diff --git a/policy/modules/services/oddjob.fc b/policy/modules/services/oddjob.fc
index 60b26f4..bdf8c89 100644
--- a/policy/modules/services/oddjob.fc
+++ b/policy/modules/services/oddjob.fc
@@ -1,4 +1,4 @@
-/usr/lib/oddjob/mkhomedir -- gen_context(system_u:object_r:oddjob_mkhomedir_exec_t,s0)
+/usr/lib(64)?/oddjob/mkhomedir -- gen_context(system_u:object_r:oddjob_mkhomedir_exec_t,s0)
 /usr/sbin/oddjobd -- gen_context(system_u:object_r:oddjob_exec_t,s0)
diff --git a/policy/modules/services/oddjob.if b/policy/modules/services/oddjob.if
index 9bac058..6433998 100644
--- a/policy/modules/services/oddjob.if
+++ b/policy/modules/services/oddjob.if
@@ -84,3 +84,28 @@ interface(`oddjob_domtrans_mkhomedir',`
 domtrans_pattern($1, oddjob_mkhomedir_exec_t, oddjob_mkhomedir_t)
 ')
+
+########################################
+##
+## Execute the oddjob_mkhomedir program in the oddjob_mkhomedir domain.
+##
+##
+##
+## Domain allowed access.
+##
+##
+##
+##
+## Role allowed access.
+##
+##
+##
+#
+interface(`oddjob_run_mkhomedir',`
+ gen_require(`
+ type oddjob_mkhomedir_t;
+ ')
+
+ oddjob_domtrans_mkhomedir($1)
+ role $2 types oddjob_mkhomedir_t;
+')
diff --git a/policy/modules/services/oddjob.te b/policy/modules/services/oddjob.te
index 44f5971..258802a 100644
--- a/policy/modules/services/oddjob.te
+++ b/policy/modules/services/oddjob.te
@@ -1,5 +1,5 @@
-policy_module(oddjob, 1.6.0)
+policy_module(oddjob, 1.6.1)
 ########################################
 #
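Review bot: The summary of the new oddjob_run_mkhomedir interface describes only the domain transition, while the `role $2 types oddjob_mkhomedir_t;` line also authorizes the caller's role for the oddjob_mkhomedir domain, which is the part a policy author building a role needs to see; the other run interfaces in refpolicy state both effects. Suggest the summary read `Execute the oddjob_mkhomedir program in the oddjob_mkhomedir domain, and allow the specified role the oddjob_mkhomedir domain.` with the role parameter described as `The role to be allowed the oddjob_mkhomedir domain.`. The gen_require of oddjob_mkhomedir_t is needed for the role statement and is correct; the transition itself is delegated to oddjob_domtrans_mkhomedir, whose body starts above this hunk.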
@@ -10,18 +10,25 @@ type oddjob_t;
 type oddjob_exec_t;
 domain_type(oddjob_t)
 init_daemon_domain(oddjob_t, oddjob_exec_t)
+domain_obj_id_change_exemption(oddjob_t)
+domain_role_change_exemption(oddjob_t)
 domain_subj_id_change_exemption(oddjob_t)
 type oddjob_mkhomedir_t;
 type oddjob_mkhomedir_exec_t;
 domain_type(oddjob_mkhomedir_t)
-init_daemon_domain(oddjob_mkhomedir_t, oddjob_mkhomedir_exec_t)
+domain_obj_id_change_exemption(oddjob_mkhomedir_t)
+init_system_domain(oddjob_mkhomedir_t, oddjob_mkhomedir_exec_t)
 oddjob_system_entry(oddjob_mkhomedir_t, oddjob_mkhomedir_exec_t)
 # pid files
 type oddjob_var_run_t;
 files_pid_file(oddjob_var_run_t)
+ifdef(`enable_mcs',`
+ init_ranged_daemon_domain(oddjob_t, oddjob_exec_t, s0 - mcs_systemhigh)
+')
+
 ########################################
 #
 # oddjob local policy
@@ -65,13 +72,32 @@ optional_policy(`
 # oddjob_mkhomedir local policy
 #
+allow oddjob_mkhomedir_t self:capability { chown fowner fsetid dac_override };
+allow oddjob_mkhomedir_t self:process setfscreate;
 allow oddjob_mkhomedir_t self:fifo_file rw_fifo_file_perms;
 allow oddjob_mkhomedir_t self:unix_stream_socket create_stream_socket_perms;
+kernel_read_system_state(oddjob_mkhomedir_t)
+
 files_read_etc_files(oddjob_mkhomedir_t)
+auth_use_nsswitch(oddjob_mkhomedir_t)
+
+logging_send_syslog_msg(oddjob_mkhomedir_t)
+
 miscfiles_read_localization(oddjob_mkhomedir_t)
+selinux_get_fs_mount(oddjob_mkhomedir_t)
+selinux_validate_context(oddjob_mkhomedir_t)
+selinux_compute_access_vector(oddjob_mkhomedir_t)
+selinux_compute_create_context(oddjob_mkhomedir_t)
+selinux_compute_relabel_context(oddjob_mkhomedir_t)
+selinux_compute_user_contexts(oddjob_mkhomedir_t)
+
+seutil_read_config(oddjob_mkhomedir_t)
+seutil_read_file_contexts(oddjob_mkhomedir_t)
+seutil_read_default_contexts(oddjob_mkhomedir_t)
+
 # Add/remove user home directories
 userdom_home_filetrans_user_home_dir(oddjob_mkhomedir_t)
 userdom_manage_user_home_content_dirs(oddjob_mkhomedir_t)
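Review bot: The three new exemption calls in the declarations hunk (`domain_obj_id_change_exemption(oddjob_t)`, `domain_role_change_exemption(oddjob_t)`, `domain_obj_id_change_exemption(oddjob_mkhomedir_t)`) lift the constraints that normally stop a domain from changing the SELinux user or role across a transition or on the objects it creates, and nothing in the hunk says which operation needs each one. Every exemption in this module should carry a one-line comment naming that operation, so a later audit can tell a required exemption from a leftover; the existing `domain_subj_id_change_exemption(oddjob_t)` context line would benefit from the same treatment. Presumably the oddjob_t ones exist because oddjobd dispatches helpers on behalf of the requesting user and the oddjob_mkhomedir_t one because the new home directory is created under that user's identity, but the commit message is not in view, so the comments should state the actual reason, e.g. `# oddjobd runs helpers for the requesting user, whose user/role differ from its own`. The enable_mcs block only ranges oddjob_t; if the helper is meant to inherit the daemon's MCS range, that is worth a comment too rather than being left implicit.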
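Review bot: `allow oddjob_mkhomedir_t self:capability { chown fowner fsetid dac_override };` in the local-policy hunk grants dac_override, which bypasses every DAC permission check for a root helper that creates directories under users' home directory roots, and the hunk does not record which operation is denied without it. Before merging, confirm from the recorded AVC denial that the narrower dac_read_search does not satisfy it, and keep the reason beside the rule, e.g. `# chown/fowner/fsetid: hand the new directory and its contents to the user; dac_override: <cite the denial>`. The selinux_compute_*, seutil_read_* and `self:process setfscreate` additions appear to be the set libselinux needs to pick the label for the new home directory from file_contexts, and they are consistent with each other; a short `# label the new home directory per file_contexts` comment above `selinux_get_fs_mount(oddjob_mkhomedir_t)` would make that grouping explicit.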