Fixes caused by the labeling of /etc/passwd

2011-09-29 13:50:39 -04:00 · 2011-09-29 13:50:39 -04:00 · a004ca8c3a
commit a004ca8c3a
parent 0247247d56
2 changed files with 145 additions and 2 deletions
--- a/passwd.patch
+++ b/passwd.patch
@ -1,3 +1,143 @@
 diff --git a/policy/modules/admin/mcelog.te b/policy/modules/admin/mcelog.te
 index ef8bc09..ea06507 100644
 --- a/policy/modules/admin/mcelog.te
 +++ b/policy/modules/admin/mcelog.te
@@ -45,6 +45,8 @@ files_read_etc_files(mcelog_t)
 # for /dev/mem access
 mls_file_read_all_levels(mcelog_t)
 +auth_read_passwd(mcelog_t)
 +
 logging_send_syslog_msg(mcelog_t)
 miscfiles_read_localization(mcelog_t)
 diff --git a/policy/modules/admin/usermanage.te b/policy/modules/admin/usermanage.te
 index 4779a8d..c2ee43e 100644
 --- a/policy/modules/admin/usermanage.te
 +++ b/policy/modules/admin/usermanage.te
@@ -96,11 +96,12 @@ corecmd_check_exec_shell(chfn_t)
 domain_use_interactive_fds(chfn_t)
 -files_manage_etc_files(chfn_t)
 files_read_etc_runtime_files(chfn_t)
 files_dontaudit_search_var(chfn_t)
 files_dontaudit_search_home(chfn_t)
 +auth_manage_passwd(chfn_t)
 +
 # /usr/bin/passwd asks for w access to utmp, but it will operate
 # correctly without it.  Do not audit write denials to utmp.
 init_dontaudit_rw_utmp(chfn_t)
@@ -310,13 +311,14 @@ corenet_tcp_connect_kerberos_password_port(passwd_t)
 domain_use_interactive_fds(passwd_t)
 files_read_etc_runtime_files(passwd_t)
 -files_manage_etc_files(passwd_t)
 files_search_var(passwd_t)
 files_dontaudit_search_pids(passwd_t)
 files_relabel_etc_files(passwd_t)
 term_search_ptys(passwd_t)
 +auth_manage_passwd(passwd_t)
 +
 # /usr/bin/passwd asks for w access to utmp, but it will operate
 # correctly without it.  Do not audit write denials to utmp.
 init_dontaudit_rw_utmp(passwd_t)
@@ -402,12 +404,13 @@ files_read_usr_files(sysadm_passwd_t)
 domain_use_interactive_fds(sysadm_passwd_t)
 -files_manage_etc_files(sysadm_passwd_t)
 files_relabel_etc_files(sysadm_passwd_t)
 files_read_etc_runtime_files(sysadm_passwd_t)
 # for nscd lookups
 files_dontaudit_search_pids(sysadm_passwd_t)
 +auth_manage_passwd(sysadm_passwd_t)
 +
 # /usr/bin/passwd asks for w access to utmp, but it will operate
 # correctly without it.  Do not audit write denials to utmp.
 init_dontaudit_rw_utmp(sysadm_passwd_t)
@@ -461,7 +464,6 @@ domain_use_interactive_fds(useradd_t)
 domain_read_all_domains_state(useradd_t)
 domain_dontaudit_read_all_domains_state(useradd_t)
 -files_manage_etc_files(useradd_t)
 files_search_var_lib(useradd_t)
 files_relabel_etc_files(useradd_t)
 files_read_etc_runtime_files(useradd_t)
@@ -488,6 +490,7 @@ auth_rw_faillog(useradd_t)
 auth_use_nsswitch(useradd_t)
 # these may be unnecessary due to the above
 # domtrans_chk_passwd() call.
 +auth_manage_passwd(useradd_t)
 auth_manage_shadow(useradd_t)
 auth_relabel_shadow(useradd_t)
 auth_etc_filetrans_shadow(useradd_t)
 diff --git a/policy/modules/apps/loadkeys.te b/policy/modules/apps/loadkeys.te
 index 50629a8..09669b6 100644
 --- a/policy/modules/apps/loadkeys.te
 +++ b/policy/modules/apps/loadkeys.te
@@ -31,6 +31,8 @@ files_read_etc_runtime_files(loadkeys_t)
 term_dontaudit_use_console(loadkeys_t)
 term_use_unallocated_ttys(loadkeys_t)
 +auth_read_passwd(loadkeys_t)
 +
 init_dontaudit_use_fds(loadkeys_t)
 init_dontaudit_use_script_ptys(loadkeys_t)
 diff --git a/policy/modules/services/abrt.te b/policy/modules/services/abrt.te
 index bd5ff95..c77b9f1 100644
 --- a/policy/modules/services/abrt.te
 +++ b/policy/modules/services/abrt.te
@@ -105,7 +105,6 @@ allow abrt_t self:fifo_file rw_fifo_file_perms;
 allow abrt_t self:tcp_socket create_stream_socket_perms;
 allow abrt_t self:udp_socket create_socket_perms;
 allow abrt_t self:unix_dgram_socket create_socket_perms;
 -allow abrt_t self:netlink_route_socket r_netlink_socket_perms;
 # abrt etc files
 list_dirs_pattern(abrt_t, abrt_etc_t, abrt_etc_t)
@@ -186,10 +185,10 @@ fs_read_nfs_files(abrt_t)
 fs_read_nfs_symlinks(abrt_t)
 fs_search_all(abrt_t)
 -sysnet_dns_name_resolve(abrt_t)
 -
 logging_read_generic_logs(abrt_t)
 +auth_use_nsswitch(abrt_t)
 +
 miscfiles_read_generic_certs(abrt_t)
 userdom_dontaudit_read_user_home_content_files(abrt_t)
@@ -209,10 +208,6 @@ optional_policy(`
 ')
 optional_policy(`
 -	nis_use_ypbind(abrt_t)
 -')
 -
 -optional_policy(`
 	nsplugin_read_rw_files(abrt_t)
 	nsplugin_read_home(abrt_t)
 ')
 diff --git a/policy/modules/services/audioentropy.te b/policy/modules/services/audioentropy.te
 index 2b348c7..b89658c 100644
 --- a/policy/modules/services/audioentropy.te
 +++ b/policy/modules/services/audioentropy.te
@@ -47,6 +47,8 @@ fs_search_auto_mountpoints(entropyd_t)
 domain_use_interactive_fds(entropyd_t)
 +auth_read_passwd(entropyd_t)
 +
 logging_send_syslog_msg(entropyd_t)
 miscfiles_read_localization(entropyd_t)
 diff --git a/policy/modules/system/authlogin.fc b/policy/modules/system/authlogin.fc
 index 59742f4..51ca568 100644
 --- a/policy/modules/system/authlogin.fc
@ -11,7 +151,7 @@ index 59742f4..51ca568 100644
 /sbin/pam_console_apply	 --	gen_context(system_u:object_r:pam_console_exec_t,s0)
 /sbin/pam_timestamp_check --	gen_context(system_u:object_r:pam_exec_t,s0)
 diff --git a/policy/modules/system/authlogin.if b/policy/modules/system/authlogin.if
-index f05a80f..c15deb5 100644
+index f05a80f..c317b16 100644
 --- a/policy/modules/system/authlogin.if
 +++ b/policy/modules/system/authlogin.if
@@ -558,7 +558,6 @@ interface(`auth_domtrans_upd_passwd',`
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@ -17,7 +17,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.10.0
-Release: 34.3%{?dist}
+Release: 34.5%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@ -470,6 +470,9 @@ SELinux Reference policy mls base module.
 %endif
 %changelog
 * Thu Sep 29 2011 Dan Walsh <dwalsh@redhat.com> 3.10.0-34.4
 - Fixes caused by the labeling of /etc/passwd
 * Thu Sep 29 2011 Miroslav Grepl <mgrepl@redhat.com> 3.10.0-34.3
 - Add support for Clustered Samba commands
 - Allow ricci_modrpm_t to send log msgs