1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
|
## <summary>Execute a command with a substitute user</summary>
#######################################
## <summary>
## The role template for the sudo module.
## </summary>
## <desc>
## <p>
## This template creates a derived domain which is allowed
## to change the linux user id, to run commands as a different
## user.
## </p>
## </desc>
## <param name="role_prefix">
## <summary>
## The prefix of the user role (e.g., user
## is the prefix for user_r).
## </summary>
## </param>
## <param name="user_role">
## <summary>
## The user role.
## </summary>
## </param>
## <param name="user_domain">
## <summary>
## The user domain associated with the role.
## </summary>
## </param>
#
template(`sudo_role_template',`
gen_require(`
type sudo_exec_t;
attribute sudodomain;
')
##############################
#
# Declarations
#
type $1_sudo_t, sudodomain;
userdom_user_application_domain($1_sudo_t, sudo_exec_t)
domain_interactive_fd($1_sudo_t)
domain_role_change_exemption($1_sudo_t)
role $2 types $1_sudo_t;
##############################
#
# Local Policy
#
# Use capabilities.
allow $1_sudo_t self:capability { fowner setuid setgid dac_override sys_nice sys_resource };
allow $1_sudo_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
allow $1_sudo_t self:process { setexec setrlimit };
allow $1_sudo_t self:fd use;
allow $1_sudo_t self:fifo_file rw_fifo_file_perms;
allow $1_sudo_t self:shm create_shm_perms;
allow $1_sudo_t self:sem create_sem_perms;
allow $1_sudo_t self:msgq create_msgq_perms;
allow $1_sudo_t self:msg { send receive };
allow $1_sudo_t self:unix_dgram_socket create_socket_perms;
allow $1_sudo_t self:unix_stream_socket create_stream_socket_perms;
allow $1_sudo_t self:unix_dgram_socket sendto;
allow $1_sudo_t self:unix_stream_socket connectto;
allow $1_sudo_t self:key manage_key_perms;
allow $1_sudo_t $3:key search;
# Enter this derived domain from the user domain
domtrans_pattern($3, sudo_exec_t, $1_sudo_t)
# By default, revert to the calling domain when a shell is executed.
corecmd_shell_domtrans($1_sudo_t, $3)
corecmd_bin_domtrans($1_sudo_t, $3)
allow $3 $1_sudo_t:fd use;
allow $3 $1_sudo_t:fifo_file rw_fifo_file_perms;
allow $3 $1_sudo_t:process signal_perms;
kernel_read_kernel_sysctls($1_sudo_t)
kernel_read_system_state($1_sudo_t)
kernel_link_key($1_sudo_t)
corecmd_read_bin_symlinks($1_sudo_t)
corecmd_exec_all_executables($1_sudo_t)
dev_getattr_fs($1_sudo_t)
dev_read_urand($1_sudo_t)
dev_rw_generic_usb_dev($1_sudo_t)
dev_read_sysfs($1_sudo_t)
domain_use_interactive_fds($1_sudo_t)
domain_sigchld_interactive_fds($1_sudo_t)
domain_getattr_all_entry_files($1_sudo_t)
files_read_etc_files($1_sudo_t)
files_read_var_files($1_sudo_t)
files_read_usr_symlinks($1_sudo_t)
files_getattr_usr_files($1_sudo_t)
# for some PAM modules and for cwd
files_dontaudit_search_home($1_sudo_t)
files_list_tmp($1_sudo_t)
fs_search_auto_mountpoints($1_sudo_t)
fs_getattr_xattr_fs($1_sudo_t)
selinux_validate_context($1_sudo_t)
selinux_compute_relabel_context($1_sudo_t)
term_getattr_pty_fs($1_sudo_t)
term_relabel_all_ttys($1_sudo_t)
term_relabel_all_ptys($1_sudo_t)
auth_run_chk_passwd($1_sudo_t, $2)
# sudo stores a token in the pam_pid directory
auth_manage_pam_pid($1_sudo_t)
auth_use_nsswitch($1_sudo_t)
init_rw_utmp($1_sudo_t)
logging_send_audit_msgs($1_sudo_t)
logging_send_syslog_msg($1_sudo_t)
miscfiles_read_localization($1_sudo_t)
seutil_search_default_contexts($1_sudo_t)
seutil_libselinux_linked($1_sudo_t)
userdom_spec_domtrans_all_users($1_sudo_t)
userdom_create_all_users_keys($1_sudo_t)
userdom_manage_user_home_content_files($1_sudo_t)
userdom_manage_user_home_content_symlinks($1_sudo_t)
userdom_manage_user_tmp_files($1_sudo_t)
userdom_manage_user_tmp_symlinks($1_sudo_t)
userdom_use_user_terminals($1_sudo_t)
# for some PAM modules and for cwd
userdom_dontaudit_search_user_home_content($1_sudo_t)
userdom_dontaudit_search_user_home_dirs($1_sudo_t)
ifdef(`hide_broken_symptoms', `
dontaudit $1_sudo_t $3:socket_class_set { read write };
')
tunable_policy(`use_nfs_home_dirs',`
fs_manage_nfs_files($1_sudo_t)
')
tunable_policy(`use_samba_home_dirs',`
fs_manage_cifs_files($1_sudo_t)
')
optional_policy(`
dbus_system_bus_client($1_sudo_t)
')
optional_policy(`
fprintd_dbus_chat($1_sudo_t)
')
')
########################################
## <summary>
## Send a SIGCHLD signal to the sudo domain.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`sudo_sigchld',`
gen_require(`
attribute sudodomain;
')
allow $1 sudodomain:process sigchld;
')
|