[selinux-policy: 498/3172] fixes for targeted policy
Daniel J Walsh
dwalsh at fedoraproject.org
Thu Oct 7 19:47:41 UTC 2010
commit 8b0bbdda3404ba94ab451b0bd2930ff588d1d869
Author: Chris PeBenito <cpebenito at tresys.com>
Date: Tue Jul 19 18:40:19 2005 +0000
fixes for targeted policy
refpolicy/policy/modules/system/authlogin.if | 30 +++++++++++++++++++++++++
refpolicy/policy/modules/system/mount.te | 2 +-
refpolicy/policy/modules/system/unconfined.if | 6 +---
refpolicy/policy/modules/system/unconfined.te | 2 +-
4 files changed, 34 insertions(+), 6 deletions(-)
---
diff --git a/refpolicy/policy/modules/system/authlogin.if b/refpolicy/policy/modules/system/authlogin.if
index 89c56c2..9cc216e 100644
--- a/refpolicy/policy/modules/system/authlogin.if
+++ b/refpolicy/policy/modules/system/authlogin.if
@@ -682,3 +682,33 @@ interface(`auth_manage_login_records',`
logging_rw_log_dir($1)
allow $1 wtmp_t:file create_file_perms;
')
+
+########################################
+## <summary>
+## Unconfined access to the authlogin module.
+## </summary>
+## <desc>
+## <p>
+## Unconfined access to the authlogin module.
+## </p>
+## <p>
+## Currently, this only allows assertions for
+## the shadow passwords file (/etc/shadow) to
+## be passed. No access is granted yet.
+## </p>
+## </desc>
+## <param name="domain">
+## Domain allowed access.
+## </param>
+#
+interface(`auth_unconfined',`
+ gen_require(`
+ attribute can_read_shadow_passwords;
+ attribute can_write_shadow_passwords;
+ attribute can_relabelto_shadow_passwords;
+ ')
+
+ typeattribute $1 can_read_shadow_passwords;
+ typeattribute $1 can_write_shadow_passwords;
+ typeattribute $1 can_relabelto_shadow_passwords;
+')
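Review bot: The description of `auth_unconfined` does not tell a caller what the interface actually does to the domain — the first `<p>` repeats the summary, and "No access is granted yet" does not say that membership in `can_read_shadow_passwords`, `can_write_shadow_passwords` and `can_relabelto_shadow_passwords` is what exempts the domain from the assertions guarding the shadow file, so the caller still needs `auth_manage_shadow()` / `auth_relabelto_shadow()` (or equivalent rules) for real access. I would replace the first `<p>` with `Exempt the domain from the assertions protecting the shadow password file. This does not grant access to shadow_t; use auth_manage_shadow() and auth_relabelto_shadow() for that. Intended only for unconfined domains.` That the three attributes appear only in assertions is inferred from the description's wording, not from rules visible in this hunk. Since exemption from those assertions removes the policy-level check on shadow writes, naming the intended callers in the doc makes accidental reuse of the interface easier to catch in review.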
diff --git a/refpolicy/policy/modules/system/mount.te b/refpolicy/policy/modules/system/mount.te
index 19ed6b1..cb9d29a 100644
--- a/refpolicy/policy/modules/system/mount.te
+++ b/refpolicy/policy/modules/system/mount.te
@@ -116,7 +116,7 @@ optional_policy(`portmap.te', `
')
# for kernel package installation
-optional_policy(`mount.te', `
+optional_policy(`rpm.te', `
rpm_rw_pipe(mount_t)
')
diff --git a/refpolicy/policy/modules/system/unconfined.if b/refpolicy/policy/modules/system/unconfined.if
index d2e306e..1ffc6f3 100644
--- a/refpolicy/policy/modules/system/unconfined.if
+++ b/refpolicy/policy/modules/system/unconfined.if
@@ -37,10 +37,8 @@ template(`unconfined_domain_template',`
allow $1 self:process execmem;
')
- # to satisfy assertions:
optional_policy(`authlogin.te',`
- auth_manage_shadow($1)
- auth_relabelto_shadow($1)
+ auth_unconfined($1)
')
optional_policy(`bootloader.te',`
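Review bot: Dropping `# to satisfy assertions:` leaves the new call `auth_unconfined($1)` unexplained at this site, while the replaced calls `auth_manage_shadow($1)` / `auth_relabelto_shadow($1)` carried the shadow access itself; after this hunk the template's shadow access depends on rules not shown here (`unconfined_domain_template` begins before the hunk), which is presumably intended for an unconfined domain but should be stated. I would keep a one-line comment above the optional_policy block: `# exempt $1 from the shadow_t assertions; the access itself comes from the unconfined rules`. That way a later editor of this template neither re-adds the explicit shadow interfaces nor drops the exemption by mistake.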
@@ -136,7 +134,7 @@ interface(`unconfined_shell_domtrans',`
type unconfined_t;
')
- corecmd_domtrans_shell($1,unconfined_t)
+ corecmd_shell_domtrans($1,unconfined_t)
')
########################################
diff --git a/refpolicy/policy/modules/system/unconfined.te b/refpolicy/policy/modules/system/unconfined.te
index 48845cc..80a543d 100644
--- a/refpolicy/policy/modules/system/unconfined.te
+++ b/refpolicy/policy/modules/system/unconfined.te
@@ -25,7 +25,7 @@ ifdef(`targeted_policy',`
# Define some type aliases to help with compatibility with
# macros and domains from the "strict" policy.
-# typealias unconfined_t alias { logrotate_t sendmail_t sshd_t secadm_t sysadm_t rpm_t rpm_script_t xdm_t };
+ typealias unconfined_t alias { logrotate_t sendmail_t sshd_t secadm_t sysadm_t rpm_t rpm_script_t xdm_t };
init_domtrans_script(unconfined_t)
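Review bot: Enabling `typealias unconfined_t alias { logrotate_t sendmail_t sshd_t secadm_t sysadm_t rpm_t rpm_script_t xdm_t }` under `ifdef(`targeted_policy'` makes every rule elsewhere that names one of those types apply to `unconfined_t`, and the policy will not build if any module that declares one of those types is also included in the targeted policy — the hunk shows no guard against that. The comment above only mentions compatibility; I would extend it with `# These types must not also be declared by a module built into the targeted policy: the aliases collide with such declarations, and any rule naming them now applies to unconfined_t.` Whether such modules exist in this tree is inferred from the type names, not visible here. For anyone assessing the targeted policy, the alias means the services those types stand for run with the full unconfined domain, which is worth stating explicitly next to the alias rather than leaving the reader to derive it.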