# Copyright (C) 2005 Tresys Technology, LLC policy_module(locallogin,1.0) ######################################## # # Declarations # type local_login_t; #, nscd_client_domain; kernel_make_object_identity_change_constraint_exception(local_login_t) kernel_make_process_identity_change_constraint_exception(local_login_t) kernel_make_role_change_constraint_exception(local_login_t) authlogin_make_login_program_entrypoint(local_login_t) domain_make_domain(local_login_t) domain_make_file_descriptors_widely_inheritable(local_login_t) role system_r types local_login_t; type local_login_tmp_t; files_make_file(local_login_tmp_t) type sulogin_t; type sulogin_exec_t; kernel_make_object_identity_change_constraint_exception(sulogin_t) kernel_make_process_identity_change_constraint_exception(sulogin_t) kernel_make_role_change_constraint_exception(sulogin_t) domain_make_file_descriptors_widely_inheritable(sulogin_t) init_make_init_domain(sulogin_t,sulogin_exec_t) init_make_system_domain(sulogin_t,sulogin_exec_t) role system_r types sulogin_t; ######################################## # # Local login local policy # allow local_login_t self:capability { dac_override chown fowner fsetid kill setgid setuid net_bind_service sys_nice sys_resource sys_tty_config }; allow local_login_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem dyntransition }; allow local_login_t self:process { setrlimit setexec }; allow local_login_t self:fd use; allow local_login_t self:fifo_file { read getattr lock ioctl write append }; allow local_login_t self:unix_dgram_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown }; allow local_login_t self:unix_stream_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown listen accept }; allow local_login_t self:unix_dgram_socket sendto; allow local_login_t self:unix_stream_socket connectto; allow local_login_t self:shm { associate getattr setattr create destroy read write lock unix_read unix_write }; allow local_login_t self:sem { associate getattr setattr create destroy read write unix_read unix_write }; allow local_login_t self:msgq { associate getattr setattr create destroy read write enqueue unix_read unix_write }; allow local_login_t self:msg { send receive }; allow local_login_t local_login_tmp_t:dir { create read getattr lock setattr ioctl link unlink rename search add_name remove_name reparent write rmdir }; allow local_login_t local_login_tmp_t:file { create ioctl read getattr lock write setattr append link unlink rename }; files_create_private_tmp_data(local_login_t, local_login_tmp_t, { file dir }) kernel_read_system_state(local_login_t) kernel_read_kernel_sysctl(local_login_t) kernel_get_selinuxfs_mount_point(local_login_t) kernel_validate_selinux_context(local_login_t) kernel_compute_selinux_access_vector(local_login_t) kernel_compute_selinux_create_context(local_login_t) kernel_compute_selinux_relabel_context(local_login_t) kernel_compute_selinux_reachable_user_contexts(local_login_t) # for SSP/ProPolice devices_get_pseudorandom_data(local_login_t) terminal_use_all_private_physical_terminals(local_login_t) terminal_use_general_physical_terminal(local_login_t) authlogin_check_password_transition(local_login_t) authlogin_ignore_read_shadow_passwords(local_login_t) authlogin_modify_login_records(local_login_t) authlogin_modify_last_login_log(local_login_t) authlogin_pam_execute(local_login_t) authlogin_pam_console_manage_runtime_data(local_login_t) domain_read_all_entrypoint_programs(local_login_t) files_read_general_system_config(local_login_t) files_read_runtime_system_config(local_login_t) files_list_home_directories(local_login_t) files_read_general_application_resources(local_login_t) init_script_modify_runtime_data(local_login_t) init_ignore_use_file_descriptors(local_login_t) libraries_use_dynamic_loader(local_login_t) libraries_use_shared_libraries(local_login_t) logging_send_system_log_message(local_login_t) miscfiles_read_localization(local_login_t) selinux_read_config(local_login_t) selinux_read_default_contexts(local_login_t) ifdef(`TODO',` allow local_login_t unpriv_userdomain:fd use; can_ypbind(local_login_t) ifdef(`automount.te', ` allow local_login_t autofs_t:dir { search getattr }; ') allow local_login_t bin_t:dir r_dir_perms; allow local_login_t bin_t:notdevfile_class_set r_file_perms; allow local_login_t sbin_t:dir r_dir_perms; allow local_login_t sbin_t:notdevfile_class_set r_file_perms; if (read_default_t) { allow local_login_t default_t:dir r_dir_perms; allow local_login_t default_t:notdevfile_class_set r_file_perms; } # Read directories and files with the readable_t type. # This type is a general type for "world"-readable files. allow local_login_t readable_t:dir r_dir_perms; allow local_login_t readable_t:notdevfile_class_set r_file_perms; # Read /var, /var/spool allow local_login_t { var_t var_spool_t }:dir search; # for when /var/mail is a sym-link allow local_login_t var_t:lnk_file read; # Read /dev directories and any symbolic links. allow local_login_t device_t:lnk_file r_file_perms; dontaudit local_login_t sysfs_t:dir search; allow local_login_t autofs_t:dir { search read getattr }; allow local_login_t mnt_t:dir r_dir_perms; # FIXME: what is this for? optional_policy(`xdm.te', ` allow xdm_t local_login_t:process signull; ') ifdef(`crack.te', ` allow local_login_t crack_db_t:file r_file_perms; ') # Permit login to search the user home directories. allow local_login_t home_root_t:dir search; allow local_login_t home_dir_type:dir search; # Write to /var/log/btmp allow local_login_t faillog_t:file { append read write }; # Search for mail spool file. allow local_login_t mail_spool_t:dir r_dir_perms; allow local_login_t mail_spool_t:file getattr; allow local_login_t mail_spool_t:lnk_file read; allow local_login_t mouse_device_t:chr_file { getattr setattr }; tunable_policy(`targeted_policy',` unconfined_domain(local_login_t) domain_auto_trans(local_login_t, shell_exec_t, unconfined_t) ') # But also permit other user domains to be entered by login. domain_trans(local_login_t, shell_exec_t, userdomain) allow local_login_t userdomain:process signal; # Do not audit denied attempts to access devices. dontaudit local_login_t fixed_disk_device_t:blk_file { getattr setattr }; dontaudit local_login_t removable_device_t:blk_file { getattr setattr }; dontaudit local_login_t device_t:{ chr_file blk_file lnk_file } { getattr setattr }; dontaudit local_login_t misc_device_t:{ chr_file blk_file } { getattr setattr }; dontaudit local_login_t framebuf_device_t:chr_file { getattr setattr read }; dontaudit local_login_t apm_bios_t:chr_file { getattr setattr }; dontaudit local_login_t v4l_device_t:chr_file { getattr setattr read }; dontaudit local_login_t removable_device_t:chr_file { getattr setattr }; dontaudit local_login_t scanner_device_t:chr_file { getattr setattr }; # Do not audit denied attempts to access /mnt. dontaudit local_login_t mnt_t:dir r_dir_perms; # Create lock file. allow local_login_t var_lock_t:dir rw_dir_perms; allow local_login_t var_lock_t:file create_file_perms; # Read and write ttys. allow local_login_t tty_device_t:chr_file setattr; allow local_login_t ttyfile:chr_file setattr; # Relabel ttys. allow local_login_t tty_device_t:chr_file { relabelfrom relabelto }; allow local_login_t ttyfile:chr_file { relabelfrom relabelto }; optional_policy(`gpm.te',` allow local_login_t gpmctl_t:sock_file { getattr setattr }; ') # Allow setting of attributes on sound devices. allow local_login_t sound_device_t:chr_file { getattr setattr }; # Allow setting of attributes on power management devices. allow local_login_t power_device_t:chr_file { getattr setattr }; #if (use_nfs_home_dirs) { #r_dir_file(local_login_t, nfs_t) #} #if (use_samba_home_dirs) { #r_dir_file(local_login_t, cifs_t) #} ') dnl endif TODO ################################# # # Sulogin local policy # allow sulogin_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem dyntransition }; allow sulogin_t self:fd use; allow sulogin_t self:fifo_file { read getattr lock ioctl write append }; allow sulogin_t self:unix_dgram_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown }; allow sulogin_t self:unix_stream_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown listen accept }; allow sulogin_t self:unix_dgram_socket sendto; allow sulogin_t self:unix_stream_socket connectto; allow sulogin_t self:shm { associate getattr setattr create destroy read write lock unix_read unix_write }; allow sulogin_t self:sem { associate getattr setattr create destroy read write unix_read unix_write }; allow sulogin_t self:msgq { associate getattr setattr create destroy read write enqueue unix_read unix_write }; allow sulogin_t self:msg { send receive }; kernel_read_system_state(sulogin_t) init_script_get_process_group(sulogin_t) files_read_general_system_config(sulogin_t) libraries_use_dynamic_loader(sulogin_t) libraries_use_shared_libraries(sulogin_t) logging_send_system_log_message(sulogin_t) selinux_read_config(sulogin_t) selinux_read_default_contexts(sulogin_t) authlogin_read_shadow_passwords(sulogin_t) # suse and debian do not use pam with sulogin... ifdef(`monolithic_policy',` ifdef(`distro_suse', `define(`sulogin_no_pam')') ifdef(`distro_debian', `define(`sulogin_no_pam')') ') dnl end monolithic_policy tunable_policy(`sulogin_no_pam', ` allow sulogin_t self:capability sys_tty_config; init_get_process_group(sulogin_t) #domain_auto_trans(sulogin_t, shell_exec_t, sysadm_t) ', ` allow sulogin_t self:process setexec; kernel_get_selinuxfs_mount_point(sulogin_t) kernel_validate_selinux_context(sulogin_t) kernel_compute_selinux_access_vector(sulogin_t) kernel_compute_selinux_create_context(sulogin_t) kernel_compute_selinux_relabel_context(sulogin_t) kernel_compute_selinux_reachable_user_contexts(sulogin_t) #domain_trans(sulogin_t, shell_exec_t, sysadm_t) ') ifdef(`TODO',` allow sulogin_t unpriv_userdomain:fd use; can_ypbind(sulogin_t) ifdef(`automount.te', ` allow sulogin_t autofs_t:dir { search getattr }; ') allow sulogin_t sysadm_devpts_t:chr_file { getattr ioctl read write }; allow sulogin_t { staff_home_dir_t sysadm_home_dir_t }:dir search; # because file systems are not mounted dontaudit sulogin_t file_t:dir search; ') dnl endif TODO