[selinux-policy] Add passwd_file_t for /etc/ptmptmp

Daniel J Walsh dwalsh at fedoraproject.org
Mon Oct 17 19:51:27 UTC 2011 

commit 9bf3aa2c960d916f0138b6f3a5374d2c28b38da0
Author: Dan Walsh <dwalsh at redhat.com>
Date:   Mon Oct 17 15:51:24 2011 -0400

    Add passwd_file_t for /etc/ptmptmp

 passwd.patch        |   50 ++++++++++++++++++++++++++++----------------------
 selinux-policy.spec |    9 +++++++--
 2 files changed, 35 insertions(+), 24 deletions(-)
---
diff --git a/passwd.patch b/passwd.patch
index 7674222..e927f4b 100644
--- a/passwd.patch
+++ b/passwd.patch
@@ -12,10 +12,10 @@ index ef8bc09..ea06507 100644
  
  miscfiles_read_localization(mcelog_t)
 diff --git a/policy/modules/admin/usermanage.te b/policy/modules/admin/usermanage.te
-index 4779a8d..b8eac3e 100644
+index 772a68e..e01c9c2 100644
 --- a/policy/modules/admin/usermanage.te
 +++ b/policy/modules/admin/usermanage.te
-@@ -89,6 +89,7 @@ fs_search_auto_mountpoints(chfn_t)
+@@ -90,6 +90,7 @@ fs_search_auto_mountpoints(chfn_t)
  dev_read_urand(chfn_t)
  dev_dontaudit_getattr_all(chfn_t)
  
@@ -23,7 +23,7 @@ index 4779a8d..b8eac3e 100644
  auth_use_pam(chfn_t)
  
  # allow checking if a shell is executable
-@@ -96,7 +97,6 @@ corecmd_check_exec_shell(chfn_t)
+@@ -97,7 +98,6 @@ corecmd_check_exec_shell(chfn_t)
  
  domain_use_interactive_fds(chfn_t)
  
@@ -31,7 +31,7 @@ index 4779a8d..b8eac3e 100644
  files_read_etc_runtime_files(chfn_t)
  files_dontaudit_search_var(chfn_t)
  files_dontaudit_search_home(chfn_t)
-@@ -205,8 +205,8 @@ init_dontaudit_write_utmp(groupadd_t)
+@@ -207,8 +207,8 @@ init_dontaudit_write_utmp(groupadd_t)
  
  domain_use_interactive_fds(groupadd_t)
  
@@ -41,7 +41,7 @@ index 4779a8d..b8eac3e 100644
  files_read_etc_runtime_files(groupadd_t)
  files_read_usr_symlinks(groupadd_t)
  
-@@ -221,9 +221,10 @@ miscfiles_read_localization(groupadd_t)
+@@ -223,9 +223,10 @@ miscfiles_read_localization(groupadd_t)
  auth_domtrans_chk_passwd(groupadd_t)
  auth_rw_lastlog(groupadd_t)
  auth_use_nsswitch(groupadd_t)
@@ -53,7 +53,7 @@ index 4779a8d..b8eac3e 100644
  auth_relabel_shadow(groupadd_t)
  auth_etc_filetrans_shadow(groupadd_t)
  
-@@ -296,6 +297,7 @@ selinux_compute_user_contexts(passwd_t)
+@@ -298,6 +299,7 @@ selinux_compute_user_contexts(passwd_t)
  
  term_use_all_inherited_terms(passwd_t)
  
@@ -61,7 +61,7 @@ index 4779a8d..b8eac3e 100644
  auth_manage_shadow(passwd_t)
  auth_relabel_shadow(passwd_t)
  auth_etc_filetrans_shadow(passwd_t)
-@@ -310,7 +312,6 @@ corenet_tcp_connect_kerberos_password_port(passwd_t)
+@@ -312,7 +314,6 @@ corenet_tcp_connect_kerberos_password_port(passwd_t)
  domain_use_interactive_fds(passwd_t)
  
  files_read_etc_runtime_files(passwd_t)
@@ -69,7 +69,7 @@ index 4779a8d..b8eac3e 100644
  files_search_var(passwd_t)
  files_dontaudit_search_pids(passwd_t)
  files_relabel_etc_files(passwd_t)
-@@ -390,6 +391,7 @@ fs_search_auto_mountpoints(sysadm_passwd_t)
+@@ -392,6 +393,7 @@ fs_search_auto_mountpoints(sysadm_passwd_t)
  
  term_use_all_inherited_terms(sysadm_passwd_t)
  
@@ -77,7 +77,7 @@ index 4779a8d..b8eac3e 100644
  auth_manage_shadow(sysadm_passwd_t)
  auth_relabel_shadow(sysadm_passwd_t)
  auth_etc_filetrans_shadow(sysadm_passwd_t)
-@@ -402,7 +404,6 @@ files_read_usr_files(sysadm_passwd_t)
+@@ -404,7 +406,6 @@ files_read_usr_files(sysadm_passwd_t)
  
  domain_use_interactive_fds(sysadm_passwd_t)
  
@@ -85,7 +85,7 @@ index 4779a8d..b8eac3e 100644
  files_relabel_etc_files(sysadm_passwd_t)
  files_read_etc_runtime_files(sysadm_passwd_t)
  # for nscd lookups
-@@ -461,7 +462,6 @@ domain_use_interactive_fds(useradd_t)
+@@ -463,7 +464,6 @@ domain_use_interactive_fds(useradd_t)
  domain_read_all_domains_state(useradd_t)
  domain_dontaudit_read_all_domains_state(useradd_t)
  
@@ -93,7 +93,7 @@ index 4779a8d..b8eac3e 100644
  files_search_var_lib(useradd_t)
  files_relabel_etc_files(useradd_t)
  files_read_etc_runtime_files(useradd_t)
-@@ -488,6 +488,7 @@ auth_rw_faillog(useradd_t)
+@@ -490,6 +490,7 @@ auth_rw_faillog(useradd_t)
  auth_use_nsswitch(useradd_t)
  # these may be unnecessary due to the above
  # domtrans_chk_passwd() call.
@@ -115,7 +115,7 @@ index 50629a8..09669b6 100644
  init_dontaudit_use_script_ptys(loadkeys_t)
  
 diff --git a/policy/modules/services/abrt.te b/policy/modules/services/abrt.te
-index bd5ff95..c77b9f1 100644
+index b11c27f..5a452ae 100644
 --- a/policy/modules/services/abrt.te
 +++ b/policy/modules/services/abrt.te
 @@ -105,7 +105,6 @@ allow abrt_t self:fifo_file rw_fifo_file_perms;
@@ -177,10 +177,10 @@ index 4f9a575..5fc3a55 100644
  miscfiles_read_fonts(plymouthd_t)
  miscfiles_manage_fonts_cache(plymouthd_t)
 diff --git a/policy/modules/services/virt.te b/policy/modules/services/virt.te
-index 52df08a..7790f7e 100644
+index ea9593c..0e641fa 100644
 --- a/policy/modules/services/virt.te
 +++ b/policy/modules/services/virt.te
-@@ -882,6 +882,7 @@ fs_getattr_xattr_fs(svirt_lxc_domain)
+@@ -888,6 +888,7 @@ fs_getattr_xattr_fs(svirt_lxc_domain)
  fs_list_inotifyfs(svirt_lxc_domain)
  fs_dontaudit_getattr_xattr_fs(svirt_lxc_domain)
  
@@ -189,23 +189,24 @@ index 52df08a..7790f7e 100644
  auth_dontaudit_write_login_records(svirt_lxc_domain)
  auth_search_pam_console_data(svirt_lxc_domain)
 diff --git a/policy/modules/system/authlogin.fc b/policy/modules/system/authlogin.fc
-index 59742f4..904e39c 100644
+index 59742f4..02a592a 100644
 --- a/policy/modules/system/authlogin.fc
 +++ b/policy/modules/system/authlogin.fc
-@@ -7,6 +7,8 @@
+@@ -7,6 +7,9 @@
  /etc/passwd\.lock	--	gen_context(system_u:object_r:shadow_t,s0)
  /etc/passwd\.adjunct.*	--	gen_context(system_u:object_r:shadow_t,s0)
  /etc/shadow.*		--	gen_context(system_u:object_r:shadow_t,s0)
 +/etc/passwd-?		--	gen_context(system_u:object_r:passwd_file_t,s0)
++/etc/ptmptmp		--	gen_context(system_u:object_r:passwd_file_t,s0)
 +/etc/group-?		--	gen_context(system_u:object_r:passwd_file_t,s0)
  
  /sbin/pam_console_apply	 --	gen_context(system_u:object_r:pam_console_exec_t,s0)
  /sbin/pam_timestamp_check --	gen_context(system_u:object_r:pam_exec_t,s0)
 diff --git a/policy/modules/system/authlogin.if b/policy/modules/system/authlogin.if
-index f05a80f..4372e5d 100644
+index e3720d4..8b30edb 100644
 --- a/policy/modules/system/authlogin.if
 +++ b/policy/modules/system/authlogin.if
-@@ -558,7 +558,6 @@ interface(`auth_domtrans_upd_passwd',`
+@@ -557,7 +557,6 @@ interface(`auth_domtrans_upd_passwd',`
  
  	domtrans_pattern($1, updpwd_exec_t, updpwd_t)
  	auth_dontaudit_read_shadow($1)
@@ -213,7 +214,7 @@ index f05a80f..4372e5d 100644
  ')
  
  ########################################
-@@ -755,6 +754,10 @@ interface(`auth_manage_shadow',`
+@@ -754,6 +753,10 @@ interface(`auth_manage_shadow',`
  
  	allow $1 shadow_t:file manage_file_perms;
  	typeattribute $1 can_read_shadow_passwords, can_write_shadow_passwords;
@@ -224,7 +225,7 @@ index f05a80f..4372e5d 100644
  ')
  
  #######################################
-@@ -895,6 +898,9 @@ interface(`auth_manage_faillog',`
+@@ -894,6 +897,9 @@ interface(`auth_manage_faillog',`
  	files_search_pids($1)
  	allow $1 faillog_t:dir manage_dir_perms;
  	allow $1 faillog_t:file manage_file_perms;
@@ -234,7 +235,7 @@ index f05a80f..4372e5d 100644
  ')
  
  #######################################
-@@ -1735,6 +1741,7 @@ interface(`auth_manage_login_records',`
+@@ -1734,6 +1740,7 @@ interface(`auth_manage_login_records',`
  
  	logging_rw_generic_log_dirs($1)
  	allow $1 wtmp_t:file manage_file_perms;
@@ -242,7 +243,7 @@ index f05a80f..4372e5d 100644
  ')
  
  ########################################
-@@ -1810,19 +1817,118 @@ interface(`auth_unconfined',`
+@@ -1809,19 +1816,123 @@ interface(`auth_unconfined',`
  interface(`authlogin_filetrans_named_content',`
  	gen_require(`
  		type shadow_t;
@@ -251,7 +252,11 @@ index f05a80f..4372e5d 100644
  		type wtmp_t;
  	')
  
++	files_etc_filetrans($1, passwd_file_t, file, "group")
++	files_etc_filetrans($1, passwd_file_t, file, "group-")
 +	files_etc_filetrans($1, passwd_file_t, file, "passwd")
++	files_etc_filetrans($1, passwd_file_t, file, "passwd-")
++	files_etc_filetrans($1, passwd_file_t, file, "ptmptmp")
  	files_etc_filetrans($1, shadow_t, file, "shadow")
  	files_etc_filetrans($1, shadow_t, file, "shadow-")
  	files_etc_filetrans($1, shadow_t, file, ".pwd.lock")
@@ -360,6 +365,7 @@ index f05a80f..4372e5d 100644
 +	allow $1 passwd_file_t:file manage_file_perms;
 +	files_etc_filetrans($1, passwd_file_t, file, "passwd")
 +	files_etc_filetrans($1, passwd_file_t, file, "passwd-")
++	files_etc_filetrans($1, passwd_file_t, file, "ptmptmp")
 +	files_etc_filetrans($1, passwd_file_t, file, "group")
 +	files_etc_filetrans($1, passwd_file_t, file, "group-")
 +')
diff --git a/selinux-policy.spec b/selinux-policy.spec
index e67752e..78a0520 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -17,7 +17,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.10.0
-Release: 40%{?dist}
+Release: 40.2%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@@ -29,6 +29,7 @@ patch4: execmem.patch
 patch5: userdomain.patch
 patch6: apache.patch
 patch7: ptrace.patch
+patch8: default_trans.patch
 Source1: modules-targeted.conf
 Source2: booleans-targeted.conf
 Source3: Makefile.devel
@@ -243,12 +244,13 @@ Based off of reference policy: Checked out revision  2.20091117
 %setup -n serefpolicy-%{version} -q
 %patch -p1
 %patch1 -p1
-%patch2 -p1
+%patch2 -p1 -b .passwd
 %patch3 -p1
 %patch4 -p1 -b .execmem
 %patch5 -p1 -b .userdomain
 %patch6 -p1 -b .apache
 %patch7 -p1 -b .ptrace
+%patch8 -p1 -b .default_trans
 
 %install
 mkdir selinux_config
@@ -480,6 +482,9 @@ SELinux Reference policy mls base module.
 %endif
 
 %changelog
+* Mon Oct 17 2011 Dan Walsh <dwalsh at redhat.com> 3.10.0-40.2
+- Add passwd_file_t for /etc/ptmptmp
+
 * Fri Oct 14 2011 Miroslav Grepl <mgrepl at redhat.com> 3.10.0-40
 - Dontaudit access checks for all executables, gnome-shell is doing access(EXEC, X_OK)
 - Make corosync to be able to relabelto cluster lib fies

More information about the scm-commits mailing list