fixes for targeted policy

2005-07-19 18:40:19 +00:00 · 2005-07-19 18:40:19 +00:00 · 8b0bbdda34
commit 8b0bbdda34
parent 391edeb577
4 changed files with 34 additions and 6 deletions
--- a/refpolicy/policy/modules/system/authlogin.if
+++ b/refpolicy/policy/modules/system/authlogin.if
@ -682,3 +682,33 @@ interface(`auth_manage_login_records',`
 	logging_rw_log_dir($1)
 	allow $1 wtmp_t:file create_file_perms;
 ')
+
+########################################
+## <summary>
+##	Unconfined access to the authlogin module.
+## </summary>
+## <desc>
+##	<p>
+##	Unconfined access to the authlogin module.
+##	</p>
+##	<p>
+##	Currently, this only allows assertions for
+##	the shadow passwords file (/etc/shadow) to
+##	be passed.  No access is granted yet.
+##	</p>
+## </desc>
+## <param name="domain">
+##	Domain allowed access.
+## </param>
+#
+interface(`auth_unconfined',`
+	gen_require(`
+		attribute can_read_shadow_passwords;
+		attribute can_write_shadow_passwords;
+		attribute can_relabelto_shadow_passwords;
+	')
+
+	typeattribute $1 can_read_shadow_passwords;
+	typeattribute $1 can_write_shadow_passwords;
+	typeattribute $1 can_relabelto_shadow_passwords;
+')
--- a/refpolicy/policy/modules/system/mount.te
+++ b/refpolicy/policy/modules/system/mount.te
@ -116,7 +116,7 @@ optional_policy(`portmap.te', `
 ')

 # for kernel package installation
-optional_policy(`mount.te', `
+optional_policy(`rpm.te', `
 	rpm_rw_pipe(mount_t)
 ')

--- a/refpolicy/policy/modules/system/unconfined.if
+++ b/refpolicy/policy/modules/system/unconfined.if
@ -37,10 +37,8 @@ template(`unconfined_domain_template',`
 		allow $1 self:process execmem;
 	')

-	# to satisfy assertions:
 	optional_policy(`authlogin.te',`
-		auth_manage_shadow($1)
-		auth_relabelto_shadow($1)
+		auth_unconfined($1)
 	')

 	optional_policy(`bootloader.te',`
@ -136,7 +134,7 @@ interface(`unconfined_shell_domtrans',`
 		type unconfined_t;
 	')

-	corecmd_domtrans_shell($1,unconfined_t)
+	corecmd_shell_domtrans($1,unconfined_t)
 ')

 ########################################
--- a/refpolicy/policy/modules/system/unconfined.te
+++ b/refpolicy/policy/modules/system/unconfined.te
@ -25,7 +25,7 @@ ifdef(`targeted_policy',`

 	# Define some type aliases to help with compatibility with
 	# macros and domains from the "strict" policy.
-#	typealias unconfined_t alias { logrotate_t sendmail_t sshd_t secadm_t sysadm_t rpm_t rpm_script_t xdm_t };
+	typealias unconfined_t alias { logrotate_t sendmail_t sshd_t secadm_t sysadm_t rpm_t rpm_script_t xdm_t };

 	init_domtrans_script(unconfined_t)