From: "Sven Vermeulen"
To: gentoo-commits@lists.gentoo.org
Content-Transfer-Encoding: 8bit
Content-type: text/plain; charset=UTF-8
Reply-To: gentoo-dev@lists.gentoo.org, "Sven Vermeulen"
Message-ID: <1357230247.80a0782dc605b835f9919edb9c99dbe1e80d9950.SwifT@gentoo>
Subject: [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/admin/
X-VCS-Repository: proj/hardened-refpolicy
X-VCS-Files: policy/modules/admin/usermanage.if
X-VCS-Directories: policy/modules/admin/
X-VCS-Committer: SwifT
X-VCS-Committer-Name: Sven Vermeulen
X-VCS-Revision: 80a0782dc605b835f9919edb9c99dbe1e80d9950
X-VCS-Branch: master
Date: Thu, 3 Jan 2013 16:49:52 +0000 (UTC)
Precedence: bulk
List-Id: Gentoo Linux mail
X-BeenThere: gentoo-commits@lists.gentoo.org
X-Archives-Salt: 33e69399-3b1b-42ac-a571-687b77878ed6
X-Archives-Hash: 76958de9b820f6c5c282d945d3acf6e1

commit:     80a0782dc605b835f9919edb9c99dbe1e80d9950
Author:     Sven Vermeulen siphos be>
AuthorDate: Mon Dec 17 09:42:50 2012 +0000
Commit:     Sven Vermeulen siphos be>
CommitDate: Thu Jan  3 16:24:07 2013 +0000
URL:        http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=80a0782d

Introduce exec-check interfaces for passwd binaries and useradd binaries

Signed-off-by: Sven Vermeulen siphos.be>

---
 policy/modules/admin/usermanage.if | 36 ++++++++++++++++++++++++++++++++++++
 1 files changed, 36 insertions(+), 0 deletions(-)

diff --git a/policy/modules/admin/usermanage.if b/policy/modules/admin/usermanage.if
index ace07f5..38aad90 100644
--- a/policy/modules/admin/usermanage.if
+++ b/policy/modules/admin/usermanage.if
@@ -140,6 +140,24 @@ interface(`usermanage_kill_passwd',` ######################################## ## +## Check if the passwd binary is executable. +## +## +## +## Domain allowed access. +## +## +# +interface(`usermanage_check_exec_passwd',` + gen_require(` + type passwd_exec_t; + ') + + allow $1 passwd_exec_t:file { execute getattr_file_perms }; +') + +######################################## +## ## Execute passwd in the passwd domain, and ## allow the specified role the passwd domain. ## @@ -253,6 +271,24 @@ interface(`usermanage_domtrans_useradd',` ######################################## ## +## Check if the useradd binaries are executable. +## +## +## +## Domain allowed access. +## +## +# +interface(`usermanage_check_exec_useradd',` + gen_require(` + type useradd_exec_t; + ') + + allow $1 useradd_exec_t:file { execute getattr_file_perms }; +') + +######################################## +## ## Execute useradd in the useradd domain, and ## allow the specified role the useradd domain. ##
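Review bot: the summary of `usermanage_check_exec_passwd` (first hunk, "Check if the passwd binary is executable") should also say what the caller does not get. `allow $1 passwd_exec_t:file { execute getattr_file_perms };` grants `getattr` and `execute` only, which is enough to stat the file and pass an access(X_OK)-style check, but without `execute_no_trans` or a domain transition the caller still cannot run passwd; a domain that uses this interface as a cheap substitute for `usermanage_domtrans_passwd` (the interface that follows in the same hunk) will hit `execute_no_trans` denials at runtime. Spell that out in the doc block and point callers that need to run passwd to the domtrans interface. The interface also grants no search on the directory holding the binary, so a domain with nothing else on the bin directories cannot reach passwd_exec_t through this interface alone; either add that or state it in the doc.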
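Review bot: in `usermanage_check_exec_useradd` (second hunk) the summary says "the useradd binaries", plural, while the rule is written against the single type useradd_exec_t; the doc should say that the permission covers every file labelled useradd_exec_t rather than one named binary, so a reader knows what "useradd binaries" means here. Style: `{ execute getattr_file_perms }` nests a permission-set macro inside a literal set; it expands to the intended `{ execute getattr }`, but writing `{ getattr execute }` avoids the nesting and matches how this permission pair is usually spelled in refpolicy. Whichever spelling is chosen should be used identically in both new interfaces.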