admin +# Module: usermanage +# +# Policy for managing user accounts. +# +usermanage = base + +# Layer: admin +# Module: rpm +# +# Policy for the RPM package manager. +# +rpm = off + +# Layer: admin +# Module: dmesg +# +# Policy for dmesg. +# +dmesg = base + +# Layer: admin +# Module: logrotate +# +# Rotate and archive system logs +# +logrotate = off + +# Layer: admin # Module: consoletype # # Determine of the console connected to the controlling terminal. @@ -74,32 +102,32 @@ consoletype = base netutils = base # Layer: admin -# Module: usermanage +# Module: acct # -# Policy for managing user accounts. +# Berkeley process accounting # -usermanage = base +acct = base # Layer: admin -# Module: rpm +# Module: tmpreaper # -# Policy for the RPM package manager. +# Manage temporary directory sizes and file ages # -rpm = off +tmpreaper = base # Layer: admin -# Module: dmesg +# Module: updfstab # -# Policy for dmesg. +# Red Hat utility to change /etc/fstab. # -dmesg = base +updfstab = base # Layer: admin -# Module: logrotate +# Module: su # -# Rotate and archive system logs +# Run shells with substitute user and group # -logrotate = off +su = off # Layer: apps # Module: gpg @@ -137,25 +165,25 @@ storage = base terminal = base # Layer: services -# Module: cron +# Module: remotelogin # -# Periodic execution of scheduled commands. +# Policy for rshd, rlogind, and telnetd. # -cron = base +remotelogin = base # Layer: services -# Module: ssh +# Module: nscd # -# Secure shell client and server policy. +# Name service cache daemon # -ssh = off +nscd = base # Layer: services -# Module: remotelogin +# Module: nis # -# Policy for rshd, rlogind, and telnetd. +# Policy for NIS (YP) servers and clients # -remotelogin = base +nis = base # Layer: services # Module: sendmail @@ -165,18 +193,18 @@ remotelogin = base sendmail = off # Layer: services -# Module: mta +# Module: ssh # -# Policy common to all email tranfer agents. +# Secure shell client and server policy. # -mta = base +ssh = off # Layer: services -# Module: nis +# Module: cron # -# Policy for NIS (YP) servers and clients +# Periodic execution of scheduled commands. # -nis = base +cron = base # Layer: services # Module: inetd @@ -193,11 +221,32 @@ inetd = base kerberos = base # Layer: services -# Module: nscd +# Module: mta # -# Name service cache daemon +# Policy common to all email tranfer agents. # -nscd = base +mta = base + +# Layer: services +# Module: mysql +# +# Policy for MySQL +# +mysql = base + +# Layer: system +# Module: unconfined +# +# The unconfined domain. +# +unconfined = base + +# Layer: system +# Module: authlogin +# +# Common policy for authentication and user login. +# +authlogin = base # Layer: system # Module: selinuxutil @@ -221,11 +270,11 @@ getty = base mount = base # Layer: system -# Module: logging +# Module: ipsec # -# Policy for the kernel message logger and system logging daemon. +# TCP/IP encryption # -logging = base +ipsec = base # Layer: system # Module: locallogin @@ -235,6 +284,13 @@ logging = base locallogin = base # Layer: system +# Module: logging +# +# Policy for the kernel message logger and system logging daemon. +# +logging = base + +# Layer: system # Module: sysnetwork # # Policy for network configuration: ifconfig and dhcp client. @@ -242,6 +298,20 @@ locallogin = base sysnetwork = base # Layer: system +# Module: fstools +# +# Tools for filesystem management, such as mkfs and fsck. +# +fstools = base + +# Layer: system +# Module: pcmcia +# +# PCMCIA card management services +# +pcmcia = base + +# Layer: system # Module: iptables # # Policy for iptables. @@ -256,13 +326,6 @@ iptables = base userdomain = base # Layer: system -# Module: clock -# -# Policy for reading and setting the hardware clock. -# -clock = base - -# Layer: system # Module: corecommands # # Core policy for shells, and generic programs @@ -279,6 +342,13 @@ corecommands = base hotplug = base # Layer: system +# Module: clock +# +# Policy for reading and setting the hardware clock. +# +clock = base + +# Layer: system # Module: lvm # # Policy for logical volume management programs. @@ -293,18 +363,18 @@ lvm = base modutils = base # Layer: system -# Module: udev +# Module: init # -# Policy for udev. +# System initialization programs (init and init scripts). # -udev = base +init = base # Layer: system -# Module: init +# Module: udev # -# System initialization programs (init and init scripts). +# Policy for udev. # -init = base +udev = base # Layer: system # Module: hostname @@ -314,11 +384,11 @@ init = base hostname = base # Layer: system -# Module: authlogin +# Module: raid # -# Common policy for authentication and user login. +# RAID array management tools # -authlogin = base +raid = base # Layer: system # Module: libraries @@ -328,44 +398,9 @@ authlogin = base libraries = base # Layer: system -# Module: ipsec -# -# TCP/IP encryption -# -ipsec = base - -# Layer: system -# Module: unconfined -# -# The unconfined domain. -# -unconfined = base - -# Layer: system # Module: miscfiles # # Miscelaneous files. # miscfiles = base -# Layer: system -# Module: fstools -# -# Tools for filesystem management, such as mkfs and fsck. -# -fstools = base - -# Layer: system -# Module: pcmcia -# -# PCMCIA card management services -# -pcmcia = base - -# Layer: system -# Module: raid -# -# RAID array management tools -# -raid = base - diff --git a/refpolicy/policy/modules/admin/su.fc b/refpolicy/policy/modules/admin/su.fc new file mode 100644 index 0000000..ed98aba --- /dev/null +++ b/refpolicy/policy/modules/admin/su.fc @@ -0,0 +1,2 @@ + +/bin/su -- context_template(system_u:object_r:su_exec_t,s0) diff --git a/refpolicy/policy/modules/admin/su.if b/refpolicy/policy/modules/admin/su.if new file mode 100644 index 0000000..6dc5216 --- /dev/null +++ b/refpolicy/policy/modules/admin/su.if @@ -0,0 +1,149 @@ +## Run shells with substitute user and group + +template(`su_per_userdomain_template',` + + type $1_su_t; + domain_entry_file($1_su_t,su_exec_t) + domain_type($1_su_t) + domain_role_change_exempt($1_su_t) + domain_subj_id_change_exempt($1_su_t) + domain_obj_id_change_exempt($1_su_t) + domain_wide_inherit_fd($1_su_t) + role $1_r types $1_su_t; + + allow $1_t $1_su_t:process signal; + + allow $1_su_t self:capability { setuid setgid net_bind_service chown dac_override fowner sys_nice sys_resource }; + dontaudit $1_su_t self:capability sys_tty_config; + allow $1_su_t self:process { setexec setsched setrlimit }; + allow $1_su_t self:fifo_file rw_file_perms; + + # Transition from the user domain to this domain. + domain_auto_trans($1_t, su_exec_t, $1_su_t) + allow $1_t $1_su_t:fd use; + allow $1_su_t $1_t:fd use; + allow $1_su_t $1_t:fifo_file rw_file_perms; + allow $1_su_t $1_t:process sigchld; + + # By default, revert to the calling domain when a shell is executed. + corecmd_shell_domtrans($1_su_t,$1_t) + allow $1_t $1_su_t:fd use; + allow $1_su_t $1_t:fd use; + allow $1_su_t $1_t:fifo_file rw_file_perms; + allow $1_su_t $1_t:process sigchld; + + kernel_read_system_state($1_su_t) + kernel_read_kernel_sysctl($1_su_t) + + # for SSP + dev_read_urand($1_su_t) + + fs_search_auto_mountpoints($1_su_t) + + selinux_get_fs_mount($1_su_t) + selinux_validate_context($1_su_t) + selinux_compute_access_vector($1_su_t) + selinux_compute_create_context($1_su_t) + selinux_compute_relabel_context($1_su_t) + selinux_compute_user_contexts($1_su_t) + + # Relabel ttys and ptys. + term_relabel_all_user_ttys($1_su_t) + term_relabel_all_user_ptys($1_su_t) + # Close and re-open ttys and ptys to get the fd into the correct domain. + term_use_all_user_ttys($1_su_t) + term_use_all_user_ptys($1_su_t) + + auth_dontaudit_read_shadow($1_su_t) + + domain_wide_inherit_fd($1_su_t) + + files_read_etc_files($1_su_t) + files_search_var_lib($1_su_t) + + init_dontaudit_use_fd($1_su_t) + # Write to utmp. + init_rw_script_pid($1_su_t) + + libs_use_ld_so($1_su_t) + libs_use_shared_libs($1_su_t) + + logging_send_syslog_msg($1_su_t) + + miscfiles_read_localization($1_su_t) + + seutil_read_config($1_su_t) + seutil_read_default_contexts($1_su_t) + + if(secure_mode) + { + # Only allow transitions to unprivileged user domains. + userdom_spec_domtrans_unpriv_users($1_su_t) + } else { + # Allow transitions to all user domains + userdom_spec_domtrans_all_users($1_su_t) + } + + if (use_nfs_home_dirs) { + fs_search_nfs($1_su_t) + } + + if (use_samba_home_dirs) { + fs_search_cifs($1_su_t) + } + + optional_policy(`crond.te',` + cron_read_pipe($1_su_t) + ') + + optional_policy(`kerberos.te',` + kerberos_use($1_su_t) + ') + + optional_policy(`nis.te',` + nis_use_ypbind($1_su_t) + ') + + optional_policy(`nscd.te',` + nscd_use_socket($1_su_t) + ') + + ifdef(`TODO',` + domain_auto_trans($1_su_t, chkpwd_exec_t, $1_chkpwd_t) + + # Caused by su - init scripts + dontaudit $1_su_t initrc_devpts_t:chr_file { getattr ioctl }; + + # Inherit and use descriptors from gnome-pty-helper. + ifdef(`gnome-pty-helper.te', `allow $1_su_t $1_gph_t:fd use;') + + # Write to the user domain tty. + access_terminal($1_su_t, $1) + + allow $1_su_t { home_root_t $1_home_dir_t }:dir search; + allow $1_su_t $1_home_t:file create_file_perms; + + ifdef(`user_canbe_sysadm', ` + allow $1_su_t home_dir_type:dir { search write }; + ', ` + dontaudit $1_su_t home_dir_type:dir { search write }; + ') + + # Modify .Xauthority file (via xauth program). + ifdef(`xauth.te', ` + file_type_auto_trans($1_su_t, staff_home_dir_t, staff_xauth_home_t, file) + file_type_auto_trans($1_su_t, user_home_dir_t, user_xauth_home_t, file) + file_type_auto_trans($1_su_t, sysadm_home_dir_t, sysadm_xauth_home_t, file) + domain_auto_trans($1_su_t, xauth_exec_t, $1_xauth_t) + ') + + ifdef(`cyrus.te', ` + allow $1_su_t cyrus_var_lib_t:dir search; + ') + ifdef(`ssh.te', ` + # Access sshd cookie files. + allow $1_su_t sshd_tmp_t:file rw_file_perms; + file_type_auto_trans($1_su_t, sshd_tmp_t, $1_tmp_t) + ') + ') dnl end TODO +') diff --git a/refpolicy/policy/modules/admin/su.te b/refpolicy/policy/modules/admin/su.te new file mode 100644 index 0000000..e01bee1 --- /dev/null +++ b/refpolicy/policy/modules/admin/su.te @@ -0,0 +1,12 @@ + +policy_module(su,1.0) + +######################################## +# +# Declarations +# + +type su_exec_t; +files_type(su_exec_t) + +# Remaining policy in the per-user domain template diff --git a/refpolicy/policy/modules/kernel/filesystem.if b/refpolicy/policy/modules/kernel/filesystem.if index 825818c..09e1c6b 100644 --- a/refpolicy/policy/modules/kernel/filesystem.if +++ b/refpolicy/policy/modules/kernel/filesystem.if @@ -403,6 +403,23 @@ interface(`fs_getattr_cifs',` ######################################## ## +## Search directories on a CIFS or SMB filesystem. +## +## +## The type of the domain reading the files. +## +# +interface(`fs_search_cifs',` + gen_require(` + type cifs_t; + class dir search; + ') + + allow $1 cifs_t:dir search; +') + +######################################## +## ## Read files on a CIFS or SMB filesystem. ## ## @@ -873,6 +890,23 @@ interface(`fs_getattr_nfs',` ######################################## ## +## Search directories on a NFS filesystem. +## +## +## The type of the domain reading the files. +## +# +interface(`fs_search_nfs',` + gen_require(` + type nfs_t; + class dir search; + ') + + allow $1 nfs_t:dir search; +') + +######################################## +## ## Read files on a NFS filesystem. ## ##