[selinux-policy: 2766/3172] Usermanage patch from Dan Walsh.

Daniel J Walsh dwalsh at fedoraproject.org
Thu Oct 7 23:06:07 UTC 2010


commit 3bcfe5beb7c20aa85b3d9280c4ef5774cdc44e6d
Author: Chris PeBenito <cpebenito at tresys.com>
Date:   Tue Jul 6 10:56:20 2010 -0400

    Usermanage patch from Dan Walsh.
    
    Dontaudit leaked sockets from broken callers.
    
    useradd runs semanage for -Z.
    
    passwd_t needs sys_nice
    
    useradd run within a samba domain controller needs to append to the samba log.

 policy/modules/admin/usermanage.if |   18 ++++++++++++++++++
 policy/modules/admin/usermanage.te |   13 +++++++++++--
 2 files changed, 29 insertions(+), 2 deletions(-)
---
diff --git a/policy/modules/admin/usermanage.if b/policy/modules/admin/usermanage.if
index 0950bc7..3a87501 100644
--- a/policy/modules/admin/usermanage.if
+++ b/policy/modules/admin/usermanage.if
@@ -18,6 +18,10 @@ interface(`usermanage_domtrans_chfn',`
 	files_search_usr($1)
 	corecmd_search_bin($1)
 	domtrans_pattern($1, chfn_exec_t, chfn_t)
+
+	ifdef(`hide_broken_symptoms',`
+		dontaudit chfn_t $1:socket_class_set { read write };
+	')
 ')
 
 ########################################
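Review bot: The new `dontaudit chfn_t $1:socket_class_set { read write };` only suppresses the audit record; the leaked descriptor is still denied, so a caller that genuinely relies on that socket will now fail without any trace once hide_broken_symptoms is built in, and nothing in the hunk says that this is the intent. A one-line comment inside the ifdef, `# caller leaked a socket fd into chfn_t: silence the denial, do not grant it`, would make that explicit; the interface's summary header above the hunk, outside this view, presumably does not mention the conditional either. The same block is added for groupadd_t, passwd_t and useradd_t in the next three hunks of this file and the same comment applies there. The enclosing interface usermanage_domtrans_chfn starts outside the hunk.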
@@ -63,6 +67,10 @@ interface(`usermanage_domtrans_groupadd',`
 	files_search_usr($1)
 	corecmd_search_bin($1)
 	domtrans_pattern($1, groupadd_exec_t, groupadd_t)
+
+	ifdef(`hide_broken_symptoms',`
+		dontaudit groupadd_t $1:socket_class_set { read write };
+	')
 ')
 
 ########################################
@@ -113,6 +121,10 @@ interface(`usermanage_domtrans_passwd',`
 	files_search_usr($1)
 	corecmd_search_bin($1)
 	domtrans_pattern($1, passwd_exec_t, passwd_t)
+
+	ifdef(`hide_broken_symptoms',`
+		dontaudit passwd_t $1:socket_class_set { read write };
+	')
 ')
 
 ########################################
@@ -247,6 +259,10 @@ interface(`usermanage_domtrans_useradd',`
 	files_search_usr($1)
 	corecmd_search_bin($1)
 	domtrans_pattern($1, useradd_exec_t, useradd_t)
+
+	ifdef(`hide_broken_symptoms',`
+		dontaudit useradd_t $1:socket_class_set { read write };
+	')
 ')
 
 ########################################
@@ -274,6 +290,8 @@ interface(`usermanage_run_useradd',`
 	usermanage_domtrans_useradd($1)
 	role $2 types useradd_t;
 
+	seutil_run_semanage(useradd_t, $2)
+
 	optional_policy(`
 		nscd_run(useradd_t, $2)
 	')
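Review bot: `seutil_run_semanage(useradd_t, $2)` is unconditional, so every role that can run useradd now also gets the useradd_t to semanage_t transition and, if that interface follows the usual run-interface shape, semanage_t in role $2, i.e. the ability to change SELinux login mappings even where -Z is never used; that is a notable widening and the hunk does not record why. A comment on the line, `# useradd -Z calls semanage to add the SELinux login mapping`, would tie it to the commit message. The call sits outside optional_policy, which is fine only because selinuxutil is a base module; stating that in the comment saves the next reader the check. The enclosing interface usermanage_run_useradd starts before the hunk and ends after it.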
diff --git a/policy/modules/admin/usermanage.te b/policy/modules/admin/usermanage.te
index e0b50c5..c35d801 100644
--- a/policy/modules/admin/usermanage.te
+++ b/policy/modules/admin/usermanage.te
@@ -1,4 +1,4 @@
-policy_module(usermanage, 1.15.0)
+policy_module(usermanage, 1.15.1)
 
 ########################################
 #
@@ -208,6 +208,7 @@ domain_use_interactive_fds(groupadd_t)
 files_manage_etc_files(groupadd_t)
 files_relabel_etc_files(groupadd_t)
 files_read_etc_runtime_files(groupadd_t)
+files_read_usr_symlinks(groupadd_t)
 
 # Execute /usr/bin/{passwd, chfn, chsh} and /usr/sbin/{useradd, vipw}.
 corecmd_exec_bin(groupadd_t)
@@ -255,7 +256,8 @@ optional_policy(`
 # Passwd local policy
 #
 
-allow passwd_t self:capability { chown dac_override fsetid setuid setgid sys_resource };
+allow passwd_t self:capability { chown dac_override fsetid setuid setgid sys_nice sys_resource };
+dontaudit passwd_t self:capability sys_tty_config;
 allow passwd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
 allow passwd_t self:process { setrlimit setfscreate };
 allow passwd_t self:fd use;
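Review bot: `dontaudit passwd_t self:capability sys_tty_config;` is not explained by the commit message, which mentions only sys_nice, and the hunk carries no comment saying which operation triggers the check. Add a comment such as `# sys_tty_config is checked by passwd but not required; silence it` with the actual trigger named if known, so a later reviewer can tell a harmless check from a missing permission. Since sys_nice is a real grant rather than a dontaudit, a short note on why passwd needs it would be useful on the same line as well.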
@@ -449,6 +451,7 @@ corecmd_exec_shell(useradd_t)
 corecmd_exec_bin(useradd_t)
 
 domain_use_interactive_fds(useradd_t)
+domain_read_all_domains_state(useradd_t)
 
 files_manage_etc_files(useradd_t)
 files_search_var_lib(useradd_t)
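Review bot: `domain_read_all_domains_state(useradd_t)` is a broad grant, presumably read access to the process state of every domain on the system, and neither the hunk nor the commit message says which operation of useradd needs it. Add a comment naming the trigger, e.g. `# read process state of all domains: needed for <REASON-PLACEHOLDER>` with the real reason filled in, and check whether a narrower interface covers the actual need. Without that, the rule reads as a blanket allow added to silence a denial.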
@@ -530,6 +533,12 @@ optional_policy(`
 ')
 
 optional_policy(`
+	tunable_policy(`samba_domain_controller',`
+		samba_append_log(useradd_t)
+	')
+')
+
+optional_policy(`
 	rpm_use_fds(useradd_t)
 	rpm_rw_pipes(useradd_t)
 ')

