diff google-authenticator.te @ 0:524d6c83d8ad
initial version
| | |
|---|---|
| author | Carl Byington <carl@five-ten-sg.com> |
| date | Wed, 01 Mar 2017 10:08:26 -0800 |
| parents | |
| children | 0e3c9806a620 |
--- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/google-authenticator.te Wed Mar 01 10:08:26 2017 -0800 
@@ -0,0 +1,59 @@ +# Name and version, every module should have this. + +policy_module(google_authenticator, 0.0.1) + + +# List of the types, class and everything else you are going to use in +# your module that is not defined in this .te file. If you are getting +# any errors when you compile your module that it is unable to find a +# type, you probably forgot to declare it here. + +require { + type sshd_t; + type user_home_dir_t; + type admin_home_t; +} + + +# This is where we define our type. A good practise is to append _t for +# all types. This is the type we are going to give our +# .google_authenticator file. + +type google_authenticator_t; + + +# What role our type should have. This is almost always going to be +# object_r + +role object_r types google_authenticator_t; + + +# What sshd_t (the context the ssh daemon runs as) should be able to do +# with our type (google_authenticator_t), as a file. rename, create and +# unlink are base definitions, rw_file_perms is a set of rules. The +# rw_file_perms group is defined in +# /usr/share/selinux/devel/include/support/obj_perm_sets.spt with a lot +# of other groups. Reading this files give you a good overview of what +# they allow. + +allow sshd_t google_authenticator_t:file { rename create unlink rw_file_perms }; + + +# Without this, SELinux will be way too strict as default, as it won't +# know what this type really is. Remember that SELinux doesn’t only +# deal with files, but sockets and other filetypes as well. Leaving +# this out will still allow sshd_t to do its stuff, but you, in your +# shell will see a weird file. The only thing you will see is the file +# name. Even permissions will be hidden from you. (a fun trick to pull +# on your friends.. :] ) An overview of this is located at +# http://oss.tresys.com/docs/refpolicy/api/kernel_files.html. 
+ +files_type(google_authenticator_t) + + +# re-label newly created files on the fly + +filetrans_pattern(sshd_t, user_home_dir_t, google_authenticator_t, file, ".google_authenticator") +filetrans_pattern(sshd_t, user_home_dir_t, google_authenticator_t, file, ".google_authenticator~") +filetrans_pattern(sshd_t, admin_home_t, google_authenticator_t, file, ".google_authenticator") +filetrans_pattern(sshd_t, admin_home_t, google_authenticator_t, file, ".google_authenticator~")
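Review bot: only a .te file is added here, so google_authenticator_t is applied solely through the four filetrans_pattern rules at the end of the hunk, i.e. only when sshd_t itself creates `.google_authenticator` or `.google_authenticator~`; a file that already exists in the home directory (for example one written earlier by the user's own shell) keeps whatever label it already has and will not be relabeled by restorecon, at which point the `allow sshd_t google_authenticator_t:file { ... }` rule never applies to it. Consider adding a matching .fc file with `HOME_DIR/\.google_authenticator.* -- gen_context(system_u:object_r:google_authenticator_t,s0)` so that restorecon and the file-creation transition agree, and note in the header comment that pre-existing files must be relabeled. The comment block above the allow rule also says "Reading this files give you" where "Reading this file gives you" is meant; worth fixing while the header is being written.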