From 13e94c09e437d40f2531dd7d96dcba0419f4d922 Mon Sep 17 00:00:00 2001 From: Chris PeBenito Date: Mon, 9 May 2005 21:07:53 +0000 Subject: [PATCH] more authlogin handling --- refpolicy/policy/modules/admin/usermanage.te | 14 ++------------ refpolicy/policy/modules/system/hostname.te | 7 +++++-- refpolicy/policy/modules/system/hotplug.if | 14 ++++++++++++++ refpolicy/policy/modules/system/hotplug.te | 17 ++++++++--------- refpolicy/policy/modules/system/logging.te | 2 -- 5 files changed, 29 insertions(+), 25 deletions(-) diff --git a/refpolicy/policy/modules/admin/usermanage.te b/refpolicy/policy/modules/admin/usermanage.te index 95206f3b..33b85043 100644 --- a/refpolicy/policy/modules/admin/usermanage.te +++ b/refpolicy/policy/modules/admin/usermanage.te @@ -241,13 +241,12 @@ logging_send_system_log_message(groupadd_t) miscfiles_read_localization(groupadd_t) +authlogin_manage_shadow_passwords(groupadd_t) authlogin_modify_last_login_log(groupadd_t) selinux_read_config(groupadd_t) ifdef(`TODO',` -domain_auto_trans(initrc_t, groupadd_exec_t, groupadd_t) - role sysadm_r types groupadd_t; domain_auto_trans(sysadm_t, groupadd_exec_t, groupadd_t) @@ -258,14 +257,8 @@ allow groupadd_t autofs_t:dir { search getattr }; ') # Update /etc/shadow and /etc/passwd -file_type_auto_trans(groupadd_t, etc_t, shadow_t, file) - allow groupadd_t { etc_t shadow_t }:file { relabelfrom relabelto }; -# useradd/userdel request read/write for /var/log/lastlog, and read of /dev, -# but will operate without them. -dontaudit groupadd_t device_t:dir search; - # Access terminals. ifdef(`gnome-pty-helper.te', `allow groupadd_t gphdomain:fd use;') @@ -518,12 +511,11 @@ selinux_read_config(useradd_t) logging_send_system_log_message(useradd_t) +authlogin_manage_shadow_passwords(useradd_t) authlogin_modify_last_login_log(useradd_t) ifdef(`TODO',` -domain_auto_trans(initrc_t, useradd_exec_t, useradd_t) - role sysadm_r types useradd_t; domain_auto_trans(sysadm_t, useradd_exec_t, useradd_t) 
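Review bot: The new `authlogin_manage_shadow_passwords(groupadd_t)` call is added to the generic interface list at the top of the hunk, while the `# Update /etc/shadow and /etc/passwd` comment in the next hunk (@@ -258) is now left above only the relabel rule whose creation counterpart it used to describe. Consider placing the call directly under that comment, or moving the comment, so the shadow handling reads as one unit; the same applies to the useradd_t pair (@@ -518 and @@ -534). Whether the authlogin interface already grants relabelfrom/relabelto on shadow_t is not visible here: if it does, the local `allow groupadd_t { etc_t shadow_t }:file { relabelfrom relabelto };` is redundant, and if it does not, that rule may belong in authlogin.if next to the manage interface so every grant of shadow access lives in one reviewable place.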
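Review bot: `dontaudit groupadd_t device_t:dir search;` is removed along with its explanatory comment, but nothing in this hunk replaces it; unless a device dontaudit interface is called elsewhere in the groupadd_t section, the benign /dev lookup the old comment describes will reappear in the audit log as a denial and add noise for anyone triaging AVCs. If the search is still unneeded, keep the suppression as an interface call from the devices module with a one-line comment such as `# groupadd looks up /dev but operates without it`. The old wording referring to useradd/userdel was misplaced in the groupadd_t section, so dropping that text is fine. The parallel useradd_t hunk (@@ -534) only drops the file_type_auto_trans and never carried this dontaudit, so it needs no change.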
@@ -534,8 +526,6 @@ allow useradd_t autofs_t:dir { search getattr }; ') # Update /etc/shadow and /etc/passwd -file_type_auto_trans(useradd_t, etc_t, shadow_t, file) - allow useradd_t { etc_t shadow_t }:file { relabelfrom relabelto }; # Access terminals. diff --git a/refpolicy/policy/modules/system/hostname.te b/refpolicy/policy/modules/system/hostname.te index e51e5a37..bb73eb27 100644 --- a/refpolicy/policy/modules/system/hostname.te +++ b/refpolicy/policy/modules/system/hostname.te @@ -55,14 +55,17 @@ terminal_ignore_use_general_pseudoterminal(hostname_t) files_ignore_read_rootfs_file(hostname_t) ')dnl end targeted_policy tunable -optional_policy(`udev.te', ` -udev_read_database(hostname_t) +optional_policy(`hostname.te',` +hotplug_ignore_use_file_descriptors(hostname_t) ') optional_policy(`selinux.te',` selinux_newrole_sigchld(hostname_t) ') +optional_policy(`udev.te', ` +udev_read_database(hostname_t) +') ifdef(`TODO',` diff --git a/refpolicy/policy/modules/system/hotplug.if b/refpolicy/policy/modules/system/hotplug.if index d1523598..26ab9a5e 100644 --- a/refpolicy/policy/modules/system/hotplug.if +++ b/refpolicy/policy/modules/system/hotplug.if @@ -46,6 +46,20 @@ type hotplug_t; class fd use; ') +####################################### +# +# hotplug_ignore_use_file_descriptors(domain) +# +define(`hotplug_ignore_use_file_descriptors',` +requires_block_template(`$0'_depend) +dontaudit $1 hotplug_t:fd use; +') + +define(`hotplug_ignore_use_file_descriptors_depend',` +type hotplug_t; +class fd use; +') + ######################################## # # hotplug_ignore_search_config_directory(domain) diff --git a/refpolicy/policy/modules/system/hotplug.te b/refpolicy/policy/modules/system/hotplug.te index fd60c4fa..5abaaec2 100644 --- a/refpolicy/policy/modules/system/hotplug.te +++ b/refpolicy/policy/modules/system/hotplug.te 
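Review bot: The new block wraps `hotplug_ignore_use_file_descriptors(hostname_t)` in an optional_policy guard whose module argument is hostname.te, the very file being edited, even though the interface and the hotplug_t type it references come from hotplug.if and hotplug.te; the guard's module argument should be hotplug.te so the rule is dropped cleanly when the hotplug module is not built. This rule is the replacement for `dontaudit hostname_t hotplug_t:fd use;` removed from hotplug.te (its @@ -158 hunk), so with the current guard the suppression would be emitted unconditionally and could reference a type no module declares. The udev block is only moved to keep alphabetical order and needs no change.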
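Review bot: The new `hotplug_ignore_use_file_descriptors` interface carries only its name in the header comment and no description of when a caller should use it; a line such as `# Do not audit attempts by the domain to use hotplug's file descriptors` under the name would state what the rule does and help callers choose between this and the allow variant whose depend block ends just above it. The `_depend` template repeats `type hotplug_t; class fd use;` verbatim from that preceding interface, which matches this file's template style, but the new separator line appears to be one `#` shorter than the surrounding separator lines and is worth aligning.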
@@ -100,6 +100,10 @@ optional_policy(`consoletype.te',` consoletype_transition(hotplug_t) ') +optional_policy(`hostname.te',` +hostname_execute(hotplug_t) +') + optional_policy(`iptables.te',` iptables_transition(hotplug_t) ') @@ -108,6 +112,10 @@ optional_policy(`selinux.te',` selinux_newrole_sigchld(hotplug_t) ') +optional_policy(`sysnetwork.te',` +sysnetwork_ifconfig_transition(hotplug_t) +') + optional_policy(`udev.te', ` udev_transition(hotplug_t) udev_read_database(hotplug_t) @@ -158,15 +166,6 @@ allow hotplug_t var_log_t:dir search; dontaudit hotplug_t domain:dir { getattr search }; dontaudit hotplug_t { init_t kernel_t }:file read; -optional_policy(`hostname.te',` -hostname_execute(hotplug_t) -dontaudit hostname_t hotplug_t:fd use; -') - -optional_policy(`sysnetwork.te',` -ifconfig_transition(hotplug_t) -') - tunable_policy(`distro_redhat', ` optional_policy(`netutils.te', ` # for arping used for static IP addresses on PCMCIA ethernet diff --git a/refpolicy/policy/modules/system/logging.te b/refpolicy/policy/modules/system/logging.te index 0e247404..a15471d5 100644 --- a/refpolicy/policy/modules/system/logging.te +++ b/refpolicy/policy/modules/system/logging.te @@ -164,8 +164,6 @@ files_ignore_read_rootfs_file(syslogd_t) ') ifdef(`TODO',` - -allow syslogd_t proc_t:dir r_dir_perms; allow syslogd_t proc_t:lnk_file read; dontaudit syslogd_t unpriv_userdomain:fd use; allow syslogd_t autofs_t:dir { search getattr };