rpms/selinux-policy
6
0
Fork 0
Code Issues Pull Requests Releases Activity

trunk: 1 patch from dan.

Browse Source
This commit is contained in:
Chris PeBenito 2009-06-12 15:30:15 +00:00
parent a65fd90a50
commit 30425aa876
4 changed files with 111 additions and 4 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

6
policy/modules/admin/certwatch.te
View File

@ -1,5 +1,5 @@
policy_module(certwatch, 1.3.0) policy_module(certwatch, 1.3.1)
######################################## ########################################
# #
@ -27,6 +27,9 @@ files_list_tmp(certwatch_t)
fs_list_inotifyfs(certwatch_t) fs_list_inotifyfs(certwatch_t)
auth_manage_cache(certwatch_t)
auth_var_filetrans_cache(certwatch_t)
logging_send_syslog_msg(certwatch_t) logging_send_syslog_msg(certwatch_t)
miscfiles_read_certs(certwatch_t) miscfiles_read_certs(certwatch_t)
@ -36,6 +39,7 @@ userdom_use_user_terminals(certwatch_t)
optional_policy(` optional_policy(`
apache_exec_modules(certwatch_t) apache_exec_modules(certwatch_t)
apache_read_config(certwatch_t)
') ')
optional_policy(` optional_policy(`

2
policy/modules/system/authlogin.fc
View File

@ -26,6 +26,8 @@ ifdef(`distro_gentoo', `
/usr/sbin/unix_chkpwd -- gen_context(system_u:object_r:chkpwd_exec_t,s0) /usr/sbin/unix_chkpwd -- gen_context(system_u:object_r:chkpwd_exec_t,s0)
') ')
/var/cache/coolkey(/.*)? gen_context(system_u:object_r:auth_cache_t,s0)
/var/db/shadow.* -- gen_context(system_u:object_r:shadow_t,s0) /var/db/shadow.* -- gen_context(system_u:object_r:shadow_t,s0)
/var/lib/abl(/.*)? gen_context(system_u:object_r:var_auth_t,s0) /var/lib/abl(/.*)? gen_context(system_u:object_r:var_auth_t,s0)

102
policy/modules/system/authlogin.if
View File

@ -42,7 +42,7 @@ interface(`auth_role',`
# #
interface(`auth_login_pgm_domain',` interface(`auth_login_pgm_domain',`
gen_require(` gen_require(`
type var_auth_t; type var_auth_t, auth_cache_t;
') ')
domain_type($1) domain_type($1)
@ -57,6 +57,11 @@ interface(`auth_login_pgm_domain',`
# needed for afs - https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=253321 # needed for afs - https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=253321
kernel_rw_afs_state($1) kernel_rw_afs_state($1)
manage_dirs_pattern($1, auth_cache_t, auth_cache_t)
manage_files_pattern($1, auth_cache_t, auth_cache_t)
manage_sock_files_pattern($1, auth_cache_t, auth_cache_t)
files_var_filetrans($1, auth_cache_t, dir)
# for SSP/ProPolice # for SSP/ProPolice
dev_read_urand($1) dev_read_urand($1)
# for fingerprint readers # for fingerprint readers
@ -184,6 +189,96 @@ interface(`auth_ranged_domtrans_login_program',`
') ')
') ')
########################################
## <summary>
## Search authentication cache
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`auth_search_cache',`
gen_require(`
type auth_cache_t;
')
allow $1 auth_cache_t:dir search_dir_perms;
')
########################################
## <summary>
## Read authentication cache
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`auth_read_cache',`
gen_require(`
type auth_cache_t;
')
read_files_pattern($1, auth_cache_t, auth_cache_t)
')
########################################
## <summary>
## Read/Write authentication cache
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`auth_rw_cache',`
gen_require(`
type auth_cache_t;
')
rw_files_pattern($1, auth_cache_t, auth_cache_t)
')
########################################
## <summary>
## Manage authentication cache
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`auth_manage_cache',`
gen_require(`
type auth_cache_t;
')
manage_files_pattern($1, auth_cache_t, auth_cache_t)
')
#######################################
## <summary>
## Automatic transition from cache_t to cache.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`auth_var_filetrans_cache',`
gen_require(`
type auth_cache_t;
')
files_var_filetrans($1,auth_cache_t,{ file dir } )
')
######################################## ########################################
## <summary> ## <summary>
## Run unix_chkpwd to check a password. ## Run unix_chkpwd to check a password.
@ -197,8 +292,11 @@ interface(`auth_ranged_domtrans_login_program',`
interface(`auth_domtrans_chk_passwd',` interface(`auth_domtrans_chk_passwd',`
gen_require(` gen_require(`
type chkpwd_t, chkpwd_exec_t, shadow_t; type chkpwd_t, chkpwd_exec_t, shadow_t;
type auth_cache_t;
') ')
allow $1 auth_cache_t:dir search_dir_perms;
corecmd_search_bin($1) corecmd_search_bin($1)
domtrans_pattern($1, chkpwd_exec_t, chkpwd_t) domtrans_pattern($1, chkpwd_exec_t, chkpwd_t)
@ -650,7 +748,7 @@ interface(`auth_domtrans_pam',`
######################################## ########################################
## <summary> ## <summary>
## Execute pam programs in the pam domain. ## Send generic signals to pam processes.
## </summary> ## </summary>
## <param name="domain"> ## <param name="domain">
## <summary> ## <summary>

5
policy/modules/system/authlogin.te
View File

@ -1,5 +1,5 @@
policy_module(authlogin, 2.0.0) policy_module(authlogin, 2.0.1)
######################################## ########################################
# #
@ -10,6 +10,9 @@ attribute can_read_shadow_passwords;
attribute can_write_shadow_passwords; attribute can_write_shadow_passwords;
attribute can_relabelto_shadow_passwords; attribute can_relabelto_shadow_passwords;
type auth_cache_t;
logging_log_file(auth_cache_t)
type chkpwd_t, can_read_shadow_passwords; type chkpwd_t, can_read_shadow_passwords;
type chkpwd_exec_t; type chkpwd_exec_t;
typealias chkpwd_t alias { user_chkpwd_t staff_chkpwd_t sysadm_chkpwd_t }; typealias chkpwd_t alias { user_chkpwd_t staff_chkpwd_t sysadm_chkpwd_t };