Usermanage patch from Dan Walsh.
Broken leaks of sockets. useradd runs semanage for -Z. passwd_t needs sys_nice. useradd run within a samba controller needs to append to the samba log.
This commit is contained in:
parent
cad4224e8e
commit
3bcfe5beb7
@ -18,6 +18,10 @@ interface(`usermanage_domtrans_chfn',`
|
|||||||
files_search_usr($1)
|
files_search_usr($1)
|
||||||
corecmd_search_bin($1)
|
corecmd_search_bin($1)
|
||||||
domtrans_pattern($1, chfn_exec_t, chfn_t)
|
domtrans_pattern($1, chfn_exec_t, chfn_t)
|
||||||
|
|
||||||
|
ifdef(`hide_broken_symptoms',`
|
||||||
|
dontaudit chfn_t $1:socket_class_set { read write };
|
||||||
|
')
|
||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@ -63,6 +67,10 @@ interface(`usermanage_domtrans_groupadd',`
|
|||||||
files_search_usr($1)
|
files_search_usr($1)
|
||||||
corecmd_search_bin($1)
|
corecmd_search_bin($1)
|
||||||
domtrans_pattern($1, groupadd_exec_t, groupadd_t)
|
domtrans_pattern($1, groupadd_exec_t, groupadd_t)
|
||||||
|
|
||||||
|
ifdef(`hide_broken_symptoms',`
|
||||||
|
dontaudit groupadd_t $1:socket_class_set { read write };
|
||||||
|
')
|
||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@ -113,6 +121,10 @@ interface(`usermanage_domtrans_passwd',`
|
|||||||
files_search_usr($1)
|
files_search_usr($1)
|
||||||
corecmd_search_bin($1)
|
corecmd_search_bin($1)
|
||||||
domtrans_pattern($1, passwd_exec_t, passwd_t)
|
domtrans_pattern($1, passwd_exec_t, passwd_t)
|
||||||
|
|
||||||
|
ifdef(`hide_broken_symptoms',`
|
||||||
|
dontaudit passwd_t $1:socket_class_set { read write };
|
||||||
|
')
|
||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@ -247,6 +259,10 @@ interface(`usermanage_domtrans_useradd',`
|
|||||||
files_search_usr($1)
|
files_search_usr($1)
|
||||||
corecmd_search_bin($1)
|
corecmd_search_bin($1)
|
||||||
domtrans_pattern($1, useradd_exec_t, useradd_t)
|
domtrans_pattern($1, useradd_exec_t, useradd_t)
|
||||||
|
|
||||||
|
ifdef(`hide_broken_symptoms',`
|
||||||
|
dontaudit useradd_t $1:socket_class_set { read write };
|
||||||
|
')
|
||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@ -274,6 +290,8 @@ interface(`usermanage_run_useradd',`
|
|||||||
usermanage_domtrans_useradd($1)
|
usermanage_domtrans_useradd($1)
|
||||||
role $2 types useradd_t;
|
role $2 types useradd_t;
|
||||||
|
|
||||||
|
seutil_run_semanage(useradd_t, $2)
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
nscd_run(useradd_t, $2)
|
nscd_run(useradd_t, $2)
|
||||||
')
|
')
|
||||||
|
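Review bot: `seutil_run_semanage(useradd_t, $2)` in the usermanage_run_useradd hunk widens the interface beyond what its name and summary say: every caller now also puts role $2 into semanage_t through the useradd_t to semanage_t transition, and nothing in the hunk records that (the interface's `## <summary>` block is above the hunk, outside it). Since the commit message ties this to `useradd -Z`, state the intent where callers read it, for example by extending the summary with `## Also allows useradd_t to run semanage (for useradd -Z); role $2 therefore gains semanage_t.` The four `ifdef(`hide_broken_symptoms'` dontaudit blocks in the earlier hunks only suppress audit noise from leaked sockets and grant nothing, so they need no such note.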
@ -1,4 +1,4 @@
|
|||||||
policy_module(usermanage, 1.15.0)
|
policy_module(usermanage, 1.15.1)
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
#
|
#
|
||||||
@ -208,6 +208,7 @@ domain_use_interactive_fds(groupadd_t)
|
|||||||
files_manage_etc_files(groupadd_t)
|
files_manage_etc_files(groupadd_t)
|
||||||
files_relabel_etc_files(groupadd_t)
|
files_relabel_etc_files(groupadd_t)
|
||||||
files_read_etc_runtime_files(groupadd_t)
|
files_read_etc_runtime_files(groupadd_t)
|
||||||
|
files_read_usr_symlinks(groupadd_t)
|
||||||
|
|
||||||
# Execute /usr/bin/{passwd, chfn, chsh} and /usr/sbin/{useradd, vipw}.
|
# Execute /usr/bin/{passwd, chfn, chsh} and /usr/sbin/{useradd, vipw}.
|
||||||
corecmd_exec_bin(groupadd_t)
|
corecmd_exec_bin(groupadd_t)
|
||||||
@ -255,7 +256,8 @@ optional_policy(`
|
|||||||
# Passwd local policy
|
# Passwd local policy
|
||||||
#
|
#
|
||||||
|
|
||||||
allow passwd_t self:capability { chown dac_override fsetid setuid setgid sys_resource };
|
allow passwd_t self:capability { chown dac_override fsetid setuid setgid sys_nice sys_resource };
|
||||||
|
dontaudit passwd_t self:capability sys_tty_config;
|
||||||
allow passwd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
|
allow passwd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
|
||||||
allow passwd_t self:process { setrlimit setfscreate };
|
allow passwd_t self:process { setrlimit setfscreate };
|
||||||
allow passwd_t self:fd use;
|
allow passwd_t self:fd use;
|
||||||
@ -449,6 +451,7 @@ corecmd_exec_shell(useradd_t)
|
|||||||
corecmd_exec_bin(useradd_t)
|
corecmd_exec_bin(useradd_t)
|
||||||
|
|
||||||
domain_use_interactive_fds(useradd_t)
|
domain_use_interactive_fds(useradd_t)
|
||||||
|
domain_read_all_domains_state(useradd_t)
|
||||||
|
|
||||||
files_manage_etc_files(useradd_t)
|
files_manage_etc_files(useradd_t)
|
||||||
files_search_var_lib(useradd_t)
|
files_search_var_lib(useradd_t)
|
||||||
@ -529,6 +532,12 @@ optional_policy(`
|
|||||||
puppet_rw_tmp(useradd_t)
|
puppet_rw_tmp(useradd_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
|
optional_policy(`
|
||||||
|
tunable_policy(`samba_domain_controller',`
|
||||||
|
samba_append_log(useradd_t)
|
||||||
|
')
|
||||||
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
rpm_use_fds(useradd_t)
|
rpm_use_fds(useradd_t)
|
||||||
rpm_rw_pipes(useradd_t)
|
rpm_rw_pipes(useradd_t)
|
||||||
|
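Review bot: `domain_read_all_domains_state(useradd_t)` in the `@ -449,6 +451,7` hunk is a broad grant (read access to every domain's process state) that neither the hunk nor the commit description justifies, while the other additions in this file (`sys_nice`, `files_read_usr_symlinks`, `samba_append_log`) are narrow and self-explaining. Please add a why-comment naming the operation behind it, e.g. `# presumably from the semanage run for useradd -Z; confirm against the AVC denial`, or narrow it to the specific domain whose state is actually read if only one is involved. The useradd_t policy block continues outside the hunk on both sides, so the comment belongs on the line itself.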