From bb676335721ed687e8ff0941450a4323dd39788b Mon Sep 17 00:00:00 2001 From: Chris PeBenito Date: Oct 24 2005 11:55:53 +0000 Subject: add initrc_su_t --- diff --git a/refpolicy/policy/modules/admin/su.if b/refpolicy/policy/modules/admin/su.if index c36b187..7215d89 100644 --- a/refpolicy/policy/modules/admin/su.if +++ b/refpolicy/policy/modules/admin/su.if @@ -1,5 +1,96 @@ ## Run shells with substitute user and group +template(`su_restricted_domain_template', ` + gen_require(` + type su_exec_t; + ') + + type $1_su_t; + domain_entry_file($1_su_t,su_exec_t) + domain_type($1_su_t) + domain_role_change_exempt($1_su_t) + domain_subj_id_change_exempt($1_su_t) + domain_obj_id_change_exempt($1_su_t) + domain_wide_inherit_fd($1_su_t) + role $3 types $1_su_t; + + allow $2 $1_su_t:process signal; + + allow $1_su_t self:capability { audit_control audit_write setuid setgid net_bind_service chown dac_override fowner sys_nice sys_resource }; + dontaudit $1_su_t self:capability sys_tty_config; + allow $1_su_t self:process { setexec setsched setrlimit }; + allow $1_su_t self:fifo_file rw_file_perms; + allow $1_su_t self:netlink_audit_socket { nlmsg_relay create_netlink_socket_perms }; + + # Transition from the user domain to this domain. + domain_auto_trans($2, su_exec_t, $1_su_t) + allow $2 $1_su_t:fd use; + allow $1_su_t $2:fd use; + allow $1_su_t $2:fifo_file rw_file_perms; + allow $1_su_t $2:process sigchld; + + # By default, revert to the calling domain when a shell is executed. + corecmd_shell_domtrans($1_su_t,$2) + allow $2 $1_su_t:fd use; + allow $1_su_t $2:fd use; + allow $1_su_t $2:fifo_file rw_file_perms; + allow $1_su_t $2:process sigchld; + + kernel_read_system_state($1_su_t) + kernel_read_kernel_sysctl($1_su_t) + + # for SSP + dev_read_urand($1_su_t) + + selinux_get_fs_mount($1_su_t) + selinux_validate_context($1_su_t) + selinux_compute_access_vector($1_su_t) + selinux_compute_create_context($1_su_t) + selinux_compute_relabel_context($1_su_t) + selinux_compute_user_contexts($1_su_t) + + auth_domtrans_chk_passwd($1_su_t) + auth_dontaudit_read_shadow($1_su_t) + auth_use_nsswitch($1_su_t) + + domain_wide_inherit_fd($1_su_t) + + files_read_etc_files($1_su_t) + + # Write to utmp. + init_rw_script_pid($1_su_t) + + libs_use_ld_so($1_su_t) + libs_use_shared_libs($1_su_t) + + logging_send_syslog_msg($1_su_t) + + miscfiles_read_localization($1_su_t) + + seutil_read_config($1_su_t) + seutil_read_default_contexts($1_su_t) + + # Only allow transitions to unprivileged user domains. + userdom_spec_domtrans_unpriv_users($1_su_t) + + optional_policy(`crond.te',` + cron_read_pipe($1_su_t) + ') + + optional_policy(`kerberos.te',` + kerberos_use($1_su_t) + ') + + optional_policy(`nscd.te',` + nscd_use_socket($1_su_t) + ') + + ifdef(`TODO',` + # Caused by su - init scripts + dontaudit $1_su_t initrc_devpts_t:chr_file { getattr ioctl }; + ') dnl end TODO +') + ####################################### ## ## The per user domain template for the su module. diff --git a/refpolicy/policy/modules/system/init.te b/refpolicy/policy/modules/system/init.te index 70c9cd6..db79172 100644 --- a/refpolicy/policy/modules/system/init.te +++ b/refpolicy/policy/modules/system/init.te @@ -605,6 +605,11 @@ optional_policy(`ssh.te',` ssh_dontaudit_read_server_keys(initrc_t) ') +# allow init scripts to su +optional_policy(`su.te',` + su_restricted_domain_template(initrc,initrc_t,system_r) +') + optional_policy(`sysnetwork.te',` ifdef(`distro_redhat',` sysnet_rw_dhcp_config(initrc_t) @@ -631,14 +636,6 @@ allow initrc_t ramfs_t:fifo_file write; # during boot up initrc needs to do the following allow initrc_t default_t:dir write; -# -# These rules are here to allow init scripts to su -# -optional_policy(`su.te', ` -su_restricted_domain(initrc,system) -role system_r types initrc_su_t; -') - ifdef(`distro_redhat', ` # readahead asks for these allow initrc_t var_lib_nfs_t:file r_file_perms;