comparison google-authenticator.te @ 0:524d6c83d8ad
initial version
author | Carl Byington <carl@five-ten-sg.com> |
date | Wed, 01 Mar 2017 10:08:26 -0800 |
parents | |
children | 0e3c9806a620 |
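--- a/google-authenticator.te
+++ b/google-authenticator.te
@@ -0,0 +1,59 @@
+# Name and version, every module should have this.
+
+policy_module(google_authenticator, 0.0.1)
+
+
+# List of the types, class and everything else you are going to use in
+# your module that is not defined in this .te file. If you are getting
+# any errors when you compile your module that it is unable to find a
+# type, you probably forgot to declare it here.
+
+require {
+	type sshd_t;
+	type user_home_dir_t;
+	type admin_home_t;
+}
+
+
+# This is where we define our type. A good practise is to append _t for
+# all types. This is the type we are going to give our
+# .google_authenticator file.
+
+type google_authenticator_t;
+
+
+# What role our type should have. This is almost always going to be
+# object_r
+
+role object_r types google_authenticator_t;
+
+
+# What sshd_t (the context the ssh daemon runs as) should be able to do
+# with our type (google_authenticator_t), as a file. rename, create and
+# unlink are base definitions, rw_file_perms is a set of rules. The
+# rw_file_perms group is defined in
+# /usr/share/selinux/devel/include/support/obj_perm_sets.spt with a lot
+# of other groups. Reading this files give you a good overview of what
+# they allow.
+
+allow sshd_t google_authenticator_t:file { rename create unlink rw_file_perms };
+
+
+# Without this, SELinux will be way too strict as default, as it won't
+# know what this type really is. Remember that SELinux doesn’t only
+# deal with files, but sockets and other filetypes as well. Leaving
+# this out will still allow sshd_t to do its stuff, but you, in your
+# shell will see a weird file. The only thing you will see is the file
+# name. Even permissions will be hidden from you. (a fun trick to pull
+# on your friends.. :] ) An overview of this is located at
+# http://oss.tresys.com/docs/refpolicy/api/kernel_files.html.
+
+files_type(google_authenticator_t)
+
+
+# re-label newly created files on the fly
+
+filetrans_pattern(sshd_t, user_home_dir_t, google_authenticator_t, file, ".google_authenticator")
+filetrans_pattern(sshd_t, user_home_dir_t, google_authenticator_t, file, ".google_authenticator~")
+filetrans_pattern(sshd_t, admin_home_t, google_authenticator_t, file, ".google_authenticator")
+filetrans_pattern(sshd_t, admin_home_t, google_authenticator_t, file, ".google_authenticator~")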
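Review bot: Nothing in this module labels a `.google_authenticator` that already exists — the four `filetrans_pattern` lines at the bottom only label files that sshd_t itself creates, so a secret file written beforehand by the user's own `google-authenticator` setup tool keeps its `user_home_t`/`admin_home_t` label and is never covered by the `allow` rule above, and without a `.fc` file (none is visible in this commit) `restorecon` cannot repair that either. I would ship file-context entries such as `HOME_DIR/\.google_authenticator.*  --  gen_context(system_u:object_r:google_authenticator_t,s0)` and `/root/\.google_authenticator.*  --  gen_context(system_u:object_r:google_authenticator_t,s0)`, and declare the type with `userdom_user_home_content(google_authenticator_t)` rather than bare `files_type()` so the home-content interfaces in the base policy treat the secret as user data. The `allow sshd_t google_authenticator_t:file { rename create unlink rw_file_perms }` rule is far wider than a read-only secret would need; it is presumably required because the PAM module rewrites the file (the `.google_authenticator~` transitions suggest a write-temporary-then-rename update), so a comment such as `# write/rename/unlink: pam_google_authenticator rewrites the file to invalidate used scratch codes and record rate-limit state` would stop a later reviewer from tightening it to read-only and silently breaking replay protection. Note also that the transitions only fire if sshd_t already has `add_name`/`remove_name` on `user_home_dir_t` and `admin_home_t`; that is not granted here and would need confirming against the base policy.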