Fixes caused by the labeling of /etc/passwd

passwd.patch

@@ -1,3 +1,143 @@
+diff --git a/policy/modules/admin/mcelog.te b/policy/modules/admin/mcelog.te
+index ef8bc09..ea06507 100644
+--- a/policy/modules/admin/mcelog.te
++++ b/policy/modules/admin/mcelog.te
+@@ -45,6 +45,8 @@ files_read_etc_files(mcelog_t)
+ # for /dev/mem access
+ mls_file_read_all_levels(mcelog_t)
+ 
++auth_read_passwd(mcelog_t)
++
+ logging_send_syslog_msg(mcelog_t)
+ 
+ miscfiles_read_localization(mcelog_t)
+diff --git a/policy/modules/admin/usermanage.te b/policy/modules/admin/usermanage.te
+index 4779a8d..c2ee43e 100644
+--- a/policy/modules/admin/usermanage.te
++++ b/policy/modules/admin/usermanage.te
+@@ -96,11 +96,12 @@ corecmd_check_exec_shell(chfn_t)
+ 
+ domain_use_interactive_fds(chfn_t)
+ 
+-files_manage_etc_files(chfn_t)
+ files_read_etc_runtime_files(chfn_t)
+ files_dontaudit_search_var(chfn_t)
+ files_dontaudit_search_home(chfn_t)
+ 
++auth_manage_passwd(chfn_t)
++
+ # /usr/bin/passwd asks for w access to utmp, but it will operate
+ # correctly without it.  Do not audit write denials to utmp.
+ init_dontaudit_rw_utmp(chfn_t)
+@@ -310,13 +311,14 @@ corenet_tcp_connect_kerberos_password_port(passwd_t)
+ domain_use_interactive_fds(passwd_t)
+ 
+ files_read_etc_runtime_files(passwd_t)
+-files_manage_etc_files(passwd_t)
+ files_search_var(passwd_t)
+ files_dontaudit_search_pids(passwd_t)
+ files_relabel_etc_files(passwd_t)
+ 
+ term_search_ptys(passwd_t)
+ 
++auth_manage_passwd(passwd_t)
++
+ # /usr/bin/passwd asks for w access to utmp, but it will operate
+ # correctly without it.  Do not audit write denials to utmp.
+ init_dontaudit_rw_utmp(passwd_t)
+@@ -402,12 +404,13 @@ files_read_usr_files(sysadm_passwd_t)
+ 
+ domain_use_interactive_fds(sysadm_passwd_t)
+ 
+-files_manage_etc_files(sysadm_passwd_t)
+ files_relabel_etc_files(sysadm_passwd_t)
+ files_read_etc_runtime_files(sysadm_passwd_t)
+ # for nscd lookups
+ files_dontaudit_search_pids(sysadm_passwd_t)
+ 
++auth_manage_passwd(sysadm_passwd_t)
++
+ # /usr/bin/passwd asks for w access to utmp, but it will operate
+ # correctly without it.  Do not audit write denials to utmp.
+ init_dontaudit_rw_utmp(sysadm_passwd_t)
+@@ -461,7 +464,6 @@ domain_use_interactive_fds(useradd_t)
+ domain_read_all_domains_state(useradd_t)
+ domain_dontaudit_read_all_domains_state(useradd_t)
+ 
+-files_manage_etc_files(useradd_t)
+ files_search_var_lib(useradd_t)
+ files_relabel_etc_files(useradd_t)
+ files_read_etc_runtime_files(useradd_t)
+@@ -488,6 +490,7 @@ auth_rw_faillog(useradd_t)
+ auth_use_nsswitch(useradd_t)
+ # these may be unnecessary due to the above
+ # domtrans_chk_passwd() call.
++auth_manage_passwd(useradd_t)
+ auth_manage_shadow(useradd_t)
+ auth_relabel_shadow(useradd_t)
+ auth_etc_filetrans_shadow(useradd_t)
+diff --git a/policy/modules/apps/loadkeys.te b/policy/modules/apps/loadkeys.te
+index 50629a8..09669b6 100644
+--- a/policy/modules/apps/loadkeys.te
++++ b/policy/modules/apps/loadkeys.te
+@@ -31,6 +31,8 @@ files_read_etc_runtime_files(loadkeys_t)
+ term_dontaudit_use_console(loadkeys_t)
+ term_use_unallocated_ttys(loadkeys_t)
+ 
++auth_read_passwd(loadkeys_t)
++
+ init_dontaudit_use_fds(loadkeys_t)
+ init_dontaudit_use_script_ptys(loadkeys_t)
+ 
+diff --git a/policy/modules/services/abrt.te b/policy/modules/services/abrt.te
+index bd5ff95..c77b9f1 100644
+--- a/policy/modules/services/abrt.te
++++ b/policy/modules/services/abrt.te
+@@ -105,7 +105,6 @@ allow abrt_t self:fifo_file rw_fifo_file_perms;
+ allow abrt_t self:tcp_socket create_stream_socket_perms;
+ allow abrt_t self:udp_socket create_socket_perms;
+ allow abrt_t self:unix_dgram_socket create_socket_perms;
+-allow abrt_t self:netlink_route_socket r_netlink_socket_perms;
+ 
+ # abrt etc files
+ list_dirs_pattern(abrt_t, abrt_etc_t, abrt_etc_t)
+@@ -186,10 +185,10 @@ fs_read_nfs_files(abrt_t)
+ fs_read_nfs_symlinks(abrt_t)
+ fs_search_all(abrt_t)
+ 
+-sysnet_dns_name_resolve(abrt_t)
+-
+ logging_read_generic_logs(abrt_t)
+ 
++auth_use_nsswitch(abrt_t)
++
+ miscfiles_read_generic_certs(abrt_t)
+ 
+ userdom_dontaudit_read_user_home_content_files(abrt_t)
+@@ -209,10 +208,6 @@ optional_policy(`
+ ')
+ 
+ optional_policy(`
+-	nis_use_ypbind(abrt_t)
+-')
+-
+-optional_policy(`
+ 	nsplugin_read_rw_files(abrt_t)
+ 	nsplugin_read_home(abrt_t)
+ ')
+diff --git a/policy/modules/services/audioentropy.te b/policy/modules/services/audioentropy.te
+index 2b348c7..b89658c 100644
+--- a/policy/modules/services/audioentropy.te
++++ b/policy/modules/services/audioentropy.te
+@@ -47,6 +47,8 @@ fs_search_auto_mountpoints(entropyd_t)
+ 
+ domain_use_interactive_fds(entropyd_t)
+ 
++auth_read_passwd(entropyd_t)
++
+ logging_send_syslog_msg(entropyd_t)
+ 
+ miscfiles_read_localization(entropyd_t)
 diff --git a/policy/modules/system/authlogin.fc b/policy/modules/system/authlogin.fc
 index 59742f4..51ca568 100644
 --- a/policy/modules/system/authlogin.fc
@@ -11,7 +151,7 @@ index 59742f4..51ca568 100644
  /sbin/pam_console_apply	 --	gen_context(system_u:object_r:pam_console_exec_t,s0)
  /sbin/pam_timestamp_check --	gen_context(system_u:object_r:pam_exec_t,s0)
 diff --git a/policy/modules/system/authlogin.if b/policy/modules/system/authlogin.if
-index f05a80f..c15deb5 100644
+index f05a80f..c317b16 100644
 --- a/policy/modules/system/authlogin.if
 +++ b/policy/modules/system/authlogin.if
 @@ -558,7 +558,6 @@ interface(`auth_domtrans_upd_passwd',`

selinux-policy.spec

@@ -17,7 +17,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.10.0
-Release: 34.3%{?dist}
+Release: 34.5%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@@ -470,6 +470,9 @@ SELinux Reference policy mls base module.
 %endif
 
 %changelog
+* Thu Sep 29 2011 Dan Walsh <dwalsh@redhat.com> 3.10.0-34.4
+- Fixes caused by the labeling of /etc/passwd
+
 * Thu Sep 29 2011 Miroslav Grepl <mgrepl@redhat.com> 3.10.0-34.3
 - Add support for Clustered Samba commands
 - Allow ricci_modrpm_t to send log msgs