Authlogin patch from Dan Walsh.

policy/modules/system/authlogin.fc

@@ -7,9 +7,6 @@
 /etc/passwd\.lock	--	gen_context(system_u:object_r:shadow_t,s0)
 /etc/shadow.*		--	gen_context(system_u:object_r:shadow_t,s0)
 
-/lib/security/pam_krb5/pam_krb5_storetmp -- gen_context(system_u:object_r:pam_exec_t,s0)
-/lib64/security/pam_krb5/pam_krb5_storetmp -- gen_context(system_u:object_r:pam_exec_t,s0)
-
 /sbin/pam_console_apply	 --	gen_context(system_u:object_r:pam_console_exec_t,s0)
 /sbin/pam_timestamp_check --	gen_context(system_u:object_r:pam_exec_t,s0)
 /sbin/unix_chkpwd	--	gen_context(system_u:object_r:chkpwd_exec_t,s0)
@@ -42,6 +39,7 @@ ifdef(`distro_gentoo', `
 /var/log/wtmp.*		--	gen_context(system_u:object_r:wtmp_t,s0)
 
 /var/run/console(/.*)?	 	gen_context(system_u:object_r:pam_var_console_t,s0)
-
 /var/run/pam_mount(/.*)?	gen_context(system_u:object_r:pam_var_run_t,s0)
+/var/run/pam_ssh(/.*)?		gen_context(system_u:object_r:var_auth_t,s0)
+/var/run/sepermit(/.*)? 	gen_context(system_u:object_r:pam_var_run_t,s0)
 /var/run/sudo(/.*)?		gen_context(system_u:object_r:pam_var_run_t,s0)

policy/modules/system/authlogin.if

@@ -30,6 +30,54 @@ interface(`auth_role',`
 	dontaudit $2 shadow_t:file read_file_perms;
 ')
 
+########################################
+## <summary>
+##	Use PAM for authentication.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`auth_use_pam',`
+
+	# for SSP/ProPolice
+	dev_read_urand($1)
+	# for encrypted homedir
+	dev_read_sysfs($1)
+
+	auth_domtrans_chk_passwd($1)
+	auth_domtrans_upd_passwd($1)
+	auth_dontaudit_read_shadow($1)
+	auth_read_login_records($1)
+	auth_append_login_records($1)
+	auth_rw_lastlog($1)
+	auth_rw_faillog($1)
+	auth_exec_pam($1)
+	auth_use_nsswitch($1)
+
+	logging_send_audit_msgs($1)
+	logging_send_syslog_msg($1)
+
+	optional_policy(`
+		dbus_system_bus_client($1)
+
+		optional_policy(`
+			consolekit_dbus_chat($1)
+		')
+	')
+
+	optional_policy(`
+		kerberos_manage_host_rcache($1)
+		kerberos_read_config($1)
+	')
+
+	optional_policy(`
+		nis_authenticate($1)
+	')
+')
+
 ########################################
 ## <summary>
 ##	Make the specified domain used for a login program.
@@ -51,19 +99,26 @@ interface(`auth_login_pgm_domain',`
 	domain_obj_id_change_exemption($1)
 	role system_r types $1;
 
+	# Needed for pam_selinux_permit to cleanup properly
+	domain_read_all_domains_state($1)
+	domain_kill_all_domains($1)
+
+	# pam_keyring
+	allow $1 self:capability ipc_lock;
+	allow $1 self:process setkeycreate;
+	allow $1 self:key manage_key_perms;
+
 	files_list_var_lib($1)
 	manage_files_pattern($1, var_auth_t, var_auth_t)
 
-	# needed for afs - https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=253321
-	kernel_rw_afs_state($1)
-
 	manage_dirs_pattern($1, auth_cache_t, auth_cache_t)
 	manage_files_pattern($1, auth_cache_t, auth_cache_t)
 	manage_sock_files_pattern($1, auth_cache_t, auth_cache_t)
 	files_var_filetrans($1, auth_cache_t, dir)
 
-	# for SSP/ProPolice
+	# needed for afs - https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=253321
-	dev_read_urand($1)
+	kernel_rw_afs_state($1)
+
 	# for fingerprint readers
 	dev_rw_input_dev($1)
 	dev_rw_generic_usb_dev($1)
@@ -86,21 +141,12 @@ interface(`auth_login_pgm_domain',`
 	mls_process_set_level($1)
 	mls_fd_share_all_levels($1)
 
-	auth_domtrans_chk_passwd($1)
+	auth_use_pam($1)
-	auth_domtrans_upd_passwd($1)
-	auth_dontaudit_read_shadow($1)
-	auth_read_login_records($1)
-	auth_append_login_records($1)
-	auth_rw_lastlog($1)
-	auth_rw_faillog($1)
-	auth_exec_pam($1)
-	auth_use_nsswitch($1)
 
 	init_rw_utmp($1)
 
-	logging_send_audit_msgs($1)
-	logging_send_syslog_msg($1)
 	logging_set_loginuid($1)
+	logging_set_tty_audit($1)
 
 	seutil_read_config($1)
 	seutil_read_default_contexts($1)
@@ -258,6 +304,7 @@ interface(`auth_manage_cache',`
 		type auth_cache_t;
 	')
 
+	manage_dirs_pattern($1, auth_cache_t, auth_cache_t)
 	manage_files_pattern($1, auth_cache_t, auth_cache_t)
 ')
 
@@ -305,19 +352,16 @@ interface(`auth_domtrans_chk_passwd',`
 	dev_read_rand($1)
 	dev_read_urand($1)
 
+	auth_use_nsswitch($1)
+	auth_rw_faillog($1)
+
 	logging_send_audit_msgs($1)
 
 	miscfiles_read_certs($1)
 
-	sysnet_dns_name_resolve($1)
-	sysnet_use_ldap($1)
-
 	optional_policy(`
-		kerberos_use($1)
+		kerberos_read_keytab($1)
-	')
+		kerberos_connect_524($1)
-
-	optional_policy(`
-		nis_use_ypbind($1)
 	')
 
 	optional_policy(`
@@ -330,6 +374,28 @@ interface(`auth_domtrans_chk_passwd',`
 	')
 ')
 
+########################################
+## <summary>
+##	Run unix_chkpwd to check a password.
+## 	Stripped down version to be called within boolean
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`auth_domtrans_chkpwd',`
+	gen_require(`
+		type chkpwd_t, chkpwd_exec_t, shadow_t;
+	')
+
+	corecmd_search_bin($1)
+	domtrans_pattern($1, chkpwd_exec_t, chkpwd_t)
+	dontaudit $1 shadow_t:file { getattr read };
+	auth_domtrans_upd_passwd($1)
+')
+
 ########################################
 ## <summary>
 ##	Execute chkpwd programs in the chkpwd domain.
@@ -1127,6 +1193,32 @@ interface(`auth_relabel_all_files_except_shadow',`
 	files_relabel_all_files($1,$2 -shadow_t)
 ')
 
+########################################
+## <summary>
+##	Read and write all files on the filesystem, except
+##	the shadow passwords and listed exceptions.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	The type of the domain perfoming this action.
+##	</summary>
+## </param>
+## <param name="exception_types" optional="true">
+##	<summary>
+##	The types to be excluded.  Each type or attribute
+##	must be negated by the caller.
+##	</summary>
+## </param>
+#
+
+interface(`auth_rw_all_files_except_shadow',`
+	gen_require(`
+		type shadow_t;
+	')
+
+	files_rw_all_files($1,$2 -shadow_t)
+')
+
 ########################################
 ## <summary>
 ##	Manage all files on the filesystem, except
@@ -1252,6 +1344,26 @@ interface(`auth_read_login_records',`
 	allow $1 wtmp_t:file read_file_perms;
 ')
 
+########################################
+## <summary>
+##	Do not audit attempts to read login records
+##	files (/var/log/wtmp).
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`auth_dontaudit_read_login_records',`
+	gen_require(`
+		type wtmp_t;
+	')
+
+	dontaudit $1 wtmp_t:file read_file_perms;
+')
+
 ########################################
 ## <summary>
 ##	Do not audit attempts to write to
@@ -1402,10 +1514,18 @@ interface(`auth_use_nsswitch',`
 		avahi_stream_connect($1)
 	')
 
+	optional_policy(`
+		ldap_stream_connect($1)
+	')
+
  	optional_policy(`
 		likewise_stream_connect_lsassd($1)
 	')
 
+	optional_policy(`
+		kerberos_use($1)
+	')
+
 	optional_policy(`
 		nis_use_ypbind($1)
 	')
@@ -1417,6 +1537,7 @@ interface(`auth_use_nsswitch',`
 	optional_policy(`
 		samba_stream_connect_winbind($1)
 		samba_read_var_files($1)
+		samba_dontaudit_write_var_files($1)
 	')
 ')
 

policy/modules/system/authlogin.te

@@ -1,5 +1,5 @@
 
-policy_module(authlogin, 2.1.3)
+policy_module(authlogin, 2.1.4)
 
 ########################################
 #
@@ -103,8 +103,10 @@ files_dontaudit_search_var(chkpwd_t)
 
 fs_dontaudit_getattr_xattr_fs(chkpwd_t)
 
+term_dontaudit_use_console(chkpwd_t)
 term_dontaudit_use_unallocated_ttys(chkpwd_t)
 term_dontaudit_use_generic_ptys(chkpwd_t)
+term_dontaudit_use_all_ptys(chkpwd_t)
 
 auth_use_nsswitch(chkpwd_t)
 
@@ -124,10 +126,19 @@ ifdef(`distro_ubuntu',`
 	')
 ')
 
+optional_policy(`
+	# apache leaks file descriptors
+	apache_dontaudit_rw_tcp_sockets(chkpwd_t)
+')
+
 optional_policy(`
 	kerberos_use(chkpwd_t)
 ')
 
+optional_policy(`
+	nis_authenticate(chkpwd_t)
+')
+
 ########################################
 #
 # PAM local policy