[selinux-policy: 132/3172] more authlogin handling

Daniel J Walsh dwalsh at fedoraproject.org
Thu Oct 7 19:16:29 UTC 2010


commit 13e94c09e437d40f2531dd7d96dcba0419f4d922
Author: Chris PeBenito <cpebenito at tresys.com>
Date:   Mon May 9 21:07:53 2005 +0000

    more authlogin handling

 refpolicy/policy/modules/admin/usermanage.te |   14 ++------------
 refpolicy/policy/modules/system/hostname.te  |    7 +++++--
 refpolicy/policy/modules/system/hotplug.if   |   14 ++++++++++++++
 refpolicy/policy/modules/system/hotplug.te   |   17 ++++++++---------
 refpolicy/policy/modules/system/logging.te   |    2 --
 5 files changed, 29 insertions(+), 25 deletions(-)
---
diff --git a/refpolicy/policy/modules/admin/usermanage.te b/refpolicy/policy/modules/admin/usermanage.te
index 95206f3..33b8504 100644
--- a/refpolicy/policy/modules/admin/usermanage.te
+++ b/refpolicy/policy/modules/admin/usermanage.te
@@ -241,13 +241,12 @@ logging_send_system_log_message(groupadd_t)
 
 miscfiles_read_localization(groupadd_t)
 
+authlogin_manage_shadow_passwords(groupadd_t)
 authlogin_modify_last_login_log(groupadd_t)
 
 selinux_read_config(groupadd_t)
 
 ifdef(`TODO',`
-domain_auto_trans(initrc_t, groupadd_exec_t, groupadd_t)
-
 role sysadm_r types groupadd_t;
 domain_auto_trans(sysadm_t, groupadd_exec_t, groupadd_t)
 
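Review bot: The `allow groupadd_t { etc_t shadow_t }:file { relabelfrom relabelto };` rule that survives in the following hunk still names shadow_t directly, so adding `authlogin_manage_shadow_passwords(groupadd_t)` here only half-encapsulates the shadow access; that relabel permission should be provided through an authlogin interface too, otherwise usermanage keeps a hard dependency on authlogin's private type. It is also the security-sensitive half: `relabelfrom` on shadow_t lets groupadd_t turn a shadow_t file into plain etc_t, so the surviving rule deserves a why-comment (the "Update /etc/shadow and /etc/passwd" heading does not say why relabeling in both directions is required). I assume the new interface carries the etc_t to shadow_t type transition that the removed `file_type_auto_trans(groupadd_t, etc_t, shadow_t, file)` gave; confirm against authlogin.if, which is not in this diff. The TODO block opened near the end of this hunk closes outside it.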
@@ -258,14 +257,8 @@ allow groupadd_t autofs_t:dir { search getattr };
 ')
 
 # Update /etc/shadow and /etc/passwd
-file_type_auto_trans(groupadd_t, etc_t, shadow_t, file)
-
 allow groupadd_t { etc_t shadow_t }:file { relabelfrom relabelto };
 
-# useradd/userdel request read/write for /var/log/lastlog, and read of /dev, 
-# but will operate without them.
-dontaudit groupadd_t device_t:dir search;
-
 # Access terminals.
 ifdef(`gnome-pty-helper.te', `allow groupadd_t gphdomain:fd use;')
 
@@ -518,12 +511,11 @@ selinux_read_config(useradd_t)
 
 logging_send_system_log_message(useradd_t)
 
+authlogin_manage_shadow_passwords(useradd_t)
 authlogin_modify_last_login_log(useradd_t)
 
 ifdef(`TODO',`
 
-domain_auto_trans(initrc_t, useradd_exec_t, useradd_t)
-
 role sysadm_r types useradd_t;
 domain_auto_trans(sysadm_t, useradd_exec_t, useradd_t)
 
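Review bot: Dropping `domain_auto_trans(initrc_t, useradd_exec_t, useradd_t)` from the TODO list removes the only visible record that init scripts are expected to transition into useradd_t; unless an init or initrc interface now supplies that transition (nothing in this diff does), useradd launched from an init script stays in initrc_t and gets no shadow_t access at all, so either keep the line in the TODO block or add the replacement call. The same applies to the groupadd hunk above. `authlogin_manage_shadow_passwords(useradd_t)` presumably supplies the etc_t to shadow_t transition that the removed `file_type_auto_trans` provided; confirm against authlogin.if, which is not shown. The TODO block opened at the end of this hunk closes outside it.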
@@ -534,8 +526,6 @@ allow useradd_t autofs_t:dir { search getattr };
 ')
 
 # Update /etc/shadow and /etc/passwd
-file_type_auto_trans(useradd_t, etc_t, shadow_t, file)
-
 allow useradd_t { etc_t shadow_t }:file { relabelfrom relabelto };
 
 # Access terminals.
diff --git a/refpolicy/policy/modules/system/hostname.te b/refpolicy/policy/modules/system/hostname.te
index e51e5a3..bb73eb2 100644
--- a/refpolicy/policy/modules/system/hostname.te
+++ b/refpolicy/policy/modules/system/hostname.te
@@ -55,14 +55,17 @@ terminal_ignore_use_general_pseudoterminal(hostname_t)
 files_ignore_read_rootfs_file(hostname_t)
 ')dnl end targeted_policy tunable
 
-optional_policy(`udev.te', `
-udev_read_database(hostname_t)
+optional_policy(`hostname.te',`
+hotplug_ignore_use_file_descriptors(hostname_t)
 ')
 
 optional_policy(`selinux.te',`
 selinux_newrole_sigchld(hostname_t)
 ')
 
+optional_policy(`udev.te', `
+udev_read_database(hostname_t)
+')
 
 ifdef(`TODO',`
 
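Review bot: The new `optional_policy` block is keyed on the wrong module: this file is hostname.te itself, so a guard on `hostname.te` is always true, and `hotplug_ignore_use_file_descriptors(hostname_t)` then pulls `type hotplug_t;` in through its requires block even in a build without the hotplug module, which will fail to link that configuration. The module name in the guard should be `hotplug.te`, matching how the neighbouring udev and selinux blocks are keyed on the module they reference. The TODO block opened on the last line of the hunk closes outside it.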
diff --git a/refpolicy/policy/modules/system/hotplug.if b/refpolicy/policy/modules/system/hotplug.if
index d152359..26ab9a5 100644
--- a/refpolicy/policy/modules/system/hotplug.if
+++ b/refpolicy/policy/modules/system/hotplug.if
@@ -46,6 +46,20 @@ type hotplug_t;
 class fd use;
 ')
 
+#######################################
+#
+# hotplug_ignore_use_file_descriptors(domain)
+#
+define(`hotplug_ignore_use_file_descriptors',`
+requires_block_template(`$0'_depend)
+dontaudit $1 hotplug_t:fd use;
+')
+
+define(`hotplug_ignore_use_file_descriptors_depend',`
+type hotplug_t;
+class fd use;
+')
+
 ########################################
 #
 # hotplug_ignore_search_config_directory(domain)
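Review bot: The new `hotplug_ignore_use_file_descriptors` interface has no description line under its name, so a reader cannot tell which direction the descriptor flow is (presumably the calling domain inheriting descriptors from hotplug_t, for example a program hotplug executes). Add under the `# hotplug_ignore_use_file_descriptors(domain)` line `# Do not audit attempts by the domain to use file descriptors inherited from hotplug_t.` Minor style: the opening separator on the new block is one `#` shorter than the surrounding ones. The `_depend` fragment just above the insertion belongs to an interface that starts outside the hunk.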
diff --git a/refpolicy/policy/modules/system/hotplug.te b/refpolicy/policy/modules/system/hotplug.te
index fd60c4f..5abaaec 100644
--- a/refpolicy/policy/modules/system/hotplug.te
+++ b/refpolicy/policy/modules/system/hotplug.te
@@ -100,6 +100,10 @@ optional_policy(`consoletype.te',`
 consoletype_transition(hotplug_t)
 ')
 
+optional_policy(`hostname.te',`
+hostname_execute(hotplug_t)
+')
+
 optional_policy(`iptables.te',`
 iptables_transition(hotplug_t)
 ')
@@ -108,6 +112,10 @@ optional_policy(`selinux.te',`
 selinux_newrole_sigchld(hotplug_t)
 ')
 
+optional_policy(`sysnetwork.te',`
+sysnetwork_ifconfig_transition(hotplug_t)
+')
+
 optional_policy(`udev.te', `
 udev_transition(hotplug_t)
 udev_read_database(hotplug_t)
@@ -158,15 +166,6 @@ allow hotplug_t var_log_t:dir search;
 dontaudit hotplug_t domain:dir { getattr search };
 dontaudit hotplug_t { init_t kernel_t }:file read;
 
-optional_policy(`hostname.te',`
-hostname_execute(hotplug_t)
-dontaudit hostname_t hotplug_t:fd use;
-')
-
-optional_policy(`sysnetwork.te',`
-ifconfig_transition(hotplug_t)
-')
-
 tunable_policy(`distro_redhat', `
 optional_policy(`netutils.te', `
 # for arping used for static IP addresses on PCMCIA ethernet
diff --git a/refpolicy/policy/modules/system/logging.te b/refpolicy/policy/modules/system/logging.te
index 0e24740..a15471d 100644
--- a/refpolicy/policy/modules/system/logging.te
+++ b/refpolicy/policy/modules/system/logging.te
@@ -164,8 +164,6 @@ files_ignore_read_rootfs_file(syslogd_t)
 ')
 
 ifdef(`TODO',`
-
-allow syslogd_t proc_t:dir r_dir_perms;
 allow syslogd_t proc_t:lnk_file read;
 dontaudit syslogd_t unpriv_userdomain:fd use;
 allow syslogd_t autofs_t:dir { search getattr };

