[selinux-policy: 126/3172] clean up authentication attributes
Daniel J Walsh
dwalsh at fedoraproject.org
Thu Oct 7 19:15:58 UTC 2010
commit a1f94a344167f0886bb6b0291aa0e079e0d64887
Author: Chris PeBenito <cpebenito at tresys.com>
Date: Mon May 9 18:50:20 2005 +0000
clean up authentication attributes
refpolicy/policy/modules/admin/usermanage.te | 13 +++--
refpolicy/policy/modules/services/remotelogin.te | 5 ++-
refpolicy/policy/modules/system/authlogin.if | 35 ++++++++++++++
refpolicy/policy/modules/system/authlogin.te | 4 +-
refpolicy/policy/modules/system/locallogin.te | 3 +-
refpolicy/policy/modules/system/selinux.te | 53 ++++++++++------------
refpolicy/policy/modules/system/selinuxutil.te | 53 ++++++++++------------
7 files changed, 100 insertions(+), 66 deletions(-)
---
diff --git a/refpolicy/policy/modules/admin/usermanage.te b/refpolicy/policy/modules/admin/usermanage.te
index 16d9bc0..9bb704b 100644
--- a/refpolicy/policy/modules/admin/usermanage.te
+++ b/refpolicy/policy/modules/admin/usermanage.te
@@ -10,7 +10,7 @@ policy_module(usermanage,1.0)
type admin_passwd_exec_t;
files_make_file(admin_passwd_exec_t)
-type chfn_t; #, auth_chkpwd
+type chfn_t;
kernel_make_object_identity_change_constraint_exception(chfn_t)
domain_make_domain(chfn_t)
role system_r types chfn_t;
@@ -36,7 +36,7 @@ kernel_make_object_identity_change_constraint_exception(groupadd_t)
domain_make_system_domain(groupadd_t,groupadd_exec_t)
role system_r types groupadd_t;
-type passwd_t; #,auth_write;
+type passwd_t;
kernel_make_object_identity_change_constraint_exception(passwd_t)
domain_make_domain(passwd_t)
role system_r types passwd_t;
@@ -44,7 +44,7 @@ role system_r types passwd_t;
type passwd_exec_t;
domain_make_entrypoint_file(passwd_t,passwd_exec_t)
-type sysadm_passwd_t; #, auth_write
+type sysadm_passwd_t;
kernel_make_object_identity_change_constraint_exception(sysadm_passwd_t)
domain_make_domain(sysadm_passwd_t)
domain_make_entrypoint_file(sysadm_passwd_t,admin_passwd_exec_t)
@@ -110,6 +110,7 @@ miscfiles_read_localization(chfn_t)
logging_send_system_log_message(chfn_t)
+authlogin_check_password_transition(chfn_t)
authlogin_ignore_read_shadow_passwords(chfn_t)
ifdef(`TODO',`
@@ -327,11 +328,12 @@ logging_send_system_log_message(passwd_t)
miscfiles_read_localization(passwd_t)
+authlogin_manage_shadow_passwords(passwd_t)
+
ifdef(`TODO',`
role sysadm_r types passwd_t;
# Update /etc/shadow and /etc/passwd
-file_type_auto_trans(passwd_t, etc_t, shadow_t, file)
allow passwd_t { etc_t shadow_t }:file { relabelfrom relabelto };
allow passwd_t unpriv_userdomain:fd use;
@@ -432,6 +434,8 @@ miscfiles_read_localization(sysadm_passwd_t)
logging_send_system_log_message(sysadm_passwd_t)
+authlogin_manage_shadow_passwords(sysadm_passwd_t)
+
ifdef(`TODO',`
role sysadm_r types sysadm_passwd_t;
domain_auto_trans(sysadm_t, admin_passwd_exec_t, sysadm_passwd_t)
@@ -453,7 +457,6 @@ allow sysadm_passwd_t shell_exec_t:file execute;
dontaudit sysadm_passwd_t { user_home_dir_type user_home_type }:dir search;
# Update /etc/shadow and /etc/passwd
-file_type_auto_trans(sysadm_passwd_t, etc_t, shadow_t, file)
allow sysadm_passwd_t { etc_t shadow_t }:file { relabelfrom relabelto };
# for vipw - vi looks in the root home directory for config
diff --git a/refpolicy/policy/modules/services/remotelogin.te b/refpolicy/policy/modules/services/remotelogin.te
index b686794..cd0054f 100644
--- a/refpolicy/policy/modules/services/remotelogin.te
+++ b/refpolicy/policy/modules/services/remotelogin.te
@@ -7,7 +7,7 @@ policy_module(authlogin,1.0)
# Declarations
#
-type remote_login_t; #, privlog, auth_chkpwd, nscd_client_domain;
+type remote_login_t; #, nscd_client_domain;
kernel_make_object_identity_change_constraint_exception(remote_login_t)
kernel_make_process_identity_change_constraint_exception(remote_login_t)
kernel_make_role_change_constraint_exception(remote_login_t)
@@ -68,9 +68,12 @@ files_read_general_application_resources(remote_login_t)
libraries_use_dynamic_loader(remote_login_t)
libraries_read_shared_libraries(remote_login_t)
+logging_send_system_log_message(remote_login_t)
+
selinux_read_config(remote_login_t)
selinux_read_default_contexts(remote_login_t)
+authlogin_check_password_transition(remote_login_t)
authlogin_ignore_read_shadow_passwords(remote_login_t)
authlogin_modify_login_records(remote_login_t)
authlogin_modify_last_login_log(remote_login_t)
diff --git a/refpolicy/policy/modules/system/authlogin.if b/refpolicy/policy/modules/system/authlogin.if
index 02d31b0..f92ae16 100644
--- a/refpolicy/policy/modules/system/authlogin.if
+++ b/refpolicy/policy/modules/system/authlogin.if
@@ -177,6 +177,41 @@ class file { getattr read write };
#######################################
#
+# authlogin_manage_shadow_passwords(domain)
+#
+define(`authlogin_manage_shadow_passwords',`
+requires_block_template(`$0'_depend)
+files_create_private_config($1,shadow_t,file)
+allow $1 shadow_t:file { create ioctl read getattr lock write setattr append link unlink rename };
+typeattribute $1 can_read_shadow_passwords;
+typeattribute $1 can_write_shadow_passwords;
+')
+
+define(`authlogin_manage_shadow_passwords_depend',`
+attribute can_read_shadow_passwords;
+attribute can_write_shadow_passwords;
+type shadow_t;
+class file { create ioctl read getattr lock write setattr append link unlink rename };
+')
+
+#######################################
+#
+# authlogin_relabel_to_shadow_passwords(domain)
+#
+define(`authlogin_relabel_to_shadow_passwords',`
+requires_block_template(`$0'_depend)
+allow $1 shadow_t:file relabelto;
+typeattribute $1 can_relabelto_shadow_passwords;
+')
+
+define(`authlogin_relabel_to_shadow_passwords_depend',`
+attribute can_relabelto_shadow_passwords;
+type shadow_t;
+class file relabelto;
+')
+
+#######################################
+#
# authlogin_modify_last_login_log(domain)
#
define(`authlogin_modify_last_login_log',`
diff --git a/refpolicy/policy/modules/system/authlogin.te b/refpolicy/policy/modules/system/authlogin.te
index fc9b540..2ed9474 100644
--- a/refpolicy/policy/modules/system/authlogin.te
+++ b/refpolicy/policy/modules/system/authlogin.te
@@ -45,8 +45,10 @@ type shadow_t;
files_make_file(shadow_t)
attribute can_read_shadow_passwords;
attribute can_write_shadow_passwords;
+attribute can_relabelto_shadow_passwords;
neverallow ~can_read_shadow_passwords shadow_t:file read;
-neverallow ~can_write_shadow_passwords shadow_t:file write;
+neverallow ~can_write_shadow_passwords shadow_t:file { create write };
+neverallow ~can_relabelto_shadow_passwords shadow_t:file relabelto;
type utempter_t; #, nscd_client_domain;
domain_make_domain(utempter_t)
diff --git a/refpolicy/policy/modules/system/locallogin.te b/refpolicy/policy/modules/system/locallogin.te
index 153ecc9..704134c 100644
--- a/refpolicy/policy/modules/system/locallogin.te
+++ b/refpolicy/policy/modules/system/locallogin.te
@@ -7,7 +7,7 @@ policy_module(locallogin,1.0)
# Declarations
#
-type local_login_t; #, auth_chkpwd, nscd_client_domain;
+type local_login_t; #, nscd_client_domain;
kernel_make_object_identity_change_constraint_exception(local_login_t)
kernel_make_process_identity_change_constraint_exception(local_login_t)
kernel_make_role_change_constraint_exception(local_login_t)
@@ -83,6 +83,7 @@ logging_send_system_log_message(local_login_t)
selinux_read_config(local_login_t)
selinux_read_default_contexts(local_login_t)
+authlogin_check_password_transition(local_login_t)
authlogin_ignore_read_shadow_passwords(local_login_t)
authlogin_modify_login_records(local_login_t)
authlogin_modify_last_login_log(local_login_t)
diff --git a/refpolicy/policy/modules/system/selinux.te b/refpolicy/policy/modules/system/selinux.te
index 1a7c008..3bc1093 100644
--- a/refpolicy/policy/modules/system/selinux.te
+++ b/refpolicy/policy/modules/system/selinux.te
@@ -38,10 +38,11 @@ role system_r types load_policy_t;
type load_policy_exec_t;
domain_make_entrypoint_file(load_policy_t,load_policy_exec_t)
-type newrole_t; # , privlog, auth_chkpwd, nscd_client_domain, privfd, mlsfileread, mlsfilewrite, mlsfileupgrade, mlsfiledowngrade, mlsprocsetsl;
+type newrole_t; # nscd_client_domain, mlsfileread, mlsfilewrite, mlsfileupgrade, mlsfiledowngrade, mlsprocsetsl;
kernel_make_role_change_constraint_exception(newrole_t)
kernel_make_object_identity_change_constraint_exception(newrole_t)
domain_make_domain(newrole_t)
+domain_make_file_descriptors_widely_inheritable(newrole_t)
type newrole_exec_t;
domain_make_entrypoint_file(newrole_t,newrole_exec_t)
@@ -63,14 +64,12 @@ neverallow ~can_write_binary_policy policy_config_t:file { write append };
type policy_src_t;
files_make_file(policy_src_t)
-type restorecon_t, can_relabelto_binary_policy; #, auth_write, change_context;
+type restorecon_t, can_relabelto_binary_policy;
+type restorecon_exec_t;
kernel_make_object_identity_change_constraint_exception(restorecon_t)
-domain_make_domain(restorecon_t)
+domain_make_system_domain(restorecon_t,restorecon_exec_t)
role system_r types restorecon_t;
-type restorecon_exec_t;
-domain_make_entrypoint_file(restorecon_t,restorecon_exec_t)
-
#
# selinux_config_t is the type applied to
# /etc/selinux/config
@@ -78,7 +77,7 @@ domain_make_entrypoint_file(restorecon_t,restorecon_exec_t)
type selinux_config_t;
files_make_file(selinux_config_t)
-type setfiles_t, can_relabelto_binary_policy; # privlog, auth_write, change_context;
+type setfiles_t, can_relabelto_binary_policy;
kernel_make_object_identity_change_constraint_exception(setfiles_t)
domain_make_domain(setfiles_t)
role system_r types setfiles_t;
@@ -97,6 +96,10 @@ allow checkpolicy_t self:capability dac_override;
allow checkpolicy_t policy_config_t:dir { read getattr lock search ioctl add_name remove_name write };
allow checkpolicy_t policy_config_t:file { create ioctl read getattr lock write setattr append link unlink rename };
+# allow test policies to be created in src directories
+allow checkpolicy_t policy_src_t:dir { getattr search read write add_name remove_name };
+type_transition checkpolicy_t policy_src_t:file policy_config_t;
+
# only allow read of policy source files
allow checkpolicy_t policy_src_t:dir { getattr search read };
allow checkpolicy_t policy_src_t:{ file lnk_file } { getattr read };
@@ -118,9 +121,8 @@ libraries_read_shared_libraries(checkpolicy_t)
ifdef(`TODO',`
role sysadm_r types checkpolicy_t;
domain_auto_trans(sysadm_t, checkpolicy_exec_t, checkpolicy_t)
-
-# allow test policies to be created in src directories
-file_type_auto_trans(checkpolicy_t, policy_src_t, policy_config_t, file)
+allow checkpolicy_t admin_tty_type:chr_file { read write ioctl getattr };
+allow checkpolicy_t sysadm_tmp_t:file { getattr write };
# directory search permissions for path to source and binary policy files
allow checkpolicy_t etc_t:dir search;
@@ -128,11 +130,6 @@ allow checkpolicy_t etc_t:dir search;
# Read the devpts root directory.
ifdef(`sshd.te',`allow checkpolicy_t sshd_devpts_t:dir r_dir_perms;')
-# Other access
-allow checkpolicy_t admin_tty_type:chr_file { read write ioctl getattr };
-
-allow checkpolicy_t sysadm_tmp_t:file { getattr write } ;
-
# Allow users to execute checkpolicy without a domain transition
# so it can be used without privilege to write real binary policy file
can_exec(unpriv_userdomain, checkpolicy_exec_t)
@@ -180,16 +177,13 @@ miscfiles_read_localization(load_policy_t)
ifdef(`TODO',`
role sysadm_r types load_policy_t;
domain_auto_trans(sysadm_t, load_policy_exec_t, load_policy_t)
+allow load_policy_t sysadm_tmp_t:file { getattr write };
+allow load_policy_t admin_tty_type:chr_file { read write ioctl getattr };
# directory search permissions for path to binary policy files
allow load_policy_t etc_t:dir search;
-# Other access
-allow load_policy_t admin_tty_type:chr_file { read write ioctl getattr };
-
allow load_policy_t userdomain:fd use;
-
-allow load_policy_t sysadm_tmp_t:file { getattr write } ;
') dnl endif TODO
########################################
@@ -227,7 +221,8 @@ devices_get_pseudorandom_data(newrole_t)
filesystem_get_persistent_filesystem_attributes(newrole_t)
-terminal_list_pseudoterminals(newrole_t)
+terminal_use_all_users_physical_terminals(newrole_t)
+terminal_use_all_users_pseudoterminals(newrole_t)
terminal_use_controlling_terminal(newrole_t)
# Write to utmp.
@@ -240,8 +235,12 @@ files_read_general_system_config(newrole_t)
libraries_use_dynamic_loader(newrole_t)
libraries_read_shared_libraries(newrole_t)
+logging_send_system_log_message(newrole_t)
+
miscfiles_read_localization(newrole_t)
+authlogin_check_password_transition(newrole_t)
+
ifdef(`TODO',`
in_user_role(newrole_t)
role sysadm_r types newrole_t;
@@ -261,7 +260,6 @@ allow newrole_t sbin_t:dir r_dir_perms;
# Execute shells
allow newrole_t bin_t:dir r_dir_perms;
allow newrole_t bin_t:lnk_file read;
-allow newrole_t shell_exec_t:file r_file_perms;
# Allow newrole_t to transition to user domains.
bool secure_mode false;
@@ -276,14 +274,9 @@ if(!secure_mode)
allow newrole_t var_t:dir r_dir_perms;
allow newrole_t var_t:notdevfile_class_set r_file_perms;
-# Read /dev directories and any symbolic links.
-allow newrole_t device_t:dir r_dir_perms;
-
# Relabel terminals.
allow newrole_t { ttyfile ptyfile }:chr_file { relabelfrom relabelto };
-# Access terminals.
-allow newrole_t { ttyfile ptyfile }:chr_file rw_file_perms;
ifdef(`gnome-pty-helper.te', `allow newrole_t gphdomain:fd use;')
# for some PAM modules and for cwd
@@ -340,11 +333,11 @@ files_read_all_directories(restorecon_t)
kernel_relabel_unlabeled_object(restorecon_t)
devices_manage_all_devices_labels(restorecon_t)
files_manage_all_files_labels(restorecon_t)
+# this is to satisfy the assertion:
+authlogin_relabel_to_shadow_passwords(restorecon_t)
ifdef(`TODO',`
allow restorecon_t admin_tty_type:chr_file { read write ioctl };
-
-domain_auto_trans(initrc_t, restorecon_exec_t, restorecon_t)
domain_audo_trans(sysadm_t, restorecon_exec_t, restorecon_t)
role sysadm_r types restorecon_t;
allow restorecon_t userdomain:fd use;
@@ -410,6 +403,8 @@ files_read_all_directories(setfiles_t)
kernel_relabel_unlabeled_object(setfiles_t)
devices_manage_all_devices_labels(setfiles_t)
files_manage_all_files_labels(setfiles_t)
+# this is to satisfy the assertion:
+authlogin_relabel_to_shadow_passwords(setfiles_t)
ifdef(`TODO',`
diff --git a/refpolicy/policy/modules/system/selinuxutil.te b/refpolicy/policy/modules/system/selinuxutil.te
index 1a7c008..3bc1093 100644
--- a/refpolicy/policy/modules/system/selinuxutil.te
+++ b/refpolicy/policy/modules/system/selinuxutil.te
@@ -38,10 +38,11 @@ role system_r types load_policy_t;
type load_policy_exec_t;
domain_make_entrypoint_file(load_policy_t,load_policy_exec_t)
-type newrole_t; # , privlog, auth_chkpwd, nscd_client_domain, privfd, mlsfileread, mlsfilewrite, mlsfileupgrade, mlsfiledowngrade, mlsprocsetsl;
+type newrole_t; # nscd_client_domain, mlsfileread, mlsfilewrite, mlsfileupgrade, mlsfiledowngrade, mlsprocsetsl;
kernel_make_role_change_constraint_exception(newrole_t)
kernel_make_object_identity_change_constraint_exception(newrole_t)
domain_make_domain(newrole_t)
+domain_make_file_descriptors_widely_inheritable(newrole_t)
type newrole_exec_t;
domain_make_entrypoint_file(newrole_t,newrole_exec_t)
@@ -63,14 +64,12 @@ neverallow ~can_write_binary_policy policy_config_t:file { write append };
type policy_src_t;
files_make_file(policy_src_t)
-type restorecon_t, can_relabelto_binary_policy; #, auth_write, change_context;
+type restorecon_t, can_relabelto_binary_policy;
+type restorecon_exec_t;
kernel_make_object_identity_change_constraint_exception(restorecon_t)
-domain_make_domain(restorecon_t)
+domain_make_system_domain(restorecon_t,restorecon_exec_t)
role system_r types restorecon_t;
-type restorecon_exec_t;
-domain_make_entrypoint_file(restorecon_t,restorecon_exec_t)
-
#
# selinux_config_t is the type applied to
# /etc/selinux/config
@@ -78,7 +77,7 @@ domain_make_entrypoint_file(restorecon_t,restorecon_exec_t)
type selinux_config_t;
files_make_file(selinux_config_t)
-type setfiles_t, can_relabelto_binary_policy; # privlog, auth_write, change_context;
+type setfiles_t, can_relabelto_binary_policy;
kernel_make_object_identity_change_constraint_exception(setfiles_t)
domain_make_domain(setfiles_t)
role system_r types setfiles_t;
@@ -97,6 +96,10 @@ allow checkpolicy_t self:capability dac_override;
allow checkpolicy_t policy_config_t:dir { read getattr lock search ioctl add_name remove_name write };
allow checkpolicy_t policy_config_t:file { create ioctl read getattr lock write setattr append link unlink rename };
+# allow test policies to be created in src directories
+allow checkpolicy_t policy_src_t:dir { getattr search read write add_name remove_name };
+type_transition checkpolicy_t policy_src_t:file policy_config_t;
+
# only allow read of policy source files
allow checkpolicy_t policy_src_t:dir { getattr search read };
allow checkpolicy_t policy_src_t:{ file lnk_file } { getattr read };
@@ -118,9 +121,8 @@ libraries_read_shared_libraries(checkpolicy_t)
ifdef(`TODO',`
role sysadm_r types checkpolicy_t;
domain_auto_trans(sysadm_t, checkpolicy_exec_t, checkpolicy_t)
-
-# allow test policies to be created in src directories
-file_type_auto_trans(checkpolicy_t, policy_src_t, policy_config_t, file)
+allow checkpolicy_t admin_tty_type:chr_file { read write ioctl getattr };
+allow checkpolicy_t sysadm_tmp_t:file { getattr write };
# directory search permissions for path to source and binary policy files
allow checkpolicy_t etc_t:dir search;
@@ -128,11 +130,6 @@ allow checkpolicy_t etc_t:dir search;
# Read the devpts root directory.
ifdef(`sshd.te',`allow checkpolicy_t sshd_devpts_t:dir r_dir_perms;')
-# Other access
-allow checkpolicy_t admin_tty_type:chr_file { read write ioctl getattr };
-
-allow checkpolicy_t sysadm_tmp_t:file { getattr write } ;
-
# Allow users to execute checkpolicy without a domain transition
# so it can be used without privilege to write real binary policy file
can_exec(unpriv_userdomain, checkpolicy_exec_t)
@@ -180,16 +177,13 @@ miscfiles_read_localization(load_policy_t)
ifdef(`TODO',`
role sysadm_r types load_policy_t;
domain_auto_trans(sysadm_t, load_policy_exec_t, load_policy_t)
+allow load_policy_t sysadm_tmp_t:file { getattr write };
+allow load_policy_t admin_tty_type:chr_file { read write ioctl getattr };
# directory search permissions for path to binary policy files
allow load_policy_t etc_t:dir search;
-# Other access
-allow load_policy_t admin_tty_type:chr_file { read write ioctl getattr };
-
allow load_policy_t userdomain:fd use;
-
-allow load_policy_t sysadm_tmp_t:file { getattr write } ;
') dnl endif TODO
########################################
@@ -227,7 +221,8 @@ devices_get_pseudorandom_data(newrole_t)
filesystem_get_persistent_filesystem_attributes(newrole_t)
-terminal_list_pseudoterminals(newrole_t)
+terminal_use_all_users_physical_terminals(newrole_t)
+terminal_use_all_users_pseudoterminals(newrole_t)
terminal_use_controlling_terminal(newrole_t)
# Write to utmp.
@@ -240,8 +235,12 @@ files_read_general_system_config(newrole_t)
libraries_use_dynamic_loader(newrole_t)
libraries_read_shared_libraries(newrole_t)
+logging_send_system_log_message(newrole_t)
+
miscfiles_read_localization(newrole_t)
+authlogin_check_password_transition(newrole_t)
+
ifdef(`TODO',`
in_user_role(newrole_t)
role sysadm_r types newrole_t;
@@ -261,7 +260,6 @@ allow newrole_t sbin_t:dir r_dir_perms;
# Execute shells
allow newrole_t bin_t:dir r_dir_perms;
allow newrole_t bin_t:lnk_file read;
-allow newrole_t shell_exec_t:file r_file_perms;
# Allow newrole_t to transition to user domains.
bool secure_mode false;
@@ -276,14 +274,9 @@ if(!secure_mode)
allow newrole_t var_t:dir r_dir_perms;
allow newrole_t var_t:notdevfile_class_set r_file_perms;
-# Read /dev directories and any symbolic links.
-allow newrole_t device_t:dir r_dir_perms;
-
# Relabel terminals.
allow newrole_t { ttyfile ptyfile }:chr_file { relabelfrom relabelto };
-# Access terminals.
-allow newrole_t { ttyfile ptyfile }:chr_file rw_file_perms;
ifdef(`gnome-pty-helper.te', `allow newrole_t gphdomain:fd use;')
# for some PAM modules and for cwd
@@ -340,11 +333,11 @@ files_read_all_directories(restorecon_t)
kernel_relabel_unlabeled_object(restorecon_t)
devices_manage_all_devices_labels(restorecon_t)
files_manage_all_files_labels(restorecon_t)
+# this is to satisfy the assertion:
+authlogin_relabel_to_shadow_passwords(restorecon_t)
ifdef(`TODO',`
allow restorecon_t admin_tty_type:chr_file { read write ioctl };
-
-domain_auto_trans(initrc_t, restorecon_exec_t, restorecon_t)
domain_audo_trans(sysadm_t, restorecon_exec_t, restorecon_t)
role sysadm_r types restorecon_t;
allow restorecon_t userdomain:fd use;
@@ -410,6 +403,8 @@ files_read_all_directories(setfiles_t)
kernel_relabel_unlabeled_object(setfiles_t)
devices_manage_all_devices_labels(setfiles_t)
files_manage_all_files_labels(setfiles_t)
+# this is to satisfy the assertion:
+authlogin_relabel_to_shadow_passwords(setfiles_t)
ifdef(`TODO',`
More information about the scm-commits
mailing list