Add passwd_file_t for /etc/ptmptmp

2011-10-17 15:51:24 -04:00 · 2011-10-17 15:51:24 -04:00 · 9bf3aa2c96
commit 9bf3aa2c96
parent e29441a5cc
2 changed files with 35 additions and 24 deletions
--- a/passwd.patch
+++ b/passwd.patch
@ -12,10 +12,10 @@ index ef8bc09..ea06507 100644
 
 miscfiles_read_localization(mcelog_t)
 diff --git a/policy/modules/admin/usermanage.te b/policy/modules/admin/usermanage.te
-index 4779a8d..b8eac3e 100644
+index 772a68e..e01c9c2 100644
 --- a/policy/modules/admin/usermanage.te
 +++ b/policy/modules/admin/usermanage.te
-@@ -89,6 +89,7 @@ fs_search_auto_mountpoints(chfn_t)
+@@ -90,6 +90,7 @@ fs_search_auto_mountpoints(chfn_t)
 dev_read_urand(chfn_t)
 dev_dontaudit_getattr_all(chfn_t)
 
@ -23,7 +23,7 @@ index 4779a8d..b8eac3e 100644
 auth_use_pam(chfn_t)
 
 # allow checking if a shell is executable
-@@ -96,7 +97,6 @@ corecmd_check_exec_shell(chfn_t)
+@@ -97,7 +98,6 @@ corecmd_check_exec_shell(chfn_t)
 
 domain_use_interactive_fds(chfn_t)
 
@ -31,7 +31,7 @@ index 4779a8d..b8eac3e 100644
 files_read_etc_runtime_files(chfn_t)
 files_dontaudit_search_var(chfn_t)
 files_dontaudit_search_home(chfn_t)
-@@ -205,8 +205,8 @@ init_dontaudit_write_utmp(groupadd_t)
+@@ -207,8 +207,8 @@ init_dontaudit_write_utmp(groupadd_t)
 
 domain_use_interactive_fds(groupadd_t)
 
@ -41,7 +41,7 @@ index 4779a8d..b8eac3e 100644
 files_read_etc_runtime_files(groupadd_t)
 files_read_usr_symlinks(groupadd_t)
 
-@@ -221,9 +221,10 @@ miscfiles_read_localization(groupadd_t)
+@@ -223,9 +223,10 @@ miscfiles_read_localization(groupadd_t)
 auth_domtrans_chk_passwd(groupadd_t)
 auth_rw_lastlog(groupadd_t)
 auth_use_nsswitch(groupadd_t)
@ -53,7 +53,7 @@ index 4779a8d..b8eac3e 100644
 auth_relabel_shadow(groupadd_t)
 auth_etc_filetrans_shadow(groupadd_t)
 
-@@ -296,6 +297,7 @@ selinux_compute_user_contexts(passwd_t)
+@@ -298,6 +299,7 @@ selinux_compute_user_contexts(passwd_t)
 
 term_use_all_inherited_terms(passwd_t)
 
@ -61,7 +61,7 @@ index 4779a8d..b8eac3e 100644
 auth_manage_shadow(passwd_t)
 auth_relabel_shadow(passwd_t)
 auth_etc_filetrans_shadow(passwd_t)
-@@ -310,7 +312,6 @@ corenet_tcp_connect_kerberos_password_port(passwd_t)
+@@ -312,7 +314,6 @@ corenet_tcp_connect_kerberos_password_port(passwd_t)
 domain_use_interactive_fds(passwd_t)
 
 files_read_etc_runtime_files(passwd_t)
@ -69,7 +69,7 @@ index 4779a8d..b8eac3e 100644
 files_search_var(passwd_t)
 files_dontaudit_search_pids(passwd_t)
 files_relabel_etc_files(passwd_t)
-@@ -390,6 +391,7 @@ fs_search_auto_mountpoints(sysadm_passwd_t)
+@@ -392,6 +393,7 @@ fs_search_auto_mountpoints(sysadm_passwd_t)
 
 term_use_all_inherited_terms(sysadm_passwd_t)
 
@ -77,7 +77,7 @@ index 4779a8d..b8eac3e 100644
 auth_manage_shadow(sysadm_passwd_t)
 auth_relabel_shadow(sysadm_passwd_t)
 auth_etc_filetrans_shadow(sysadm_passwd_t)
-@@ -402,7 +404,6 @@ files_read_usr_files(sysadm_passwd_t)
+@@ -404,7 +406,6 @@ files_read_usr_files(sysadm_passwd_t)
 
 domain_use_interactive_fds(sysadm_passwd_t)
 
@ -85,7 +85,7 @@ index 4779a8d..b8eac3e 100644
 files_relabel_etc_files(sysadm_passwd_t)
 files_read_etc_runtime_files(sysadm_passwd_t)
 # for nscd lookups
-@@ -461,7 +462,6 @@ domain_use_interactive_fds(useradd_t)
+@@ -463,7 +464,6 @@ domain_use_interactive_fds(useradd_t)
 domain_read_all_domains_state(useradd_t)
 domain_dontaudit_read_all_domains_state(useradd_t)
 
@ -93,7 +93,7 @@ index 4779a8d..b8eac3e 100644
 files_search_var_lib(useradd_t)
 files_relabel_etc_files(useradd_t)
 files_read_etc_runtime_files(useradd_t)
-@@ -488,6 +488,7 @@ auth_rw_faillog(useradd_t)
+@@ -490,6 +490,7 @@ auth_rw_faillog(useradd_t)
 auth_use_nsswitch(useradd_t)
 # these may be unnecessary due to the above
 # domtrans_chk_passwd() call.
@ -115,7 +115,7 @@ index 50629a8..09669b6 100644
 init_dontaudit_use_script_ptys(loadkeys_t)
 
 diff --git a/policy/modules/services/abrt.te b/policy/modules/services/abrt.te
-index bd5ff95..c77b9f1 100644
+index b11c27f..5a452ae 100644
 --- a/policy/modules/services/abrt.te
 +++ b/policy/modules/services/abrt.te
@@ -105,7 +105,6 @@ allow abrt_t self:fifo_file rw_fifo_file_perms;
@ -177,10 +177,10 @@ index 4f9a575..5fc3a55 100644
 miscfiles_read_fonts(plymouthd_t)
 miscfiles_manage_fonts_cache(plymouthd_t)
 diff --git a/policy/modules/services/virt.te b/policy/modules/services/virt.te
-index 52df08a..7790f7e 100644
+index ea9593c..0e641fa 100644
 --- a/policy/modules/services/virt.te
 +++ b/policy/modules/services/virt.te
-@@ -882,6 +882,7 @@ fs_getattr_xattr_fs(svirt_lxc_domain)
+@@ -888,6 +888,7 @@ fs_getattr_xattr_fs(svirt_lxc_domain)
 fs_list_inotifyfs(svirt_lxc_domain)
 fs_dontaudit_getattr_xattr_fs(svirt_lxc_domain)
 
@ -189,23 +189,24 @@ index 52df08a..7790f7e 100644
 auth_dontaudit_write_login_records(svirt_lxc_domain)
 auth_search_pam_console_data(svirt_lxc_domain)
 diff --git a/policy/modules/system/authlogin.fc b/policy/modules/system/authlogin.fc
-index 59742f4..904e39c 100644
+index 59742f4..02a592a 100644
 --- a/policy/modules/system/authlogin.fc
 +++ b/policy/modules/system/authlogin.fc
-@@ -7,6 +7,8 @@
+@@ -7,6 +7,9 @@
 /etc/passwd\.lock	--	gen_context(system_u:object_r:shadow_t,s0)
 /etc/passwd\.adjunct.*	--	gen_context(system_u:object_r:shadow_t,s0)
 /etc/shadow.*		--	gen_context(system_u:object_r:shadow_t,s0)
 +/etc/passwd-?		--	gen_context(system_u:object_r:passwd_file_t,s0)
+/etc/ptmptmp		--	gen_context(system_u:object_r:passwd_file_t,s0)
 +/etc/group-?		--	gen_context(system_u:object_r:passwd_file_t,s0)
 
 /sbin/pam_console_apply	 --	gen_context(system_u:object_r:pam_console_exec_t,s0)
 /sbin/pam_timestamp_check --	gen_context(system_u:object_r:pam_exec_t,s0)
 diff --git a/policy/modules/system/authlogin.if b/policy/modules/system/authlogin.if
-index f05a80f..4372e5d 100644
+index e3720d4..8b30edb 100644
 --- a/policy/modules/system/authlogin.if
 +++ b/policy/modules/system/authlogin.if
-@@ -558,7 +558,6 @@ interface(`auth_domtrans_upd_passwd',`
+@@ -557,7 +557,6 @@ interface(`auth_domtrans_upd_passwd',`
 
 	domtrans_pattern($1, updpwd_exec_t, updpwd_t)
 	auth_dontaudit_read_shadow($1)
@ -213,7 +214,7 @@ index f05a80f..4372e5d 100644
 ')
 
 ########################################
-@@ -755,6 +754,10 @@ interface(`auth_manage_shadow',`
+@@ -754,6 +753,10 @@ interface(`auth_manage_shadow',`
 
 	allow $1 shadow_t:file manage_file_perms;
 	typeattribute $1 can_read_shadow_passwords, can_write_shadow_passwords;
@ -224,7 +225,7 @@ index f05a80f..4372e5d 100644
 ')
 
 #######################################
-@@ -895,6 +898,9 @@ interface(`auth_manage_faillog',`
+@@ -894,6 +897,9 @@ interface(`auth_manage_faillog',`
 	files_search_pids($1)
 	allow $1 faillog_t:dir manage_dir_perms;
 	allow $1 faillog_t:file manage_file_perms;
@ -234,7 +235,7 @@ index f05a80f..4372e5d 100644
 ')
 
 #######################################
-@@ -1735,6 +1741,7 @@ interface(`auth_manage_login_records',`
+@@ -1734,6 +1740,7 @@ interface(`auth_manage_login_records',`
 
 	logging_rw_generic_log_dirs($1)
 	allow $1 wtmp_t:file manage_file_perms;
@ -242,7 +243,7 @@ index f05a80f..4372e5d 100644
 ')
 
 ########################################
-@@ -1810,19 +1817,118 @@ interface(`auth_unconfined',`
+@@ -1809,19 +1816,123 @@ interface(`auth_unconfined',`
 interface(`authlogin_filetrans_named_content',`
 	gen_require(`
 		type shadow_t;
@ -251,7 +252,11 @@ index f05a80f..4372e5d 100644
 		type wtmp_t;
 	')
 
+	files_etc_filetrans($1, passwd_file_t, file, "group")
+	files_etc_filetrans($1, passwd_file_t, file, "group-")
 +	files_etc_filetrans($1, passwd_file_t, file, "passwd")
+	files_etc_filetrans($1, passwd_file_t, file, "passwd-")
+	files_etc_filetrans($1, passwd_file_t, file, "ptmptmp")
 	files_etc_filetrans($1, shadow_t, file, "shadow")
 	files_etc_filetrans($1, shadow_t, file, "shadow-")
 	files_etc_filetrans($1, shadow_t, file, ".pwd.lock")
@ -360,6 +365,7 @@ index f05a80f..4372e5d 100644
 +	allow $1 passwd_file_t:file manage_file_perms;
 +	files_etc_filetrans($1, passwd_file_t, file, "passwd")
 +	files_etc_filetrans($1, passwd_file_t, file, "passwd-")
+	files_etc_filetrans($1, passwd_file_t, file, "ptmptmp")
 +	files_etc_filetrans($1, passwd_file_t, file, "group")
 +	files_etc_filetrans($1, passwd_file_t, file, "group-")
 +')
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@ -17,7 +17,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.10.0
-Release: 40%{?dist}
+Release: 40.2%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@ -29,6 +29,7 @@ patch4: execmem.patch
 patch5: userdomain.patch
 patch6: apache.patch
 patch7: ptrace.patch
+patch8: default_trans.patch
 Source1: modules-targeted.conf
 Source2: booleans-targeted.conf
 Source3: Makefile.devel
@ -243,12 +244,13 @@ Based off of reference policy: Checked out revision  2.20091117
 %setup -n serefpolicy-%{version} -q
 %patch -p1
 %patch1 -p1
-%patch2 -p1
+%patch2 -p1 -b .passwd
 %patch3 -p1
 %patch4 -p1 -b .execmem
 %patch5 -p1 -b .userdomain
 %patch6 -p1 -b .apache
 %patch7 -p1 -b .ptrace
+%patch8 -p1 -b .default_trans

 %install
 mkdir selinux_config
@ -480,6 +482,9 @@ SELinux Reference policy mls base module.
 %endif

 %changelog
+* Mon Oct 17 2011 Dan Walsh <dwalsh@redhat.com> 3.10.0-40.2
+- Add passwd_file_t for /etc/ptmptmp
+
 * Fri Oct 14 2011 Miroslav Grepl <mgrepl@redhat.com> 3.10.0-40
 - Dontaudit access checks for all executables, gnome-shell is doing access(EXEC, X_OK)
 - Make corosync to be able to relabelto cluster lib fies