## <summary>A wrapper that helps users run system programs.</summary>
########################################
## <summary>
##	The role template for the userhelper module.
##	Declares one consolehelper domain and one userhelper
##	domain for the given role prefix, lets the user domain
##	transition into both, and describes what the userhelper
##	domain may in turn launch.
## </summary>
## <param name="userrole_prefix">
##	<summary>
##	The prefix of the user role (e.g., user
##	is the prefix for user_r).
##	</summary>
## </param>
## <param name="user_role">
##	<summary>
##	The user role.
##	</summary>
## </param>
## <param name="user_domain">
##	<summary>
##	The user domain associated with the role.
##	</summary>
## </param>
#
template(`userhelper_role_template',`
	gen_require(`
		attribute userhelper_type, consolehelper_type;
		attribute_role userhelper_roles, consolehelper_roles;
		# userhelper_conf_t is required here but no rule in this
		# template references it; access to it is granted through
		# the userhelper_search_config interfaces instead.
		type userhelper_exec_t, consolehelper_exec_t, userhelper_conf_t;
	')

	########################################
	#
	# Declarations
	#

	# Per-role consolehelper domain, entered from consolehelper_exec_t.
	# Membership in consolehelper_type is what the *_all_consolehelper
	# interfaces key on, so every rule on that attribute applies to
	# this instance too.
	type $1_consolehelper_t, consolehelper_type;
	userdom_user_application_domain($1_consolehelper_t, consolehelper_exec_t)

	# Make the new domain reachable from the caller's role.
	role consolehelper_roles types $1_consolehelper_t;
	roleattribute $2 consolehelper_roles;

	# Per-role userhelper domain, entered from userhelper_exec_t.
	type $1_userhelper_t, userhelper_type;
	userdom_user_application_domain($1_userhelper_t, userhelper_exec_t)

	# The userhelper domain is exempted from the domain-level
	# constraints on changing role, object identity and subject
	# identity. These exemptions are what allow it to start
	# programs under a different role/user (see the sysadm_* and
	# userdom_*_unpriv_users transitions below); keep them scoped
	# to this domain only.
	domain_role_change_exemption($1_userhelper_t)
	domain_obj_id_change_exemption($1_userhelper_t)
	domain_interactive_fd($1_userhelper_t)
	domain_subj_id_change_exemption($1_userhelper_t)

	role userhelper_roles types $1_userhelper_t;
	roleattribute $2 userhelper_roles;

	########################################
	#
	# Consolehelper local policy
	#

	# The user domain executes consolehelper_exec_t and transitions
	# into its own consolehelper domain.
	domtrans_pattern($3, consolehelper_exec_t, $1_consolehelper_t)

	# The user domain may signal and ptrace its consolehelper
	# instances and read their /proc entries. ptrace over a domain
	# that fronts an authenticating helper is broad; confirm it is
	# needed and, where this policy version provides the deny_ptrace
	# tunable, prefer gating the ptrace permission behind it.
	allow $3 $1_consolehelper_t:process { ptrace signal_perms };
	ps_process_pattern($3, $1_consolehelper_t)

	# consolehelper authenticates the user through PAM.
	auth_use_pam($1_consolehelper_t)

	optional_policy(`
		# Session bus access; the nested block is only active when the
		# dbus chat interface below is available in the build.
		dbus_connect_all_session_bus($1_consolehelper_t)

		optional_policy(`
			userhelper_dbus_chat_all_consolehelper($3)
		')
	')

	########################################
	#
	# Userhelper local policy
	#

	# The user domain executes userhelper_exec_t and transitions
	# into its own userhelper domain.
	domtrans_pattern($3, userhelper_exec_t, $1_userhelper_t)

	# The user domain is not allowed to signal userhelper; keep the
	# denial quiet since it is expected.
	dontaudit $3 $1_userhelper_t:process signal;

	# Generic bin programs started by userhelper run back in the
	# user domain, not in the userhelper domain.
	corecmd_bin_domtrans($1_userhelper_t, $3)

	# Password verification is delegated to the chk_passwd domain;
	# name services are needed for user lookups.
	auth_domtrans_chk_passwd($1_userhelper_t)
	auth_use_nsswitch($1_userhelper_t)

	# userhelper may launch programs into the unprivileged user
	# domains (bin and entry-point specified transitions).
	userdom_bin_spec_domtrans_unpriv_users($1_userhelper_t)
	userdom_entry_spec_domtrans_unpriv_users($1_userhelper_t)

	optional_policy(`
		# Transitions into the sysadm domain are only granted while
		# secure_mode is off; with secure_mode enabled userhelper is
		# limited to the unprivileged user domains above.
		tunable_policy(`! secure_mode',`
			sysadm_bin_spec_domtrans($1_userhelper_t)
			sysadm_entry_spec_domtrans($1_userhelper_t)
		')
	')
')
########################################
## <summary>
##	Search userhelper configuration directories.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`userhelper_search_config',`
	gen_require(`
		type userhelper_conf_t;
	')

	# Directory search only (search_dir_perms); this does not grant
	# read access to the configuration files themselves.
	allow $1 userhelper_conf_t:dir search_dir_perms;
')
########################################
## <summary>
##	Do not audit attempts to search
##	userhelper configuration directories.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
interface(`userhelper_dontaudit_search_config',`
	gen_require(`
		type userhelper_conf_t;
	')

	# Suppresses the AVC denial only; no access is granted. Mirrors
	# the permission set used by userhelper_search_config.
	dontaudit $1 userhelper_conf_t:dir search_dir_perms;
')
########################################
## <summary>
##	Send and receive messages from
##	all consolehelper domains over dbus.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`userhelper_dbus_chat_all_consolehelper',`
	gen_require(`
		attribute consolehelper_type;
		class dbus send_msg;
	')

	# Bidirectional: the caller may message every domain carrying
	# consolehelper_type, and every such domain may message the
	# caller. This is not limited to the caller's own role's
	# consolehelper instance.
	allow $1 consolehelper_type:dbus send_msg;
	allow consolehelper_type $1:dbus send_msg;
')
########################################
## <summary>
##	Use file descriptors inherited from
##	all userhelper domains.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`userhelper_use_fd',`
	gen_require(`
		attribute userhelper_type;
	')

	# Applies to every domain carrying userhelper_type, i.e. the
	# userhelper instance of every role, not just one.
	allow $1 userhelper_type:fd use;
')
########################################
## <summary>
##	Send child terminated signals to all userhelper domains.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`userhelper_sigchld',`
	gen_require(`
		attribute userhelper_type;
	')

	# Only sigchld is granted; no other signal permission is
	# included, so this cannot be used to terminate userhelper.
	allow $1 userhelper_type:process sigchld;
')
########################################
## <summary>
##	Execute the userhelper program in the caller domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`userhelper_exec',`
	gen_require(`
		type userhelper_exec_t;
	')

	# Search of the bin directories is needed to reach the binary.
	corecmd_search_bin($1)
	# can_exec: the program runs in the caller's domain with no
	# domain transition. Callers that should be confined when
	# running userhelper should use the role template instead.
	can_exec($1, userhelper_exec_t)
')