1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
|
## <summary>Execute a command with a substitute user</summary>
#######################################
## <summary>
## The role template for the sudo module.
## </summary>
## <desc>
## <p>
## This template creates a derived domain which is allowed
## to change the linux user id, to run commands as a different
## user.
## </p>
## </desc>
## <param name="role_prefix">
## <summary>
## The prefix of the user role (e.g., user
## is the prefix for user_r).
## </summary>
## </param>
## <param name="user_domain">
## <summary>
## User domain for the role.
## </summary>
## </param>
## <param name="user_exec_domain">
## <summary>
## User exec domain for execute and transition access.
## </summary>
## </param>
## <param name="role">
## <summary>
## Role allowed access
## </summary>
## </param>
#
template(`sudo_role_template',`
gen_require(`
type sudo_exec_t;
attribute sudodomain;
')
##############################
#
# Declarations
#
type $1_sudo_t, sudodomain;
userdom_user_application_domain($1_sudo_t, sudo_exec_t)
domain_interactive_fd($1_sudo_t)
domain_role_change_exemption($1_sudo_t)
role $4 types $1_sudo_t;
##############################
#
# Local Policy
#
# Use capabilities.
allow $1_sudo_t self:capability { chown dac_override fowner kill setgid setuid sys_nice sys_resource };
allow $1_sudo_t self:process { dyntransition getattr getcap getpgid getrlimit getsched getsession noatsecure rlimitinh setcap setkeycreate setpgid setsched setsockcreate share siginh signal_perms transition };
allow $1_sudo_t self:process { setexec setrlimit };
allow $1_sudo_t self:fd use;
allow $1_sudo_t self:fifo_file rw_fifo_file_perms;
allow $1_sudo_t self:shm create_shm_perms;
allow $1_sudo_t self:sem create_sem_perms;
allow $1_sudo_t self:msgq create_msgq_perms;
allow $1_sudo_t self:msg { receive send };
allow $1_sudo_t self:netlink_selinux_socket create_socket_perms;
allow $1_sudo_t self:unix_dgram_socket create_socket_perms;
allow $1_sudo_t self:unix_stream_socket create_stream_socket_perms;
allow $1_sudo_t self:unix_dgram_socket sendto;
allow $1_sudo_t self:unix_stream_socket connectto;
allow $1_sudo_t self:key manage_key_perms;
dontaudit $1_sudo_t self:capability { dac_read_search sys_ptrace };
# allow getting the process group of the parent process
allow $1_sudo_t $2:process getpgid;
allow $1_sudo_t $2:unix_stream_socket rw_socket_perms;
# allow accessing /proc/pid/stat of the calling domain
ps_process_pattern($1_sudo_t, $2)
dontaudit $1_sudo_t $3:socket_class_set { read write };
# By default, revert to the calling domain when a shell is executed.
corecmd_shell_domtrans($1_sudo_t, $2)
corecmd_bin_domtrans($1_sudo_t, $2)
kernel_read_kernel_sysctls($1_sudo_t)
kernel_read_system_state($1_sudo_t)
kernel_link_key($1_sudo_t)
kernel_dontaudit_getattr_proc($1_sudo_t)
corecmd_exec_all_executables($1_sudo_t)
dev_getattr_fs($1_sudo_t)
dev_read_urand($1_sudo_t)
dev_rw_generic_usb_dev($1_sudo_t)
dev_read_sysfs($1_sudo_t)
domain_use_interactive_fds($1_sudo_t)
domain_sigchld_interactive_fds($1_sudo_t)
domain_getattr_all_entry_files($1_sudo_t)
files_read_etc_files($1_sudo_t)
files_read_var_files($1_sudo_t)
files_read_usr_symlinks($1_sudo_t)
files_getattr_usr_files($1_sudo_t)
# for some PAM modules and for cwd
files_dontaudit_search_home($1_sudo_t)
files_list_tmp($1_sudo_t)
fs_search_auto_mountpoints($1_sudo_t)
fs_getattr_xattr_fs($1_sudo_t)
selinux_validate_context($1_sudo_t)
selinux_compute_relabel_context($1_sudo_t)
term_getattr_pty_fs($1_sudo_t)
term_dontaudit_getattr_unallocated_ttys($1_sudo_t)
term_relabel_all_ttys($1_sudo_t)
term_relabel_all_ptys($1_sudo_t)
auth_run_chk_passwd($1_sudo_t, $4)
# sudo stores a token in the pam runtime directory
auth_manage_pam_runtime_dirs($1_sudo_t)
auth_manage_pam_runtime_files($1_sudo_t)
auth_use_pam($1_sudo_t)
auth_runtime_filetrans_pam_runtime($1_sudo_t, dir, "sudo")
init_getpgid($1_sudo_t)
init_rw_utmp($1_sudo_t)
logging_send_audit_msgs($1_sudo_t)
logging_send_syslog_msg($1_sudo_t)
miscfiles_read_localization($1_sudo_t)
seutil_read_default_contexts($1_sudo_t)
seutil_libselinux_linked($1_sudo_t)
userdom_spec_domtrans_all_users($1_sudo_t)
userdom_create_all_users_keys($1_sudo_t)
userdom_create_user_pty($1_sudo_t)
userdom_manage_user_home_content_files($1_sudo_t)
userdom_manage_user_home_content_symlinks($1_sudo_t)
userdom_manage_user_tmp_files($1_sudo_t)
userdom_manage_user_tmp_symlinks($1_sudo_t)
userdom_setattr_user_ptys($1_sudo_t)
userdom_use_user_terminals($1_sudo_t)
userdom_dontaudit_rw_user_tmp_pipes($1_sudo_t)
# for some PAM modules and for cwd
userdom_dontaudit_search_user_home_content($1_sudo_t)
userdom_dontaudit_search_user_home_dirs($1_sudo_t)
# allow forwarding signals to the child process
userdom_signal_all_users($1_sudo_t)
tunable_policy(`allow_polyinstantiation',`
allow $1_sudo_t self:capability sys_admin;
fs_mount_xattr_fs($1_sudo_t)
fs_unmount_xattr_fs($1_sudo_t)
')
tunable_policy(`sudo_allow_user_exec_domains',`
allow $1_sudo_t $3:key search;
# allow accessing /proc/pid/stat
ps_process_pattern($1_sudo_t, $3)
# Transmit SIGWINCH to children
allow $1_sudo_t $3:process signal;
# Enter this derived domain from the user domain
domtrans_pattern($3, sudo_exec_t, $1_sudo_t)
allow $3 $1_sudo_t:fd use;
allow $3 $1_sudo_t:fifo_file rw_fifo_file_perms;
allow $3 $1_sudo_t:process signal_perms;
',`
allow $1_sudo_t $2:key search;
# Transmit SIGWINCH to children
allow $1_sudo_t $2:process signal;
# Enter this derived domain from the user domain
domtrans_pattern($2, sudo_exec_t, $1_sudo_t)
allow $2 $1_sudo_t:fd use;
allow $2 $1_sudo_t:fifo_file rw_fifo_file_perms;
allow $2 $1_sudo_t:process signal_perms;
')
tunable_policy(`use_nfs_home_dirs',`
fs_manage_nfs_files($1_sudo_t)
')
tunable_policy(`use_samba_home_dirs',`
fs_manage_cifs_files($1_sudo_t)
')
optional_policy(`
auth_use_pam_systemd($1_sudo_t)
systemd_dbus_chat_logind($1_sudo_t)
systemd_write_inherited_logind_sessions_pipes($1_sudo_t)
ifdef(`init_systemd',`
init_dbus_chat($1_sudo_t)
systemd_read_logind_state($1_sudo_t)
')
')
optional_policy(`
fprintd_dbus_chat($1_sudo_t)
')
optional_policy(`
su_signal_all($1_sudo_t)
')
ifdef(`distro_gentoo',`
# Fix bug 549640 - Add dontaudit getattr on chr and blk devices as is done with regular user domains too
dev_dontaudit_getattr_all_blk_files($1_sudo_t)
dev_dontaudit_getattr_all_chr_files($1_sudo_t)
')
')
########################################
## <summary>
## Send a SIGCHLD signal to the sudo domain.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`sudo_sigchld',`
gen_require(`
attribute sudodomain;
')
allow $1 sudodomain:process sigchld;
')
########################################
## <summary>
## Execute sudo in the caller domain.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`sudo_exec',`
gen_require(`
type sudo_exec_t;
')
can_exec($1, sudo_exec_t)
corecmd_search_bin($1)
')
|