[selinux-policy: 1041/3172] make common template

Daniel J Walsh dwalsh at fedoraproject.org
Thu Oct 7 20:34:54 UTC 2010


commit 8ba1bd8502a33efb017c4b2d89269346ec59053f
Author: Chris PeBenito <cpebenito at tresys.com>
Date:   Thu Dec 8 17:42:08 2005 +0000

    make common template

 refpolicy/policy/modules/system/authlogin.if |   99 +++++++++++++++----------
 refpolicy/policy/modules/system/authlogin.te |   53 +-------------
 2 files changed, 63 insertions(+), 89 deletions(-)
---
diff --git a/refpolicy/policy/modules/system/authlogin.if b/refpolicy/policy/modules/system/authlogin.if
index f6a54b3..6118ed9 100644
--- a/refpolicy/policy/modules/system/authlogin.if
+++ b/refpolicy/policy/modules/system/authlogin.if
@@ -2,43 +2,28 @@
 
 #######################################
 ## <summary>
-##	The per user domain template for the authlogin module.
+##	Common template to create a domain for authentication.
 ## </summary>
 ## <desc>
 ##	<p>
 ##	This template creates a derived domain which is allowed
 ##	to authenticate users by using PAM unix_chkpwd support.
-##	This domain will be used by any programs running in the
-##	user domain which use PAM to authenticate.
-##	</p>
-##	<p>
-##	This template is invoked automatically for each user, and
-##	generally does not need to be invoked directly
-##	by policy writers.
 ##	</p>
 ## </desc>
 ## <param name="userdomain_prefix">
 ##	The prefix of the user domain (e.g., user
 ##	is the prefix for user_t).
 ## </param>
-## <param name="user_domain">
-##	The type of the user domain.
-## </param>
-## <param name="user_role">
-##	The role associated with the user domain.
-## </param>
 #
-template(`authlogin_per_userdomain_template',`
+template(`authlogin_common_auth_domain_template',`
 	gen_require(`
 		attribute can_read_shadow_passwords;
-		type chkpwd_exec_t, system_chkpwd_t, shadow_t;
+		type chkpwd_exec_t, shadow_t;
 	')
 
 	type $1_chkpwd_t, can_read_shadow_passwords;
 	domain_type($1_chkpwd_t)
 	domain_entry_file($1_chkpwd_t,chkpwd_exec_t)
-	role $3 types $1_chkpwd_t;
-	role $3 types system_chkpwd_t;
 
 	allow $1_chkpwd_t self:capability { audit_write audit_control setuid };
 	allow $1_chkpwd_t self:process getattr;
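Review bot: The `<param name="userdomain_prefix">` description kept in the new template's header no longer matches how the template is used: the .te side of this commit invokes it as `authlogin_common_auth_domain_template(system)`, so the argument is a generic domain prefix, not a user-domain prefix. I would rename the parameter to `prefix` and word it as `The prefix for the derived $1_chkpwd_t domain (e.g. user, or system for system_chkpwd_t).` The `<desc>` should also say what a caller still has to supply, since this template deliberately emits no role assignment and no transition: the caller must add `role … types $1_chkpwd_t;` and a `domain_auto_trans` into `$1_chkpwd_t` from whichever domain executes `chkpwd_exec_t`. It is worth stating that `$1_chkpwd_t` is placed in `can_read_shadow_passwords`, because that attribute is what exempts it from the `neverallow ~can_read_shadow_passwords shadow_t:file read` rule in authlogin.te.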
@@ -46,18 +31,6 @@ template(`authlogin_per_userdomain_template',`
 	files_list_etc($1_chkpwd_t)
 	allow $1_chkpwd_t shadow_t:file { getattr read };
 
-	allow $2 self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay };
-
-	# Transition from the user domain to this domain.
-	domain_auto_trans($2,chkpwd_exec_t,$1_chkpwd_t)
-
-	allow $1_chkpwd_t $2:fd use;
-	allow $2 $1_chkpwd_t:fd use;
-	allow $1_chkpwd_t $2:fifo_file rw_file_perms;
-	allow $1_chkpwd_t $2:process sigchld;
-
-	dontaudit $2 shadow_t:file { getattr read };
-
 	# is_selinux_enabled
 	kernel_read_system_state($1_chkpwd_t)
 
@@ -66,8 +39,6 @@ template(`authlogin_per_userdomain_template',`
 
 	fs_dontaudit_getattr_xattr_fs($1_chkpwd_t)
 
-	domain_use_wide_inherit_fd($1_chkpwd_t)
-
 	libs_use_ld_so($1_chkpwd_t)
 	libs_use_shared_libs($1_chkpwd_t)
 
@@ -85,12 +56,6 @@ template(`authlogin_per_userdomain_template',`
 	sysnet_dns_name_resolve($1_chkpwd_t)
 	sysnet_use_ldap($1_chkpwd_t)
 
-	# Write to the user domain tty.
-	userdom_use_user_terminals($1,$1_chkpwd_t)
-
-	# Inherit and use descriptors from gnome-pty-helper.
-	#ifdef(`gnome-pty-helper.te',`allow $1_chkpwd_t $1_gph_t:fd use;')
-
 	optional_policy(`kerberos',`
 		kerberos_use($1_chkpwd_t)
 	')
@@ -106,10 +71,64 @@ template(`authlogin_per_userdomain_template',`
 	optional_policy(`samba',`
 		samba_connect_winbind($1_chkpwd_t)
 	')
+')
+
+#######################################
+## <summary>
+##	The per user domain template for the authlogin module.
+## </summary>
+## <desc>
+##	<p>
+##	This template creates a derived domain which is allowed
+##	to authenticate users by using PAM unix_chkpwd support.
+##	This domain will be used by any programs running in the
+##	user domain which use PAM to authenticate.
+##	</p>
+##	<p>
+##	This template is invoked automatically for each user, and
+##	generally does not need to be invoked directly
+##	by policy writers.
+##	</p>
+## </desc>
+## <param name="userdomain_prefix">
+##	The prefix of the user domain (e.g., user
+##	is the prefix for user_t).
+## </param>
+## <param name="user_domain">
+##	The type of the user domain.
+## </param>
+## <param name="user_role">
+##	The role associated with the user domain.
+## </param>
+#
+template(`authlogin_per_userdomain_template',`
 
-	optional_policy(`selinuxutil',`
-		seutil_use_newrole_fd($1_chkpwd_t)
+	gen_require(`
+		type system_chkpwd_t, shadow_t;
 	')
+
+	authlogin_common_auth_domain_template($1)
+
+	role $3 types $1_chkpwd_t;
+	role $3 types system_chkpwd_t;
+
+	allow $2 self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay };
+
+	dontaudit $2 shadow_t:file { getattr read };
+
+	# Transition from the user domain to this domain.
+	domain_auto_trans($2,chkpwd_exec_t,$1_chkpwd_t)
+	allow $1_chkpwd_t $2:fd use;
+	allow $2 $1_chkpwd_t:fd use;
+	allow $1_chkpwd_t $2:fifo_file rw_file_perms;
+	allow $1_chkpwd_t $2:process sigchld;
+
+	domain_use_wide_inherit_fd($1_chkpwd_t)
+
+	seutil_use_newrole_fd($1_chkpwd_t)
+
+	# Write to the user domain tty.
+	userdom_use_user_terminals($1,$1_chkpwd_t)
 ')
 
 ########################################
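Review bot: `seutil_use_newrole_fd($1_chkpwd_t)` is now called unconditionally, whereas before this commit it sat inside `optional_policy(`selinuxutil', …)`; unless selinuxutil is guaranteed to be in the base policy, every module that expands this template will fail to link when it is absent, and the commit message does not mention the change. If selinuxutil is not known to be non-optional here, keep the wrapper: `optional_policy(`selinuxutil',` / `seutil_use_newrole_fd($1_chkpwd_t)` / `')`. Separately, the new `gen_require` lists only `system_chkpwd_t` and `shadow_t`, yet the body still references `chkpwd_exec_t` in `domain_auto_trans($2,chkpwd_exec_t,$1_chkpwd_t)`; this presumably works only because the nested `authlogin_common_auth_domain_template` expands its own require block inline, so I would add `type chkpwd_exec_t;` to this template's `gen_require` rather than rely on that.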
diff --git a/refpolicy/policy/modules/system/authlogin.te b/refpolicy/policy/modules/system/authlogin.te
index 157b8d4..fc2dd87 100644
--- a/refpolicy/policy/modules/system/authlogin.te
+++ b/refpolicy/policy/modules/system/authlogin.te
@@ -1,5 +1,5 @@
 
-policy_module(authlogin,1.0.2)
+policy_module(authlogin,1.0.3)
 
 ########################################
 #
@@ -53,9 +53,7 @@ neverallow ~can_read_shadow_passwords shadow_t:file read;
 neverallow ~can_write_shadow_passwords shadow_t:file { create write };
 neverallow ~can_relabelto_shadow_passwords shadow_t:file relabelto;
 
-type system_chkpwd_t, can_read_shadow_passwords;
-domain_type(system_chkpwd_t)
-domain_entry_file(system_chkpwd_t,chkpwd_exec_t)
+authlogin_common_auth_domain_template(system)
 role system_r types system_chkpwd_t;
 
 type utempter_t;
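Review bot: Expanding `authlogin_common_auth_domain_template(system)` grants system_chkpwd_t the `audit_write` and `audit_control` capabilities, which the old stand-alone rule (`allow system_chkpwd_t self:capability setuid;`, removed further down in this patch) did not, so a refactor described as "make common template" also widens a privileged domain. That is probably intended, since the retained `allow system_chkpwd_t self:netlink_audit_socket { … nlmsg_relay }` rule implies unix_chkpwd already writes audit records, but the commit message should say so; if `audit_control` is not actually needed by system_chkpwd_t, consider granting it in the per-user template only. Because any rule added to the common template in future lands on system_chkpwd_t automatically, a one-line comment above the call would help, e.g. `# shared chkpwd rules come from the common template; system-only rules are in the local policy section below.`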
@@ -263,62 +261,19 @@ ifdef(`xdm.te', `
 # System check password local policy
 #
 
-allow system_chkpwd_t self:capability setuid;
-allow system_chkpwd_t self:process getattr;
 allow system_chkpwd_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay };
 
 allow system_chkpwd_t shadow_t:file { getattr read };
 
-# is_selinux_enabled
-kernel_read_system_state(system_chkpwd_t)
-
-dev_read_rand(system_chkpwd_t)
-dev_read_urand(system_chkpwd_t)
-
-fs_dontaudit_getattr_xattr_fs(system_chkpwd_t)
-
-term_dontaudit_use_unallocated_tty(system_chkpwd_t)
-term_dontaudit_use_generic_pty(system_chkpwd_t)
-
 corecmd_search_sbin(system_chkpwd_t)
 
 domain_dontaudit_use_wide_inherit_fd(system_chkpwd_t)
 
-files_read_etc_files(system_chkpwd_t)
-# for nscd
-files_dontaudit_search_var(system_chkpwd_t)
-
-libs_use_ld_so(system_chkpwd_t)
-libs_use_shared_libs(system_chkpwd_t)
-
-logging_send_syslog_msg(system_chkpwd_t)
-
-miscfiles_read_localization(system_chkpwd_t)
-miscfiles_read_certs(system_chkpwd_t)
-
-seutil_read_config(system_chkpwd_t)
-
-sysnet_dns_name_resolve(system_chkpwd_t)
-sysnet_use_ldap(system_chkpwd_t)
+term_dontaudit_use_unallocated_tty(system_chkpwd_t)
+term_dontaudit_use_generic_pty(system_chkpwd_t)
 
 userdom_dontaudit_use_unpriv_user_tty(system_chkpwd_t)
 
-optional_policy(`kerberos',`
-	kerberos_use(system_chkpwd_t)
-')
-
-optional_policy(`nis',`
-	nis_use_ypbind(system_chkpwd_t)
-')
-
-optional_policy(`nscd',`
-	nscd_use_socket(system_chkpwd_t)
-')
-
-optional_policy(`samba',`
-	samba_connect_winbind(system_chkpwd_t)
-')
-
 ########################################
 #
 # Utempter local policy
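Review bot: `allow system_chkpwd_t shadow_t:file { getattr read };` is now redundant, because `authlogin_common_auth_domain_template(system)` already emits `allow $1_chkpwd_t shadow_t:file { getattr read };` for the same type; dropping it keeps shadow access granted in exactly one place that stays in sync with the template. Conversely, `allow system_chkpwd_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay };` remains a system-only rule while the common template gives every `$1_chkpwd_t` the `audit_write` capability but no audit socket; if the per-user chkpwd domains are also expected to emit audit records, that rule belongs in the common template, and if not, the capability grant there looks wider than needed. Whichever is intended, a short comment such as `# netlink_audit_socket is granted only to system_chkpwd_t; shared rules live in the common template` above the rule would record the decision.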

