annotate google-authenticator.te @ 0:524d6c83d8ad

initial version
author Carl Byington <carl@five-ten-sg.com>
date Wed, 01 Mar 2017 10:08:26 -0800
parents
children 0e3c9806a620
# SELinux policy module that gives sshd_t controlled access to a
# dedicated type for the per-user .google_authenticator file (the state
# file of the Google Authenticator PAM module). Only sshd_t is granted
# anything here; the user's own shell access is not covered by this file.
#
# Name and version, every module should have this.

policy_module(google_authenticator, 0.0.1)


# List of the types, class and everything else you are going to use in
# your module that is not defined in this .te file. If you are getting
# any errors when you compile your module that it is unable to find a
# type, you probably forgot to declare it here.
#
# sshd_t          - the domain the ssh daemon runs in
# user_home_dir_t - the type of ordinary users' home directories
# admin_home_t    - the type of root's home directory

require {
type sshd_t;
type user_home_dir_t;
type admin_home_t;
}


# This is where we define our type. A good practise is to append _t for
# all types. This is the type we are going to give our
# .google_authenticator file.
#
# The file holds the user's TOTP seed, scratch codes and rate-limit
# state; giving it its own type (instead of the generic home-content
# type) is what lets the policy below name exactly which domain may
# touch it.

type google_authenticator_t;


# What role our type should have. This is almost always going to be
# object_r
#
# NOTE(review): object_r is the role of every non-process object, and the
# policy compiler is believed to associate all types with it implicitly,
# so this line is usually omitted in refpolicy-style modules. It is
# harmless to keep.

role object_r types google_authenticator_t;


# What sshd_t (the context the ssh daemon runs as) should be able to do
# with our type (google_authenticator_t), as a file. rename, create and
# unlink are base permissions, rw_file_perms is a permission set. The
# rw_file_perms set is defined in
# /usr/share/selinux/devel/include/support/obj_perm_sets.spt with a lot
# of other sets. Reading that file gives you a good overview of what
# they allow.
#
# create/rename/unlink are presumably needed because the PAM module
# rewrites the file (to record used codes and rate-limit state) through a
# temporary ".google_authenticator~" file that is then renamed over the
# original; the filetrans rules at the bottom cover both names.
# NOTE(review): if the temporary file also has its mode or owner adjusted
# (fchmod/fchown), `setattr` is needed in addition to rw_file_perms;
# confirm from audit denials before adding it rather than granting it
# speculatively.

allow sshd_t google_authenticator_t:file { rename create unlink rw_file_perms };


# Without this, SELinux will be way too strict as default, as it won't
# know what this type really is. Remember that SELinux doesn't only
# deal with files, but sockets and other object classes as well. Leaving
# this out will still allow sshd_t to do its stuff, but you, in your
# shell, will see a weird file: only the file name is shown and even the
# permissions are hidden from you. (a fun trick to pull on your
# friends.. :] ) An overview of this is located at
# http://oss.tresys.com/docs/refpolicy/api/kernel_files.html.
#
# NOTE(review): files_type() marks the type as an ordinary,
# non-security file type, so every domain granted the broad
# "read non-security files" style interfaces (backup, indexing, admin
# tools) can read the secret. If that is wider than intended,
# files_security_file() is the stricter alternative; check what else
# legitimately needs access (including the user's own shell when
# running the google-authenticator setup tool) before switching.

files_type(google_authenticator_t)


# re-label newly created files on the fly: when sshd_t creates a file
# with one of these names directly inside a home directory, the kernel
# labels it google_authenticator_t instead of the directory's default
# content type. Both the real file and the "~" temporary are covered, for
# ordinary users' homes (user_home_dir_t) and root's home (admin_home_t).
#
# NOTE(review): a name-based transition only fires when sshd_t itself
# creates the file. A file the user creates from their shell is not
# relabelled by these rules and relies on the module's .fc entries (not
# part of this file) plus restorecon - confirm those exist, otherwise
# the first login will fail with a denial on the generic home type.

filetrans_pattern(sshd_t, user_home_dir_t, google_authenticator_t, file, ".google_authenticator")
filetrans_pattern(sshd_t, user_home_dir_t, google_authenticator_t, file, ".google_authenticator~")
filetrans_pattern(sshd_t, admin_home_t, google_authenticator_t, file, ".google_authenticator")
filetrans_pattern(sshd_t, admin_home_t, google_authenticator_t, file, ".google_authenticator~")