trunk: 3 patches from dan.

policy/modules/kernel/files.if

@@ -4717,8 +4717,7 @@ interface(`files_polyinstantiate_all',`
 		files_search_home($1)
 		corecmd_exec_bin($1)
 		seutil_domtrans_setfiles($1)
-		fs_mount_tmpfs($1)
-		fs_unmount_tmpfs($1)
+		mount_domtrans($1)
 	')
 ')
 

policy/modules/kernel/files.te

@@ -1,5 +1,5 @@
 
-policy_module(files,1.7.3)
+policy_module(files,1.7.4)
 
 ########################################
 #

policy/modules/kernel/kernel.if

@@ -835,6 +835,27 @@ interface(`kernel_dontaudit_read_proc_symlinks',`
 	dontaudit $1 proc_t:lnk_file read;
 ')
 
+#######################################
+## <summary>
+##	Allow caller to read and write state information for AFS.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`kernel_rw_afs_state',`
+	gen_require(`
+		type proc_t, proc_afs_t;
+	')
+
+	read_files_pattern($1,proc_t,proc_afs_t)
+
+	list_dirs_pattern($1,proc_t,proc_t)
+')
+
 #######################################
 ## <summary>
 ##	Allow caller to read the state information for software raid.

policy/modules/kernel/kernel.te

@@ -1,5 +1,5 @@
 
-policy_module(kernel,1.8.2)
+policy_module(kernel,1.8.3)
 
 ########################################
 #
@@ -71,6 +71,9 @@ fs_type(proc_t)
 genfscon proc / gen_context(system_u:object_r:proc_t,s0)
 genfscon proc /sysvipc gen_context(system_u:object_r:proc_t,s0)
 
+type proc_afs_t, proc_type;
+genfscon proc /fs/openafs gen_context(system_u:object_r:proc_afs_t,s0)
+
 # kernel message interface
 type proc_kmsg_t, proc_type;
 genfscon proc /kmsg gen_context(system_u:object_r:proc_kmsg_t,mls_systemhigh)

policy/modules/kernel/storage.fc

@@ -32,6 +32,7 @@
 /dev/pcd[0-3]		-b	gen_context(system_u:object_r:removable_device_t,s0)
 /dev/pd[a-d][^/]*	-b	gen_context(system_u:object_r:removable_device_t,s0)
 /dev/pg[0-3]		-c	gen_context(system_u:object_r:removable_device_t,s0)
+/dev/ps3d.*		-b	gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
 /dev/ram.*		-b	gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
 /dev/rawctl		-c	gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
 /dev/rd.*		-b	gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)

policy/modules/kernel/storage.te

@@ -1,5 +1,5 @@
 
-policy_module(storage,1.4.1)
+policy_module(storage,1.4.2)
 
 ########################################
 #

policy/modules/system/application.if

@@ -61,6 +61,26 @@ interface(`application_exec',`
 	can_exec($1, application_exec_type)
 ')
 
+########################################
+## <summary>
+##	Execute all executable files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`application_exec_all',`
+	corecmd_dontaudit_exec_all_executables($1)
+	corecmd_exec_bin($1)
+	corecmd_exec_shell($1)
+	corecmd_exec_chroot($1)
+
+	application_exec($1)
+')
+
 ########################################
 ## <summary>
 ##	Create a domain which can be started by users

policy/modules/system/application.te

@@ -1,5 +1,5 @@
 
-policy_module(application,1.0.0)
+policy_module(application,1.0.1)
 
 # Attribute of user applications
 attribute application_domain_type;

policy/modules/system/authlogin.fc

@@ -13,6 +13,7 @@
 /sbin/pam_console_apply	 --	gen_context(system_u:object_r:pam_console_exec_t,s0)
 /sbin/pam_timestamp_check --	gen_context(system_u:object_r:pam_exec_t,s0)
 /sbin/unix_chkpwd	--	gen_context(system_u:object_r:chkpwd_exec_t,s0)
+/sbin/unix_update	--	gen_context(system_u:object_r:updpwd_exec_t,s0)
 /sbin/unix_verify	--	gen_context(system_u:object_r:chkpwd_exec_t,s0)
 ifdef(`distro_suse', `
 /sbin/unix2_chkpwd	--	gen_context(system_u:object_r:chkpwd_exec_t,s0)

policy/modules/system/authlogin.if

@@ -26,7 +26,8 @@ template(`authlogin_common_auth_domain_template',`
 	type $1_chkpwd_t, can_read_shadow_passwords;
 	application_domain($1_chkpwd_t,chkpwd_exec_t)
 
-	allow $1_chkpwd_t self:capability { audit_control setuid };
+	allow $1_chkpwd_t self:capability { dac_override setuid };
+	dontaudit $1_chkpwd_t self:capability sys_tty_config;
 	allow $1_chkpwd_t self:process getattr;
 
 	files_list_etc($1_chkpwd_t)
@@ -106,9 +107,6 @@ template(`authlogin_per_role_template',`
 	role $3 types $1_chkpwd_t;
 	role $3 types system_chkpwd_t;
 
-	# cjp: is this really needed?
-	allow $2 self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay };
-
 	dontaudit $2 shadow_t:file { getattr read };
 
 	# Transition from the user domain to this domain.
@@ -169,6 +167,9 @@ template(`auth_domtrans_user_chk_passwd',`
 ## </param>
 #
 interface(`auth_login_pgm_domain',`
+	gen_require(`
+		type var_auth_t;
+	')
 
 	domain_type($1)
 	domain_subj_id_change_exemption($1)
@@ -176,11 +177,22 @@ interface(`auth_login_pgm_domain',`
 	domain_obj_id_change_exemption($1)
 	role system_r types $1;
 
+	files_list_var_lib($1)
+	manage_files_pattern($1, var_auth_t, var_auth_t)
+
+	# needed for afs - https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=253321
+	kernel_rw_afs_state($1)
+
 	# for SSP/ProPolice
 	dev_read_urand($1)
+	# for fingerprint readers
+	dev_rw_input_dev($1)
+	dev_rw_generic_usb_dev($1)
 
 	files_read_etc_files($1)
 
+	fs_list_auto_mountpoints($1)
+
 	selinux_get_fs_mount($1)
 	selinux_validate_context($1)
 	selinux_compute_access_vector($1)
@@ -196,16 +208,20 @@ interface(`auth_login_pgm_domain',`
 	mls_fd_share_all_levels($1)
 
 	auth_domtrans_chk_passwd($1)
+	auth_domtrans_upd_passwd($1)
 	auth_dontaudit_read_shadow($1)
 	auth_read_login_records($1)
 	auth_append_login_records($1)
 	auth_rw_lastlog($1)
-	auth_append_faillog($1)
+	auth_rw_faillog($1)
 	auth_exec_pam($1)
+	auth_use_nsswitch($1)
 
 	init_rw_utmp($1)
 
+	logging_send_audit_msgs($1)
 	logging_send_syslog_msg($1)
+#	logging_set_loginuid($1)
 
 	seutil_read_config($1)
 	seutil_read_default_contexts($1)
@@ -309,11 +325,8 @@ interface(`auth_domtrans_chk_passwd',`
 		type system_chkpwd_t, chkpwd_exec_t, shadow_t;
 	')
 
-	# cjp: is this really needed?
-	allow $1 self:capability audit_control;
-
 	corecmd_search_bin($1)
-	domtrans_pattern($1,chkpwd_exec_t,system_chkpwd_t)
+	domtrans_pattern($1, chkpwd_exec_t, system_chkpwd_t)
 
 	dontaudit $1 shadow_t:file { getattr read };
 
@@ -345,6 +358,86 @@ interface(`auth_domtrans_chk_passwd',`
 	')
 ')
 
+########################################
+## <summary>
+##	Execute chkpwd programs in the chkpwd domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <param name="role">
+##	<summary>
+##	The role to allow the updpwd domain.
+##	</summary>
+## </param>
+## <param name="terminal">
+##	<summary>
+##	The type of the terminal allow the updpwd domain to use.
+##	</summary>
+## </param>
+#
+interface(`auth_run_chk_passwd',`
+	gen_require(`
+		type system_chkpwd_t;
+	')
+
+	auth_domtrans_chk_passwd($1)
+	role $2 types system_chkpwd_t;
+	allow system_chkpwd_t $3:chr_file rw_file_perms;
+')
+
+########################################
+## <summary>
+##	Execute a domain transition to run unix_update.
+## </summary>
+## <param name="domain">
+## <summary>
+##	Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`auth_domtrans_upd_passwd',`
+	gen_require(`
+		type updpwd_t, updpwd_exec_t;
+	')
+
+	domtrans_pattern($1,updpwd_exec_t,updpwd_t)
+	auth_dontaudit_read_shadow($1)
+
+')
+
+########################################
+## <summary>
+##	Execute updpwd programs in the updpwd domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <param name="role">
+##	<summary>
+##	The role to allow the updpwd domain.
+##	</summary>
+## </param>
+## <param name="terminal">
+##	<summary>
+##	The type of the terminal allow the updpwd domain to use.
+##	</summary>
+## </param>
+#
+interface(`auth_run_upd_passwd',`
+	gen_require(`
+		type updpwd_t;
+	')
+
+	auth_domtrans_upd_passwd($1)
+	role $2 types updpwd_t;
+	allow updpwd_t $3:chr_file rw_file_perms;
+')
+
 ########################################
 ## <summary>
 ##	Get the attributes of the shadow passwords file.
@@ -693,6 +786,24 @@ interface(`auth_domtrans_pam',`
 	domtrans_pattern($1,pam_exec_t,pam_t)
 ')
 
+########################################
+## <summary>
+##	Execute pam programs in the pam domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`auth_signal_pam',`
+	gen_require(`
+		type pam_t;
+	')
+
+	allow $1 pam_t:process signal;
+')
+
 ########################################
 ## <summary>
 ##	Execute pam programs in the PAM domain.
@@ -1318,16 +1429,14 @@ interface(`auth_manage_login_records',`
 ## </param>
 #
 interface(`auth_use_nsswitch',`
-	gen_require(`
-		type var_auth_t;
-	')
 
 	allow $1 self:netlink_route_socket r_netlink_socket_perms;
 
-	allow $1 var_auth_t:dir list_dir_perms;
-	allow $1 var_auth_t:file manage_file_perms;
 	files_list_var_lib($1)
 
+	# read /etc/nsswitch.conf
+	files_read_etc_files($1)
+
 	miscfiles_read_certs($1)
 
 	sysnet_dns_name_resolve($1)
@@ -1347,6 +1456,7 @@ interface(`auth_use_nsswitch',`
 
 	optional_policy(`
 		samba_stream_connect_winbind($1)
+		samba_read_var_files($1)
 	')
 ')
 

policy/modules/system/authlogin.te

@@ -1,5 +1,5 @@
 
-policy_module(authlogin,1.8.1)
+policy_module(authlogin,1.8.2)
 
 ########################################
 #
@@ -49,6 +49,12 @@ neverallow ~can_read_shadow_passwords shadow_t:file read;
 neverallow ~can_write_shadow_passwords shadow_t:file { create write };
 neverallow ~can_relabelto_shadow_passwords shadow_t:file relabelto;
 
+type updpwd_t;
+type updpwd_exec_t;
+domain_type(updpwd_t)
+domain_entry_file(updpwd_t,updpwd_exec_t)
+role system_r types updpwd_t;
+
 type utempter_t;
 type utempter_exec_t;
 application_domain(utempter_t,utempter_exec_t)
@@ -94,10 +100,14 @@ allow pam_t pam_tmp_t:dir manage_dir_perms;
 allow pam_t pam_tmp_t:file manage_file_perms;
 files_tmp_filetrans(pam_t, pam_tmp_t, { file dir })
 
+auth_use_nsswitch(pam_t)
+
 kernel_read_system_state(pam_t)
 
 fs_search_auto_mountpoints(pam_t)
 
+miscfiles_read_localization(pam_t)
+
 term_use_all_user_ttys(pam_t)
 term_use_all_user_ptys(pam_t)
 
@@ -149,6 +159,8 @@ dev_getattr_apm_bios_dev(pam_console_t)
 dev_setattr_apm_bios_dev(pam_console_t)
 dev_getattr_dri_dev(pam_console_t)
 dev_setattr_dri_dev(pam_console_t)
+dev_getattr_input_dev(pam_console_t)
+dev_setattr_input_dev(pam_console_t)
 dev_getattr_framebuffer_dev(pam_console_t)
 dev_setattr_framebuffer_dev(pam_console_t)
 dev_getattr_generic_usb_dev(pam_console_t)
@@ -159,6 +171,8 @@ dev_getattr_mouse_dev(pam_console_t)
 dev_setattr_mouse_dev(pam_console_t)
 dev_getattr_power_mgmt_dev(pam_console_t)
 dev_setattr_power_mgmt_dev(pam_console_t)
+dev_getattr_printer_dev(pam_console_t)
+dev_setattr_printer_dev(pam_console_t)
 dev_getattr_scanner_dev(pam_console_t)
 dev_setattr_scanner_dev(pam_console_t)
 dev_getattr_sound_dev(pam_console_t)
@@ -200,6 +214,7 @@ files_read_etc_runtime_files(pam_console_t)
 
 fs_list_auto_mountpoints(pam_console_t)
 fs_list_noxattr_fs(pam_console_t)
+fs_getattr_all_fs(pam_console_t)
 
 init_use_fds(pam_console_t)
 init_use_script_ptys(pam_console_t)
@@ -236,7 +251,7 @@ optional_policy(`
 
 optional_policy(`
 	xserver_read_xdm_pid(pam_console_t)
-	xserver_use_xdm_fds(pam_t)
+	xserver_dontaudit_write_log(pam_console_t)
 ')
 
 ########################################
@@ -257,6 +272,34 @@ userdom_dontaudit_use_unpriv_users_ttys(system_chkpwd_t)
 userdom_dontaudit_use_unpriv_users_ptys(system_chkpwd_t)
 userdom_dontaudit_use_sysadm_terms(system_chkpwd_t)
 
+########################################
+#
+# updpwd local policy
+#
+
+allow updpwd_t self:process setfscreate;
+allow updpwd_t self:fifo_file { read write };
+allow updpwd_t self:unix_stream_socket create_stream_socket_perms;
+allow updpwd_t self:unix_dgram_socket create_socket_perms;
+
+kernel_read_system_state(updpwd_t)
+
+files_manage_etc_files(updpwd_t)
+
+term_dontaudit_use_console(updpwd_t)
+term_dontaudit_use_console(updpwd_t)
+term_dontaudit_use_unallocated_ttys(updpwd_t)
+
+auth_manage_shadow(updpwd_t)
+auth_use_nsswitch(updpwd_t)
+
+libs_use_ld_so(updpwd_t)
+libs_use_shared_libs(updpwd_t)
+
+logging_send_syslog_msg(updpwd_t)
+
+miscfiles_read_localization(updpwd_t)
+
 ########################################
 #
 # Utempter local policy