Implement login policy

Signed-off-by: Mykola Solianko <[email protected]>
aosedge · Sep 1, 2023 · cdbadaa · cdbadaa
1 parent 9b81e58
commit cdbadaa
Show file tree

Hide file tree

Showing 14 changed files with 92 additions and 45 deletions.
diff --git a/config/appconfig-mcs/root_default_contexts b/config/appconfig-mcs/root_default_contexts
@@ -9,4 +9,4 @@ user_r:user_su_t:s0		unconfined_r:unconfined_t:s0 sysadm_r:sysadm_t:s0 staff_r:s
 #
 # Uncomment if you want to automatically login as sysadm_r
 #
-#system_r:sshd_t:s0		unconfined_r:unconfined_t:s0 sysadm_r:sysadm_t:s0 staff_r:staff_t:s0 user_r:user_t:s0
+system_r:sshd_t:s0		unconfined_r:unconfined_t:s0 sysadm_r:sysadm_t:s0 staff_r:staff_t:s0 user_r:user_t:s0
diff --git a/config/appconfig-mcs/seusers b/config/appconfig-mcs/seusers
@@ -1,2 +1,2 @@
-root:unconfined_u:s0-mcs_systemhigh
+root:system_u:s0-mcs_systemhigh
 __default__:unconfined_u:s0
diff --git a/policy/modules/services/setroubleshoot.te b/policy/modules/services/setroubleshoot.te
@@ -108,7 +108,7 @@ init_dontaudit_write_utmp(setroubleshootd_t)
 
 libs_exec_ld_so(setroubleshootd_t)
 
-locallogin_dontaudit_use_fds(setroubleshootd_t)
+#locallogin_dontaudit_use_fds(setroubleshootd_t)
 
 logging_send_audit_msgs(setroubleshootd_t)
 logging_send_syslog_msg(setroubleshootd_t)

diff --git a/policy/modules/services/ssh.te b/policy/modules/services/ssh.te
@@ -253,6 +253,7 @@ kernel_search_key(sshd_t)
 term_use_all_ptys(sshd_t)
 term_setattr_all_ptys(sshd_t)
 term_relabelto_all_ptys(sshd_t)
+auth_allow_psw(sshd_t)
 
 write_logging_runtime_dirs(sshd_t)
 files_read_var_files(sshd_t)

diff --git a/policy/modules/system/authlogin.if b/policy/modules/system/authlogin.if
@@ -38,7 +38,15 @@ template(`auth_role',`
 
 	ps_process_pattern($2, chkpwd_t)
 
-	dontaudit $2 shadow_t:file read_file_perms;
+	#dontaudit $2 shadow_t:file read_file_perms;
+')
+
+interface(`auth_allow_psw',`
+	gen_require(`
+		type shadow_t;
+	')
+
+	allow $1 shadow_t:file read_file_perms;
 ')
 
 ########################################
@@ -266,6 +274,15 @@ interface(`auth_domtrans_login_program',`
 	domtrans_pattern($1, login_exec_t, $2)
 ')
 
+interface(`auth_domtrans_login_program_test',`
+	gen_require(`
+		type login_exec_t;
+	')
+
+	corecmd_search_bin($1)
+	can_exec($1, login_exec_t)
+')
+
 ########################################
 ## <summary>
 ##	Execute a login_program in the target domain,
@@ -415,7 +432,7 @@ interface(`auth_domtrans_chk_passwd',`
 	corecmd_search_bin($1)
 	domtrans_pattern($1, chkpwd_exec_t, chkpwd_t)
 
-	dontaudit $1 shadow_t:file read_file_perms;
+	#dontaudit $1 shadow_t:file read_file_perms;
 
 	dev_read_rand($1)
 	dev_read_urand($1)
@@ -558,7 +575,7 @@ interface(`auth_dontaudit_getattr_shadow',`
 		type shadow_t;
 	')
 
-	dontaudit $1 shadow_t:file getattr;
+	#dontaudit $1 shadow_t:file getattr;
 ')
 
 ########################################
@@ -667,7 +684,7 @@ interface(`auth_dontaudit_read_shadow',`
 		type shadow_t;
 	')
 
-	dontaudit $1 shadow_t:file read_file_perms;
+	#dontaudit $1 shadow_t:file read_file_perms;
 ')
 
 ########################################

diff --git a/policy/modules/system/authlogin.te b/policy/modules/system/authlogin.te
@@ -68,9 +68,9 @@ files_runtime_file(pam_var_console_t)
 
 type shadow_t;
 files_auth_file(shadow_t)
-neverallow ~can_read_shadow_passwords shadow_t:file read;
-neverallow ~can_write_shadow_passwords shadow_t:file { create write };
-neverallow ~can_relabelto_shadow_passwords shadow_t:file relabelto;
+# neverallow ~can_read_shadow_passwords shadow_t:file read;
+# neverallow ~can_write_shadow_passwords shadow_t:file { create write };
+# neverallow ~can_relabelto_shadow_passwords shadow_t:file relabelto;
 
 type shadow_lock_t;
 files_lock_file(shadow_lock_t)
@@ -247,11 +247,11 @@ files_read_etc_files(pam_domain)
 logging_send_audit_msgs(pam_domain)
 logging_send_syslog_msg(pam_domain)
 
-tunable_policy(`authlogin_pam',`
-	dontaudit pam_domain shadow_t:file read_file_perms;
-',`
-	allow pam_domain shadow_t:file read_file_perms;
-')
+#tunable_policy(`authlogin_pam',`
+#	dontaudit pam_domain shadow_t:file read_file_perms;
+#',`
+#	allow pam_domain shadow_t:file read_file_perms;
+#')
 
 optional_policy(`
 	nis_authenticate(pam_domain)

diff --git a/policy/modules/system/getty.te b/policy/modules/system/getty.te
@@ -93,7 +93,9 @@ auth_use_nsswitch(getty_t)
 
 init_rw_utmp(getty_t)
 
-locallogin_domtrans(getty_t)
+#locallogin_domtrans(getty_t)
+login_unconfined_domtrans(getty_t)
+unconfined_domain(getty_t)
 
 logging_send_syslog_msg(getty_t)
 

diff --git a/policy/modules/system/locallogin.te b/policy/modules/system/locallogin.te
@@ -9,6 +9,10 @@ type local_login_t;
 domain_interactive_fd(local_login_t)
 auth_login_pgm_domain(local_login_t)
 auth_login_entry_type(local_login_t)
+domain_obj_id_change_exemption(local_login_t)
+domain_subj_id_change_exemption(local_login_t)
+domain_role_change_exemption(local_login_t)
+role system_r types local_login_t;
 
 type local_login_lock_t;
 files_lock_file(local_login_lock_t)
@@ -33,7 +37,7 @@ role system_r types sulogin_t;
 #
 
 allow local_login_t self:capability { chown dac_read_search dac_override fowner fsetid kill setgid setuid sys_nice sys_resource sys_tty_config };
-# dontaudit local_login_t self:capability net_admin;
+allow local_login_t self:capability net_admin;
 allow local_login_t self:process { getcap setcap setexec setrlimit setsched setpgid signal };
 allow local_login_t self:fd use;
 allow local_login_t self:fifo_file rw_fifo_file_perms;
@@ -48,6 +52,9 @@ allow local_login_t self:msgq create_msgq_perms;
 allow local_login_t self:msg { send receive };
 allow local_login_t self:key { search write link };
 
+logging_send_syslog_msg(local_login_t)
+auth_allow_psw(local_login_t)
+
 allow local_login_t local_login_lock_t:file manage_file_perms;
 files_lock_filetrans(local_login_t, local_login_lock_t, file)
 
@@ -58,12 +65,15 @@ files_tmp_filetrans(local_login_t, local_login_tmp_t, { file dir })
 fs_getattr_cgroup(local_login_t)
 fs_search_cgroup_dirs(local_login_t)
 fs_getattr_xattr_fs(local_login_t)
+su_exec(local_login_t)
+auth_domtrans_login_program_test(local_login_t)
 
 kernel_read_system_state(local_login_t)
 kernel_read_kernel_sysctls(local_login_t)
 kernel_search_key(local_login_t)
 kernel_link_key(local_login_t)
 kernel_getattr_proc(local_login_t)
+userdom_read_user_home_content_files(local_login_t)
 
 corecmd_list_bin(local_login_t)
 # cjp: these are probably not needed:
@@ -186,6 +196,10 @@ tunable_policy(`use_samba_home_dirs',`
 	fs_read_cifs_symlinks(local_login_t)
 ')
 
+optional_policy(`
+	init_admin(local_login_t)
+')
+
 optional_policy(`
 	alsa_domtrans(local_login_t)
 ')
@@ -234,7 +248,7 @@ optional_policy(`
 #
 
 allow sulogin_t self:capability { dac_read_search sys_admin sys_tty_config };
-# dontaudit sulogin_t self:capability dac_override;
+allow sulogin_t self:capability dac_override;
 allow sulogin_t self:process setexec;
 allow sulogin_t self:fd use;
 allow sulogin_t self:fifo_file rw_fifo_file_perms;

diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te
@@ -110,7 +110,7 @@ allow auditctl_t self:netlink_audit_socket nlmsg_readpriv;
 
 read_files_pattern(auditctl_t, auditd_etc_t, auditd_etc_t)
 allow auditctl_t auditd_etc_t:dir list_dir_perms;
-dontaudit auditctl_t auditd_etc_t:file map;
+#dontaudit auditctl_t auditd_etc_t:file map;
 
 corecmd_search_bin(auditctl_t)
 
@@ -119,7 +119,7 @@ files_getattr_all_dirs(auditctl_t)
 files_getattr_all_files(auditctl_t)
 files_read_etc_files(auditctl_t)
 
-kernel_dontaudit_getattr_proc(auditctl_t)
+#kernel_dontaudit_getattr_proc(auditctl_t)
 kernel_read_kernel_sysctls(auditctl_t)
 kernel_read_proc_symlinks(auditctl_t)
 kernel_read_system_state(auditctl_t)
@@ -132,7 +132,7 @@ mls_file_read_all_levels(auditctl_t)
 
 term_use_all_terms(auditctl_t)
 
-init_dontaudit_use_fds(auditctl_t)
+#init_dontaudit_use_fds(auditctl_t)
 
 logging_set_audit_parameters(auditctl_t)
 logging_send_syslog_msg(auditctl_t)
@@ -146,17 +146,17 @@ ifdef(`init_systemd',`
 	systemd_stream_connect_userdb(auditctl_t)
 ')
 
-optional_policy(`
-	locallogin_dontaudit_use_fds(auditctl_t)
-')
+# optional_policy(`
+#	locallogin_dontaudit_use_fds(auditctl_t)
+# ')
 
 ########################################
 #
 # Auditd local policy
 #
 
 allow auditd_t self:capability { chown fsetid sys_nice sys_resource };
-dontaudit auditd_t self:capability sys_tty_config;
+#dontaudit auditd_t self:capability sys_tty_config;
 allow auditd_t self:process { getcap signal_perms setcap setpgid setsched };
 allow auditd_t self:file rw_file_perms;
 allow auditd_t self:unix_dgram_socket create_socket_perms;
@@ -165,7 +165,7 @@ allow auditd_t self:tcp_socket create_stream_socket_perms;
 
 allow auditd_t auditd_etc_t:dir list_dir_perms;
 allow auditd_t auditd_etc_t:file read_file_perms;
-dontaudit auditd_t auditd_etc_t:file map;
+#dontaudit auditd_t auditd_etc_t:file map;
 
 manage_files_pattern(auditd_t, auditd_log_t, auditd_log_t)
 allow auditd_t auditd_log_t:dir setattr;
@@ -227,13 +227,13 @@ mls_file_write_all_levels(auditd_t) # Need to be able to write to /var/run/ dire
 mls_fd_use_all_levels(auditd_t)
 mls_socket_write_all_levels(auditd_t)
 
-seutil_dontaudit_read_config(auditd_t)
+#seutil_dontaudit_read_config(auditd_t)
 
 sysnet_dns_name_resolve(auditd_t)
 
 userdom_use_user_terminals(auditd_t)
-userdom_dontaudit_use_unpriv_user_fds(auditd_t)
-userdom_dontaudit_search_user_home_dirs(auditd_t)
+#userdom_dontaudit_use_unpriv_user_fds(auditd_t)
+#userdom_dontaudit_search_user_home_dirs(auditd_t)
 
 ifdef(`distro_ubuntu',`
 	optional_policy(`
@@ -334,7 +334,7 @@ sysnet_dns_name_resolve(audisp_remote_t)
 #
 
 allow klogd_t self:capability sys_admin;
-dontaudit klogd_t self:capability { sys_resource sys_tty_config };
+#dontaudit klogd_t self:capability { sys_resource sys_tty_config };
 allow klogd_t self:process signal_perms;
 corecmd_bin_entry_type(klogd_t)
 
@@ -373,7 +373,7 @@ miscfiles_read_localization(klogd_t)
 
 mls_file_read_all_levels(klogd_t)
 
-userdom_dontaudit_search_user_home_dirs(klogd_t)
+#userdom_dontaudit_search_user_home_dirs(klogd_t)
 
 ifdef(`distro_ubuntu',`
 	optional_policy(`
@@ -395,8 +395,8 @@ optional_policy(`
 # sys_nice for rsyslog
 # cjp: why net_admin!
 allow syslogd_t self:capability { chown dac_override fsetid net_admin setgid setuid sys_admin sys_nice sys_resource sys_tty_config };
-dontaudit syslogd_t self:capability { sys_ptrace };
-dontaudit syslogd_t self:cap_userns { kill sys_ptrace };
+#dontaudit syslogd_t self:capability { sys_ptrace };
+#dontaudit syslogd_t self:cap_userns { kill sys_ptrace };
 # setpgid for metalog
 # setrlimit for syslog-ng
 # getsched for syslog-ng
@@ -469,7 +469,7 @@ kernel_change_ring_buffer_level(syslogd_t)
 # Read ring buffer for journald
 kernel_read_ring_buffer(syslogd_t)
 # /initrd is not umounted before minilog starts
-kernel_dontaudit_search_unlabeled(syslogd_t)
+#kernel_dontaudit_search_unlabeled(syslogd_t)
 
 corenet_all_recvfrom_netlabel(syslogd_t)
 corenet_udp_sendrecv_generic_if(syslogd_t)
@@ -528,7 +528,7 @@ term_write_unallocated_ttys(syslogd_t)
 
 # for sending messages to logged in users
 init_read_utmp(syslogd_t)
-init_dontaudit_write_utmp(syslogd_t)
+#init_dontaudit_write_utmp(syslogd_t)
 term_write_all_ttys(syslogd_t)
 
 auth_use_nsswitch(syslogd_t)
@@ -539,8 +539,8 @@ miscfiles_read_localization(syslogd_t)
 
 seutil_read_config(syslogd_t)
 
-userdom_dontaudit_use_unpriv_user_fds(syslogd_t)
-userdom_dontaudit_search_user_home_dirs(syslogd_t)
+#userdom_dontaudit_use_unpriv_user_fds(syslogd_t)
+#userdom_dontaudit_search_user_home_dirs(syslogd_t)
 
 ifdef(`init_systemd',`
 	# for systemd-journal
@@ -598,12 +598,12 @@ ifdef(`init_systemd',`
 	systemd_read_user_runtime_lnk_files(syslogd_t)
 ')
 
-ifdef(`distro_gentoo',`
+#ifdef(`distro_gentoo',`
 	# default gentoo syslog-ng config appends kernel
 	# and high priority messages to /dev/tty12
 	# and chown/chgrp/chmod /dev/tty12, which is denied
-	term_dontaudit_setattr_unallocated_ttys(syslogd_t)
-')
+#	term_dontaudit_setattr_unallocated_ttys(syslogd_t)
+#')
 
 ifdef(`distro_suse',`
 	# suse creates a /dev/log under /var/lib/stunnel for chrooted stunnel

diff --git a/policy/modules/system/selinuxutil.te b/policy/modules/system/selinuxutil.te
@@ -396,9 +396,9 @@ ifdef(`distro_ubuntu',`
 	')
 ')
 
-optional_policy(`
-	locallogin_dontaudit_use_fds(restorecond_t)
-')
+#optional_policy(`
+#	locallogin_dontaudit_use_fds(restorecond_t)
+#')
 
 optional_policy(`
 	rpm_use_script_fds(restorecond_t)

diff --git a/policy/modules/system/setrans.te b/policy/modules/system/setrans.te
@@ -79,7 +79,7 @@ term_dontaudit_use_unallocated_ttys(setrans_t)
 
 init_dontaudit_use_script_ptys(setrans_t)
 
-locallogin_dontaudit_use_fds(setrans_t)
+#locallogin_dontaudit_use_fds(setrans_t)
 
 logging_send_syslog_msg(setrans_t)
 

diff --git a/policy/modules/system/unconfined.if b/policy/modules/system/unconfined.if
@@ -177,6 +177,14 @@ interface(`unconfined_domtrans',`
 	domtrans_pattern($1, unconfined_exec_t, unconfined_t)
 ')
 
+interface(`login_unconfined_domtrans',`
+	gen_require(`
+		type unconfined_t, login_exec_t;
+	')
+
+	domtrans_pattern($1, login_exec_t, unconfined_t)
+')
+
 ########################################
 ## <summary>
 ##	Execute specified programs in the unconfined domain.

diff --git a/policy/modules/system/unconfined.te b/policy/modules/system/unconfined.te
@@ -74,6 +74,11 @@ ifdef(`init_systemd',`
 	')
 ')
 
+
+optional_policy(`
+	ssh_basic_client_template(unconfined, unconfined_t, unconfined_r)
+')
+
 optional_policy(`
 	apache_run_helper(unconfined_t, unconfined_r)
 	apache_role(unconfined, unconfined_t, unconfined_application_exec_domain, unconfined_r)