Fixes caused by the labeling of /etc/passwd

This commit is contained in:
Dan Walsh 2011-09-29 13:50:39 -04:00
parent 0247247d56
commit a004ca8c3a
2 changed files with 145 additions and 2 deletions

View File

@ -1,3 +1,143 @@
diff --git a/policy/modules/admin/mcelog.te b/policy/modules/admin/mcelog.te
index ef8bc09..ea06507 100644
--- a/policy/modules/admin/mcelog.te
+++ b/policy/modules/admin/mcelog.te
@@ -45,6 +45,8 @@ files_read_etc_files(mcelog_t)
# for /dev/mem access
mls_file_read_all_levels(mcelog_t)
+auth_read_passwd(mcelog_t)
+
logging_send_syslog_msg(mcelog_t)
miscfiles_read_localization(mcelog_t)
diff --git a/policy/modules/admin/usermanage.te b/policy/modules/admin/usermanage.te
index 4779a8d..c2ee43e 100644
--- a/policy/modules/admin/usermanage.te
+++ b/policy/modules/admin/usermanage.te
@@ -96,11 +96,12 @@ corecmd_check_exec_shell(chfn_t)
domain_use_interactive_fds(chfn_t)
-files_manage_etc_files(chfn_t)
files_read_etc_runtime_files(chfn_t)
files_dontaudit_search_var(chfn_t)
files_dontaudit_search_home(chfn_t)
+auth_manage_passwd(chfn_t)
+
# /usr/bin/passwd asks for w access to utmp, but it will operate
# correctly without it. Do not audit write denials to utmp.
init_dontaudit_rw_utmp(chfn_t)
@@ -310,13 +311,14 @@ corenet_tcp_connect_kerberos_password_port(passwd_t)
domain_use_interactive_fds(passwd_t)
files_read_etc_runtime_files(passwd_t)
-files_manage_etc_files(passwd_t)
files_search_var(passwd_t)
files_dontaudit_search_pids(passwd_t)
files_relabel_etc_files(passwd_t)
term_search_ptys(passwd_t)
+auth_manage_passwd(passwd_t)
+
# /usr/bin/passwd asks for w access to utmp, but it will operate
# correctly without it. Do not audit write denials to utmp.
init_dontaudit_rw_utmp(passwd_t)
@@ -402,12 +404,13 @@ files_read_usr_files(sysadm_passwd_t)
domain_use_interactive_fds(sysadm_passwd_t)
-files_manage_etc_files(sysadm_passwd_t)
files_relabel_etc_files(sysadm_passwd_t)
files_read_etc_runtime_files(sysadm_passwd_t)
# for nscd lookups
files_dontaudit_search_pids(sysadm_passwd_t)
+auth_manage_passwd(sysadm_passwd_t)
+
# /usr/bin/passwd asks for w access to utmp, but it will operate
# correctly without it. Do not audit write denials to utmp.
init_dontaudit_rw_utmp(sysadm_passwd_t)
@@ -461,7 +464,6 @@ domain_use_interactive_fds(useradd_t)
domain_read_all_domains_state(useradd_t)
domain_dontaudit_read_all_domains_state(useradd_t)
-files_manage_etc_files(useradd_t)
files_search_var_lib(useradd_t)
files_relabel_etc_files(useradd_t)
files_read_etc_runtime_files(useradd_t)
@@ -488,6 +490,7 @@ auth_rw_faillog(useradd_t)
auth_use_nsswitch(useradd_t)
# these may be unnecessary due to the above
# domtrans_chk_passwd() call.
+auth_manage_passwd(useradd_t)
auth_manage_shadow(useradd_t)
auth_relabel_shadow(useradd_t)
auth_etc_filetrans_shadow(useradd_t)
diff --git a/policy/modules/apps/loadkeys.te b/policy/modules/apps/loadkeys.te
index 50629a8..09669b6 100644
--- a/policy/modules/apps/loadkeys.te
+++ b/policy/modules/apps/loadkeys.te
@@ -31,6 +31,8 @@ files_read_etc_runtime_files(loadkeys_t)
term_dontaudit_use_console(loadkeys_t)
term_use_unallocated_ttys(loadkeys_t)
+auth_read_passwd(loadkeys_t)
+
init_dontaudit_use_fds(loadkeys_t)
init_dontaudit_use_script_ptys(loadkeys_t)
diff --git a/policy/modules/services/abrt.te b/policy/modules/services/abrt.te
index bd5ff95..c77b9f1 100644
--- a/policy/modules/services/abrt.te
+++ b/policy/modules/services/abrt.te
@@ -105,7 +105,6 @@ allow abrt_t self:fifo_file rw_fifo_file_perms;
allow abrt_t self:tcp_socket create_stream_socket_perms;
allow abrt_t self:udp_socket create_socket_perms;
allow abrt_t self:unix_dgram_socket create_socket_perms;
-allow abrt_t self:netlink_route_socket r_netlink_socket_perms;
# abrt etc files
list_dirs_pattern(abrt_t, abrt_etc_t, abrt_etc_t)
@@ -186,10 +185,10 @@ fs_read_nfs_files(abrt_t)
fs_read_nfs_symlinks(abrt_t)
fs_search_all(abrt_t)
-sysnet_dns_name_resolve(abrt_t)
-
logging_read_generic_logs(abrt_t)
+auth_use_nsswitch(abrt_t)
+
miscfiles_read_generic_certs(abrt_t)
userdom_dontaudit_read_user_home_content_files(abrt_t)
@@ -209,10 +208,6 @@ optional_policy(`
')
optional_policy(`
- nis_use_ypbind(abrt_t)
-')
-
-optional_policy(`
nsplugin_read_rw_files(abrt_t)
nsplugin_read_home(abrt_t)
')
diff --git a/policy/modules/services/audioentropy.te b/policy/modules/services/audioentropy.te
index 2b348c7..b89658c 100644
--- a/policy/modules/services/audioentropy.te
+++ b/policy/modules/services/audioentropy.te
@@ -47,6 +47,8 @@ fs_search_auto_mountpoints(entropyd_t)
domain_use_interactive_fds(entropyd_t)
+auth_read_passwd(entropyd_t)
+
logging_send_syslog_msg(entropyd_t)
miscfiles_read_localization(entropyd_t)
diff --git a/policy/modules/system/authlogin.fc b/policy/modules/system/authlogin.fc
index 59742f4..51ca568 100644
--- a/policy/modules/system/authlogin.fc
@ -11,7 +151,7 @@ index 59742f4..51ca568 100644
/sbin/pam_console_apply -- gen_context(system_u:object_r:pam_console_exec_t,s0)
/sbin/pam_timestamp_check -- gen_context(system_u:object_r:pam_exec_t,s0)
diff --git a/policy/modules/system/authlogin.if b/policy/modules/system/authlogin.if
index f05a80f..c15deb5 100644
index f05a80f..c317b16 100644
--- a/policy/modules/system/authlogin.if
+++ b/policy/modules/system/authlogin.if
@@ -558,7 +558,6 @@ interface(`auth_domtrans_upd_passwd',`

View File

@ -17,7 +17,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.10.0
Release: 34.3%{?dist}
Release: 34.5%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@ -470,6 +470,9 @@ SELinux Reference policy mls base module.
%endif
%changelog
* Thu Sep 29 2011 Dan Walsh <dwalsh@redhat.com> 3.10.0-34.4
- Fixes caused by the labeling of /etc/passwd
* Thu Sep 29 2011 Miroslav Grepl <mgrepl@redhat.com> 3.10.0-34.3
- Add support for Clustered Samba commands
- Allow ricci_modrpm_t to send log msgs