[selinux-policy: 1041/3172] make common template
Daniel J Walsh
dwalsh at fedoraproject.org
Thu Oct 7 20:34:54 UTC 2010
commit 8ba1bd8502a33efb017c4b2d89269346ec59053f
Author: Chris PeBenito <cpebenito at tresys.com>
Date: Thu Dec 8 17:42:08 2005 +0000
make common template
refpolicy/policy/modules/system/authlogin.if | 99 +++++++++++++++----------
refpolicy/policy/modules/system/authlogin.te | 53 +-------------
2 files changed, 63 insertions(+), 89 deletions(-)
---
diff --git a/refpolicy/policy/modules/system/authlogin.if b/refpolicy/policy/modules/system/authlogin.if
index f6a54b3..6118ed9 100644
--- a/refpolicy/policy/modules/system/authlogin.if
+++ b/refpolicy/policy/modules/system/authlogin.if
@@ -2,43 +2,28 @@
#######################################
## <summary>
-## The per user domain template for the authlogin module.
+## Common template to create a domain for authentication.
## </summary>
## <desc>
## <p>
## This template creates a derived domain which is allowed
## to authenticate users by using PAM unix_chkpwd support.
-## This domain will be used by any programs running in the
-## user domain which use PAM to authenticate.
-## </p>
-## <p>
-## This template is invoked automatically for each user, and
-## generally does not need to be invoked directly
-## by policy writers.
## </p>
## </desc>
## <param name="userdomain_prefix">
## The prefix of the user domain (e.g., user
## is the prefix for user_t).
## </param>
-## <param name="user_domain">
-## The type of the user domain.
-## </param>
-## <param name="user_role">
-## The role associated with the user domain.
-## </param>
#
-template(`authlogin_per_userdomain_template',`
+template(`authlogin_common_auth_domain_template',`
gen_require(`
attribute can_read_shadow_passwords;
- type chkpwd_exec_t, system_chkpwd_t, shadow_t;
+ type chkpwd_exec_t, shadow_t;
')
type $1_chkpwd_t, can_read_shadow_passwords;
domain_type($1_chkpwd_t)
domain_entry_file($1_chkpwd_t,chkpwd_exec_t)
- role $3 types $1_chkpwd_t;
- role $3 types system_chkpwd_t;
allow $1_chkpwd_t self:capability { audit_write audit_control setuid };
allow $1_chkpwd_t self:process getattr;
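Review bot: The common template grants `allow $1_chkpwd_t self:capability { audit_write audit_control setuid };` to every instance, so once authlogin.te invokes it as `authlogin_common_auth_domain_template(system)`, system_chkpwd_t gains audit_write and audit_control, whereas the local rule removed in the authlogin.te hunk (`allow system_chkpwd_t self:capability setuid;`) granted only setuid. audit_control covers changing the kernel audit configuration, which is broader than the audit_write needed to send audit records, so this is a silent widening for the system instance. If the system domain does not need it, keep the capability line out of the common template and grant it in the per-user template, or state in the template's `<desc>` why every instance needs audit_control. The common template's body continues past the end of this hunk.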
@@ -46,18 +31,6 @@ template(`authlogin_per_userdomain_template',`
files_list_etc($1_chkpwd_t)
allow $1_chkpwd_t shadow_t:file { getattr read };
- allow $2 self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay };
-
- # Transition from the user domain to this domain.
- domain_auto_trans($2,chkpwd_exec_t,$1_chkpwd_t)
-
- allow $1_chkpwd_t $2:fd use;
- allow $2 $1_chkpwd_t:fd use;
- allow $1_chkpwd_t $2:fifo_file rw_file_perms;
- allow $1_chkpwd_t $2:process sigchld;
-
- dontaudit $2 shadow_t:file { getattr read };
-
# is_selinux_enabled
kernel_read_system_state($1_chkpwd_t)
@@ -66,8 +39,6 @@ template(`authlogin_per_userdomain_template',`
fs_dontaudit_getattr_xattr_fs($1_chkpwd_t)
- domain_use_wide_inherit_fd($1_chkpwd_t)
-
libs_use_ld_so($1_chkpwd_t)
libs_use_shared_libs($1_chkpwd_t)
@@ -85,12 +56,6 @@ template(`authlogin_per_userdomain_template',`
sysnet_dns_name_resolve($1_chkpwd_t)
sysnet_use_ldap($1_chkpwd_t)
- # Write to the user domain tty.
- userdom_use_user_terminals($1,$1_chkpwd_t)
-
- # Inherit and use descriptors from gnome-pty-helper.
- #ifdef(`gnome-pty-helper.te',`allow $1_chkpwd_t $1_gph_t:fd use;')
-
optional_policy(`kerberos',`
kerberos_use($1_chkpwd_t)
')
@@ -106,10 +71,64 @@ template(`authlogin_per_userdomain_template',`
optional_policy(`samba',`
samba_connect_winbind($1_chkpwd_t)
')
+')
+
+#######################################
+## <summary>
+## The per user domain template for the authlogin module.
+## </summary>
+## <desc>
+## <p>
+## This template creates a derived domain which is allowed
+## to authenticate users by using PAM unix_chkpwd support.
+## This domain will be used by any programs running in the
+## user domain which use PAM to authenticate.
+## </p>
+## <p>
+## This template is invoked automatically for each user, and
+## generally does not need to be invoked directly
+## by policy writers.
+## </p>
+## </desc>
+## <param name="userdomain_prefix">
+## The prefix of the user domain (e.g., user
+## is the prefix for user_t).
+## </param>
+## <param name="user_domain">
+## The type of the user domain.
+## </param>
+## <param name="user_role">
+## The role associated with the user domain.
+## </param>
+#
+template(`authlogin_per_userdomain_template',`
- optional_policy(`selinuxutil',`
- seutil_use_newrole_fd($1_chkpwd_t)
+ gen_require(`
+ type system_chkpwd_t, shadow_t;
')
+
+ authlogin_common_auth_domain_template($1)
+
+ role $3 types $1_chkpwd_t;
+ role $3 types system_chkpwd_t;
+
+ allow $2 self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay };
+
+ dontaudit $2 shadow_t:file { getattr read };
+
+ # Transition from the user domain to this domain.
+ domain_auto_trans($2,chkpwd_exec_t,$1_chkpwd_t)
+ allow $1_chkpwd_t $2:fd use;
+ allow $2 $1_chkpwd_t:fd use;
+ allow $1_chkpwd_t $2:fifo_file rw_file_perms;
+ allow $1_chkpwd_t $2:process sigchld;
+
+ domain_use_wide_inherit_fd($1_chkpwd_t)
+
+ seutil_use_newrole_fd($1_chkpwd_t)
+
+ # Write to the user domain tty.
+ userdom_use_user_terminals($1,$1_chkpwd_t)
')
########################################
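Review bot: `seutil_use_newrole_fd($1_chkpwd_t)` is now called unconditionally in the per-user template, while the removed lines wrapped it in `optional_policy(`selinuxutil', ...)`; if selinuxutil can be left out of a build, the template will fail to expand, so the wrapper should be restored around that call. The new `gen_require` lists only `system_chkpwd_t` and `shadow_t`, yet `domain_auto_trans($2,chkpwd_exec_t,$1_chkpwd_t)` uses `chkpwd_exec_t`; that appears to rely on the nested `authlogin_common_auth_domain_template($1)` call having required it, which is fragile if the common template's require list changes, so add `type chkpwd_exec_t, system_chkpwd_t, shadow_t;` to this template's own `gen_require`.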
diff --git a/refpolicy/policy/modules/system/authlogin.te b/refpolicy/policy/modules/system/authlogin.te
index 157b8d4..fc2dd87 100644
--- a/refpolicy/policy/modules/system/authlogin.te
+++ b/refpolicy/policy/modules/system/authlogin.te
@@ -1,5 +1,5 @@
-policy_module(authlogin,1.0.2)
+policy_module(authlogin,1.0.3)
########################################
#
@@ -53,9 +53,7 @@ neverallow ~can_read_shadow_passwords shadow_t:file read;
neverallow ~can_write_shadow_passwords shadow_t:file { create write };
neverallow ~can_relabelto_shadow_passwords shadow_t:file relabelto;
-type system_chkpwd_t, can_read_shadow_passwords;
-domain_type(system_chkpwd_t)
-domain_entry_file(system_chkpwd_t,chkpwd_exec_t)
+authlogin_common_auth_domain_template(system)
role system_r types system_chkpwd_t;
type utempter_t;
@@ -263,62 +261,19 @@ ifdef(`xdm.te', `
# System check password local policy
#
-allow system_chkpwd_t self:capability setuid;
-allow system_chkpwd_t self:process getattr;
allow system_chkpwd_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay };
allow system_chkpwd_t shadow_t:file { getattr read };
-# is_selinux_enabled
-kernel_read_system_state(system_chkpwd_t)
-
-dev_read_rand(system_chkpwd_t)
-dev_read_urand(system_chkpwd_t)
-
-fs_dontaudit_getattr_xattr_fs(system_chkpwd_t)
-
-term_dontaudit_use_unallocated_tty(system_chkpwd_t)
-term_dontaudit_use_generic_pty(system_chkpwd_t)
-
corecmd_search_sbin(system_chkpwd_t)
domain_dontaudit_use_wide_inherit_fd(system_chkpwd_t)
-files_read_etc_files(system_chkpwd_t)
-# for nscd
-files_dontaudit_search_var(system_chkpwd_t)
-
-libs_use_ld_so(system_chkpwd_t)
-libs_use_shared_libs(system_chkpwd_t)
-
-logging_send_syslog_msg(system_chkpwd_t)
-
-miscfiles_read_localization(system_chkpwd_t)
-miscfiles_read_certs(system_chkpwd_t)
-
-seutil_read_config(system_chkpwd_t)
-
-sysnet_dns_name_resolve(system_chkpwd_t)
-sysnet_use_ldap(system_chkpwd_t)
+term_dontaudit_use_unallocated_tty(system_chkpwd_t)
+term_dontaudit_use_generic_pty(system_chkpwd_t)
userdom_dontaudit_use_unpriv_user_tty(system_chkpwd_t)
-optional_policy(`kerberos',`
- kerberos_use(system_chkpwd_t)
-')
-
-optional_policy(`nis',`
- nis_use_ypbind(system_chkpwd_t)
-')
-
-optional_policy(`nscd',`
- nscd_use_socket(system_chkpwd_t)
-')
-
-optional_policy(`samba',`
- samba_connect_winbind(system_chkpwd_t)
-')
-
########################################
#
# Utempter local policy
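Review bot: `allow system_chkpwd_t shadow_t:file { getattr read };` kept near the top of this hunk is now also granted by the common template (`allow $1_chkpwd_t shadow_t:file { getattr read };` instantiated for `system`), so the local line is redundant and can be dropped to keep shadow_t access in one place. The `term_dontaudit_use_unallocated_tty`/`term_dontaudit_use_generic_pty` pair is removed and re-added a few lines lower, which reads as a reorder rather than a policy change; leaving those two lines in place would make the diff show only the rules that actually moved into the template.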