Fixes caused by the labeling of /etc/passwd
This commit is contained in:
parent
0247247d56
commit
a004ca8c3a
142
passwd.patch
142
passwd.patch
@ -1,3 +1,143 @@
|
||||
diff --git a/policy/modules/admin/mcelog.te b/policy/modules/admin/mcelog.te
|
||||
index ef8bc09..ea06507 100644
|
||||
--- a/policy/modules/admin/mcelog.te
|
||||
+++ b/policy/modules/admin/mcelog.te
|
||||
@@ -45,6 +45,8 @@ files_read_etc_files(mcelog_t)
|
||||
# for /dev/mem access
|
||||
mls_file_read_all_levels(mcelog_t)
|
||||
|
||||
+auth_read_passwd(mcelog_t)
|
||||
+
|
||||
logging_send_syslog_msg(mcelog_t)
|
||||
|
||||
miscfiles_read_localization(mcelog_t)
|
||||
diff --git a/policy/modules/admin/usermanage.te b/policy/modules/admin/usermanage.te
|
||||
index 4779a8d..c2ee43e 100644
|
||||
--- a/policy/modules/admin/usermanage.te
|
||||
+++ b/policy/modules/admin/usermanage.te
|
||||
@@ -96,11 +96,12 @@ corecmd_check_exec_shell(chfn_t)
|
||||
|
||||
domain_use_interactive_fds(chfn_t)
|
||||
|
||||
-files_manage_etc_files(chfn_t)
|
||||
files_read_etc_runtime_files(chfn_t)
|
||||
files_dontaudit_search_var(chfn_t)
|
||||
files_dontaudit_search_home(chfn_t)
|
||||
|
||||
+auth_manage_passwd(chfn_t)
|
||||
+
|
||||
# /usr/bin/passwd asks for w access to utmp, but it will operate
|
||||
# correctly without it. Do not audit write denials to utmp.
|
||||
init_dontaudit_rw_utmp(chfn_t)
|
||||
@@ -310,13 +311,14 @@ corenet_tcp_connect_kerberos_password_port(passwd_t)
|
||||
domain_use_interactive_fds(passwd_t)
|
||||
|
||||
files_read_etc_runtime_files(passwd_t)
|
||||
-files_manage_etc_files(passwd_t)
|
||||
files_search_var(passwd_t)
|
||||
files_dontaudit_search_pids(passwd_t)
|
||||
files_relabel_etc_files(passwd_t)
|
||||
|
||||
term_search_ptys(passwd_t)
|
||||
|
||||
+auth_manage_passwd(passwd_t)
|
||||
+
|
||||
# /usr/bin/passwd asks for w access to utmp, but it will operate
|
||||
# correctly without it. Do not audit write denials to utmp.
|
||||
init_dontaudit_rw_utmp(passwd_t)
|
||||
@@ -402,12 +404,13 @@ files_read_usr_files(sysadm_passwd_t)
|
||||
|
||||
domain_use_interactive_fds(sysadm_passwd_t)
|
||||
|
||||
-files_manage_etc_files(sysadm_passwd_t)
|
||||
files_relabel_etc_files(sysadm_passwd_t)
|
||||
files_read_etc_runtime_files(sysadm_passwd_t)
|
||||
# for nscd lookups
|
||||
files_dontaudit_search_pids(sysadm_passwd_t)
|
||||
|
||||
+auth_manage_passwd(sysadm_passwd_t)
|
||||
+
|
||||
# /usr/bin/passwd asks for w access to utmp, but it will operate
|
||||
# correctly without it. Do not audit write denials to utmp.
|
||||
init_dontaudit_rw_utmp(sysadm_passwd_t)
|
||||
@@ -461,7 +464,6 @@ domain_use_interactive_fds(useradd_t)
|
||||
domain_read_all_domains_state(useradd_t)
|
||||
domain_dontaudit_read_all_domains_state(useradd_t)
|
||||
|
||||
-files_manage_etc_files(useradd_t)
|
||||
files_search_var_lib(useradd_t)
|
||||
files_relabel_etc_files(useradd_t)
|
||||
files_read_etc_runtime_files(useradd_t)
|
||||
@@ -488,6 +490,7 @@ auth_rw_faillog(useradd_t)
|
||||
auth_use_nsswitch(useradd_t)
|
||||
# these may be unnecessary due to the above
|
||||
# domtrans_chk_passwd() call.
|
||||
+auth_manage_passwd(useradd_t)
|
||||
auth_manage_shadow(useradd_t)
|
||||
auth_relabel_shadow(useradd_t)
|
||||
auth_etc_filetrans_shadow(useradd_t)
|
||||
diff --git a/policy/modules/apps/loadkeys.te b/policy/modules/apps/loadkeys.te
|
||||
index 50629a8..09669b6 100644
|
||||
--- a/policy/modules/apps/loadkeys.te
|
||||
+++ b/policy/modules/apps/loadkeys.te
|
||||
@@ -31,6 +31,8 @@ files_read_etc_runtime_files(loadkeys_t)
|
||||
term_dontaudit_use_console(loadkeys_t)
|
||||
term_use_unallocated_ttys(loadkeys_t)
|
||||
|
||||
+auth_read_passwd(loadkeys_t)
|
||||
+
|
||||
init_dontaudit_use_fds(loadkeys_t)
|
||||
init_dontaudit_use_script_ptys(loadkeys_t)
|
||||
|
||||
diff --git a/policy/modules/services/abrt.te b/policy/modules/services/abrt.te
|
||||
index bd5ff95..c77b9f1 100644
|
||||
--- a/policy/modules/services/abrt.te
|
||||
+++ b/policy/modules/services/abrt.te
|
||||
@@ -105,7 +105,6 @@ allow abrt_t self:fifo_file rw_fifo_file_perms;
|
||||
allow abrt_t self:tcp_socket create_stream_socket_perms;
|
||||
allow abrt_t self:udp_socket create_socket_perms;
|
||||
allow abrt_t self:unix_dgram_socket create_socket_perms;
|
||||
-allow abrt_t self:netlink_route_socket r_netlink_socket_perms;
|
||||
|
||||
# abrt etc files
|
||||
list_dirs_pattern(abrt_t, abrt_etc_t, abrt_etc_t)
|
||||
@@ -186,10 +185,10 @@ fs_read_nfs_files(abrt_t)
|
||||
fs_read_nfs_symlinks(abrt_t)
|
||||
fs_search_all(abrt_t)
|
||||
|
||||
-sysnet_dns_name_resolve(abrt_t)
|
||||
-
|
||||
logging_read_generic_logs(abrt_t)
|
||||
|
||||
+auth_use_nsswitch(abrt_t)
|
||||
+
|
||||
miscfiles_read_generic_certs(abrt_t)
|
||||
|
||||
userdom_dontaudit_read_user_home_content_files(abrt_t)
|
||||
@@ -209,10 +208,6 @@ optional_policy(`
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
- nis_use_ypbind(abrt_t)
|
||||
-')
|
||||
-
|
||||
-optional_policy(`
|
||||
nsplugin_read_rw_files(abrt_t)
|
||||
nsplugin_read_home(abrt_t)
|
||||
')
|
||||
diff --git a/policy/modules/services/audioentropy.te b/policy/modules/services/audioentropy.te
|
||||
index 2b348c7..b89658c 100644
|
||||
--- a/policy/modules/services/audioentropy.te
|
||||
+++ b/policy/modules/services/audioentropy.te
|
||||
@@ -47,6 +47,8 @@ fs_search_auto_mountpoints(entropyd_t)
|
||||
|
||||
domain_use_interactive_fds(entropyd_t)
|
||||
|
||||
+auth_read_passwd(entropyd_t)
|
||||
+
|
||||
logging_send_syslog_msg(entropyd_t)
|
||||
|
||||
miscfiles_read_localization(entropyd_t)
|
||||
diff --git a/policy/modules/system/authlogin.fc b/policy/modules/system/authlogin.fc
|
||||
index 59742f4..51ca568 100644
|
||||
--- a/policy/modules/system/authlogin.fc
|
||||
@ -11,7 +151,7 @@ index 59742f4..51ca568 100644
|
||||
/sbin/pam_console_apply -- gen_context(system_u:object_r:pam_console_exec_t,s0)
|
||||
/sbin/pam_timestamp_check -- gen_context(system_u:object_r:pam_exec_t,s0)
|
||||
diff --git a/policy/modules/system/authlogin.if b/policy/modules/system/authlogin.if
|
||||
index f05a80f..c15deb5 100644
|
||||
index f05a80f..c317b16 100644
|
||||
--- a/policy/modules/system/authlogin.if
|
||||
+++ b/policy/modules/system/authlogin.if
|
||||
@@ -558,7 +558,6 @@ interface(`auth_domtrans_upd_passwd',`
|
||||
|
@ -17,7 +17,7 @@
|
||||
Summary: SELinux policy configuration
|
||||
Name: selinux-policy
|
||||
Version: 3.10.0
|
||||
Release: 34.3%{?dist}
|
||||
Release: 34.5%{?dist}
|
||||
License: GPLv2+
|
||||
Group: System Environment/Base
|
||||
Source: serefpolicy-%{version}.tgz
|
||||
@ -470,6 +470,9 @@ SELinux Reference policy mls base module.
|
||||
%endif
|
||||
|
||||
%changelog
|
||||
* Thu Sep 29 2011 Dan Walsh <dwalsh@redhat.com> 3.10.0-34.4
|
||||
- Fixes caused by the labeling of /etc/passwd
|
||||
|
||||
* Thu Sep 29 2011 Miroslav Grepl <mgrepl@redhat.com> 3.10.0-34.3
|
||||
- Add support for Clustered Samba commands
|
||||
- Allow ricci_modrpm_t to send log msgs
|
||||
|
Loading…
Reference in New Issue
Block a user