190 lines
4 KiB
Text
190 lines
4 KiB
Text
|
## <summary>Execute a command with a substitute user</summary>
|
||
|
|
|
||
|
|
#######################################
|
||
|
|
## <summary>
|
||
|
|
## The role template for the sudo module.
|
||
|
|
## </summary>
|
||
|
|
## <desc>
|
||
|
|
## <p>
|
||
|
|
## This template creates a derived domain which is allowed
|
||
|
|
## to change the linux user id, to run commands as a different
|
||
|
|
## user.
|
||
|
|
## </p>
|
||
|
|
## </desc>
|
||
|
|
## <param name="role_prefix">
|
||
|
|
## <summary>
|
||
|
|
## The prefix of the user role (e.g., user
|
||
|
|
## is the prefix for user_r).
|
||
|
|
## </summary>
|
||
|
|
## </param>
|
||
|
|
## <param name="user_role">
|
||
|
|
## <summary>
|
||
|
|
## The user role.
|
||
|
|
## </summary>
|
||
|
|
## </param>
|
||
|
|
## <param name="user_domain">
|
||
|
|
## <summary>
|
||
|
|
## The user domain associated with the role.
|
||
|
|
## </summary>
|
||
|
|
## </param>
|
||
|
|
#
|
||
|
|
template(`sudo_role_template',`
|
||
|
|
|
||
|
|
gen_require(`
|
||
|
|
type sudo_exec_t;
|
||
|
|
type sudo_db_t;
|
||
|
|
attribute sudodomain;
|
||
|
|
')
|
||
|
|
|
||
|
|
##############################
|
||
|
|
#
|
||
|
|
# Declarations
|
||
|
|
#
|
||
|
|
|
||
|
|
type $1_sudo_t, sudodomain;
|
||
|
|
userdom_user_application_domain($1_sudo_t, sudo_exec_t)
|
||
|
|
domain_interactive_fd($1_sudo_t)
|
||
|
|
domain_role_change_exemption($1_sudo_t)
|
||
|
|
role $2 types $1_sudo_t;
|
||
|
|
userdom_home_manager($1_sudo_t)
|
||
|
|
|
||
|
|
type $1_sudo_tmp_t;
|
||
|
|
files_tmp_file($1_sudo_tmp_t)
|
||
|
|
|
||
|
|
allow $1_sudo_t $1_sudo_tmp_t:file manage_file_perms;
|
||
|
|
files_tmp_filetrans($1_sudo_t, $1_sudo_tmp_t, file)
|
||
|
|
|
||
|
|
allow $1_sudo_t $3:dir search_dir_perms;;
|
||
|
|
allow $1_sudo_t $3:file read_file_perms;;
|
||
|
|
allow $1_sudo_t $3:key search;
|
||
|
|
|
||
|
|
allow $1_sudo_t $1_t:unix_stream_socket { connectto read write };
|
||
|
|
|
||
|
|
# Enter this derived domain from the user domain
|
||
|
|
domtrans_pattern($3, sudo_exec_t, $1_sudo_t)
|
||
|
|
|
||
|
|
# By default, revert to the calling domain when a shell is executed.
|
||
|
|
corecmd_shell_domtrans($1_sudo_t, $3)
|
||
|
|
corecmd_bin_domtrans($1_sudo_t, $3)
|
||
|
|
userdom_domtrans_user_home($1_sudo_t, $3)
|
||
|
|
userdom_domtrans_user_tmp($1_sudo_t, $3)
|
||
|
|
domain_entry_file($3, sudo_exec_t)
|
||
|
|
domain_auto_transition_pattern($1_sudo_t, sudo_exec_t, $3)
|
||
|
|
|
||
|
|
allow $3 $1_sudo_t:fd use;
|
||
|
|
allow $3 $1_sudo_t:fifo_file rw_fifo_file_perms;
|
||
|
|
allow $3 $1_sudo_t:process signal_perms;
|
||
|
|
|
||
|
|
kernel_read_system_state($1_sudo_t)
|
||
|
|
seutil_libselinux_linked($1_sudo_t)
|
||
|
|
|
||
|
|
auth_run_chk_passwd($1_sudo_t, $2)
|
||
|
|
auth_use_nsswitch($1_sudo_t)
|
||
|
|
|
||
|
|
logging_send_syslog_msg($1_sudo_t)
|
||
|
|
logging_read_syslog_pid($1_sudo_t)
|
||
|
|
|
||
|
|
term_use_generic_ptys($1_sudo_t)
|
||
|
|
term_setattr_generic_ptys($1_sudo_t)
|
||
|
|
|
||
|
|
optional_policy(`
|
||
|
|
mta_role($2, $1_sudo_t)
|
||
|
|
')
|
||
|
|
|
||
|
|
optional_policy(`
|
||
|
|
rpm_run($1_sudo_t, $2)
|
||
|
|
')
|
||
|
|
|
||
|
|
optional_policy(`
|
||
|
|
kerberos_manage_host_rcache($1_sudo_t)
|
||
|
|
kerberos_read_config($1_sudo_t)
|
||
|
|
')
|
||
|
|
|
||
|
|
optional_policy(`
|
||
|
|
systemd_domtrans_systemctl($1_sudo_t, $3)
|
||
|
|
systemd_systemctl_entrypoint($3)
|
||
|
|
')
|
||
|
|
|
||
|
|
optional_policy(`
|
||
|
|
userdom_write_user_tmp_sockets($1_sudo_t)
|
||
|
|
')
|
||
|
|
|
||
|
|
optional_policy(`
|
||
|
|
usermanage_domtrans_passwd($1_sudo_t)
|
||
|
|
')
|
||
|
|
')
|
||
|
|
|
||
|
|
########################################
|
||
|
|
## <summary>
|
||
|
|
## Send a SIGCHLD signal to the sudo domain.
|
||
|
|
## </summary>
|
||
|
|
## <param name="domain">
|
||
|
|
## <summary>
|
||
|
|
## Domain allowed access.
|
||
|
|
## </summary>
|
||
|
|
## </param>
|
||
|
|
#
|
||
|
|
interface(`sudo_sigchld',`
|
||
|
|
gen_require(`
|
||
|
|
attribute sudodomain;
|
||
|
|
')
|
||
|
|
|
||
|
|
allow $1 sudodomain:process sigchld;
|
||
|
|
')
|
||
|
|
|
||
|
|
#######################################
|
||
|
|
## <summary>
|
||
|
|
## Allow execute sudo in called domain.
|
||
|
|
## This interfaces is added for nova-stack policy.
|
||
|
|
## </summary>
|
||
|
|
## <param name="domain">
|
||
|
|
## <summary>
|
||
|
|
## Domain allowed access.
|
||
|
|
## </summary>
|
||
|
|
## </param>
|
||
|
|
#
|
||
|
|
interface(`sudo_exec',`
|
||
|
|
gen_require(`
|
||
|
|
type sudo_exec_t;
|
||
|
|
')
|
||
|
|
|
||
|
|
can_exec($1, sudo_exec_t)
|
||
|
|
')
|
||
|
|
|
||
|
|
######################################
|
||
|
|
## <summary>
|
||
|
|
## Allow to manage sudo database in called domain.
|
||
|
|
## </summary>
|
||
|
|
## <param name="domain">
|
||
|
|
## <summary>
|
||
|
|
## Domain allowed access.
|
||
|
|
## </summary>
|
||
|
|
## </param>
|
||
|
|
#
|
||
|
|
interface(`sudo_manage_db',`
|
||
|
|
gen_require(`
|
||
|
|
type sudo_db_t;
|
||
|
|
')
|
||
|
|
|
||
|
|
manage_dirs_pattern($1, sudo_db_t, sudo_db_t)
|
||
|
|
manage_files_pattern($1, sudo_db_t, sudo_db_t)
|
||
|
|
')
|
||
|
|
|
||
|
|
########################################
|
||
|
|
## <summary>
|
||
|
|
## Transition to sudo log named content
|
||
|
|
## </summary>
|
||
|
|
## <param name="domain">
|
||
|
|
## <summary>
|
||
|
|
## Domain allowed access.
|
||
|
|
## </summary>
|
||
|
|
## </param>
|
||
|
|
#
|
||
|
|
interface(`sudo_filetrans_named_content_log',`
|
||
|
|
gen_require(`
|
||
|
|
type sudo_log_t;
|
||
|
|
')
|
||
|
|
|
||
|
|
logging_log_filetrans($1, sudo_log_t, file, "sudo.log")
|
||
|
|
')
|