/usr/share/selinux/ubuntu/include/apps/userhelper.if is in selinux-policy-ubuntu-dev 0.2.20091117-0ubuntu2.
This file is owned by root:root, with mode 0o644.
The actual contents of the file can be viewed below.
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 159 160 161 162 163 164 165 166 167 168 169 170 171 172 173 174 175 176 177 178 179 180 181 182 183 184 185 186 187 188 189 190 191 192 193 194 195 196 197 198 199 200 201 202 203 204 205 206 207 208 209 210 211 212 213 214 215 216 217 218 219 220 221 222 223 224 225 226 227 228 229 230 231 232 233 234 235 236 237 238 239 240 241 242 243 244 245 246 247 248 249 250 251 252 253 254 255 256 257 258 259 260 261 262 | ## <summary>SELinux utility to run a shell with a new role</summary>
#######################################
## <summary>
## The role template for the userhelper module.
## </summary>
## <param name="userrole_prefix">
## <summary>
## The prefix of the user role (e.g., user
## is the prefix for user_r).
## </summary>
## </param>
## <param name="user_role">
## <summary>
## The user role.
## </summary>
## </param>
## <param name="user_domain">
## <summary>
## The user domain associated with the role.
## </summary>
## </param>
#
template(`userhelper_role_template',`
gen_require(`
attribute userhelper_type;
type userhelper_exec_t, userhelper_conf_t;
')
########################################
#
# Declarations
#
type $1_userhelper_t, userhelper_type;
application_domain($1_userhelper_t, userhelper_exec_t)
domain_role_change_exemption($1_userhelper_t)
domain_obj_id_change_exemption($1_userhelper_t)
domain_interactive_fd($1_userhelper_t)
domain_subj_id_change_exemption($1_userhelper_t)
ubac_constrained($1_userhelper_t)
role $2 types $1_userhelper_t;
########################################
#
# Local policy
#
allow $1_userhelper_t self:capability { setuid setgid net_bind_service dac_override chown sys_tty_config };
allow $1_userhelper_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
allow $1_userhelper_t self:process setexec;
allow $1_userhelper_t self:fd use;
allow $1_userhelper_t self:fifo_file rw_fifo_file_perms;
allow $1_userhelper_t self:shm create_shm_perms;
allow $1_userhelper_t self:sem create_sem_perms;
allow $1_userhelper_t self:msgq create_msgq_perms;
allow $1_userhelper_t self:msg { send receive };
allow $1_userhelper_t self:unix_dgram_socket create_socket_perms;
allow $1_userhelper_t self:unix_stream_socket create_stream_socket_perms;
allow $1_userhelper_t self:unix_dgram_socket sendto;
allow $1_userhelper_t self:unix_stream_socket connectto;
allow $1_userhelper_t self:sock_file read_sock_file_perms;
#Transition to the derived domain.
domtrans_pattern($3, userhelper_exec_t, $1_userhelper_t)
allow $1_userhelper_t userhelper_conf_t:dir rw_dir_perms;
rw_files_pattern($1_userhelper_t, userhelper_conf_t, userhelper_conf_t)
can_exec($1_userhelper_t, userhelper_exec_t)
dontaudit $3 $1_userhelper_t:process signal;
kernel_read_all_sysctls($1_userhelper_t)
kernel_getattr_debugfs($1_userhelper_t)
kernel_read_system_state($1_userhelper_t)
# Execute shells
corecmd_exec_shell($1_userhelper_t)
# By default, revert to the calling domain when a program is executed
corecmd_bin_domtrans($1_userhelper_t, $3)
# Inherit descriptors from the current session.
domain_use_interactive_fds($1_userhelper_t)
# for when the user types "exec userhelper" at the command line
domain_sigchld_interactive_fds($1_userhelper_t)
dev_read_urand($1_userhelper_t)
# Read /dev directories and any symbolic links.
dev_list_all_dev_nodes($1_userhelper_t)
files_list_var_lib($1_userhelper_t)
# Read the /etc/security/default_type file
files_read_etc_files($1_userhelper_t)
# Read /var.
files_read_var_files($1_userhelper_t)
files_read_var_symlinks($1_userhelper_t)
# for some PAM modules and for cwd
files_search_home($1_userhelper_t)
fs_search_auto_mountpoints($1_userhelper_t)
fs_read_nfs_files($1_userhelper_t)
fs_read_nfs_symlinks($1_userhelper_t)
# Allow $1_userhelper to obtain contexts to relabel TTYs
selinux_get_fs_mount($1_userhelper_t)
selinux_validate_context($1_userhelper_t)
selinux_compute_access_vector($1_userhelper_t)
selinux_compute_create_context($1_userhelper_t)
selinux_compute_relabel_context($1_userhelper_t)
selinux_compute_user_contexts($1_userhelper_t)
# Read the devpts root directory.
term_list_ptys($1_userhelper_t)
# Relabel terminals.
term_relabel_all_user_ttys($1_userhelper_t)
term_relabel_all_user_ptys($1_userhelper_t)
# Access terminals.
term_use_all_user_ttys($1_userhelper_t)
term_use_all_user_ptys($1_userhelper_t)
auth_domtrans_chk_passwd($1_userhelper_t)
auth_manage_pam_pid($1_userhelper_t)
auth_manage_var_auth($1_userhelper_t)
auth_search_pam_console_data($1_userhelper_t)
# Inherit descriptors from the current session.
init_use_fds($1_userhelper_t)
# Write to utmp.
init_manage_utmp($1_userhelper_t)
init_pid_filetrans_utmp($1_userhelper_t)
miscfiles_read_localization($1_userhelper_t)
seutil_read_config($1_userhelper_t)
seutil_read_default_contexts($1_userhelper_t)
# Allow $1_userhelper_t to transition to user domains.
userdom_bin_spec_domtrans_unpriv_users($1_userhelper_t)
userdom_entry_spec_domtrans_unpriv_users($1_userhelper_t)
ifdef(`distro_redhat',`
optional_policy(`
# Allow transitioning to rpm_t, for up2date
rpm_domtrans($1_userhelper_t)
')
')
optional_policy(`
ethereal_domtrans($1_userhelper_t)
')
optional_policy(`
logging_send_syslog_msg($1_userhelper_t)
')
optional_policy(`
nis_use_ypbind($1_userhelper_t)
')
optional_policy(`
nscd_socket_use($1_userhelper_t)
')
optional_policy(`
tunable_policy(`! secure_mode',`
#if we are not in secure mode then we can transition to sysadm_t
sysadm_bin_spec_domtrans($1_userhelper_t)
sysadm_entry_spec_domtrans($1_userhelper_t)
')
')
')
########################################
## <summary>
## Search the userhelper configuration directory.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`userhelper_search_config',`
gen_require(`
type userhelper_conf_t;
')
allow $1 userhelper_conf_t:dir search_dir_perms;
')
########################################
## <summary>
## Do not audit attempts to search
## the userhelper configuration directory.
## </summary>
## <param name="domain">
## <summary>
## Domain to not audit.
## </summary>
## </param>
#
interface(`userhelper_dontaudit_search_config',`
gen_require(`
type userhelper_conf_t;
')
dontaudit $1 userhelper_conf_t:dir search_dir_perms;
')
########################################
## <summary>
## Allow domain to use userhelper file descriptor.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`userhelper_use_fd',`
gen_require(`
attribute userhelper_type;
')
allow $1 userhelper_type:fd use;
')
########################################
## <summary>
## Allow domain to send sigchld to userhelper.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`userhelper_sigchld',`
gen_require(`
attribute userhelper_type;
')
allow $1 userhelper_type:process sigchld;
')
########################################
## <summary>
## Execute the userhelper program in the caller domain.
## </summary>
## <param name="domain">
## <summary>
## The type of the process performing this action.
## </summary>
## </param>
#
interface(`userhelper_exec',`
gen_require(`
type userhelper_exec_t;
')
can_exec($1, userhelper_exec_t)
')
|