[selinux-policy: 498/3172] fixes for targeted policy

Daniel J Walsh dwalsh at fedoraproject.org
Thu Oct 7 19:47:41 UTC 2010


commit 8b0bbdda3404ba94ab451b0bd2930ff588d1d869
Author: Chris PeBenito <cpebenito at tresys.com>
Date:   Tue Jul 19 18:40:19 2005 +0000

    fixes for targeted policy

 refpolicy/policy/modules/system/authlogin.if  |   30 +++++++++++++++++++++++++
 refpolicy/policy/modules/system/mount.te      |    2 +-
 refpolicy/policy/modules/system/unconfined.if |    6 +---
 refpolicy/policy/modules/system/unconfined.te |    2 +-
 4 files changed, 34 insertions(+), 6 deletions(-)
---
diff --git a/refpolicy/policy/modules/system/authlogin.if b/refpolicy/policy/modules/system/authlogin.if
index 89c56c2..9cc216e 100644
--- a/refpolicy/policy/modules/system/authlogin.if
+++ b/refpolicy/policy/modules/system/authlogin.if
@@ -682,3 +682,33 @@ interface(`auth_manage_login_records',`
 	logging_rw_log_dir($1)
 	allow $1 wtmp_t:file create_file_perms;
 ')
+
+########################################
+## <summary>
+##	Unconfined access to the authlogin module.
+## </summary>
+## <desc>
+##	<p>
+##	Unconfined access to the authlogin module.
+##	</p>
+##	<p>
+##	Currently, this only allows assertions for
+##	the shadow passwords file (/etc/shadow) to
+##	be passed.  No access is granted yet.
+##	</p>
+## </desc>
+## <param name="domain">
+##	Domain allowed access.
+## </param>
+#
+interface(`auth_unconfined',`
+	gen_require(`
+		attribute can_read_shadow_passwords;
+		attribute can_write_shadow_passwords;
+		attribute can_relabelto_shadow_passwords;
+	')
+
+	typeattribute $1 can_read_shadow_passwords;
+	typeattribute $1 can_write_shadow_passwords;
+	typeattribute $1 can_relabelto_shadow_passwords;
+')
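Review bot: The `<desc>` of the new `auth_unconfined` interface does not say what the three `typeattribute` lines actually do, and its first `<p>` only repeats the `<summary>`. Per the interface's own text the can_read/can_write/can_relabelto_shadow_passwords attributes are what lets the shadow assertions pass, so a caller added to them is presumably no longer caught by the neverallow rules on the shadow file even though no allow rule is granted here; an auditor reading the interface should see that stated directly. Replace the duplicated paragraph with something like `##	Add the domain to the shadow passwords attributes so that` / `##	the neverallow assertions on /etc/shadow are satisfied.` and keep the existing second paragraph noting that no access is granted.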
diff --git a/refpolicy/policy/modules/system/mount.te b/refpolicy/policy/modules/system/mount.te
index 19ed6b1..cb9d29a 100644
--- a/refpolicy/policy/modules/system/mount.te
+++ b/refpolicy/policy/modules/system/mount.te
@@ -116,7 +116,7 @@ optional_policy(`portmap.te', `
 ')
 
 # for kernel package installation
-optional_policy(`mount.te', `
+optional_policy(`rpm.te', `
 	rpm_rw_pipe(mount_t)
 ')
 
diff --git a/refpolicy/policy/modules/system/unconfined.if b/refpolicy/policy/modules/system/unconfined.if
index d2e306e..1ffc6f3 100644
--- a/refpolicy/policy/modules/system/unconfined.if
+++ b/refpolicy/policy/modules/system/unconfined.if
@@ -37,10 +37,8 @@ template(`unconfined_domain_template',`
 		allow $1 self:process execmem;
 	')
 
-	# to satisfy assertions:
 	optional_policy(`authlogin.te',`
-		auth_manage_shadow($1)
-		auth_relabelto_shadow($1)
+		auth_unconfined($1)
 	')
 
 	optional_policy(`bootloader.te',`
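Review bot: The removed comment `# to satisfy assertions:` was the only statement of why the authlogin block exists in `unconfined_domain_template`, and the replacement `auth_unconfined($1)` (as defined in the authlogin.if hunk) only adds the domain to the shadow attributes rather than granting the manage and relabelto access that `auth_manage_shadow` and `auth_relabelto_shadow` did. Unless the template grants the shadow access itself elsewhere, outside this hunk, unconfined domains now keep the assertion exemption but lose the explicit rules; worth confirming. Restore the rationale above the call, e.g. `# to satisfy the shadow assertions; no access is granted by this call`. The template body starts and ends outside the hunk.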
@@ -136,7 +134,7 @@ interface(`unconfined_shell_domtrans',`
 		type unconfined_t;
 	')
 
-	corecmd_domtrans_shell($1,unconfined_t)
+	corecmd_shell_domtrans($1,unconfined_t)
 ')
 
 ########################################
diff --git a/refpolicy/policy/modules/system/unconfined.te b/refpolicy/policy/modules/system/unconfined.te
index 48845cc..80a543d 100644
--- a/refpolicy/policy/modules/system/unconfined.te
+++ b/refpolicy/policy/modules/system/unconfined.te
@@ -25,7 +25,7 @@ ifdef(`targeted_policy',`
 
 	# Define some type aliases to help with compatibility with
 	# macros and domains from the "strict" policy.
-#	typealias unconfined_t alias { logrotate_t sendmail_t sshd_t secadm_t sysadm_t rpm_t rpm_script_t xdm_t };
+	typealias unconfined_t alias { logrotate_t sendmail_t sshd_t secadm_t sysadm_t rpm_t rpm_script_t xdm_t };
 
 	init_domtrans_script(unconfined_t)
 

