fixes for targeted policy
This commit is contained in:
Chris PeBenito
parent
391edeb577
commit
8b0bbdda34
@ -682,3 +682,33 @@ interface(`auth_manage_login_records',`
|
|||||||
logging_rw_log_dir($1)
|
logging_rw_log_dir($1)
|
||||||
allow $1 wtmp_t:file create_file_perms;
|
allow $1 wtmp_t:file create_file_perms;
|
||||||
')
|
')
|
||||||
|
|
||||||
|
########################################
|
||||||
|
## <summary>
|
||||||
|
## Unconfined access to the authlogin module.
|
||||||
|
## </summary>
|
||||||
|
## <desc>
|
||||||
|
## <p>
|
||||||
|
## Unconfined access to the authlogin module.
|
||||||
|
## </p>
|
||||||
|
## <p>
|
||||||
|
## Currently, this only allows assertions for
|
||||||
|
## the shadow passwords file (/etc/shadow) to
|
||||||
|
## be passed. No access is granted yet.
|
||||||
|
## </p>
|
||||||
|
## </desc>
|
||||||
|
## <param name="domain">
|
||||||
|
## Domain allowed access.
|
||||||
|
## </param>
|
||||||
|
#
|
||||||
|
interface(`auth_unconfined',`
|
||||||
|
gen_require(`
|
||||||
|
attribute can_read_shadow_passwords;
|
||||||
|
attribute can_write_shadow_passwords;
|
||||||
|
attribute can_relabelto_shadow_passwords;
|
||||||
|
')
|
||||||
|
|
||||||
|
typeattribute $1 can_read_shadow_passwords;
|
||||||
|
typeattribute $1 can_write_shadow_passwords;
|
||||||
|
typeattribute $1 can_relabelto_shadow_passwords;
|
||||||
|
')
|
||||||
|
|||||||
@ -116,7 +116,7 @@ optional_policy(`portmap.te', `
|
|||||||
')
|
')
|
||||||
|
|
||||||
# for kernel package installation
|
# for kernel package installation
|
||||||
optional_policy(`mount.te', `
|
optional_policy(`rpm.te', `
|
||||||
rpm_rw_pipe(mount_t)
|
rpm_rw_pipe(mount_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
|
|||||||
@ -37,10 +37,8 @@ template(`unconfined_domain_template',`
|
|||||||
allow $1 self:process execmem;
|
allow $1 self:process execmem;
|
||||||
')
|
')
|
||||||
|
|
||||||
# to satisfy assertions:
|
|
||||||
optional_policy(`authlogin.te',`
|
optional_policy(`authlogin.te',`
|
||||||
auth_manage_shadow($1)
|
auth_unconfined($1)
|
||||||
auth_relabelto_shadow($1)
|
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`bootloader.te',`
|
optional_policy(`bootloader.te',`
|
||||||
@ -136,7 +134,7 @@ interface(`unconfined_shell_domtrans',`
|
|||||||
type unconfined_t;
|
type unconfined_t;
|
||||||
')
|
')
|
||||||
|
|
||||||
corecmd_domtrans_shell($1,unconfined_t)
|
corecmd_shell_domtrans($1,unconfined_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
|
|||||||
@ -25,7 +25,7 @@ ifdef(`targeted_policy',`
|
|||||||
|
|
||||||
# Define some type aliases to help with compatibility with
|
# Define some type aliases to help with compatibility with
|
||||||
# macros and domains from the "strict" policy.
|
# macros and domains from the "strict" policy.
|
||||||
# typealias unconfined_t alias { logrotate_t sendmail_t sshd_t secadm_t sysadm_t rpm_t rpm_script_t xdm_t };
|
typealias unconfined_t alias { logrotate_t sendmail_t sshd_t secadm_t sysadm_t rpm_t rpm_script_t xdm_t };
|
||||||
|
|
||||||
init_domtrans_script(unconfined_t)
|
init_domtrans_script(unconfined_t)
|
||||||
|
|
||||||
|
|||||||
Loading…
Reference in New Issue
Block a user