From 8ba1bd8502a33efb017c4b2d89269346ec59053f Mon Sep 17 00:00:00 2001 From: Chris PeBenito Date: Thu, 8 Dec 2005 17:42:08 +0000 Subject: [PATCH] make common template --- refpolicy/policy/modules/system/authlogin.if | 141 +++++++++++-------- refpolicy/policy/modules/system/authlogin.te | 53 +------ 2 files changed, 84 insertions(+), 110 deletions(-) diff --git a/refpolicy/policy/modules/system/authlogin.if b/refpolicy/policy/modules/system/authlogin.if index f6a54b3d..6118ed91 100644 --- a/refpolicy/policy/modules/system/authlogin.if +++ b/refpolicy/policy/modules/system/authlogin.if @@ -1,5 +1,78 @@ ## Common policy for authentication and user login. +####################################### +## +## Common template to create a domain for authentication. +## +## +##

+## This template creates a derived domain which is allowed +## to authenticate users by using PAM unix_chkpwd support. +##

+##
+## +## The prefix of the user domain (e.g., user +## is the prefix for user_t). +## +# +template(`authlogin_common_auth_domain_template',` + gen_require(` + attribute can_read_shadow_passwords; + type chkpwd_exec_t, shadow_t; + ') + + type $1_chkpwd_t, can_read_shadow_passwords; + domain_type($1_chkpwd_t) + domain_entry_file($1_chkpwd_t,chkpwd_exec_t) + + allow $1_chkpwd_t self:capability { audit_write audit_control setuid }; + allow $1_chkpwd_t self:process getattr; + + files_list_etc($1_chkpwd_t) + allow $1_chkpwd_t shadow_t:file { getattr read }; + + # is_selinux_enabled + kernel_read_system_state($1_chkpwd_t) + + dev_read_rand($1_chkpwd_t) + dev_read_urand($1_chkpwd_t) + + fs_dontaudit_getattr_xattr_fs($1_chkpwd_t) + + libs_use_ld_so($1_chkpwd_t) + libs_use_shared_libs($1_chkpwd_t) + + files_read_etc_files($1_chkpwd_t) + # for nscd + files_dontaudit_search_var($1_chkpwd_t) + + logging_send_syslog_msg($1_chkpwd_t) + + miscfiles_read_certs($1_chkpwd_t) + miscfiles_read_localization($1_chkpwd_t) + + seutil_read_config($1_chkpwd_t) + + sysnet_dns_name_resolve($1_chkpwd_t) + sysnet_use_ldap($1_chkpwd_t) + + optional_policy(`kerberos',` + kerberos_use($1_chkpwd_t) + ') + + optional_policy(`nis',` + nis_use_ypbind($1_chkpwd_t) + ') + + optional_policy(`nscd',` + nscd_use_socket($1_chkpwd_t) + ') + + optional_policy(`samba',` + samba_connect_winbind($1_chkpwd_t) + ') +') + ####################################### ## ## The per user domain template for the authlogin module. @@ -29,87 +102,33 @@ ## # template(`authlogin_per_userdomain_template',` + gen_require(` - attribute can_read_shadow_passwords; - type chkpwd_exec_t, system_chkpwd_t, shadow_t; + type system_chkpwd_t, shadow_t; ') - type $1_chkpwd_t, can_read_shadow_passwords; - domain_type($1_chkpwd_t) - domain_entry_file($1_chkpwd_t,chkpwd_exec_t) + authlogin_common_auth_domain_template($1) + role $3 types $1_chkpwd_t; role $3 types system_chkpwd_t; - allow $1_chkpwd_t self:capability { audit_write audit_control setuid }; - allow $1_chkpwd_t self:process getattr; - - files_list_etc($1_chkpwd_t) - allow $1_chkpwd_t shadow_t:file { getattr read }; - allow $2 self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay }; + dontaudit $2 shadow_t:file { getattr read }; + # Transition from the user domain to this domain. domain_auto_trans($2,chkpwd_exec_t,$1_chkpwd_t) - allow $1_chkpwd_t $2:fd use; allow $2 $1_chkpwd_t:fd use; allow $1_chkpwd_t $2:fifo_file rw_file_perms; allow $1_chkpwd_t $2:process sigchld; - dontaudit $2 shadow_t:file { getattr read }; - - # is_selinux_enabled - kernel_read_system_state($1_chkpwd_t) - - dev_read_rand($1_chkpwd_t) - dev_read_urand($1_chkpwd_t) - - fs_dontaudit_getattr_xattr_fs($1_chkpwd_t) - domain_use_wide_inherit_fd($1_chkpwd_t) - libs_use_ld_so($1_chkpwd_t) - libs_use_shared_libs($1_chkpwd_t) - - files_read_etc_files($1_chkpwd_t) - # for nscd - files_dontaudit_search_var($1_chkpwd_t) - - logging_send_syslog_msg($1_chkpwd_t) - - miscfiles_read_certs($1_chkpwd_t) - miscfiles_read_localization($1_chkpwd_t) - - seutil_read_config($1_chkpwd_t) - - sysnet_dns_name_resolve($1_chkpwd_t) - sysnet_use_ldap($1_chkpwd_t) + seutil_use_newrole_fd($1_chkpwd_t) # Write to the user domain tty. userdom_use_user_terminals($1,$1_chkpwd_t) - - # Inherit and use descriptors from gnome-pty-helper. - #ifdef(`gnome-pty-helper.te',`allow $1_chkpwd_t $1_gph_t:fd use;') - - optional_policy(`kerberos',` - kerberos_use($1_chkpwd_t) - ') - - optional_policy(`nis',` - nis_use_ypbind($1_chkpwd_t) - ') - - optional_policy(`nscd',` - nscd_use_socket($1_chkpwd_t) - ') - - optional_policy(`samba',` - samba_connect_winbind($1_chkpwd_t) - ') - - optional_policy(`selinuxutil',` - seutil_use_newrole_fd($1_chkpwd_t) - ') ') ######################################## diff --git a/refpolicy/policy/modules/system/authlogin.te b/refpolicy/policy/modules/system/authlogin.te index 157b8d4a..fc2dd877 100644 --- a/refpolicy/policy/modules/system/authlogin.te +++ b/refpolicy/policy/modules/system/authlogin.te @@ -1,5 +1,5 @@ -policy_module(authlogin,1.0.2) +policy_module(authlogin,1.0.3) ######################################## # @@ -53,9 +53,7 @@ neverallow ~can_read_shadow_passwords shadow_t:file read; neverallow ~can_write_shadow_passwords shadow_t:file { create write }; neverallow ~can_relabelto_shadow_passwords shadow_t:file relabelto; -type system_chkpwd_t, can_read_shadow_passwords; -domain_type(system_chkpwd_t) -domain_entry_file(system_chkpwd_t,chkpwd_exec_t) +authlogin_common_auth_domain_template(system) role system_r types system_chkpwd_t; type utempter_t; @@ -263,62 +261,19 @@ ifdef(`xdm.te', ` # System check password local policy # -allow system_chkpwd_t self:capability setuid; -allow system_chkpwd_t self:process getattr; allow system_chkpwd_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay }; allow system_chkpwd_t shadow_t:file { getattr read }; -# is_selinux_enabled -kernel_read_system_state(system_chkpwd_t) - -dev_read_rand(system_chkpwd_t) -dev_read_urand(system_chkpwd_t) - -fs_dontaudit_getattr_xattr_fs(system_chkpwd_t) - -term_dontaudit_use_unallocated_tty(system_chkpwd_t) -term_dontaudit_use_generic_pty(system_chkpwd_t) - corecmd_search_sbin(system_chkpwd_t) domain_dontaudit_use_wide_inherit_fd(system_chkpwd_t) -files_read_etc_files(system_chkpwd_t) -# for nscd -files_dontaudit_search_var(system_chkpwd_t) - -libs_use_ld_so(system_chkpwd_t) -libs_use_shared_libs(system_chkpwd_t) - -logging_send_syslog_msg(system_chkpwd_t) - -miscfiles_read_localization(system_chkpwd_t) -miscfiles_read_certs(system_chkpwd_t) - -seutil_read_config(system_chkpwd_t) - -sysnet_dns_name_resolve(system_chkpwd_t) -sysnet_use_ldap(system_chkpwd_t) +term_dontaudit_use_unallocated_tty(system_chkpwd_t) +term_dontaudit_use_generic_pty(system_chkpwd_t) userdom_dontaudit_use_unpriv_user_tty(system_chkpwd_t) -optional_policy(`kerberos',` - kerberos_use(system_chkpwd_t) -') - -optional_policy(`nis',` - nis_use_ypbind(system_chkpwd_t) -') - -optional_policy(`nscd',` - nscd_use_socket(system_chkpwd_t) -') - -optional_policy(`samba',` - samba_connect_winbind(system_chkpwd_t) -') - ######################################## # # Utempter local policy