[selinux-policy: 122/3172] add sulogin

Daniel J Walsh dwalsh at fedoraproject.org
Thu Oct 7 19:15:38 UTC 2010


commit 5d7e8ba6fb70ec7b854f7d805e6db46767ea16d8
Author: Chris PeBenito <cpebenito at tresys.com>
Date:   Mon May 9 15:38:06 2005 +0000

    add sulogin

 refpolicy/policy/modules/system/init.if       |   28 +++++++++
 refpolicy/policy/modules/system/locallogin.te |   82 ++++++++++++++++++++++++-
 2 files changed, 108 insertions(+), 2 deletions(-)
---
diff --git a/refpolicy/policy/modules/system/init.if b/refpolicy/policy/modules/system/init.if
index 319608d..d5a3356 100644
--- a/refpolicy/policy/modules/system/init.if
+++ b/refpolicy/policy/modules/system/init.if
@@ -20,6 +20,20 @@ class process { transition noatsecure siginh rlimitinh };
 
 ########################################
 #
+# init_get_process_group(domain)
+#
+define(`init_get_process_group',`
+requires_block_template(`$0'_depend)
+allow $1 init_t:process getpgid;
+')
+
+define(`init_get_process_group_depend',`
+type init_t;
+class process getpgid;
+')
+
+########################################
+#
 # init_get_control_channel_attributes(domain)
 #
 define(`init_get_control_channel_attributes',`
@@ -185,6 +199,20 @@ class chr_file { read write };
 
 ########################################
 #
+# init_script_get_process_group(domain)
+#
+define(`init_script_get_process_group',`
+requires_block_template(`$0'_depend)
+allow $1 initrc_t:process getpgid;
+')
+
+define(`init_script_get_process_group_depend',`
+type initrc_t;
+class process getpgid;
+')
+
+########################################
+#
 # init_script_read_runtime_data(domain)
 #
 define(`init_script_read_runtime_data',`
diff --git a/refpolicy/policy/modules/system/locallogin.te b/refpolicy/policy/modules/system/locallogin.te
index add1d33..6bdec67 100644
--- a/refpolicy/policy/modules/system/locallogin.te
+++ b/refpolicy/policy/modules/system/locallogin.te
@@ -9,16 +9,24 @@ policy_module(locallogin,1.0)
 
 type local_login_t; #, privuser, privrole, auth_chkpwd, privowner, nscd_client_domain;
 domain_make_domain(local_login_t)
-authlogin_make_login_program_entrypoint(local_login_t)
 domain_make_file_descriptors_widely_inheritable(local_login_t)
+authlogin_make_login_program_entrypoint(local_login_t)
 role system_r types local_login_t;
 
 type local_login_tmp_t;
 files_make_file(local_login_tmp_t)
 
+type sulogin_t;
+type sulogin_exec_t;
+domain_make_init_domain(sulogin_t,sulogin_exec_t)
+domain_make_system_domain(sulogin_t,sulogin_exec_t)
+domain_make_file_descriptors_widely_inheritable(sulogin_t)
+
+role system_r types sulogin_t;
+
 ########################################
 #
-# Local policy
+# Local login local policy
 #
 
 allow local_login_t self:capability { dac_override chown fowner fsetid kill setgid setuid net_bind_service sys_nice sys_resource sys_tty_config };
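Review bot: `sulogin_exec_t` is declared and handed to `domain_make_init_domain(sulogin_t,sulogin_exec_t)` on the new lines, but the diffstat lists only init.if and locallogin.te, so nothing in this commit labels a binary with the new type; unless a file-context entry already exists elsewhere, the init domain transition into sulogin_t will never fire. A `locallogin.fc` entry labeling the sulogin binary `sulogin_exec_t` should land with the type declaration. The move of `authlogin_make_login_program_entrypoint(local_login_t)` below `domain_make_file_descriptors_widely_inheritable(local_login_t)` appears to be a cosmetic reorder only.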
@@ -191,3 +199,73 @@ allow local_login_t power_device_t:chr_file { getattr setattr };
 #r_dir_file(local_login_t, cifs_t)
 #}
 ') dnl endif TODO
+
+#################################
+# 
+# Sulogin local policy
+#
+
+allow sulogin_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem dyntransition };
+allow sulogin_t self:fd use;
+allow sulogin_t self:fifo_file { read getattr lock ioctl write append };
+allow sulogin_t self:unix_dgram_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown };
+allow sulogin_t self:unix_stream_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown listen accept };
+allow sulogin_t self:unix_dgram_socket sendto;
+allow sulogin_t self:unix_stream_socket connectto;
+allow sulogin_t self:shm { associate getattr setattr create destroy read write lock unix_read unix_write };
+allow sulogin_t self:sem { associate getattr setattr create destroy read write unix_read unix_write };
+allow sulogin_t self:msgq { associate getattr setattr create destroy read write enqueue unix_read unix_write };
+allow sulogin_t self:msg { send receive };
+
+kernel_read_system_state(sulogin_t)
+
+init_script_get_process_group(sulogin_t)
+
+files_read_general_system_config(sulogin_t)
+
+libraries_use_dynamic_loader(sulogin_t)
+libraries_read_shared_libraries(sulogin_t)
+
+logging_send_system_log_message(sulogin_t)
+
+selinux_read_config(sulogin_t)
+selinux_read_default_contexts(sulogin_t)
+
+authlogin_read_shadow_passwords(sulogin_t)
+
+# suse and debian do not use pam with sulogin...
+ifdef(`monolithic_policy',`
+ifdef(`distro_suse', `define(`sulogin_no_pam')')
+ifdef(`distro_debian', `define(`sulogin_no_pam')')
+') dnl end monolithic_policy
+
+tunable_policy(`sulogin_no_pam', `
+allow sulogin_t self:capability sys_tty_config;
+init_get_process_group(sulogin_t)
+#domain_auto_trans(sulogin_t, shell_exec_t, sysadm_t)
+', `
+allow sulogin_t self:process setexec;
+kernel_get_selinuxfs_mount_point(sulogin_t)
+kernel_validate_selinux_context(sulogin_t)
+kernel_compute_selinux_av(sulogin_t)
+kernel_compute_create(sulogin_t)
+kernel_compute_relabel(sulogin_t)
+kernel_compute_reachable_user_contexts(sulogin_t)
+#domain_trans(sulogin_t, shell_exec_t, sysadm_t)
+')
+
+ifdef(`TODO',`
+#, privrole, privowner, privuser;
+
+allow sulogin_t unpriv_userdomain:fd use;
+can_ypbind(sulogin_t)
+ifdef(`automount.te', `
+allow sulogin_t autofs_t:dir { search getattr };
+')
+
+allow sulogin_t sysadm_devpts_t:chr_file { getattr ioctl read write };
+allow sulogin_t { staff_home_dir_t sysadm_home_dir_t }:dir search;
+
+# because file systems are not mounted
+dontaudit sulogin_t file_t:dir search;
+') dnl endif TODO
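Review bot: `sulogin_no_pam` is set with an m4 `define` that is only reached inside `ifdef(`monolithic_policy', ...)`, yet it is consumed through `tunable_policy`; if tunable_policy resolves to a runtime boolean in the modular build, nothing declares or sets that boolean there, so the PAM branch would always be taken and the SuSE/Debian distinction silently lost. Both branches also leave the shell transition commented out (`#domain_auto_trans(sulogin_t, shell_exec_t, sysadm_t)` and `#domain_trans(sulogin_t, shell_exec_t, sysadm_t)`), so in this commit sulogin_t may read shadow and compute user contexts but has no path to start the single-user shell; a `# TODO: shell transition for sulogin_t not yet converted` marker above the tunable block would make that intentional gap visible to the next reader. The `dontaudit sulogin_t file_t:dir search;` and its "file systems are not mounted" rationale describe sulogin's early-boot role rather than legacy cruft, so it likely belongs outside the `ifdef(`TODO')` block as soon as a files interface for file_t is available.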

