[selinux-policy: 132/3172] more authlogin handling
Daniel J Walsh
dwalsh at fedoraproject.org
Thu Oct 7 19:16:29 UTC 2010
commit 13e94c09e437d40f2531dd7d96dcba0419f4d922
Author: Chris PeBenito <cpebenito at tresys.com>
Date: Mon May 9 21:07:53 2005 +0000
more authlogin handling
refpolicy/policy/modules/admin/usermanage.te | 14 ++------------
refpolicy/policy/modules/system/hostname.te | 7 +++++--
refpolicy/policy/modules/system/hotplug.if | 14 ++++++++++++++
refpolicy/policy/modules/system/hotplug.te | 17 ++++++++---------
refpolicy/policy/modules/system/logging.te | 2 --
5 files changed, 29 insertions(+), 25 deletions(-)
---
diff --git a/refpolicy/policy/modules/admin/usermanage.te b/refpolicy/policy/modules/admin/usermanage.te
index 95206f3..33b8504 100644
--- a/refpolicy/policy/modules/admin/usermanage.te
+++ b/refpolicy/policy/modules/admin/usermanage.te
@@ -241,13 +241,12 @@ logging_send_system_log_message(groupadd_t)
miscfiles_read_localization(groupadd_t)
+authlogin_manage_shadow_passwords(groupadd_t)
authlogin_modify_last_login_log(groupadd_t)
selinux_read_config(groupadd_t)
ifdef(`TODO',`
-domain_auto_trans(initrc_t, groupadd_exec_t, groupadd_t)
-
role sysadm_r types groupadd_t;
domain_auto_trans(sysadm_t, groupadd_exec_t, groupadd_t)
@@ -258,14 +257,8 @@ allow groupadd_t autofs_t:dir { search getattr };
')
# Update /etc/shadow and /etc/passwd
-file_type_auto_trans(groupadd_t, etc_t, shadow_t, file)
-
allow groupadd_t { etc_t shadow_t }:file { relabelfrom relabelto };
-# useradd/userdel request read/write for /var/log/lastlog, and read of /dev,
-# but will operate without them.
-dontaudit groupadd_t device_t:dir search;
-
# Access terminals.
ifdef(`gnome-pty-helper.te', `allow groupadd_t gphdomain:fd use;')
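Review bot: The `dontaudit groupadd_t device_t:dir search;` rule and the comment explaining that useradd/userdel probe /dev but cope without it are dropped with no replacement, so unless the new authlogin_manage_shadow_passwords interface (defined outside this diff) carries an equivalent dontaudit, that harmless probe will now show up as AVC denials in the audit log and add noise for anyone tuning the policy. The same hunk keeps the raw `allow groupadd_t { etc_t shadow_t }:file { relabelfrom relabelto };` under the "Update /etc/shadow and /etc/passwd" comment while the etc_t-to-shadow_t file_type_auto_trans moves into the interface; it is worth confirming that the interface includes that type transition, since without it a freshly created shadow file could be left labelled etc_t and readable by every domain allowed to read etc_t. The useradd hunk at `@@ -534,8 +526,6 @@` has the same relabel situation. If the dontaudit removal is intentional, a one-line comment saying why would help the next reader.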
@@ -518,12 +511,11 @@ selinux_read_config(useradd_t)
logging_send_system_log_message(useradd_t)
+authlogin_manage_shadow_passwords(useradd_t)
authlogin_modify_last_login_log(useradd_t)
ifdef(`TODO',`
-domain_auto_trans(initrc_t, useradd_exec_t, useradd_t)
-
role sysadm_r types useradd_t;
domain_auto_trans(sysadm_t, useradd_exec_t, useradd_t)
@@ -534,8 +526,6 @@ allow useradd_t autofs_t:dir { search getattr };
')
# Update /etc/shadow and /etc/passwd
-file_type_auto_trans(useradd_t, etc_t, shadow_t, file)
-
allow useradd_t { etc_t shadow_t }:file { relabelfrom relabelto };
# Access terminals.
diff --git a/refpolicy/policy/modules/system/hostname.te b/refpolicy/policy/modules/system/hostname.te
index e51e5a3..bb73eb2 100644
--- a/refpolicy/policy/modules/system/hostname.te
+++ b/refpolicy/policy/modules/system/hostname.te
@@ -55,14 +55,17 @@ terminal_ignore_use_general_pseudoterminal(hostname_t)
files_ignore_read_rootfs_file(hostname_t)
')dnl end targeted_policy tunable
-optional_policy(`udev.te', `
-udev_read_database(hostname_t)
+optional_policy(`hostname.te',`
+hotplug_ignore_use_file_descriptors(hostname_t)
')
optional_policy(`selinux.te',`
selinux_newrole_sigchld(hostname_t)
')
+optional_policy(`udev.te', `
+udev_read_database(hostname_t)
+')
ifdef(`TODO',`
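Review bot: The new block opened by `+optional_policy(`hostname.te',`` guards a hotplug interface with the name of hostname's own module file; `hotplug_ignore_use_file_descriptors(hostname_t)` requires hotplug_t to exist, so the guard should name the hotplug module, i.e. the line becomes optional_policy(`hotplug.te',` — the mirror of how hotplug.te guards its hostname_execute call in this same commit. As written the block is always taken whenever hostname.te is built, and a build that omits the hotplug module would fail on the undefined hotplug_t type. Moving the udev block below the selinux block is fine and keeps the optional blocks in alphabetical order.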
diff --git a/refpolicy/policy/modules/system/hotplug.if b/refpolicy/policy/modules/system/hotplug.if
index d152359..26ab9a5 100644
--- a/refpolicy/policy/modules/system/hotplug.if
+++ b/refpolicy/policy/modules/system/hotplug.if
@@ -46,6 +46,20 @@ type hotplug_t;
class fd use;
')
+#######################################
+#
+# hotplug_ignore_use_file_descriptors(domain)
+#
+define(`hotplug_ignore_use_file_descriptors',`
+requires_block_template(`$0'_depend)
+dontaudit $1 hotplug_t:fd use;
+')
+
+define(`hotplug_ignore_use_file_descriptors_depend',`
+type hotplug_t;
+class fd use;
+')
+
########################################
#
# hotplug_ignore_search_config_directory(domain)
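Review bot: The banner above the new hotplug_ignore_use_file_descriptors interface is `#######################################` (39 characters), while the existing banners in this file, such as the one for hotplug_ignore_search_config_directory just below, are 40; for consistency make it `########################################`. The interface itself follows the file's existing pattern (a requires_block_template call plus a matching _depend macro declaring `type hotplug_t;` and `class fd use;`), and having the hostname module call it is the right ownership for a rule on hostname_t.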
diff --git a/refpolicy/policy/modules/system/hotplug.te b/refpolicy/policy/modules/system/hotplug.te
index fd60c4f..5abaaec 100644
--- a/refpolicy/policy/modules/system/hotplug.te
+++ b/refpolicy/policy/modules/system/hotplug.te
@@ -100,6 +100,10 @@ optional_policy(`consoletype.te',`
consoletype_transition(hotplug_t)
')
+optional_policy(`hostname.te',`
+hostname_execute(hotplug_t)
+')
+
optional_policy(`iptables.te',`
iptables_transition(hotplug_t)
')
@@ -108,6 +112,10 @@ optional_policy(`selinux.te',`
selinux_newrole_sigchld(hotplug_t)
')
+optional_policy(`sysnetwork.te',`
+sysnetwork_ifconfig_transition(hotplug_t)
+')
+
optional_policy(`udev.te', `
udev_transition(hotplug_t)
udev_read_database(hotplug_t)
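Review bot: The added call `sysnetwork_ifconfig_transition(hotplug_t)` replaces the unprefixed `ifconfig_transition(hotplug_t)` removed further down at `@@ -158,15 +166,6 @@`, but nothing in this commit touches sysnetwork.if, so the prefixed name must already be defined there. In an m4-based policy build an undefined macro name passes through literally and only fails later in the policy compiler with a syntax error that points nowhere near this file, so a quick check that sysnetwork.if defines the prefixed interface is worthwhile before merging. The udev optional_policy block that starts at the end of this hunk closes outside it.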
@@ -158,15 +166,6 @@ allow hotplug_t var_log_t:dir search;
dontaudit hotplug_t domain:dir { getattr search };
dontaudit hotplug_t { init_t kernel_t }:file read;
-optional_policy(`hostname.te',`
-hostname_execute(hotplug_t)
-dontaudit hostname_t hotplug_t:fd use;
-')
-
-optional_policy(`sysnetwork.te',`
-ifconfig_transition(hotplug_t)
-')
-
tunable_policy(`distro_redhat', `
optional_policy(`netutils.te', `
# for arping used for static IP addresses on PCMCIA ethernet
diff --git a/refpolicy/policy/modules/system/logging.te b/refpolicy/policy/modules/system/logging.te
index 0e24740..a15471d 100644
--- a/refpolicy/policy/modules/system/logging.te
+++ b/refpolicy/policy/modules/system/logging.te
@@ -164,8 +164,6 @@ files_ignore_read_rootfs_file(syslogd_t)
')
ifdef(`TODO',`
-
-allow syslogd_t proc_t:dir r_dir_perms;
allow syslogd_t proc_t:lnk_file read;
dontaudit syslogd_t unpriv_userdomain:fd use;
allow syslogd_t autofs_t:dir { search getattr };