fixes for targeted policy
This commit is contained in:
parent
391edeb577
commit
8b0bbdda34
@ -682,3 +682,33 @@ interface(`auth_manage_login_records',`
|
||||
logging_rw_log_dir($1)
|
||||
allow $1 wtmp_t:file create_file_perms;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Unconfined access to the authlogin module.
|
||||
## </summary>
|
||||
## <desc>
|
||||
## <p>
|
||||
## Unconfined access to the authlogin module.
|
||||
## </p>
|
||||
## <p>
|
||||
## Currently, this only allows assertions for
|
||||
## the shadow passwords file (/etc/shadow) to
|
||||
## be passed. No access is granted yet.
|
||||
## </p>
|
||||
## </desc>
|
||||
## <param name="domain">
|
||||
## Domain allowed access.
|
||||
## </param>
|
||||
#
|
||||
interface(`auth_unconfined',`
|
||||
gen_require(`
|
||||
attribute can_read_shadow_passwords;
|
||||
attribute can_write_shadow_passwords;
|
||||
attribute can_relabelto_shadow_passwords;
|
||||
')
|
||||
|
||||
typeattribute $1 can_read_shadow_passwords;
|
||||
typeattribute $1 can_write_shadow_passwords;
|
||||
typeattribute $1 can_relabelto_shadow_passwords;
|
||||
')
|
||||
|
@ -116,7 +116,7 @@ optional_policy(`portmap.te', `
|
||||
')
|
||||
|
||||
# for kernel package installation
|
||||
optional_policy(`mount.te', `
|
||||
optional_policy(`rpm.te', `
|
||||
rpm_rw_pipe(mount_t)
|
||||
')
|
||||
|
||||
|
@ -37,10 +37,8 @@ template(`unconfined_domain_template',`
|
||||
allow $1 self:process execmem;
|
||||
')
|
||||
|
||||
# to satisfy assertions:
|
||||
optional_policy(`authlogin.te',`
|
||||
auth_manage_shadow($1)
|
||||
auth_relabelto_shadow($1)
|
||||
auth_unconfined($1)
|
||||
')
|
||||
|
||||
optional_policy(`bootloader.te',`
|
||||
@ -136,7 +134,7 @@ interface(`unconfined_shell_domtrans',`
|
||||
type unconfined_t;
|
||||
')
|
||||
|
||||
corecmd_domtrans_shell($1,unconfined_t)
|
||||
corecmd_shell_domtrans($1,unconfined_t)
|
||||
')
|
||||
|
||||
########################################
|
||||
|
@ -25,7 +25,7 @@ ifdef(`targeted_policy',`
|
||||
|
||||
# Define some type aliases to help with compatibility with
|
||||
# macros and domains from the "strict" policy.
|
||||
# typealias unconfined_t alias { logrotate_t sendmail_t sshd_t secadm_t sysadm_t rpm_t rpm_script_t xdm_t };
|
||||
typealias unconfined_t alias { logrotate_t sendmail_t sshd_t secadm_t sysadm_t rpm_t rpm_script_t xdm_t };
|
||||
|
||||
init_domtrans_script(unconfined_t)
|
||||
|
||||
|
Loading…
Reference in New Issue
Block a user