Add passwd_file_t for /etc/ptmptmp
parent
e29441a5cc
commit
9bf3aa2c96
50
passwd.patch
50
passwd.patch
@ -12,10 +12,10 @@ index ef8bc09..ea06507 100644
|
||||
|
||||
miscfiles_read_localization(mcelog_t)
|
||||
diff --git a/policy/modules/admin/usermanage.te b/policy/modules/admin/usermanage.te
|
||||
index 4779a8d..b8eac3e 100644
|
||||
index 772a68e..e01c9c2 100644
|
||||
--- a/policy/modules/admin/usermanage.te
|
||||
+++ b/policy/modules/admin/usermanage.te
|
||||
@@ -89,6 +89,7 @@ fs_search_auto_mountpoints(chfn_t)
|
||||
@@ -90,6 +90,7 @@ fs_search_auto_mountpoints(chfn_t)
|
||||
dev_read_urand(chfn_t)
|
||||
dev_dontaudit_getattr_all(chfn_t)
|
||||
|
||||
@ -23,7 +23,7 @@ index 4779a8d..b8eac3e 100644
|
||||
auth_use_pam(chfn_t)
|
||||
|
||||
# allow checking if a shell is executable
|
||||
@@ -96,7 +97,6 @@ corecmd_check_exec_shell(chfn_t)
|
||||
@@ -97,7 +98,6 @@ corecmd_check_exec_shell(chfn_t)
|
||||
|
||||
domain_use_interactive_fds(chfn_t)
|
||||
|
||||
@ -31,7 +31,7 @@ index 4779a8d..b8eac3e 100644
|
||||
files_read_etc_runtime_files(chfn_t)
|
||||
files_dontaudit_search_var(chfn_t)
|
||||
files_dontaudit_search_home(chfn_t)
|
||||
@@ -205,8 +205,8 @@ init_dontaudit_write_utmp(groupadd_t)
|
||||
@@ -207,8 +207,8 @@ init_dontaudit_write_utmp(groupadd_t)
|
||||
|
||||
domain_use_interactive_fds(groupadd_t)
|
||||
|
||||
@ -41,7 +41,7 @@ index 4779a8d..b8eac3e 100644
|
||||
files_read_etc_runtime_files(groupadd_t)
|
||||
files_read_usr_symlinks(groupadd_t)
|
||||
|
||||
@@ -221,9 +221,10 @@ miscfiles_read_localization(groupadd_t)
|
||||
@@ -223,9 +223,10 @@ miscfiles_read_localization(groupadd_t)
|
||||
auth_domtrans_chk_passwd(groupadd_t)
|
||||
auth_rw_lastlog(groupadd_t)
|
||||
auth_use_nsswitch(groupadd_t)
|
||||
@ -53,7 +53,7 @@ index 4779a8d..b8eac3e 100644
|
||||
auth_relabel_shadow(groupadd_t)
|
||||
auth_etc_filetrans_shadow(groupadd_t)
|
||||
|
||||
@@ -296,6 +297,7 @@ selinux_compute_user_contexts(passwd_t)
|
||||
@@ -298,6 +299,7 @@ selinux_compute_user_contexts(passwd_t)
|
||||
|
||||
term_use_all_inherited_terms(passwd_t)
|
||||
|
||||
@ -61,7 +61,7 @@ index 4779a8d..b8eac3e 100644
|
||||
auth_manage_shadow(passwd_t)
|
||||
auth_relabel_shadow(passwd_t)
|
||||
auth_etc_filetrans_shadow(passwd_t)
|
||||
@@ -310,7 +312,6 @@ corenet_tcp_connect_kerberos_password_port(passwd_t)
|
||||
@@ -312,7 +314,6 @@ corenet_tcp_connect_kerberos_password_port(passwd_t)
|
||||
domain_use_interactive_fds(passwd_t)
|
||||
|
||||
files_read_etc_runtime_files(passwd_t)
|
||||
@ -69,7 +69,7 @@ index 4779a8d..b8eac3e 100644
|
||||
files_search_var(passwd_t)
|
||||
files_dontaudit_search_pids(passwd_t)
|
||||
files_relabel_etc_files(passwd_t)
|
||||
@@ -390,6 +391,7 @@ fs_search_auto_mountpoints(sysadm_passwd_t)
|
||||
@@ -392,6 +393,7 @@ fs_search_auto_mountpoints(sysadm_passwd_t)
|
||||
|
||||
term_use_all_inherited_terms(sysadm_passwd_t)
|
||||
|
||||
@ -77,7 +77,7 @@ index 4779a8d..b8eac3e 100644
|
||||
auth_manage_shadow(sysadm_passwd_t)
|
||||
auth_relabel_shadow(sysadm_passwd_t)
|
||||
auth_etc_filetrans_shadow(sysadm_passwd_t)
|
||||
@@ -402,7 +404,6 @@ files_read_usr_files(sysadm_passwd_t)
|
||||
@@ -404,7 +406,6 @@ files_read_usr_files(sysadm_passwd_t)
|
||||
|
||||
domain_use_interactive_fds(sysadm_passwd_t)
|
||||
|
||||
@ -85,7 +85,7 @@ index 4779a8d..b8eac3e 100644
|
||||
files_relabel_etc_files(sysadm_passwd_t)
|
||||
files_read_etc_runtime_files(sysadm_passwd_t)
|
||||
# for nscd lookups
|
||||
@@ -461,7 +462,6 @@ domain_use_interactive_fds(useradd_t)
|
||||
@@ -463,7 +464,6 @@ domain_use_interactive_fds(useradd_t)
|
||||
domain_read_all_domains_state(useradd_t)
|
||||
domain_dontaudit_read_all_domains_state(useradd_t)
|
||||
|
||||
@ -93,7 +93,7 @@ index 4779a8d..b8eac3e 100644
|
||||
files_search_var_lib(useradd_t)
|
||||
files_relabel_etc_files(useradd_t)
|
||||
files_read_etc_runtime_files(useradd_t)
|
||||
@@ -488,6 +488,7 @@ auth_rw_faillog(useradd_t)
|
||||
@@ -490,6 +490,7 @@ auth_rw_faillog(useradd_t)
|
||||
auth_use_nsswitch(useradd_t)
|
||||
# these may be unnecessary due to the above
|
||||
# domtrans_chk_passwd() call.
|
||||
@ -115,7 +115,7 @@ index 50629a8..09669b6 100644
|
||||
init_dontaudit_use_script_ptys(loadkeys_t)
|
||||
|
||||
diff --git a/policy/modules/services/abrt.te b/policy/modules/services/abrt.te
|
||||
index bd5ff95..c77b9f1 100644
|
||||
index b11c27f..5a452ae 100644
|
||||
--- a/policy/modules/services/abrt.te
|
||||
+++ b/policy/modules/services/abrt.te
|
||||
@@ -105,7 +105,6 @@ allow abrt_t self:fifo_file rw_fifo_file_perms;
|
||||
@ -177,10 +177,10 @@ index 4f9a575..5fc3a55 100644
|
||||
miscfiles_read_fonts(plymouthd_t)
|
||||
miscfiles_manage_fonts_cache(plymouthd_t)
|
||||
diff --git a/policy/modules/services/virt.te b/policy/modules/services/virt.te
|
||||
index 52df08a..7790f7e 100644
|
||||
index ea9593c..0e641fa 100644
|
||||
--- a/policy/modules/services/virt.te
|
||||
+++ b/policy/modules/services/virt.te
|
||||
@@ -882,6 +882,7 @@ fs_getattr_xattr_fs(svirt_lxc_domain)
|
||||
@@ -888,6 +888,7 @@ fs_getattr_xattr_fs(svirt_lxc_domain)
|
||||
fs_list_inotifyfs(svirt_lxc_domain)
|
||||
fs_dontaudit_getattr_xattr_fs(svirt_lxc_domain)
|
||||
|
||||
@ -189,23 +189,24 @@ index 52df08a..7790f7e 100644
|
||||
auth_dontaudit_write_login_records(svirt_lxc_domain)
|
||||
auth_search_pam_console_data(svirt_lxc_domain)
|
||||
diff --git a/policy/modules/system/authlogin.fc b/policy/modules/system/authlogin.fc
|
||||
index 59742f4..904e39c 100644
|
||||
index 59742f4..02a592a 100644
|
||||
--- a/policy/modules/system/authlogin.fc
|
||||
+++ b/policy/modules/system/authlogin.fc
|
||||
@@ -7,6 +7,8 @@
|
||||
@@ -7,6 +7,9 @@
|
||||
/etc/passwd\.lock -- gen_context(system_u:object_r:shadow_t,s0)
|
||||
/etc/passwd\.adjunct.* -- gen_context(system_u:object_r:shadow_t,s0)
|
||||
/etc/shadow.* -- gen_context(system_u:object_r:shadow_t,s0)
|
||||
+/etc/passwd-? -- gen_context(system_u:object_r:passwd_file_t,s0)
|
||||
+/etc/ptmptmp -- gen_context(system_u:object_r:passwd_file_t,s0)
|
||||
+/etc/group-? -- gen_context(system_u:object_r:passwd_file_t,s0)
|
||||
|
||||
/sbin/pam_console_apply -- gen_context(system_u:object_r:pam_console_exec_t,s0)
|
||||
/sbin/pam_timestamp_check -- gen_context(system_u:object_r:pam_exec_t,s0)
|
||||
diff --git a/policy/modules/system/authlogin.if b/policy/modules/system/authlogin.if
|
||||
index f05a80f..4372e5d 100644
|
||||
index e3720d4..8b30edb 100644
|
||||
--- a/policy/modules/system/authlogin.if
|
||||
+++ b/policy/modules/system/authlogin.if
|
||||
@@ -558,7 +558,6 @@ interface(`auth_domtrans_upd_passwd',`
|
||||
@@ -557,7 +557,6 @@ interface(`auth_domtrans_upd_passwd',`
|
||||
|
||||
domtrans_pattern($1, updpwd_exec_t, updpwd_t)
|
||||
auth_dontaudit_read_shadow($1)
|
||||
@ -213,7 +214,7 @@ index f05a80f..4372e5d 100644
|
||||
')
|
||||
|
||||
########################################
|
||||
@@ -755,6 +754,10 @@ interface(`auth_manage_shadow',`
|
||||
@@ -754,6 +753,10 @@ interface(`auth_manage_shadow',`
|
||||
|
||||
allow $1 shadow_t:file manage_file_perms;
|
||||
typeattribute $1 can_read_shadow_passwords, can_write_shadow_passwords;
|
||||
@ -224,7 +225,7 @@ index f05a80f..4372e5d 100644
|
||||
')
|
||||
|
||||
#######################################
|
||||
@@ -895,6 +898,9 @@ interface(`auth_manage_faillog',`
|
||||
@@ -894,6 +897,9 @@ interface(`auth_manage_faillog',`
|
||||
files_search_pids($1)
|
||||
allow $1 faillog_t:dir manage_dir_perms;
|
||||
allow $1 faillog_t:file manage_file_perms;
|
||||
@ -234,7 +235,7 @@ index f05a80f..4372e5d 100644
|
||||
')
|
||||
|
||||
#######################################
|
||||
@@ -1735,6 +1741,7 @@ interface(`auth_manage_login_records',`
|
||||
@@ -1734,6 +1740,7 @@ interface(`auth_manage_login_records',`
|
||||
|
||||
logging_rw_generic_log_dirs($1)
|
||||
allow $1 wtmp_t:file manage_file_perms;
|
||||
@ -242,7 +243,7 @@ index f05a80f..4372e5d 100644
|
||||
')
|
||||
|
||||
########################################
|
||||
@@ -1810,19 +1817,118 @@ interface(`auth_unconfined',`
|
||||
@@ -1809,19 +1816,123 @@ interface(`auth_unconfined',`
|
||||
interface(`authlogin_filetrans_named_content',`
|
||||
gen_require(`
|
||||
type shadow_t;
|
||||
@ -251,7 +252,11 @@ index f05a80f..4372e5d 100644
|
||||
type wtmp_t;
|
||||
')
|
||||
|
||||
+ files_etc_filetrans($1, passwd_file_t, file, "group")
|
||||
+ files_etc_filetrans($1, passwd_file_t, file, "group-")
|
||||
+ files_etc_filetrans($1, passwd_file_t, file, "passwd")
|
||||
+ files_etc_filetrans($1, passwd_file_t, file, "passwd-")
|
||||
+ files_etc_filetrans($1, passwd_file_t, file, "ptmptmp")
|
||||
files_etc_filetrans($1, shadow_t, file, "shadow")
|
||||
files_etc_filetrans($1, shadow_t, file, "shadow-")
|
||||
files_etc_filetrans($1, shadow_t, file, ".pwd.lock")
|
||||
@ -360,6 +365,7 @@ index f05a80f..4372e5d 100644
|
||||
+ allow $1 passwd_file_t:file manage_file_perms;
|
||||
+ files_etc_filetrans($1, passwd_file_t, file, "passwd")
|
||||
+ files_etc_filetrans($1, passwd_file_t, file, "passwd-")
|
||||
+ files_etc_filetrans($1, passwd_file_t, file, "ptmptmp")
|
||||
+ files_etc_filetrans($1, passwd_file_t, file, "group")
|
||||
+ files_etc_filetrans($1, passwd_file_t, file, "group-")
|
||||
+')
|
||||
|
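Review bot: The new `/etc/ptmptmp` entry in authlogin.fc labels a temporary rewrite file with the world-readable `passwd_file_t` type, but nothing in the hunk records which tool creates that file or guarantees it only ever stages `/etc/passwd`/`/etc/group` content; if the same tool stages `/etc/shadow` through it, this labeling (and the matching `files_etc_filetrans($1, passwd_file_t, file, "ptmptmp")` rules added in authlogin.if) would expose shadow data to every domain allowed to read `passwd_file_t`, whereas the neighbouring `/etc/passwd\.lock` and `/etc/shadow.*` entries deliberately stay `shadow_t`. I would confirm this against the source of the tool that writes the file and record the result next to the entry, e.g. `# /etc/ptmptmp: temporary copy written while rewriting passwd/group, never shadow (confirm against the creating tool)`. Separately, `authlogin_filetrans_named_content` now references `passwd_file_t`, so its `gen_require` block — only partly visible in the hunk, showing `type shadow_t;` and `type wtmp_t;` — needs a `type passwd_file_t;` line if it does not already carry one, otherwise callers in other modules will fail to link.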
@ -17,7 +17,7 @@
|
||||
Summary: SELinux policy configuration
|
||||
Name: selinux-policy
|
||||
Version: 3.10.0
|
||||
Release: 40%{?dist}
|
||||
Release: 40.2%{?dist}
|
||||
License: GPLv2+
|
||||
Group: System Environment/Base
|
||||
Source: serefpolicy-%{version}.tgz
|
||||
@ -29,6 +29,7 @@ patch4: execmem.patch
|
||||
patch5: userdomain.patch
|
||||
patch6: apache.patch
|
||||
patch7: ptrace.patch
|
||||
patch8: default_trans.patch
|
||||
Source1: modules-targeted.conf
|
||||
Source2: booleans-targeted.conf
|
||||
Source3: Makefile.devel
|
||||
@ -243,12 +244,13 @@ Based off of reference policy: Checked out revision 2.20091117
|
||||
%setup -n serefpolicy-%{version} -q
|
||||
%patch -p1
|
||||
%patch1 -p1
|
||||
%patch2 -p1
|
||||
%patch2 -p1 -b .passwd
|
||||
%patch3 -p1
|
||||
%patch4 -p1 -b .execmem
|
||||
%patch5 -p1 -b .userdomain
|
||||
%patch6 -p1 -b .apache
|
||||
%patch7 -p1 -b .ptrace
|
||||
%patch8 -p1 -b .default_trans
|
||||
|
||||
%install
|
||||
mkdir selinux_config
|
||||
@ -480,6 +482,9 @@ SELinux Reference policy mls base module.
|
||||
%endif
|
||||
|
||||
%changelog
|
||||
* Mon Oct 17 2011 Dan Walsh <dwalsh@redhat.com> 3.10.0-40.2
|
||||
- Add passwd_file_t for /etc/ptmptmp
|
||||
|
||||
* Fri Oct 14 2011 Miroslav Grepl <mgrepl@redhat.com> 3.10.0-40
|
||||
- Dontaudit access checks for all executables, gnome-shell is doing access(EXEC, X_OK)
|
||||
- Make corosync to be able to relabelto cluster lib fies
|
||||
|