[selinux-policy: 549/3172] add su

Daniel J Walsh dwalsh at fedoraproject.org
Thu Oct 7 19:52:05 UTC 2010


commit 9489149ec06a517f0c3d94f231857fb747f07210
Author: Chris PeBenito <cpebenito at tresys.com>
Date:   Mon Aug 8 21:03:23 2005 +0000

    add su

 refpolicy/Changelog                            |    1 +
 refpolicy/policy/modules.conf.targeted_example |  203 ++++++++++++++----------
 refpolicy/policy/modules/admin/su.fc           |    2 +
 refpolicy/policy/modules/admin/su.if           |  149 +++++++++++++++++
 refpolicy/policy/modules/admin/su.te           |   12 ++
 refpolicy/policy/modules/kernel/filesystem.if  |   34 ++++
 6 files changed, 317 insertions(+), 84 deletions(-)
---
diff --git a/refpolicy/Changelog b/refpolicy/Changelog
index b04973a..c2b4898 100644
--- a/refpolicy/Changelog
+++ b/refpolicy/Changelog
@@ -8,6 +8,7 @@
 	* Added policies:
 		acct
 		mysql
+		su
 		tmpreaper
 		updfstab
 
diff --git a/refpolicy/policy/modules.conf.targeted_example b/refpolicy/policy/modules.conf.targeted_example
index 488d6f8..c0fbd0a 100644
--- a/refpolicy/policy/modules.conf.targeted_example
+++ b/refpolicy/policy/modules.conf.targeted_example
@@ -60,6 +60,34 @@ files = base
 domain = base
 
 # Layer: admin
+# Module: usermanage
+#
+# Policy for managing user accounts.
+# 
+usermanage = base
+
+# Layer: admin
+# Module: rpm
+#
+# Policy for the RPM package manager.
+# 
+rpm = off
+
+# Layer: admin
+# Module: dmesg
+#
+# Policy for dmesg.
+# 
+dmesg = base
+
+# Layer: admin
+# Module: logrotate
+#
+# Rotate and archive system logs
+# 
+logrotate = off
+
+# Layer: admin
 # Module: consoletype
 #
 # Determine of the console connected to the controlling terminal.
@@ -74,32 +102,32 @@ consoletype = base
 netutils = base
 
 # Layer: admin
-# Module: usermanage
+# Module: acct
 #
-# Policy for managing user accounts.
+# Berkeley process accounting
 # 
-usermanage = base
+acct = base
 
 # Layer: admin
-# Module: rpm
+# Module: tmpreaper
 #
-# Policy for the RPM package manager.
+# Manage temporary directory sizes and file ages
 # 
-rpm = off
+tmpreaper = base
 
 # Layer: admin
-# Module: dmesg
+# Module: updfstab
 #
-# Policy for dmesg.
+# Red Hat utility to change /etc/fstab.
 # 
-dmesg = base
+updfstab = base
 
 # Layer: admin
-# Module: logrotate
+# Module: su
 #
-# Rotate and archive system logs
+# Run shells with substitute user and group
 # 
-logrotate = off
+su = off
 
 # Layer: apps
 # Module: gpg
@@ -137,25 +165,25 @@ storage = base
 terminal = base
 
 # Layer: services
-# Module: cron
+# Module: remotelogin
 #
-# Periodic execution of scheduled commands.
+# Policy for rshd, rlogind, and telnetd.
 # 
-cron = base
+remotelogin = base
 
 # Layer: services
-# Module: ssh
+# Module: nscd
 #
-# Secure shell client and server policy.
+# Name service cache daemon
 # 
-ssh = off
+nscd = base
 
 # Layer: services
-# Module: remotelogin
+# Module: nis
 #
-# Policy for rshd, rlogind, and telnetd.
+# Policy for NIS (YP) servers and clients
 # 
-remotelogin = base
+nis = base
 
 # Layer: services
 # Module: sendmail
@@ -165,18 +193,18 @@ remotelogin = base
 sendmail = off
 
 # Layer: services
-# Module: mta
+# Module: ssh
 #
-# Policy common to all email tranfer agents.
+# Secure shell client and server policy.
 # 
-mta = base
+ssh = off
 
 # Layer: services
-# Module: nis
+# Module: cron
 #
-# Policy for NIS (YP) servers and clients
+# Periodic execution of scheduled commands.
 # 
-nis = base
+cron = base
 
 # Layer: services
 # Module: inetd
@@ -193,11 +221,32 @@ inetd = base
 kerberos = base
 
 # Layer: services
-# Module: nscd
+# Module: mta
 #
-# Name service cache daemon
+# Policy common to all email tranfer agents.
 # 
-nscd = base
+mta = base
+
+# Layer: services
+# Module: mysql
+#
+# Policy for MySQL
+# 
+mysql = base
+
+# Layer: system
+# Module: unconfined
+#
+# The unconfined domain.
+# 
+unconfined = base
+
+# Layer: system
+# Module: authlogin
+#
+# Common policy for authentication and user login.
+# 
+authlogin = base
 
 # Layer: system
 # Module: selinuxutil
@@ -221,11 +270,11 @@ getty = base
 mount = base
 
 # Layer: system
-# Module: logging
+# Module: ipsec
 #
-# Policy for the kernel message logger and system logging daemon.
+# TCP/IP encryption
 # 
-logging = base
+ipsec = base
 
 # Layer: system
 # Module: locallogin
@@ -235,6 +284,13 @@ logging = base
 locallogin = base
 
 # Layer: system
+# Module: logging
+#
+# Policy for the kernel message logger and system logging daemon.
+# 
+logging = base
+
+# Layer: system
 # Module: sysnetwork
 #
 # Policy for network configuration: ifconfig and dhcp client.
@@ -242,6 +298,20 @@ locallogin = base
 sysnetwork = base
 
 # Layer: system
+# Module: fstools
+#
+# Tools for filesystem management, such as mkfs and fsck.
+# 
+fstools = base
+
+# Layer: system
+# Module: pcmcia
+#
+# PCMCIA card management services
+# 
+pcmcia = base
+
+# Layer: system
 # Module: iptables
 #
 # Policy for iptables.
@@ -256,13 +326,6 @@ iptables = base
 userdomain = base
 
 # Layer: system
-# Module: clock
-#
-# Policy for reading and setting the hardware clock.
-# 
-clock = base
-
-# Layer: system
 # Module: corecommands
 #
 # Core policy for shells, and generic programs
@@ -279,6 +342,13 @@ corecommands = base
 hotplug = base
 
 # Layer: system
+# Module: clock
+#
+# Policy for reading and setting the hardware clock.
+# 
+clock = base
+
+# Layer: system
 # Module: lvm
 #
 # Policy for logical volume management programs.
@@ -293,18 +363,18 @@ lvm = base
 modutils = base
 
 # Layer: system
-# Module: udev
+# Module: init
 #
-# Policy for udev.
+# System initialization programs (init and init scripts).
 # 
-udev = base
+init = base
 
 # Layer: system
-# Module: init
+# Module: udev
 #
-# System initialization programs (init and init scripts).
+# Policy for udev.
 # 
-init = base
+udev = base
 
 # Layer: system
 # Module: hostname
@@ -314,11 +384,11 @@ init = base
 hostname = base
 
 # Layer: system
-# Module: authlogin
+# Module: raid
 #
-# Common policy for authentication and user login.
+# RAID array management tools
 # 
-authlogin = base
+raid = base
 
 # Layer: system
 # Module: libraries
@@ -328,44 +398,9 @@ authlogin = base
 libraries = base
 
 # Layer: system
-# Module: ipsec
-#
-# TCP/IP encryption
-# 
-ipsec = base
-
-# Layer: system
-# Module: unconfined
-#
-# The unconfined domain.
-# 
-unconfined = base
-
-# Layer: system
 # Module: miscfiles
 #
 # Miscelaneous files.
 # 
 miscfiles = base
 
-# Layer: system
-# Module: fstools
-#
-# Tools for filesystem management, such as mkfs and fsck.
-# 
-fstools = base
-
-# Layer: system
-# Module: pcmcia
-#
-# PCMCIA card management services
-# 
-pcmcia = base
-
-# Layer: system
-# Module: raid
-#
-# RAID array management tools
-# 
-raid = base
-
diff --git a/refpolicy/policy/modules/admin/su.fc b/refpolicy/policy/modules/admin/su.fc
new file mode 100644
index 0000000..ed98aba
--- /dev/null
+++ b/refpolicy/policy/modules/admin/su.fc
@@ -0,0 +1,2 @@
+
+/bin/su			--	context_template(system_u:object_r:su_exec_t,s0)
diff --git a/refpolicy/policy/modules/admin/su.if b/refpolicy/policy/modules/admin/su.if
new file mode 100644
index 0000000..6dc5216
--- /dev/null
+++ b/refpolicy/policy/modules/admin/su.if
@@ -0,0 +1,149 @@
+## <summary>Run shells with substitute user and group</summary>
+
+template(`su_per_userdomain_template',`
+
+	type $1_su_t;
+	domain_entry_file($1_su_t,su_exec_t)
+	domain_type($1_su_t)
+	domain_role_change_exempt($1_su_t)
+	domain_subj_id_change_exempt($1_su_t)
+	domain_obj_id_change_exempt($1_su_t)
+	domain_wide_inherit_fd($1_su_t)
+	role $1_r types $1_su_t;
+
+	allow $1_t $1_su_t:process signal;
+
+	allow $1_su_t self:capability { setuid setgid net_bind_service chown dac_override fowner sys_nice sys_resource };
+	dontaudit $1_su_t self:capability sys_tty_config;
+	allow $1_su_t self:process { setexec setsched setrlimit };
+	allow $1_su_t self:fifo_file rw_file_perms;
+
+	# Transition from the user domain to this domain.
+	domain_auto_trans($1_t, su_exec_t, $1_su_t)
+	allow $1_t $1_su_t:fd use;
+	allow $1_su_t $1_t:fd use;
+	allow $1_su_t $1_t:fifo_file rw_file_perms;
+	allow $1_su_t $1_t:process sigchld;
+
+	# By default, revert to the calling domain when a shell is executed.
+	corecmd_shell_domtrans($1_su_t,$1_t)
+	allow $1_t $1_su_t:fd use;
+	allow $1_su_t $1_t:fd use;
+	allow $1_su_t $1_t:fifo_file rw_file_perms;
+	allow $1_su_t $1_t:process sigchld;
+
+	kernel_read_system_state($1_su_t)
+	kernel_read_kernel_sysctl($1_su_t)
+
+	# for SSP
+	dev_read_urand($1_su_t)
+
+	fs_search_auto_mountpoints($1_su_t)
+
+	selinux_get_fs_mount($1_su_t)
+	selinux_validate_context($1_su_t)
+	selinux_compute_access_vector($1_su_t)
+	selinux_compute_create_context($1_su_t)
+	selinux_compute_relabel_context($1_su_t)
+	selinux_compute_user_contexts($1_su_t)
+
+	# Relabel ttys and ptys.
+	term_relabel_all_user_ttys($1_su_t)
+	term_relabel_all_user_ptys($1_su_t)
+	# Close and re-open ttys and ptys to get the fd into the correct domain.
+	term_use_all_user_ttys($1_su_t)
+	term_use_all_user_ptys($1_su_t)
+
+	auth_dontaudit_read_shadow($1_su_t)
+
+	domain_wide_inherit_fd($1_su_t)
+
+	files_read_etc_files($1_su_t)
+	files_search_var_lib($1_su_t)
+
+	init_dontaudit_use_fd($1_su_t)
+	# Write to utmp.
+	init_rw_script_pid($1_su_t)
+
+	libs_use_ld_so($1_su_t)
+	libs_use_shared_libs($1_su_t)
+
+	logging_send_syslog_msg($1_su_t)
+
+	miscfiles_read_localization($1_su_t)
+
+	seutil_read_config($1_su_t)
+	seutil_read_default_contexts($1_su_t)
+
+	if(secure_mode)
+	{
+		# Only allow transitions to unprivileged user domains.
+		userdom_spec_domtrans_unpriv_users($1_su_t)
+	} else {
+		# Allow transitions to all user domains
+		userdom_spec_domtrans_all_users($1_su_t)
+	}
+
+	if (use_nfs_home_dirs) {
+		fs_search_nfs($1_su_t)
+	}
+
+	if (use_samba_home_dirs) {
+		fs_search_cifs($1_su_t)
+	}
+
+	optional_policy(`crond.te',`
+		cron_read_pipe($1_su_t)
+	')
+
+	optional_policy(`kerberos.te',`
+		kerberos_use($1_su_t)
+	')
+
+	optional_policy(`nis.te',`
+		nis_use_ypbind($1_su_t)
+	')
+
+	optional_policy(`nscd.te',`
+		nscd_use_socket($1_su_t)
+	')
+
+	ifdef(`TODO',`
+	domain_auto_trans($1_su_t, chkpwd_exec_t, $1_chkpwd_t)
+
+	# Caused by su - init scripts
+	dontaudit $1_su_t initrc_devpts_t:chr_file { getattr ioctl };
+
+	# Inherit and use descriptors from gnome-pty-helper.
+	ifdef(`gnome-pty-helper.te', `allow $1_su_t $1_gph_t:fd use;')
+
+	# Write to the user domain tty.
+	access_terminal($1_su_t, $1)
+
+	allow $1_su_t { home_root_t $1_home_dir_t }:dir search;
+	allow $1_su_t $1_home_t:file create_file_perms;
+
+	ifdef(`user_canbe_sysadm', `
+	allow $1_su_t home_dir_type:dir { search write };
+	', `
+	dontaudit $1_su_t home_dir_type:dir { search write };
+	')
+
+	# Modify .Xauthority file (via xauth program).
+	ifdef(`xauth.te', `
+	file_type_auto_trans($1_su_t, staff_home_dir_t, staff_xauth_home_t, file)
+	file_type_auto_trans($1_su_t, user_home_dir_t, user_xauth_home_t, file)
+	file_type_auto_trans($1_su_t, sysadm_home_dir_t, sysadm_xauth_home_t, file)
+	domain_auto_trans($1_su_t, xauth_exec_t, $1_xauth_t)
+	')
+
+	ifdef(`cyrus.te', `
+	allow $1_su_t cyrus_var_lib_t:dir search;
+	')
+	ifdef(`ssh.te', `
+	# Access sshd cookie files.
+	allow $1_su_t sshd_tmp_t:file rw_file_perms;
+	file_type_auto_trans($1_su_t, sshd_tmp_t, $1_tmp_t)
+	')
+	') dnl end TODO
+')
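Review bot: `su_per_userdomain_template` carries no `## <summary>` / `## <param>` header, unlike the `interface()` blocks this commit adds to filesystem.if, so the policy doc generator gets nothing for it; add `## <summary>The per user domain template for the su module.</summary>` and a `## <param name="userdomain_prefix">` block describing what `$1` is (the user domain prefix, e.g. the part before `_t`) directly above the `template(` line. The four `fd use` / `fifo_file rw_file_perms` / `process sigchld` rules after `domain_auto_trans($1_t, su_exec_t, $1_su_t)` are repeated verbatim after `corecmd_shell_domtrans($1_su_t,$1_t)`, and `domain_wide_inherit_fd($1_su_t)` is called both near the top and again after `auth_dontaudit_read_shadow` — one copy of each is enough. `optional_policy(`crond.te',…)` names a file that neither the diffstat nor modules.conf mentions (the module is configured as `cron`), so if that module's file is cron.te this block would never be enabled; please confirm the name, since the kerberos/nis/nscd blocks match their module names. The capability set `{ setuid setgid net_bind_service chown dac_override fowner sys_nice sys_resource }` is broad for a setuid wrapper; a short comment stating which step (PAM, utmp, tty relabel) needs `net_bind_service`, `chown`, `fowner` and `sys_resource` would make later tightening possible.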
diff --git a/refpolicy/policy/modules/admin/su.te b/refpolicy/policy/modules/admin/su.te
new file mode 100644
index 0000000..e01bee1
--- /dev/null
+++ b/refpolicy/policy/modules/admin/su.te
@@ -0,0 +1,12 @@
+
+policy_module(su,1.0)
+
+########################################
+#
+# Declarations
+#
+
+type su_exec_t;
+files_type(su_exec_t)
+
+# Remaining policy in the per-user domain template
diff --git a/refpolicy/policy/modules/kernel/filesystem.if b/refpolicy/policy/modules/kernel/filesystem.if
index 825818c..09e1c6b 100644
--- a/refpolicy/policy/modules/kernel/filesystem.if
+++ b/refpolicy/policy/modules/kernel/filesystem.if
@@ -403,6 +403,23 @@ interface(`fs_getattr_cifs',`
 
 ########################################
 ## <summary>
+##	Search directories on a CIFS or SMB filesystem.
+## </summary>
+## <param name="domain">
+##	The type of the domain reading the files.
+## </param>
+#
+interface(`fs_search_cifs',`
+	gen_require(`
+		type cifs_t;
+		class dir search;
+	')
+
+	allow $1 cifs_t:dir search;
+')
+
+########################################
+## <summary>
 ##	Read files on a CIFS or SMB filesystem.
 ## </summary>
 ## <param name="domain">
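Review bot: The `<param>` description for the new `fs_search_cifs` reads `The type of the domain reading the files.` although the interface only grants `dir search`; it looks copied from the read interface that follows. Change it to `##	The type of the domain searching the directories.`, and apply the same fix to `fs_search_nfs` in the next hunk, whose parameter text is identical.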
@@ -873,6 +890,23 @@ interface(`fs_getattr_nfs',`
 
 ########################################
 ## <summary>
+##	Search directories on a NFS filesystem.
+## </summary>
+## <param name="domain">
+##	The type of the domain reading the files.
+## </param>
+#
+interface(`fs_search_nfs',`
+	gen_require(`
+		type nfs_t;
+		class dir search;
+	')
+
+	allow $1 nfs_t:dir search;
+')
+
+########################################
+## <summary>
 ##	Read files on a NFS filesystem.
 ## </summary>
 ## <param name="domain">

