psss / rpms / selinux-policy

Forked from rpms/selinux-policy 5 years ago
Clone
Source Code
GIT

Files

f10 f11 f12 f13 f14 f15 f16 f17 f18 f19 f20 f21 f22 f23 f24 f25 f26 f27 f28 f29 f7 f8 f9 master master-docker master_contrib private-master-atomic-policy private-master-migrate-to-var-lib-selinux requires tests
  1.   master_contrib
  2.   userhelper.if
Blob Blame History Raw 
## <summary>SELinux utility to run a shell with a new role</summary>

#######################################
## <summary>
##	The role template for the userhelper module.
## </summary>
## <param name="userrole_prefix">
##	<summary>
##	The prefix of the user role (e.g., user
##	is the prefix for user_r).
##	</summary>
## </param>
## <param name="user_role">
##	<summary>
##	The user role.
##	</summary>
## </param>
## <param name="user_domain">
##	<summary>
##	The user domain associated with the role.
##	</summary>
## </param>
#
template(`userhelper_role_template',`
	gen_require(`
		attribute userhelper_type;
		type userhelper_exec_t, userhelper_conf_t;
		class dbus send_msg;
	')

	########################################
	#
	# Declarations
	#

	type $1_userhelper_t, userhelper_type;
	userdom_user_application_domain($1_userhelper_t, userhelper_exec_t)
	domain_role_change_exemption($1_userhelper_t)
	domain_obj_id_change_exemption($1_userhelper_t)
	domain_interactive_fd($1_userhelper_t)
	domain_subj_id_change_exemption($1_userhelper_t)
	role $2 types $1_userhelper_t;

	########################################
	#
	# Local policy
	#
	allow $1_userhelper_t self:capability { setuid setgid net_bind_service dac_override chown sys_tty_config };
	allow $1_userhelper_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
	allow $1_userhelper_t self:process setexec;
	allow $1_userhelper_t self:fd use;
	allow $1_userhelper_t self:fifo_file rw_fifo_file_perms;
	allow $1_userhelper_t self:shm create_shm_perms;
	allow $1_userhelper_t self:sem create_sem_perms;
	allow $1_userhelper_t self:msgq create_msgq_perms;
	allow $1_userhelper_t self:msg { send receive };
	allow $1_userhelper_t self:unix_dgram_socket create_socket_perms;
	allow $1_userhelper_t self:unix_stream_socket create_stream_socket_perms;
	allow $1_userhelper_t self:unix_dgram_socket sendto;
	allow $1_userhelper_t self:unix_stream_socket connectto;
	allow $1_userhelper_t self:sock_file read_sock_file_perms;

	#Transition to the derived domain.
	domtrans_pattern($3, userhelper_exec_t, $1_userhelper_t)

	allow $1_userhelper_t userhelper_conf_t:dir rw_dir_perms;
	rw_files_pattern($1_userhelper_t, userhelper_conf_t, userhelper_conf_t)

	can_exec($1_userhelper_t, userhelper_exec_t)

	dontaudit $3 $1_userhelper_t:process signal;

	kernel_read_all_sysctls($1_userhelper_t)
	kernel_getattr_debugfs($1_userhelper_t)
	kernel_read_system_state($1_userhelper_t)

	# Execute shells
	corecmd_exec_shell($1_userhelper_t)
	# By default, revert to the calling domain when a program is executed
	corecmd_bin_domtrans($1_userhelper_t, $3)

	# Inherit descriptors from the current session.
	domain_use_interactive_fds($1_userhelper_t)
	# for when the user types "exec userhelper" at the command line
	domain_sigchld_interactive_fds($1_userhelper_t)

	dev_read_urand($1_userhelper_t)
	# Read /dev directories and any symbolic links.
	dev_list_all_dev_nodes($1_userhelper_t)

	files_list_var_lib($1_userhelper_t)
	# Read the /etc/security/default_type file
	files_read_etc_files($1_userhelper_t)
	# Read /var.
	files_read_var_files($1_userhelper_t)
	files_read_var_symlinks($1_userhelper_t)
	# for some PAM modules and for cwd
	files_search_home($1_userhelper_t)

	fs_search_auto_mountpoints($1_userhelper_t)
	fs_read_nfs_files($1_userhelper_t)
	fs_read_nfs_symlinks($1_userhelper_t)

	# Allow $1_userhelper to obtain contexts to relabel TTYs
	selinux_get_fs_mount($1_userhelper_t)
	selinux_validate_context($1_userhelper_t)
	selinux_compute_access_vector($1_userhelper_t)
	selinux_compute_create_context($1_userhelper_t)
	selinux_compute_relabel_context($1_userhelper_t)
	selinux_compute_user_contexts($1_userhelper_t)

	# Read the devpts root directory.
	term_list_ptys($1_userhelper_t)
	# Relabel terminals.
	term_relabel_all_ttys($1_userhelper_t)
	term_relabel_all_ptys($1_userhelper_t)
	# Access terminals.
	term_use_all_ttys($1_userhelper_t)
	term_use_all_ptys($1_userhelper_t)

	auth_domtrans_chk_passwd($1_userhelper_t)
	auth_manage_pam_pid($1_userhelper_t)
	auth_manage_var_auth($1_userhelper_t)
	auth_search_pam_console_data($1_userhelper_t)
	auth_use_nsswitch($1_userhelper_t)

	logging_send_syslog_msg($1_userhelper_t)

	# Inherit descriptors from the current session.
	init_use_fds($1_userhelper_t)
	# Write to utmp.
	init_manage_utmp($1_userhelper_t)
	init_pid_filetrans_utmp($1_userhelper_t)


	seutil_read_config($1_userhelper_t)
	seutil_read_default_contexts($1_userhelper_t)

	# Allow $1_userhelper_t to transition to user domains.
	userdom_bin_spec_domtrans_unpriv_users($1_userhelper_t)
	userdom_entry_spec_domtrans_unpriv_users($1_userhelper_t)

	ifdef(`distro_redhat',`
		optional_policy(`
			# Allow transitioning to rpm_t, for up2date
			rpm_domtrans($1_userhelper_t)
		')
	')

	optional_policy(`
		tunable_policy(`! secure_mode',`
			#if we are not in secure mode then we can transition to sysadm_t
			sysadm_bin_spec_domtrans($1_userhelper_t)
			sysadm_entry_spec_domtrans($1_userhelper_t)
		')
	')
')

########################################
## <summary>
##	Search the userhelper configuration directory.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`userhelper_search_config',`
	gen_require(`
		type userhelper_conf_t;
	')

	allow $1 userhelper_conf_t:dir search_dir_perms;
')

########################################
## <summary>
##	Do not audit attempts to search
##	the userhelper configuration directory.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
interface(`userhelper_dontaudit_search_config',`
	gen_require(`
		type userhelper_conf_t;
	')

	dontaudit $1 userhelper_conf_t:dir search_dir_perms;
')

########################################
## <summary>
##	Allow domain to use userhelper file descriptor.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`userhelper_use_fd',`
	gen_require(`
		attribute userhelper_type;
	')

	allow $1 userhelper_type:fd use;
')

########################################
## <summary>
##	Allow domain to send sigchld to userhelper.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`userhelper_sigchld',`
	gen_require(`
		attribute userhelper_type;
	')

	allow $1 userhelper_type:process sigchld;
')

########################################
## <summary>
##	Execute the userhelper program in the caller domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`userhelper_exec',`
	gen_require(`
		type userhelper_exec_t;
	')

	can_exec($1, userhelper_exec_t)
')

#######################################
## <summary>
##	The role template for the consolehelper module.
## </summary>
## <desc>
##	<p>
##	This template creates a derived domains which are used
##	for consolehelper applications.
##	</p>
## </desc>
## <param name="role_prefix">
##	<summary>
##	The prefix of the user domain (e.g., user
##	is the prefix for user_t).
##	</summary>
## </param>
## <param name="user_role">
##	<summary>
##	The role associated with the user domain.
##	</summary>
## </param>
## <param name="user_domain">
##	<summary>
##	The type of the user domain.
##	</summary>
## </param>
#
template(`userhelper_console_role_template',`
	gen_require(`
		type consolehelper_exec_t;
		attribute consolehelper_domain;
		class dbus send_msg;
	')
	type $1_consolehelper_t, consolehelper_domain;
	domain_type($1_consolehelper_t)
	domain_entry_file($1_consolehelper_t, consolehelper_exec_t)
	role $2 types $1_consolehelper_t;

	domtrans_pattern($3, consolehelper_exec_t, $1_consolehelper_t)

	allow $3 $1_consolehelper_t:process signal;
	allow $3 $1_consolehelper_t:dbus send_msg;
	allow $1_consolehelper_t $3:dbus send_msg;
	allow $1_consolehelper_t $3:unix_stream_socket connectto;

	kernel_read_system_state($1_consolehelper_t)

	auth_use_pam($1_consolehelper_t)

	userdom_manage_tmpfs_role($2, $1_consolehelper_t)

	optional_policy(`
		dbus_connect_session_bus($1_consolehelper_t)
	')

	optional_policy(`
		shutdown_run($1_consolehelper_t, $2)
		shutdown_send_sigchld($3)
	')

	optional_policy(`
		mock_run($1_consolehelper_t, $2)
	')

	optional_policy(`
		xserver_run_xauth($1_consolehelper_t, $2)
		xserver_read_xdm_pid($1_consolehelper_t)
	')
')

########################################
## <summary>
##	Execute the consolehelper program in the caller domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`userhelper_exec_console',`
	gen_require(`
		type consolehelper_exec_t;
	')

	can_exec($1, consolehelper_exec_t)
')
Powered by Pagure 5.13.3
DocumentationFile an IssueAbout this InstanceSSH Hostkey/Fingerprint
© Red Hat, Inc. and others.