[selinux-policy: 972/3172] add patch from dan

Daniel J Walsh dwalsh at fedoraproject.org
Thu Oct 7 20:29:00 UTC 2010


commit 7b062eac78e0baa1f623a531abc702a1faceb38d
Author: Chris PeBenito <cpebenito at tresys.com>
Date:   Tue Nov 15 16:34:10 2005 +0000

    add patch from dan

 refpolicy/Changelog                          |    1 +
 refpolicy/policy/modules/services/ldap.te    |   15 ++++++++++++++-
 refpolicy/policy/modules/system/authlogin.fc |    2 ++
 refpolicy/policy/modules/system/authlogin.if |    6 ++++++
 refpolicy/policy/modules/system/authlogin.te |    9 ++++++++-
 refpolicy/policy/modules/system/logging.te   |    3 ++-
 6 files changed, 33 insertions(+), 3 deletions(-)
---
diff --git a/refpolicy/Changelog b/refpolicy/Changelog
index 88501b3..8e0730b 100644
--- a/refpolicy/Changelog
+++ b/refpolicy/Changelog
@@ -1,3 +1,4 @@
+- Fixes from Dan Walsh for ldap and authlogin.
 - Fix corenetwork gen_context()'s to expand during the policy
   build phase instead of during the generation phase.  
 - DISTRO=redhat now implies DIRECT_INITRC=y.
diff --git a/refpolicy/policy/modules/services/ldap.te b/refpolicy/policy/modules/services/ldap.te
index 672ef1c..ae0005d 100644
--- a/refpolicy/policy/modules/services/ldap.te
+++ b/refpolicy/policy/modules/services/ldap.te
@@ -1,5 +1,5 @@
 
-policy_module(ldap,1.0)
+policy_module(ldap,1.0.1)
 
 ########################################
 #
@@ -10,12 +10,18 @@ type slapd_t;
 type slapd_exec_t;
 init_daemon_domain(slapd_t,slapd_exec_t)
 
+type slapd_cert_t;
+files_type(slapd_cert_t)
+
 type slapd_db_t;
 files_type(slapd_db_t)
 
 type slapd_etc_t;
 files_config_file(slapd_etc_t)
 
+type slapd_lock_t;
+files_lock_file(slapd_lock_t)
+
 type slapd_replog_t;
 files_type(slapd_replog_t)
 
@@ -41,6 +47,10 @@ allow slapd_t self:udp_socket create_socket_perms;
 #slapd needs to listen and accept needed by ldapsearch (slapd needs to accept from ldapseach)
 allow slapd_t self:tcp_socket create_stream_socket_perms;
 
+allow slapd_t slapd_cert_t:dir r_dir_perms;
+allow slapd_t slapd_cert_t:file r_file_perms;
+allow slapd_t slapd_cert_t:lnk_file { getattr read };
+
 # Allow access to the slapd databases
 allow slapd_t slapd_db_t:dir create_dir_perms;
 allow slapd_t slapd_db_t:file create_file_perms;
@@ -48,6 +58,9 @@ allow slapd_t slapd_db_t:lnk_file create_lnk_perms;
 
 allow slapd_t slapd_etc_t:file { getattr read };
 
+allow slapd_t slapd_lock_t:file create_file_perms;
+files_create_lock(slapd_t,slapd_lock_t)
+
 # Allow access to write the replication log (should tighten this)
 allow slapd_t slapd_replog_t:dir create_dir_perms;
 allow slapd_t slapd_replog_t:file create_file_perms;
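Review bot: `allow slapd_t slapd_lock_t:file create_file_perms;` grants the full create set (which in refpolicy includes link, rename and append) for what is a single lock file; this is broader than a lock file normally needs. If slapd only creates, locks, reads/writes and removes the file, a narrower set such as `{ create getattr read write lock unlink }` keeps the type to least privilege — confirm against slapd's actual lock handling before tightening. Note also that `files_create_lock(slapd_t,slapd_lock_t)` only provides the transition into /var/lock, so any file-context entry for slapd_lock_t still has to be added separately (ldap.fc is not part of this commit).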
diff --git a/refpolicy/policy/modules/system/authlogin.fc b/refpolicy/policy/modules/system/authlogin.fc
index 9f37e2f..898eab6 100644
--- a/refpolicy/policy/modules/system/authlogin.fc
+++ b/refpolicy/policy/modules/system/authlogin.fc
@@ -23,6 +23,8 @@ ifdef(`distro_suse', `
 
 /var/db/shadow.*	--	gen_context(system_u:object_r:shadow_t,s0)
 
+/var/lib/abl(/.*)?		gen_context(system_u:object_r:var_auth_t,s0)
+
 /var/log/btmp.*		--	gen_context(system_u:object_r:faillog_t,s0)
 /var/log/dmesg		--	gen_context(system_u:object_r:var_log_t,s0)
 /var/log/faillog	--	gen_context(system_u:object_r:faillog_t,s0)
diff --git a/refpolicy/policy/modules/system/authlogin.if b/refpolicy/policy/modules/system/authlogin.if
index 46d3fbf..8fedb48 100644
--- a/refpolicy/policy/modules/system/authlogin.if
+++ b/refpolicy/policy/modules/system/authlogin.if
@@ -920,6 +920,12 @@ interface(`auth_manage_login_records',`
 ## </param>
 #
 interface(`auth_use_nsswitch',`
+	gen_require(`
+		type var_auth_t;
+	')
+
+	allow $1 var_auth_t:dir r_dir_perms;
+	allow $1 var_auth_t:file create_file_perms;
 
 	sysnet_dns_name_resolve($1)
 	sysnet_use_ldap($1)
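Review bot: The new `allow $1 var_auth_t:file create_file_perms;` is paired with only `r_dir_perms` on the var_auth_t directory, so create, unlink and rename on files under /var/lib/abl cannot succeed — those need add_name/remove_name on the directory — and will surface as denials; either use `rw_dir_perms` on the directory or drop the create/unlink/rename file permissions if the callers only update existing records. Separately, placing this in auth_use_nsswitch hands write access to the pam_abl database to every domain that merely resolves names through nsswitch, which is a much wider set than the PAM-using login programs that presumably need it; a dedicated interface (for example `auth_rw_var_auth`) called from those domains would keep the grant scoped. The interface body continues past the end of this hunk.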
diff --git a/refpolicy/policy/modules/system/authlogin.te b/refpolicy/policy/modules/system/authlogin.te
index ee6fd72..5178167 100644
--- a/refpolicy/policy/modules/system/authlogin.te
+++ b/refpolicy/policy/modules/system/authlogin.te
@@ -1,5 +1,5 @@
 
-policy_module(authlogin,1.0)
+policy_module(authlogin,1.0.1)
 
 ########################################
 #
@@ -64,6 +64,13 @@ domain_type(utempter_t)
 type utempter_exec_t;
 domain_entry_file(utempter_t,utempter_exec_t)
 
+#
+# var_auth_t is the type of /var/lib/auth, usually
+# used for auth data in pam_able
+#
+type var_auth_t;
+files_type(var_auth_t)
+
 type wtmp_t;
 logging_log_file(wtmp_t)
 
diff --git a/refpolicy/policy/modules/system/logging.te b/refpolicy/policy/modules/system/logging.te
index e6f2fac..afffb4f 100644
--- a/refpolicy/policy/modules/system/logging.te
+++ b/refpolicy/policy/modules/system/logging.te
@@ -1,5 +1,5 @@
 
-policy_module(logging,1.0)
+policy_module(logging,1.0.1)
 
 ########################################
 #
@@ -108,6 +108,7 @@ allow auditd_t self:process { signal_perms setsched };
 allow auditd_t self:file { getattr read write };
 allow auditd_t self:unix_dgram_socket create_socket_perms;
 allow auditd_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay nlmsg_readpriv };
+allow auditd_t self:fifo_file rw_file_perms;
 
 allow auditd_t auditd_etc_t:file r_file_perms;
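Review bot: `allow auditd_t self:fifo_file rw_file_perms;` has no comment saying which pipe auditd needs this for, unlike the surrounding self rules whose purpose is evident from the object class; a one-line note such as `# auditd reads/writes its own pipe (presumably the dispatcher/child pipe; confirm)` would save the next reader an audit-log hunt. The grant is self-scoped and read/write only, so it does not widen auditd's reach beyond its own objects.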
 

