From: cpebenito@tresys.com (Christopher J. PeBenito) Date: Thu, 3 Jan 2013 10:31:28 -0500 Subject: [refpolicy] [PATCH 8/8] Introduce exec-check interfaces for passwd binaries and useradd binaries In-Reply-To: <1355737370-27628-9-git-send-email-sven.vermeulen@siphos.be> References: <1355737370-27628-1-git-send-email-sven.vermeulen@siphos.be> <1355737370-27628-9-git-send-email-sven.vermeulen@siphos.be> Message-ID: <50E5A450.30008@tresys.com> To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com On 12/17/12 04:42, Sven Vermeulen wrote: > > Signed-off-by: Sven Vermeulen > --- > policy/modules/admin/usermanage.if | 36 ++++++++++++++++++++++++++++++++++++ > 1 files changed, 36 insertions(+), 0 deletions(-) > > diff --git a/policy/modules/admin/usermanage.if b/policy/modules/admin/usermanage.if > index 98b8b2d..99e3903 100644 > --- a/policy/modules/admin/usermanage.if > +++ b/policy/modules/admin/usermanage.if > @@ -140,6 +140,24 @@ interface(`usermanage_kill_passwd',` > > ######################################## > ## > +## Check if the passwd binary is executable. > +## > +## > +## > +## Domain allowed access. > +## > +## > +# > +interface(`usermanage_check_exec_passwd',` > + gen_require(` > + type passwd_exec_t; > + ') > + > + allow $1 passwd_exec_t:file { execute getattr_file_perms }; > +') > + > +######################################## > +## > ## Execute passwd in the passwd domain, and > ## allow the specified role the passwd domain. > ## 
> @@ -253,6 +271,24 @@ interface(`usermanage_domtrans_useradd',` > > ######################################## > ## > +## Check if the useradd binaries are executable. > +## > +## > +## > +## Domain allowed access. > +## > +## > +# > +interface(`usermanage_check_exec_useradd',` > + gen_require(` > + type useradd_exec_t; > + ') > + > + allow $1 useradd_exec_t:file { execute getattr_file_perms }; > +') > + > +######################################## > +## > ## Execute useradd in the useradd domain, and > ## allow the specified role the useradd domain. > ## Merged. -- Chris PeBenito Tresys Technology, LLC www.tresys.com | oss.tresys.com
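Review bot: in the first hunk, the summary for usermanage_check_exec_passwd ("Check if the passwd binary is executable.") does not say that the caller still cannot run passwd. The rule grants only `execute` and `getattr_file_perms` on passwd_exec_t, with no execute_no_trans and no domain transition, so it serves an access check and nothing more. Suggest stating that in the description and pointing callers that need to run the binary to the interface documented right after it ("Execute passwd in the passwd domain, and allow the specified role the passwd domain.").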
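Review bot: in the second hunk, `allow $1 useradd_exec_t:file { execute getattr_file_perms };` mixes a raw permission with a permission-set macro inside one brace set. Since getattr_file_perms is itself a brace set, the expanded rule carries a nested set. Suggest writing the two permissions out as `{ getattr execute }`, or at least listing the macro first; the same applies to the passwd_exec_t rule in the first hunk. The summary also says "useradd binaries" while the passwd one uses the singular, so it would help to say in the description that the type labels more than one program, if that is the intent.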