From 30425aa876ce0e2a4d8935facbfe97d194f8df27 Mon Sep 17 00:00:00 2001
From: Chris PeBenito
Date: Fri, 12 Jun 2009 15:30:15 +0000
Subject: [PATCH] trunk: 1 patch from dan.
---
 policy/modules/admin/certwatch.te | 6 +-
 policy/modules/system/authlogin.fc | 2 +
 policy/modules/system/authlogin.if | 102 ++++++++++++++++++++++++++++-
 policy/modules/system/authlogin.te | 5 +-
 4 files changed, 111 insertions(+), 4 deletions(-)
diff --git a/policy/modules/admin/certwatch.te b/policy/modules/admin/certwatch.te
index 9ac14de7..5d2b2aa6 100644
--- a/policy/modules/admin/certwatch.te
+++ b/policy/modules/admin/certwatch.te
@@ -1,5 +1,5 @@
-policy_module(certwatch, 1.3.0)
+policy_module(certwatch, 1.3.1)
 ########################################
 #
@@ -27,6 +27,9 @@ files_list_tmp(certwatch_t)
 fs_list_inotifyfs(certwatch_t)
+auth_manage_cache(certwatch_t)
+auth_var_filetrans_cache(certwatch_t)
+
 logging_send_syslog_msg(certwatch_t)
 miscfiles_read_certs(certwatch_t)
@@ -36,6 +39,7 @@ userdom_use_user_terminals(certwatch_t)
 optional_policy(`
 	apache_exec_modules(certwatch_t)
+	apache_read_config(certwatch_t)
 ')
 optional_policy(`
diff --git a/policy/modules/system/authlogin.fc b/policy/modules/system/authlogin.fc
index fdfd1e5b..e83330ba 100644
--- a/policy/modules/system/authlogin.fc
+++ b/policy/modules/system/authlogin.fc
@@ -26,6 +26,8 @@ ifdef(`distro_gentoo', `
 /usr/sbin/unix_chkpwd -- gen_context(system_u:object_r:chkpwd_exec_t,s0)
 ')
+/var/cache/coolkey(/.*)? gen_context(system_u:object_r:auth_cache_t,s0)
+
 /var/db/shadow.* -- gen_context(system_u:object_r:shadow_t,s0)
 /var/lib/abl(/.*)? gen_context(system_u:object_r:var_auth_t,s0)
diff --git a/policy/modules/system/authlogin.if b/policy/modules/system/authlogin.if
index 7fb4cfe7..a18d1f27 100644
--- a/policy/modules/system/authlogin.if
+++ b/policy/modules/system/authlogin.if
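Review bot: In the certwatch.te hunk at line 27, `auth_var_filetrans_cache(certwatch_t)` is paired with `auth_manage_cache(certwatch_t)`, but as defined in this patch the latter grants only `manage_files_pattern`, while the former transitions `{ file dir }`; a directory certwatch_t creates under var_t would therefore be typed auth_cache_t without certwatch_t holding `auth_cache_t:dir create`, which looks like a runtime denial rather than a working rule. The transition is also unnamed, so every file or directory certwatch_t creates directly in var_t receives the cache label, not only the coolkey directory that authlogin.fc labels. If only the files inside the already-labelled /var/cache/coolkey are needed, the dir side of the transition can be dropped; otherwise `auth_manage_cache` needs matching dir permissions, and a comment on the certwatch side such as `# coolkey cache under /var/cache (auth_cache_t)` would record why both calls are present.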
@@ -42,7 +42,7 @@ interface(`auth_role',`
 #
 interface(`auth_login_pgm_domain',`
 	gen_require(`
-		type var_auth_t;
+		type var_auth_t, auth_cache_t;
 	')
 	domain_type($1)
@@ -57,6 +57,11 @@ interface(`auth_login_pgm_domain',`
 	# needed for afs - https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=253321
 	kernel_rw_afs_state($1)
+	manage_dirs_pattern($1, auth_cache_t, auth_cache_t)
+	manage_files_pattern($1, auth_cache_t, auth_cache_t)
+	manage_sock_files_pattern($1, auth_cache_t, auth_cache_t)
+	files_var_filetrans($1, auth_cache_t, dir)
+
 	# for SSP/ProPolice
 	dev_read_urand($1)
 	# for fingerprint readers
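Review bot: `files_var_filetrans($1, auth_cache_t, dir)` in the second hunk is an unnamed transition, so every directory that any login-program domain creates directly in var_t becomes auth_cache_t, which is much broader than the single /var/cache/coolkey path this patch labels in authlogin.fc. It also disagrees with the new `auth_var_filetrans_cache` interface in the same patch, which transitions `{ file dir }`; the two should be reconciled so that the cache rule is the same for all callers. A why-comment above the block, e.g. `# coolkey cache in /var/cache (auth_cache_t), see authlogin.fc`, would tell the next reader what these four lines are for, since nothing else in the hunk names the consumer. `auth_login_pgm_domain` begins in the previous hunk and continues past this one.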
@@ -184,6 +189,96 @@ interface(`auth_ranged_domtrans_login_program',`
 	')
 ')
+########################################
+##
+## Search authentication cache
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`auth_search_cache',`
+	gen_require(`
+		type auth_cache_t;
+	')
+
+	allow $1 auth_cache_t:dir search_dir_perms;
+')
+
+########################################
+##
+## Read authentication cache
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`auth_read_cache',`
+	gen_require(`
+		type auth_cache_t;
+	')
+
+	read_files_pattern($1, auth_cache_t, auth_cache_t)
+')
+
+########################################
+##
+## Read/Write authentication cache
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`auth_rw_cache',`
+	gen_require(`
+		type auth_cache_t;
+	')
+
+	rw_files_pattern($1, auth_cache_t, auth_cache_t)
+')
+
+########################################
+##
+## Manage authentication cache
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`auth_manage_cache',`
+	gen_require(`
+		type auth_cache_t;
+	')
+
+	manage_files_pattern($1, auth_cache_t, auth_cache_t)
+')
+
+#######################################
+##
+## Automatic transition from cache_t to cache.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`auth_var_filetrans_cache',`
+	gen_require(`
+		type auth_cache_t;
+	')
+
+	files_var_filetrans($1,auth_cache_t,{ file dir } )
+')
+
 ########################################
 ##
 ## Run unix_chkpwd to check a password.
@@ -197,8 +292,11 @@ interface(`auth_ranged_domtrans_login_program',`
 interface(`auth_domtrans_chk_passwd',`
 	gen_require(`
 		type chkpwd_t, chkpwd_exec_t, shadow_t;
+		type auth_cache_t;
 	')
+
+	allow $1 auth_cache_t:dir search_dir_perms;
+
 	corecmd_search_bin($1)
 	domtrans_pattern($1, chkpwd_exec_t, chkpwd_t)
@@ -650,7 +748,7 @@ interface(`auth_domtrans_pam',`
 ########################################
 ##
-## Execute pam programs in the pam domain.
+## Send generic signals to pam processes.
 ##
 ##
 ##
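Review bot: The summary of `auth_var_filetrans_cache` in the first hunk, "Automatic transition from cache_t to cache.", does not describe the rule: the body calls `files_var_filetrans`, so the parent is var_t, and no cache_t appears anywhere in this patch; a summary such as `## Create auth cache objects in var_t with an automatic type transition to auth_cache_t.` would match the code. The same interface is the only one written without the module's spacing convention, and its object list is unordered; `files_var_filetrans($1, auth_cache_t, { dir file })` is the usual form. `auth_manage_cache` also covers only files, whereas `auth_login_pgm_domain` in the previous hunk manages dirs and sock files of the same type, so an external caller that needs to create the cache directory itself (certwatch_t in this patch) cannot do so through this interface; either add `manage_dirs_pattern($1, auth_cache_t, auth_cache_t)` here or state in the summary that directories are out of scope.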
diff --git a/policy/modules/system/authlogin.te b/policy/modules/system/authlogin.te
index 0f02b4fb..2f710405 100644
--- a/policy/modules/system/authlogin.te
+++ b/policy/modules/system/authlogin.te
@@ -1,5 +1,5 @@
-policy_module(authlogin, 2.0.0)
+policy_module(authlogin, 2.0.1)
 ########################################
 #
@@ -10,6 +10,9 @@ attribute can_read_shadow_passwords;
 attribute can_write_shadow_passwords;
 attribute can_relabelto_shadow_passwords;
+type auth_cache_t;
+logging_log_file(auth_cache_t)
+
 type chkpwd_t, can_read_shadow_passwords;
 type chkpwd_exec_t;
 typealias chkpwd_t alias { user_chkpwd_t staff_chkpwd_t sysadm_chkpwd_t };
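Review bot: `logging_log_file(auth_cache_t)` in the second hunk declares the coolkey cache as a log-file type; if that interface attaches the logfile attribute as it does for the other log types in refpolicy, every domain that may read or manage all logs (log rotation and log readers among them) gains the same access to the authentication cache, which is wider than the narrowly scoped auth_*_cache interfaces added in authlogin.if suggest was intended. Unless the cache is genuinely meant to be handled as a log, `files_type(auth_cache_t)` is the narrower declaration. A comment on the type, e.g. `# /var/cache/coolkey, see authlogin.fc`, would also help, since the .fc entry is currently the only hint at what this type labels.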