trunk: 1 patch from dan.
This commit is contained in:
Chris PeBenito
parent
a65fd90a50
commit
30425aa876
@ -1,5 +1,5 @@
|
||||
|
||||
policy_module(certwatch, 1.3.0)
|
||||
policy_module(certwatch, 1.3.1)
|
||||
|
||||
########################################
|
||||
#
|
||||
@ -27,6 +27,9 @@ files_list_tmp(certwatch_t)
|
||||
|
||||
fs_list_inotifyfs(certwatch_t)
|
||||
|
||||
auth_manage_cache(certwatch_t)
|
||||
auth_var_filetrans_cache(certwatch_t)
|
||||
|
||||
logging_send_syslog_msg(certwatch_t)
|
||||
|
||||
miscfiles_read_certs(certwatch_t)
|
||||
@ -36,6 +39,7 @@ userdom_use_user_terminals(certwatch_t)
|
||||
|
||||
optional_policy(`
|
||||
apache_exec_modules(certwatch_t)
|
||||
apache_read_config(certwatch_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
|
||||
@ -26,6 +26,8 @@ ifdef(`distro_gentoo', `
|
||||
/usr/sbin/unix_chkpwd -- gen_context(system_u:object_r:chkpwd_exec_t,s0)
|
||||
')
|
||||
|
||||
/var/cache/coolkey(/.*)? gen_context(system_u:object_r:auth_cache_t,s0)
|
||||
|
||||
/var/db/shadow.* -- gen_context(system_u:object_r:shadow_t,s0)
|
||||
|
||||
/var/lib/abl(/.*)? gen_context(system_u:object_r:var_auth_t,s0)
|
||||
|
||||
@ -42,7 +42,7 @@ interface(`auth_role',`
|
||||
#
|
||||
interface(`auth_login_pgm_domain',`
|
||||
gen_require(`
|
||||
type var_auth_t;
|
||||
type var_auth_t, auth_cache_t;
|
||||
')
|
||||
|
||||
domain_type($1)
|
||||
@ -57,6 +57,11 @@ interface(`auth_login_pgm_domain',`
|
||||
# needed for afs - https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=253321
|
||||
kernel_rw_afs_state($1)
|
||||
|
||||
manage_dirs_pattern($1, auth_cache_t, auth_cache_t)
|
||||
manage_files_pattern($1, auth_cache_t, auth_cache_t)
|
||||
manage_sock_files_pattern($1, auth_cache_t, auth_cache_t)
|
||||
files_var_filetrans($1, auth_cache_t, dir)
|
||||
|
||||
# for SSP/ProPolice
|
||||
dev_read_urand($1)
|
||||
# for fingerprint readers
|
||||
@ -184,6 +189,96 @@ interface(`auth_ranged_domtrans_login_program',`
|
||||
')
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Search authentication cache
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`auth_search_cache',`
|
||||
gen_require(`
|
||||
type auth_cache_t;
|
||||
')
|
||||
|
||||
allow $1 auth_cache_t:dir search_dir_perms;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Read authentication cache
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`auth_read_cache',`
|
||||
gen_require(`
|
||||
type auth_cache_t;
|
||||
')
|
||||
|
||||
read_files_pattern($1, auth_cache_t, auth_cache_t)
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Read/Write authentication cache
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`auth_rw_cache',`
|
||||
gen_require(`
|
||||
type auth_cache_t;
|
||||
')
|
||||
|
||||
rw_files_pattern($1, auth_cache_t, auth_cache_t)
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Manage authentication cache
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`auth_manage_cache',`
|
||||
gen_require(`
|
||||
type auth_cache_t;
|
||||
')
|
||||
|
||||
manage_files_pattern($1, auth_cache_t, auth_cache_t)
|
||||
')
|
||||
|
||||
#######################################
|
||||
## <summary>
|
||||
## Automatic transition from cache_t to cache.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`auth_var_filetrans_cache',`
|
||||
gen_require(`
|
||||
type auth_cache_t;
|
||||
')
|
||||
|
||||
files_var_filetrans($1,auth_cache_t,{ file dir } )
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Run unix_chkpwd to check a password.
|
||||
@ -197,8 +292,11 @@ interface(`auth_ranged_domtrans_login_program',`
|
||||
interface(`auth_domtrans_chk_passwd',`
|
||||
gen_require(`
|
||||
type chkpwd_t, chkpwd_exec_t, shadow_t;
|
||||
type auth_cache_t;
|
||||
')
|
||||
|
||||
allow $1 auth_cache_t:dir search_dir_perms;
|
||||
|
||||
corecmd_search_bin($1)
|
||||
domtrans_pattern($1, chkpwd_exec_t, chkpwd_t)
|
||||
|
||||
@ -650,7 +748,7 @@ interface(`auth_domtrans_pam',`
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Execute pam programs in the pam domain.
|
||||
## Send generic signals to pam processes.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
|
||||
@ -1,5 +1,5 @@
|
||||
|
||||
policy_module(authlogin, 2.0.0)
|
||||
policy_module(authlogin, 2.0.1)
|
||||
|
||||
########################################
|
||||
#
|
||||
@ -10,6 +10,9 @@ attribute can_read_shadow_passwords;
|
||||
attribute can_write_shadow_passwords;
|
||||
attribute can_relabelto_shadow_passwords;
|
||||
|
||||
type auth_cache_t;
|
||||
logging_log_file(auth_cache_t)
|
||||
|
||||
type chkpwd_t, can_read_shadow_passwords;
|
||||
type chkpwd_exec_t;
|
||||
typealias chkpwd_t alias { user_chkpwd_t staff_chkpwd_t sysadm_chkpwd_t };
|
||||
|
||||
Loading…
Reference in New Issue
Block a user