Authlogin patch from Dan Walsh.

This commit is contained in:
Chris PeBenito 2010-03-18 08:59:25 -04:00
parent 4fbcd778de
commit 153ed8751a
3 changed files with 159 additions and 29 deletions


@ -7,9 +7,6 @@
/etc/passwd\.lock -- gen_context(system_u:object_r:shadow_t,s0) /etc/passwd\.lock -- gen_context(system_u:object_r:shadow_t,s0)
/etc/shadow.* -- gen_context(system_u:object_r:shadow_t,s0) /etc/shadow.* -- gen_context(system_u:object_r:shadow_t,s0)
/lib/security/pam_krb5/pam_krb5_storetmp -- gen_context(system_u:object_r:pam_exec_t,s0)
/lib64/security/pam_krb5/pam_krb5_storetmp -- gen_context(system_u:object_r:pam_exec_t,s0)
/sbin/pam_console_apply -- gen_context(system_u:object_r:pam_console_exec_t,s0) /sbin/pam_console_apply -- gen_context(system_u:object_r:pam_console_exec_t,s0)
/sbin/pam_timestamp_check -- gen_context(system_u:object_r:pam_exec_t,s0) /sbin/pam_timestamp_check -- gen_context(system_u:object_r:pam_exec_t,s0)
/sbin/unix_chkpwd -- gen_context(system_u:object_r:chkpwd_exec_t,s0) /sbin/unix_chkpwd -- gen_context(system_u:object_r:chkpwd_exec_t,s0)
@ -42,6 +39,7 @@ ifdef(`distro_gentoo', `
/var/log/wtmp.* -- gen_context(system_u:object_r:wtmp_t,s0) /var/log/wtmp.* -- gen_context(system_u:object_r:wtmp_t,s0)
/var/run/console(/.*)? gen_context(system_u:object_r:pam_var_console_t,s0) /var/run/console(/.*)? gen_context(system_u:object_r:pam_var_console_t,s0)
/var/run/pam_mount(/.*)? gen_context(system_u:object_r:pam_var_run_t,s0) /var/run/pam_mount(/.*)? gen_context(system_u:object_r:pam_var_run_t,s0)
/var/run/pam_ssh(/.*)? gen_context(system_u:object_r:var_auth_t,s0)
/var/run/sepermit(/.*)? gen_context(system_u:object_r:pam_var_run_t,s0)
/var/run/sudo(/.*)? gen_context(system_u:object_r:pam_var_run_t,s0) /var/run/sudo(/.*)? gen_context(system_u:object_r:pam_var_run_t,s0)
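Review bot: `/var/run/pam_ssh(/.*)?` is given `var_auth_t` while the neighbouring `/var/run/pam_mount`, `/var/run/sepermit` and `/var/run/sudo` entries in the same hunk get `pam_var_run_t`, and nothing on the page says why the two differ. The rendered page has lost the +/- markers, so I cannot tell from the line itself whether the pam_ssh entry is being added or removed; if it is added, a one-line comment such as `# pam_ssh state is managed by login programs through var_auth_t (see auth_login_pgm_domain)` would stop the next reader from "fixing" it to pam_var_run_t. The `@ -7,9 +7,6` header says the first hunk removes lines and the only single-sided lines visible there are the two `pam_krb5_storetmp` entries, so the helper would afterwards be labeled by whichever more general /lib/security pattern matches; that is only fine if pam_krb5 is handled elsewhere, which the commit message does not say.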


@ -30,6 +30,54 @@ interface(`auth_role',`
dontaudit $2 shadow_t:file read_file_perms; dontaudit $2 shadow_t:file read_file_perms;
') ')
########################################
## <summary>
## Use PAM for authentication.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`auth_use_pam',`
# for SSP/ProPolice
dev_read_urand($1)
# for encrypted homedir
dev_read_sysfs($1)
auth_domtrans_chk_passwd($1)
auth_domtrans_upd_passwd($1)
auth_dontaudit_read_shadow($1)
auth_read_login_records($1)
auth_append_login_records($1)
auth_rw_lastlog($1)
auth_rw_faillog($1)
auth_exec_pam($1)
auth_use_nsswitch($1)
logging_send_audit_msgs($1)
logging_send_syslog_msg($1)
optional_policy(`
dbus_system_bus_client($1)
optional_policy(`
consolekit_dbus_chat($1)
')
')
optional_policy(`
kerberos_manage_host_rcache($1)
kerberos_read_config($1)
')
optional_policy(`
nis_authenticate($1)
')
')
######################################## ########################################
## <summary> ## <summary>
## Make the specified domain used for a login program. ## Make the specified domain used for a login program.
@ -51,19 +99,26 @@ interface(`auth_login_pgm_domain',`
domain_obj_id_change_exemption($1) domain_obj_id_change_exemption($1)
role system_r types $1; role system_r types $1;
# Needed for pam_selinux_permit to cleanup properly
domain_read_all_domains_state($1)
domain_kill_all_domains($1)
# pam_keyring
allow $1 self:capability ipc_lock;
allow $1 self:process setkeycreate;
allow $1 self:key manage_key_perms;
files_list_var_lib($1) files_list_var_lib($1)
manage_files_pattern($1, var_auth_t, var_auth_t) manage_files_pattern($1, var_auth_t, var_auth_t)
# needed for afs - https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=253321
kernel_rw_afs_state($1)
manage_dirs_pattern($1, auth_cache_t, auth_cache_t) manage_dirs_pattern($1, auth_cache_t, auth_cache_t)
manage_files_pattern($1, auth_cache_t, auth_cache_t) manage_files_pattern($1, auth_cache_t, auth_cache_t)
manage_sock_files_pattern($1, auth_cache_t, auth_cache_t) manage_sock_files_pattern($1, auth_cache_t, auth_cache_t)
files_var_filetrans($1, auth_cache_t, dir) files_var_filetrans($1, auth_cache_t, dir)
# for SSP/ProPolice # needed for afs - https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=253321
dev_read_urand($1) kernel_rw_afs_state($1)
# for fingerprint readers # for fingerprint readers
dev_rw_input_dev($1) dev_rw_input_dev($1)
dev_rw_generic_usb_dev($1) dev_rw_generic_usb_dev($1)
@ -86,21 +141,12 @@ interface(`auth_login_pgm_domain',`
mls_process_set_level($1) mls_process_set_level($1)
mls_fd_share_all_levels($1) mls_fd_share_all_levels($1)
auth_domtrans_chk_passwd($1) auth_use_pam($1)
auth_domtrans_upd_passwd($1)
auth_dontaudit_read_shadow($1)
auth_read_login_records($1)
auth_append_login_records($1)
auth_rw_lastlog($1)
auth_rw_faillog($1)
auth_exec_pam($1)
auth_use_nsswitch($1)
init_rw_utmp($1) init_rw_utmp($1)
logging_send_audit_msgs($1)
logging_send_syslog_msg($1)
logging_set_loginuid($1) logging_set_loginuid($1)
logging_set_tty_audit($1)
seutil_read_config($1) seutil_read_config($1)
seutil_read_default_contexts($1) seutil_read_default_contexts($1)
@ -258,6 +304,7 @@ interface(`auth_manage_cache',`
type auth_cache_t; type auth_cache_t;
') ')
manage_dirs_pattern($1, auth_cache_t, auth_cache_t)
manage_files_pattern($1, auth_cache_t, auth_cache_t) manage_files_pattern($1, auth_cache_t, auth_cache_t)
') ')
@ -305,19 +352,16 @@ interface(`auth_domtrans_chk_passwd',`
dev_read_rand($1) dev_read_rand($1)
dev_read_urand($1) dev_read_urand($1)
auth_use_nsswitch($1)
auth_rw_faillog($1)
logging_send_audit_msgs($1) logging_send_audit_msgs($1)
miscfiles_read_certs($1) miscfiles_read_certs($1)
sysnet_dns_name_resolve($1)
sysnet_use_ldap($1)
optional_policy(` optional_policy(`
kerberos_use($1) kerberos_read_keytab($1)
') kerberos_connect_524($1)
optional_policy(`
nis_use_ypbind($1)
') ')
optional_policy(` optional_policy(`
@ -330,6 +374,28 @@ interface(`auth_domtrans_chk_passwd',`
') ')
') ')
########################################
## <summary>
## Run unix_chkpwd to check a password.
## Stripped down version to be called within boolean
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`auth_domtrans_chkpwd',`
gen_require(`
type chkpwd_t, chkpwd_exec_t, shadow_t;
')
corecmd_search_bin($1)
domtrans_pattern($1, chkpwd_exec_t, chkpwd_t)
dontaudit $1 shadow_t:file { getattr read };
auth_domtrans_upd_passwd($1)
')
######################################## ########################################
## <summary> ## <summary>
## Execute chkpwd programs in the chkpwd domain. ## Execute chkpwd programs in the chkpwd domain.
@ -1127,6 +1193,32 @@ interface(`auth_relabel_all_files_except_shadow',`
files_relabel_all_files($1,$2 -shadow_t) files_relabel_all_files($1,$2 -shadow_t)
') ')
########################################
## <summary>
## Read and write all files on the filesystem, except
## the shadow passwords and listed exceptions.
## </summary>
## <param name="domain">
## <summary>
## The type of the domain perfoming this action.
## </summary>
## </param>
## <param name="exception_types" optional="true">
## <summary>
## The types to be excluded. Each type or attribute
## must be negated by the caller.
## </summary>
## </param>
#
interface(`auth_rw_all_files_except_shadow',`
gen_require(`
type shadow_t;
')
files_rw_all_files($1,$2 -shadow_t)
')
######################################## ########################################
## <summary> ## <summary>
## Manage all files on the filesystem, except ## Manage all files on the filesystem, except
@ -1252,6 +1344,26 @@ interface(`auth_read_login_records',`
allow $1 wtmp_t:file read_file_perms; allow $1 wtmp_t:file read_file_perms;
') ')
########################################
## <summary>
## Do not audit attempts to read login records
## files (/var/log/wtmp).
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
## <rolecap/>
#
interface(`auth_dontaudit_read_login_records',`
gen_require(`
type wtmp_t;
')
dontaudit $1 wtmp_t:file read_file_perms;
')
######################################## ########################################
## <summary> ## <summary>
## Do not audit attempts to write to ## Do not audit attempts to write to
@ -1402,10 +1514,18 @@ interface(`auth_use_nsswitch',`
avahi_stream_connect($1) avahi_stream_connect($1)
') ')
optional_policy(`
ldap_stream_connect($1)
')
optional_policy(` optional_policy(`
likewise_stream_connect_lsassd($1) likewise_stream_connect_lsassd($1)
') ')
optional_policy(`
kerberos_use($1)
')
optional_policy(` optional_policy(`
nis_use_ypbind($1) nis_use_ypbind($1)
') ')
@ -1417,6 +1537,7 @@ interface(`auth_use_nsswitch',`
optional_policy(` optional_policy(`
samba_stream_connect_winbind($1) samba_stream_connect_winbind($1)
samba_read_var_files($1) samba_read_var_files($1)
samba_dontaudit_write_var_files($1)
') ')
') ')
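Review bot: The `auth_domtrans_chk_passwd` hunk (`@ -305,19 +352,16`) drops `auth_use_nsswitch($1)`, `auth_rw_faillog($1)`, `sysnet_dns_name_resolve($1)`, `sysnet_use_ldap($1)` and the `nis_use_ypbind` block, so a caller outside this module that relied on `auth_domtrans_chk_passwd` alone now has to call `auth_use_pam` or `auth_use_nsswitch` as well, and the loss shows up as authentication denials at runtime rather than as a build error. The commit message does not mention this, so either the callers were converted in a commit not visible here or `auth_use_pam` needs a note in its summary that it replaces the old chk_passwd contract. The `auth_use_pam` summary should in any case say what it grants beyond "Use PAM" — transitions into chkpwd/updpwd, writes to lastlog, faillog and wtmp, audit and syslog messaging, kerberos host rcache management — so it is not applied to every program that merely links libpam; something like `## Grant what a domain running the PAM stack needs: chkpwd/updpwd transitions, login record and faillog writes, audit/syslog, nsswitch.`. In the first `auth_login_pgm_domain` hunk, `domain_kill_all_domains($1)` and `domain_read_all_domains_state($1)` are granted unconditionally to every login-program domain for the sake of one module; the comment should say which signals pam_selinux_permit actually needs, and the grant narrowed if a narrower domain interface covers them. Also, `perfoming` in the `auth_rw_all_files_except_shadow` parameter doc is a typo for `performing`.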


@ -1,5 +1,5 @@
policy_module(authlogin, 2.1.3) policy_module(authlogin, 2.1.4)
######################################## ########################################
# #
@ -103,8 +103,10 @@ files_dontaudit_search_var(chkpwd_t)
fs_dontaudit_getattr_xattr_fs(chkpwd_t) fs_dontaudit_getattr_xattr_fs(chkpwd_t)
term_dontaudit_use_console(chkpwd_t)
term_dontaudit_use_unallocated_ttys(chkpwd_t) term_dontaudit_use_unallocated_ttys(chkpwd_t)
term_dontaudit_use_generic_ptys(chkpwd_t) term_dontaudit_use_generic_ptys(chkpwd_t)
term_dontaudit_use_all_ptys(chkpwd_t)
auth_use_nsswitch(chkpwd_t) auth_use_nsswitch(chkpwd_t)
@ -124,10 +126,19 @@ ifdef(`distro_ubuntu',`
') ')
') ')
optional_policy(`
# apache leaks file descriptors
apache_dontaudit_rw_tcp_sockets(chkpwd_t)
')
optional_policy(` optional_policy(`
kerberos_use(chkpwd_t) kerberos_use(chkpwd_t)
') ')
optional_policy(`
nis_authenticate(chkpwd_t)
')
######################################## ########################################
# #
# PAM local policy # PAM local policy
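Review bot: `policy_module(authlogin, 2.1.3)` becomes `2.1.4`, a patch-level bump, while the same commit adds new interfaces (`auth_use_pam`, `auth_domtrans_chkpwd`, `auth_rw_all_files_except_shadow`, `auth_dontaudit_read_login_records`) and changes what `auth_domtrans_chk_passwd` grants; as far as I recall refpolicy's convention, interface additions take a minor bump, which would make this `policy_module(authlogin, 2.2.0)`. In the last hunk `term_dontaudit_use_all_ptys(chkpwd_t)` is added next to the existing `term_dontaudit_use_generic_ptys(chkpwd_t)`; if the all_ptys interface covers generic ptys the older line is now redundant, and a short comment or its removal would make that clear.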