## <summary>A wrapper that helps users run system programs.</summary>
#######################################
## <summary>
##	The role template for the userhelper module.
## </summary>
## <param name="userrole_prefix">
##	<summary>
##	The prefix of the user role (e.g., user
##	is the prefix for user_r).
##	</summary>
## </param>
## <param name="user_role">
##	<summary>
##	The user role.
##	</summary>
## </param>
## <param name="user_domain">
##	<summary>
##	The user domain associated with the role.
##	</summary>
## </param>
#
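template(`userhelper_role_template',`
	gen_require(`
		attribute userhelper_type, consolehelper_type;
		attribute_role userhelper_roles, consolehelper_roles;
		type userhelper_exec_t, consolehelper_exec_t;
	')

	########################################
	#
	# Declarations
	#

	# Per-role consolehelper domain (graphical front end). It is an
	# ordinary user application domain of the calling user.
	type $1_consolehelper_t, consolehelper_type;
	userdom_user_application_domain($1_consolehelper_t, consolehelper_exec_t)

	role consolehelper_roles types $1_consolehelper_t;
	roleattribute $2 consolehelper_roles;

	# Per-role userhelper domain (privileged back end). The three
	# exemptions below lift the constraints that otherwise stop a
	# process from changing its role, its SELinux user and the
	# SELinux user of objects. Because of that the caller domain gets
	# no ptrace or signal access to it (see the userhelper local
	# policy section), unlike for consolehelper.
	type $1_userhelper_t, userhelper_type;
	userdom_user_application_domain($1_userhelper_t, userhelper_exec_t)

	domain_role_change_exemption($1_userhelper_t)
	domain_obj_id_change_exemption($1_userhelper_t)
	domain_interactive_fd($1_userhelper_t)
	domain_subj_id_change_exemption($1_userhelper_t)

	role userhelper_roles types $1_userhelper_t;
	roleattribute $2 userhelper_roles;

	########################################
	#
	# Consolehelper local policy
	#

	# Executing consolehelper from the user domain enters the
	# per-role consolehelper domain.
	domtrans_pattern($3, consolehelper_exec_t, $1_consolehelper_t)

	# The caller fully controls its own consolehelper: ptrace, all
	# signals and process inspection (ps).
	allow $3 $1_consolehelper_t:process { ptrace signal_perms };
	ps_process_pattern($3, $1_consolehelper_t)

	auth_use_pam($1_consolehelper_t)

	optional_policy(`
		dbus_connect_all_session_bus($1_consolehelper_t)

		# Message exchange is with every consolehelper domain, not
		# only the one created for this role.
		optional_policy(`
			userhelper_dbus_chat_all_consolehelper($3)
		')
	')

	########################################
	#
	# Userhelper local policy
	#

	# Executing userhelper from the user domain enters the per-role
	# userhelper domain.
	domtrans_pattern($3, userhelper_exec_t, $1_userhelper_t)

	# Deliberately no allow rule: the caller may not signal the
	# privileged helper, the attempt is merely not audited.
	dontaudit $3 $1_userhelper_t:process signal;

	# Programs that userhelper runs from bin directories execute back
	# in the caller domain rather than staying in the helper domain.
	corecmd_bin_domtrans($1_userhelper_t, $3)

	auth_domtrans_chk_passwd($1_userhelper_t)
	auth_use_nsswitch($1_userhelper_t)

	# Transitions into the unprivileged user domains, by executable
	# and by entry point. The equivalent sysadm transitions are only
	# built when the sysadm module is present and secure_mode is off.
	userdom_bin_spec_domtrans_unpriv_users($1_userhelper_t)
	userdom_entry_spec_domtrans_unpriv_users($1_userhelper_t)

	optional_policy(`
		tunable_policy(`! secure_mode',`
			sysadm_bin_spec_domtrans($1_userhelper_t)
			sysadm_entry_spec_domtrans($1_userhelper_t)
		')
	')
')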
########################################
## <summary>
##	Search userhelper configuration directories.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`userhelper_search_config',`
	gen_require(`
		type userhelper_conf_t;
	')

	# Directory search only: reading the configuration files
	# themselves is not granted by this interface.
	allow $1 userhelper_conf_t:dir search_dir_perms;
')
########################################
## <summary>
##	Do not audit attempts to search
##	userhelper configuration directories.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
interface(`userhelper_dontaudit_search_config',`
	gen_require(`
		type userhelper_conf_t;
	')

	# Silences the denial only; no access is granted, so the search
	# still fails for the caller.
	dontaudit $1 userhelper_conf_t:dir search_dir_perms;
')
########################################
## <summary>
##	Send and receive messages from
##	consolehelper over dbus.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`userhelper_dbus_chat_all_consolehelper',`
	gen_require(`
		attribute consolehelper_type;
		class dbus send_msg;
	')

	# Bidirectional, and keyed on the attribute rather than a single
	# type: the caller can exchange messages with every per-role
	# consolehelper domain, not only the one for its own role.
	allow $1 consolehelper_type:dbus send_msg;
	allow consolehelper_type $1:dbus send_msg;
')
########################################
## <summary>
##	Use all userhelper file descriptors.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`userhelper_use_fd',`
	gen_require(`
		attribute userhelper_type;
	')

	# Attribute-wide: descriptors inherited from any per-role
	# userhelper domain may be used by the caller.
	allow $1 userhelper_type:fd use;
')
########################################
## <summary>
##	Send child terminated signals to all userhelper domains.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`userhelper_sigchld',`
	gen_require(`
		attribute userhelper_type;
	')

	# Only the child-terminated signal; no other signal permission
	# towards userhelper domains is granted here.
	allow $1 userhelper_type:process sigchld;
')
########################################
## <summary>
##	Execute the userhelper program in the caller domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`userhelper_exec',`
	gen_require(`
		type userhelper_exec_t;
	')

	# Search of bin directories is needed to reach the executable.
	corecmd_search_bin($1)
	# No domain transition: the program runs in the caller domain and
	# the caller gains none of the privileges of a userhelper domain.
	can_exec($1, userhelper_exec_t)
')