diff --git a/refpolicy/policy/modules/system/authlogin.if b/refpolicy/policy/modules/system/authlogin.if
index cc1501b3..6faef797 100644
--- a/refpolicy/policy/modules/system/authlogin.if
+++ b/refpolicy/policy/modules/system/authlogin.if
@@ -18,7 +18,7 @@ role $1_r types system_chkpwd_t;
 allow $1_chkpwd_t self:capability setuid;
 allow $1_chkpwd_t self:process getattr;
-# FIXME: read etc_t dir
+files_read_general_system_config_directory($1_chkpwd_t)
 allow $1_chkpwd_t shadow_t:file { getattr read };
 # is_selinux_enabled
@@ -155,7 +155,7 @@ class file { getattr read write setattr };
 #
 define(`authlogin_read_shadow_passwords',`
 requires_block_template(`$0'_depend)
-# FIXME: read etc_t dir
+files_read_general_system_config_directory($1)
 allow $1 shadow_t:file { getattr read };
 typeattribute $1 can_read_shadow_passwords;
 ')
@@ -186,7 +186,7 @@ class file { getattr read };
 #
 define(`authlogin_modify_shadow_passwords',`
 requires_block_template(`$0'_depend)
-# FIXME: read etc_t dir
+files_read_general_system_config_directory($1)
 allow $1 shadow_t:file { getattr read write };
 typeattribute $1 can_read_shadow_passwords;
 typeattribute $1 can_write_shadow_passwords;
@@ -224,6 +224,7 @@ class file { create ioctl read getattr lock write setattr append link unlink ren
 #
 define(`authlogin_relabel_to_shadow_passwords',`
 requires_block_template(`$0'_depend)
+files_search_general_system_config_directory($1)
 allow $1 shadow_t:file relabelto;
 typeattribute $1 can_relabelto_shadow_passwords;
 ')
@@ -240,6 +241,7 @@ class file relabelto;
 #
 define(`authlogin_modify_last_login_log',`
 requires_block_template(`$0'_depend)
+logging_search_system_log_directory($1)
 allow $1 lastlog_t:file { getattr read write setattr };
 ')
diff --git a/refpolicy/policy/modules/system/authlogin.te b/refpolicy/policy/modules/system/authlogin.te
index f426e4cb..dacadde5 100644
--- a/refpolicy/policy/modules/system/authlogin.te
+++ b/refpolicy/policy/modules/system/authlogin.te
@@ -266,8 +266,6 @@ sysnetwork_read_network_config(system_chkpwd_t)
 ')
 ifdef(`TODO',`
-# FIXME: read etc_t dir
-
 can_ypbind(system_chkpwd_t)
 can_kerberos(system_chkpwd_t)
 can_ldap(system_chkpwd_t)
diff --git a/refpolicy/policy/modules/system/clock.if b/refpolicy/policy/modules/system/clock.if
index 3f9f0942..29ad6533 100644
--- a/refpolicy/policy/modules/system/clock.if
+++ b/refpolicy/policy/modules/system/clock.if
@@ -6,8 +6,8 @@
 #
 define(`clock_modify_drift_records',`
 requires_block_template(`$0'_depend)
-# FIXME: search etc_t dir
 allow $1 adjtime_t:file { getattr read write ioctl lock append };
+files_read_general_system_config_directory($1)
 ')
 define(`clock_modify_drift_records_depend',`
diff --git a/refpolicy/policy/modules/system/files.if b/refpolicy/policy/modules/system/files.if
index bb4e451d..d002a388 100644
--- a/refpolicy/policy/modules/system/files.if
+++ b/refpolicy/policy/modules/system/files.if
@@ -251,6 +251,34 @@ type root_t;
 class filesystem unmount;
 ')
+########################################
+#
+# files_search_general_system_config_directory(domain)
+#
+define(`files_search_general_system_config_directory',`
+requires_block_template(`$0'_depend)
+allow $1 etc_t:dir search;
+')
+define(`files_search_general_system_config_directory_depend',`
+type etc_t;
+class dir search;
+')
+########################################
+#
+# files_read_general_system_config_directory(domain)
+#
+define(`files_read_general_system_config_directory',`
+requires_block_template(`$0'_depend)
+allow $1 etc_t:dir { getattr search read };
+')
+define(`files_read_general_system_config_directory_depend',`
+type etc_t;
+class dir { getattr search read };
+')
 ########################################
 #
 # files_read_general_system_config(domain)
diff --git a/refpolicy/policy/modules/system/hotplug.if b/refpolicy/policy/modules/system/hotplug.if
index 26ab9a5e..bee806e5 100644
--- a/refpolicy/policy/modules/system/hotplug.if
+++ b/refpolicy/policy/modules/system/hotplug.if
@@ -80,7 +80,7 @@ class dir search;
 #
 define(`hotplug_read_config',`
 requires_block_template(`$0'_depend)
-# FIXME: search etc_t
+files_search_general_system_config_directory($1)
 allow $1 hotplug_etc_t:file { read getattr lock ioctl };
 allow $1 hotplug_etc_t:dir { read getattr lock search ioctl };
 allow $1 hotplug_etc_t:lnk_file { getattr read };
diff --git a/refpolicy/policy/modules/system/sysnetwork.if b/refpolicy/policy/modules/system/sysnetwork.if
index 28a35e54..9a93c8ce 100644
--- a/refpolicy/policy/modules/system/sysnetwork.if
+++ b/refpolicy/policy/modules/system/sysnetwork.if
@@ -42,7 +42,7 @@ class process { transition noatsecure siginh rlimitinh };
 #
 define(`sysnetwork_read_network_config',`
 requires_block_template(`$0'_depend)
-# FIXME: allow $1 etc_t:dir search;
+files_search_general_system_config_directory($1)
 allow $1 net_conf_t:file { getattr read };
 ')
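Review bot: `authlogin_read_shadow_passwords` (and `authlogin_modify_shadow_passwords` in the following hunk) now grants `{ getattr search read }` on `etc_t:dir` through `files_read_general_system_config_directory($1)`, but opening `/etc/shadow` by path needs only `search`; `read` additionally lets every caller of these widely-used interfaces enumerate `/etc`, which `authlogin_relabel_to_shadow_passwords` later in this same file avoids by calling `files_search_general_system_config_directory($1)`. Unless a caller is known to list the directory, the narrower `files_search_general_system_config_directory($1)` is the least-privilege choice and keeps the three shadow interfaces consistent. The replaced FIXME did say "read", so if that was deliberate, a one-line comment such as `# read (not just search) on /etc is required because ...` on the new line would stop the next reviewer from tightening it.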
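Review bot: `authlogin_modify_last_login_log` adds `logging_search_system_log_directory($1)` so callers can traverse `/var/log` to reach the `lastlog_t` file, but that presumably covers only the log directory's own type; resolving the path also requires `search` on the parent `/var` directory, which this hunk does not visibly grant. If the logging interface does not itself pull in the `/var` search permission, callers will still be denied at `/var` before they ever reach the log directory — worth confirming against logging.if and, if so, adding the files module's `/var` search interface alongside it. A short comment such as `# traverse /var/log so lastlog can be opened by path` on the new line would also document why a directory-search interface appears in a file-modify interface.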
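Review bot: The replaced FIXME in `clock_modify_drift_records` asked only for `search` on `etc_t`, yet the new line grants `{ getattr search read }` via `files_read_general_system_config_directory($1)`; opening `/etc/adjtime` by path needs only `search`, so `files_search_general_system_config_directory($1)` is the least-privilege choice and matches what `hotplug_read_config` and `sysnetwork_read_network_config` receive in this same commit. Placing the call after the `allow` rule rather than before it, as the other interfaces in this commit do, is harmless but breaks the pattern of listing the prerequisite traversal permission before the file rules it enables.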
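Review bot: The two new files.if interfaces carry only the bare banner and do not say when to prefer one over the other, which matters because several callers in this commit pick the `read` variant where their own FIXMEs asked for `search`. A short note in each banner would steer future callers: on the search variant, `# Grants only directory traversal of /etc; sufficient to open a file under /etc by path.`, and on the read variant, `# Also allows listing /etc; use only when the domain must enumerate the directory.`. The `_depend` templates correctly declare `etc_t` and exactly the dir permissions each interface uses, so nothing further is needed for the requires blocks.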