Mercurial > google-authenticator
view google-authenticator.te @ 1:0e3c9806a620
changes for centos7
author: Carl Byington <carl@five-ten-sg.com>
date: Thu, 02 Mar 2017 12:45:31 -0800
parents: 524d6c83d8ad
children:
# Name and version, every module should have this.
policy_module(google-authenticator, 0.0.1)

# List of the types, classes and everything else you are going to use in
# your module that is not defined in this .te file. If you are getting
# any errors when you compile your module that it is unable to find a
# type, you probably forgot to declare it here.
require {
	type sshd_t;
	type user_home_dir_t;
	type admin_home_t;
}

# This is where we define our type. A good practice is to append _t to
# all types. This is the type we are going to give our
# .google_authenticator file.
type google_authenticator_t;

# What role our type should have. This is almost always going to be
# object_r
role object_r types google_authenticator_t;

# What sshd_t (the domain the ssh daemon runs in) should be able to do
# with our type (google_authenticator_t), as a file. rename, create and
# unlink are individual permissions; rw_file_perms is a named permission
# set (an m4 macro) that expands to the permissions needed to open, read
# and write a file. The permission sets are defined in
# /usr/share/selinux/devel/include/support/obj_perm_sets.spt together
# with many others. Reading this file gives you a good overview of what
# they allow.
allow sshd_t google_authenticator_t:file { rename create unlink rw_file_perms };

# Without this, SELinux will be way too strict by default, as it won't
# know what this type really is. Remember that SELinux doesn't only
# deal with files, but with sockets and other object classes as well.
# Leaving this out will still allow sshd_t to do its stuff, but you, in
# your shell, will see a weird file: the only thing you will see is the
# file name. Even the permissions will be hidden from you (a fun trick
# to pull on your friends.. :] ). An overview of this is located at
# http://oss.tresys.com/docs/refpolicy/api/kernel_files.html.
files_type(google_authenticator_t)

# Re-label newly created files on the fly: when sshd_t creates a file
# named .google_authenticator (or the ~ backup written on rotation) in a
# user or root home directory, give it google_authenticator_t instead of
# the default type of the directory. These rules only affect files that
# sshd_t creates after the module is loaded; files that already exist
# keep their old label.
filetrans_pattern(sshd_t, user_home_dir_t, google_authenticator_t, file, ".google_authenticator")
filetrans_pattern(sshd_t, user_home_dir_t, google_authenticator_t, file, ".google_authenticator~")
filetrans_pattern(sshd_t, admin_home_t, google_authenticator_t, file, ".google_authenticator")
filetrans_pattern(sshd_t, admin_home_t, google_authenticator_t, file, ".google_authenticator~")
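The .te file above only labels files that sshd_t creates after the module is loaded; a .google_authenticator that a user generated earlier keeps its old label (typically user_home_t), and the allow rule above then does nothing for it. The script below is an added example, not part of this repository: it writes a companion google-authenticator.fc with file-context entries for the same paths, builds the module with the refpolicy devel Makefile shipped in selinux-policy-devel on CentOS 7, loads it, and relabels existing home directories. The module name, the /home and /root paths, the Makefile location and the stat-based check are assumptions about a default CentOS 7 install.

```shell
#!/bin/sh
# Added example, not code from the google-authenticator repository.
# Assumes CentOS 7 with selinux-policy-devel and policycoreutils installed,
# and that google-authenticator.te sits in the directory given to build_and_load.
set -eu

MODULE=google-authenticator

# Write the file-context file next to the .te file in directory $1 and
# print its path. The regexes cover the same two names the
# filetrans_pattern rules in the .te file transition, in user home
# directories and in root's home directory.
write_fc() {
    dir="$1"
    cat > "$dir/$MODULE.fc" <<'EOF'
# Label .google_authenticator and its ~ backup so restorecon fixes files
# created before the policy was loaded; the type_transition rules in the
# .te file only cover files sshd_t creates afterwards.
/home/[^/]+/\.google_authenticator(~)?   --   gen_context(system_u:object_r:google_authenticator_t,s0)
/root/\.google_authenticator(~)?         --   gen_context(system_u:object_r:google_authenticator_t,s0)
EOF
    echo "$dir/$MODULE.fc"
}

# Build the .pp from the .te/.fc pair in directory $1, load it into the
# running policy and relabel existing files so the new contexts apply.
build_and_load() {
    dir="$1"
    if [ ! -f "$dir/$MODULE.te" ]; then
        echo "missing $dir/$MODULE.te" >&2
        return 1
    fi
    ( cd "$dir" && make -f /usr/share/selinux/devel/Makefile "$MODULE.pp" )
    semodule -i "$dir/$MODULE.pp"
    # Only the file contexts changed for already-existing files; apply them.
    restorecon -Rv /root /home
}

# Print the security context of file $1 and return non-zero unless it
# carries google_authenticator_t. stat -c %C prints the SELinux context
# on a labelled filesystem (GNU coreutils).
verify_label() {
    ctx=$(stat -c %C "$1")
    echo "$1: $ctx"
    case "$ctx" in
        *:google_authenticator_t:*) return 0 ;;
        *) return 1 ;;
    esac
}

# Usage: sh this_script.sh install /path/to/module/dir [file-to-check]
if [ "${1:-}" = "install" ]; then
    write_fc "$2"
    build_and_load "$2"
    [ -n "${3:-}" ] && verify_label "$3"
fi
```

After loading, any `.google_authenticator` that sshd_t still cannot read will show up in the audit log as an AVC denial for sshd_t; running `verify_label` on that path tells you whether the problem is a file that was never relabelled (fix with `restorecon`) or a path outside the two patterns in the .fc file (for example a home directory that is not under /home), which needs another fc entry and another filetrans_pattern rule for that directory's type.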