clean up authentication attributes

refpolicy/policy/modules/admin/usermanage.te

@@ -10,7 +10,7 @@ policy_module(usermanage,1.0)
 type admin_passwd_exec_t;
 files_make_file(admin_passwd_exec_t)
 
-type chfn_t; #, auth_chkpwd
+type chfn_t;
 kernel_make_object_identity_change_constraint_exception(chfn_t)
 domain_make_domain(chfn_t)
 role system_r types chfn_t;
@@ -36,7 +36,7 @@ kernel_make_object_identity_change_constraint_exception(groupadd_t)
 domain_make_system_domain(groupadd_t,groupadd_exec_t)
 role system_r types groupadd_t;
 
-type passwd_t; #,auth_write;
+type passwd_t;
 kernel_make_object_identity_change_constraint_exception(passwd_t)
 domain_make_domain(passwd_t)
 role system_r types passwd_t;
@@ -44,7 +44,7 @@ role system_r types passwd_t;
 type passwd_exec_t;
 domain_make_entrypoint_file(passwd_t,passwd_exec_t)
 
-type sysadm_passwd_t; #, auth_write
+type sysadm_passwd_t;
 kernel_make_object_identity_change_constraint_exception(sysadm_passwd_t)
 domain_make_domain(sysadm_passwd_t)
 domain_make_entrypoint_file(sysadm_passwd_t,admin_passwd_exec_t)
@@ -110,6 +110,7 @@ miscfiles_read_localization(chfn_t)
 
 logging_send_system_log_message(chfn_t)
 
+authlogin_check_password_transition(chfn_t)
 authlogin_ignore_read_shadow_passwords(chfn_t)
 
 ifdef(`TODO',`
@@ -327,11 +328,12 @@ logging_send_system_log_message(passwd_t)
 
 miscfiles_read_localization(passwd_t)
 
+authlogin_manage_shadow_passwords(passwd_t)
+
 ifdef(`TODO',`
 role sysadm_r types passwd_t;
 
 # Update /etc/shadow and /etc/passwd
-file_type_auto_trans(passwd_t, etc_t, shadow_t, file)
 allow passwd_t { etc_t shadow_t }:file { relabelfrom relabelto };
 
 allow passwd_t unpriv_userdomain:fd use;
@@ -432,6 +434,8 @@ miscfiles_read_localization(sysadm_passwd_t)
 
 logging_send_system_log_message(sysadm_passwd_t)
 
+authlogin_manage_shadow_passwords(sysadm_passwd_t)
+
 ifdef(`TODO',`
 role sysadm_r types sysadm_passwd_t;
 domain_auto_trans(sysadm_t, admin_passwd_exec_t, sysadm_passwd_t)
@@ -453,7 +457,6 @@ allow sysadm_passwd_t shell_exec_t:file execute;
 dontaudit sysadm_passwd_t { user_home_dir_type user_home_type }:dir search;
 
 # Update /etc/shadow and /etc/passwd
-file_type_auto_trans(sysadm_passwd_t, etc_t, shadow_t, file)
 allow sysadm_passwd_t { etc_t shadow_t }:file { relabelfrom relabelto };
 
 # for vipw - vi looks in the root home directory for config

refpolicy/policy/modules/services/remotelogin.te

@@ -7,7 +7,7 @@ policy_module(authlogin,1.0)
 # Declarations
 #
 
-type remote_login_t; #, privlog, auth_chkpwd, nscd_client_domain;
+type remote_login_t; #, nscd_client_domain;
 kernel_make_object_identity_change_constraint_exception(remote_login_t)
 kernel_make_process_identity_change_constraint_exception(remote_login_t)
 kernel_make_role_change_constraint_exception(remote_login_t)
@@ -68,9 +68,12 @@ files_read_general_application_resources(remote_login_t)
 libraries_use_dynamic_loader(remote_login_t)
 libraries_read_shared_libraries(remote_login_t)
 
+logging_send_system_log_message(remote_login_t)
+
 selinux_read_config(remote_login_t)
 selinux_read_default_contexts(remote_login_t)
 
+authlogin_check_password_transition(remote_login_t)
 authlogin_ignore_read_shadow_passwords(remote_login_t)
 authlogin_modify_login_records(remote_login_t)
 authlogin_modify_last_login_log(remote_login_t)

refpolicy/policy/modules/system/authlogin.if

@@ -175,6 +175,41 @@ type shadow_t;
 class file { getattr read write };
 ')
 
+#######################################
+#
+# authlogin_manage_shadow_passwords(domain)
+#
+define(`authlogin_manage_shadow_passwords',`
+requires_block_template(`$0'_depend)
+files_create_private_config($1,shadow_t,file)
+allow $1 shadow_t:file { create ioctl read getattr lock write setattr append link unlink rename };
+typeattribute $1 can_read_shadow_passwords;
+typeattribute $1 can_write_shadow_passwords;
+')
+
+define(`authlogin_manage_shadow_passwords_depend',`
+attribute can_read_shadow_passwords;
+attribute can_write_shadow_passwords;
+type shadow_t;
+class file { create ioctl read getattr lock write setattr append link unlink rename };
+')
+
+#######################################
+#
+# authlogin_relabel_to_shadow_passwords(domain)
+#
+define(`authlogin_relabel_to_shadow_passwords',`
+requires_block_template(`$0'_depend)
+allow $1 shadow_t:file relabelto;
+typeattribute $1 can_relabelto_shadow_passwords;
+')
+
+define(`authlogin_relabel_to_shadow_passwords_depend',`
+attribute can_relabelto_shadow_passwords;
+type shadow_t;
+class file relabelto;
+')
+
 #######################################
 #
 # authlogin_modify_last_login_log(domain)

refpolicy/policy/modules/system/authlogin.te

@@ -45,8 +45,10 @@ type shadow_t;
 files_make_file(shadow_t)
 attribute can_read_shadow_passwords;
 attribute can_write_shadow_passwords;
+attribute can_relabelto_shadow_passwords;
 neverallow ~can_read_shadow_passwords shadow_t:file read;
-neverallow ~can_write_shadow_passwords shadow_t:file write;
+neverallow ~can_write_shadow_passwords shadow_t:file { create write };
+neverallow ~can_relabelto_shadow_passwords shadow_t:file relabelto;
 
 type utempter_t; #, nscd_client_domain;
 domain_make_domain(utempter_t)

refpolicy/policy/modules/system/locallogin.te

@@ -7,7 +7,7 @@ policy_module(locallogin,1.0)
 # Declarations
 #
 
-type local_login_t; #, auth_chkpwd, nscd_client_domain;
+type local_login_t; #, nscd_client_domain;
 kernel_make_object_identity_change_constraint_exception(local_login_t)
 kernel_make_process_identity_change_constraint_exception(local_login_t)
 kernel_make_role_change_constraint_exception(local_login_t)
@@ -83,6 +83,7 @@ logging_send_system_log_message(local_login_t)
 selinux_read_config(local_login_t)
 selinux_read_default_contexts(local_login_t)
 
+authlogin_check_password_transition(local_login_t)
 authlogin_ignore_read_shadow_passwords(local_login_t)
 authlogin_modify_login_records(local_login_t)
 authlogin_modify_last_login_log(local_login_t)

refpolicy/policy/modules/system/selinux.te

@@ -38,10 +38,11 @@ role system_r types load_policy_t;
 type load_policy_exec_t;
 domain_make_entrypoint_file(load_policy_t,load_policy_exec_t)
 
-type newrole_t; # , privlog, auth_chkpwd, nscd_client_domain, privfd, mlsfileread, mlsfilewrite, mlsfileupgrade, mlsfiledowngrade, mlsprocsetsl;
+type newrole_t; # nscd_client_domain, mlsfileread, mlsfilewrite, mlsfileupgrade, mlsfiledowngrade, mlsprocsetsl;
 kernel_make_role_change_constraint_exception(newrole_t)
 kernel_make_object_identity_change_constraint_exception(newrole_t)
 domain_make_domain(newrole_t)
+domain_make_file_descriptors_widely_inheritable(newrole_t)
 
 type newrole_exec_t;
 domain_make_entrypoint_file(newrole_t,newrole_exec_t)
@@ -63,13 +64,11 @@ neverallow ~can_write_binary_policy policy_config_t:file { write append };
 type policy_src_t;
 files_make_file(policy_src_t)
 
-type restorecon_t, can_relabelto_binary_policy; #, auth_write, change_context;
-kernel_make_object_identity_change_constraint_exception(restorecon_t)
-domain_make_domain(restorecon_t)
-role system_r types restorecon_t;
-
+type restorecon_t, can_relabelto_binary_policy;
 type restorecon_exec_t;
-domain_make_entrypoint_file(restorecon_t,restorecon_exec_t)
+kernel_make_object_identity_change_constraint_exception(restorecon_t)
+domain_make_system_domain(restorecon_t,restorecon_exec_t)
+role system_r types restorecon_t;
 
 #
 # selinux_config_t is the type applied to
@@ -78,7 +77,7 @@ domain_make_entrypoint_file(restorecon_t,restorecon_exec_t)
 type selinux_config_t;
 files_make_file(selinux_config_t)
 
-type setfiles_t, can_relabelto_binary_policy; # privlog, auth_write, change_context;
+type setfiles_t, can_relabelto_binary_policy;
 kernel_make_object_identity_change_constraint_exception(setfiles_t)
 domain_make_domain(setfiles_t)
 role system_r types setfiles_t;
@@ -97,6 +96,10 @@ allow checkpolicy_t self:capability dac_override;
 allow checkpolicy_t policy_config_t:dir { read getattr lock search ioctl add_name remove_name write };
 allow checkpolicy_t policy_config_t:file { create ioctl read getattr lock write setattr append link unlink rename };
 
+# allow test policies to be created in src directories
+allow checkpolicy_t policy_src_t:dir { getattr search read write add_name remove_name };
+type_transition checkpolicy_t policy_src_t:file policy_config_t;
+
 # only allow read of policy source files
 allow checkpolicy_t policy_src_t:dir { getattr search read };
 allow checkpolicy_t policy_src_t:{ file lnk_file } { getattr read };
@@ -118,9 +121,8 @@ libraries_read_shared_libraries(checkpolicy_t)
 ifdef(`TODO',`
 role sysadm_r types checkpolicy_t;
 domain_auto_trans(sysadm_t, checkpolicy_exec_t, checkpolicy_t)
-
-# allow test policies to be created in src directories
-file_type_auto_trans(checkpolicy_t, policy_src_t, policy_config_t, file)
+allow checkpolicy_t admin_tty_type:chr_file { read write ioctl getattr };
+allow checkpolicy_t sysadm_tmp_t:file { getattr write };
 
 # directory search permissions for path to source and binary policy files
 allow checkpolicy_t etc_t:dir search;
@@ -128,11 +130,6 @@ allow checkpolicy_t etc_t:dir search;
 # Read the devpts root directory.  
 ifdef(`sshd.te',`allow checkpolicy_t sshd_devpts_t:dir r_dir_perms;')
 
-# Other access
-allow checkpolicy_t admin_tty_type:chr_file { read write ioctl getattr };
-
-allow checkpolicy_t sysadm_tmp_t:file { getattr write } ;
-
 # Allow users to execute checkpolicy without a domain transition
 # so it can be used without privilege to write real binary policy file
 can_exec(unpriv_userdomain, checkpolicy_exec_t)
@@ -180,16 +177,13 @@ miscfiles_read_localization(load_policy_t)
 ifdef(`TODO',`
 role sysadm_r types load_policy_t;
 domain_auto_trans(sysadm_t, load_policy_exec_t, load_policy_t)
+allow load_policy_t sysadm_tmp_t:file { getattr write };
+allow load_policy_t admin_tty_type:chr_file { read write ioctl getattr };
 
 # directory search permissions for path to binary policy files
 allow load_policy_t etc_t:dir search;
 
-# Other access
-allow load_policy_t admin_tty_type:chr_file { read write ioctl getattr };
-
 allow load_policy_t userdomain:fd use;
-
-allow load_policy_t sysadm_tmp_t:file { getattr write } ;
 ') dnl endif TODO
 
 ########################################
@@ -227,7 +221,8 @@ devices_get_pseudorandom_data(newrole_t)
 
 filesystem_get_persistent_filesystem_attributes(newrole_t)
 
-terminal_list_pseudoterminals(newrole_t)
+terminal_use_all_users_physical_terminals(newrole_t)
+terminal_use_all_users_pseudoterminals(newrole_t)
 terminal_use_controlling_terminal(newrole_t)
 
 # Write to utmp.
@@ -240,8 +235,12 @@ files_read_general_system_config(newrole_t)
 libraries_use_dynamic_loader(newrole_t)
 libraries_read_shared_libraries(newrole_t)
 
+logging_send_system_log_message(newrole_t)
+
 miscfiles_read_localization(newrole_t)
 
+authlogin_check_password_transition(newrole_t)
+
 ifdef(`TODO',`
 in_user_role(newrole_t)
 role sysadm_r types newrole_t;
@@ -261,7 +260,6 @@ allow newrole_t sbin_t:dir r_dir_perms;
 # Execute shells
 allow newrole_t bin_t:dir r_dir_perms;
 allow newrole_t bin_t:lnk_file read;
-allow newrole_t shell_exec_t:file r_file_perms;
 
 # Allow newrole_t to transition to user domains.
 bool secure_mode false;
@@ -276,14 +274,9 @@ if(!secure_mode)
 allow newrole_t var_t:dir r_dir_perms;
 allow newrole_t var_t:notdevfile_class_set r_file_perms;
 
-# Read /dev directories and any symbolic links.
-allow newrole_t device_t:dir r_dir_perms;
-
 # Relabel terminals.
 allow newrole_t { ttyfile ptyfile }:chr_file { relabelfrom relabelto };
 
-# Access terminals.
-allow newrole_t { ttyfile ptyfile }:chr_file rw_file_perms;
 ifdef(`gnome-pty-helper.te', `allow newrole_t gphdomain:fd use;')
 
 # for some PAM modules and for cwd
@@ -340,11 +333,11 @@ files_read_all_directories(restorecon_t)
 kernel_relabel_unlabeled_object(restorecon_t)
 devices_manage_all_devices_labels(restorecon_t)
 files_manage_all_files_labels(restorecon_t)
+# this is to satisfy the assertion:
+authlogin_relabel_to_shadow_passwords(restorecon_t)
 
 ifdef(`TODO',`
 allow restorecon_t admin_tty_type:chr_file { read write ioctl };
-
-domain_auto_trans(initrc_t, restorecon_exec_t, restorecon_t) 
 domain_audo_trans(sysadm_t, restorecon_exec_t, restorecon_t)
 role sysadm_r types restorecon_t;
 allow restorecon_t userdomain:fd use;
@@ -410,6 +403,8 @@ files_read_all_directories(setfiles_t)
 kernel_relabel_unlabeled_object(setfiles_t)
 devices_manage_all_devices_labels(setfiles_t)
 files_manage_all_files_labels(setfiles_t)
+# this is to satisfy the assertion:
+authlogin_relabel_to_shadow_passwords(setfiles_t)
 
 ifdef(`TODO',`
 

refpolicy/policy/modules/system/selinuxutil.te

@@ -38,10 +38,11 @@ role system_r types load_policy_t;
 type load_policy_exec_t;
 domain_make_entrypoint_file(load_policy_t,load_policy_exec_t)
 
-type newrole_t; # , privlog, auth_chkpwd, nscd_client_domain, privfd, mlsfileread, mlsfilewrite, mlsfileupgrade, mlsfiledowngrade, mlsprocsetsl;
+type newrole_t; # nscd_client_domain, mlsfileread, mlsfilewrite, mlsfileupgrade, mlsfiledowngrade, mlsprocsetsl;
 kernel_make_role_change_constraint_exception(newrole_t)
 kernel_make_object_identity_change_constraint_exception(newrole_t)
 domain_make_domain(newrole_t)
+domain_make_file_descriptors_widely_inheritable(newrole_t)
 
 type newrole_exec_t;
 domain_make_entrypoint_file(newrole_t,newrole_exec_t)
@@ -63,13 +64,11 @@ neverallow ~can_write_binary_policy policy_config_t:file { write append };
 type policy_src_t;
 files_make_file(policy_src_t)
 
-type restorecon_t, can_relabelto_binary_policy; #, auth_write, change_context;
-kernel_make_object_identity_change_constraint_exception(restorecon_t)
-domain_make_domain(restorecon_t)
-role system_r types restorecon_t;
-
+type restorecon_t, can_relabelto_binary_policy;
 type restorecon_exec_t;
-domain_make_entrypoint_file(restorecon_t,restorecon_exec_t)
+kernel_make_object_identity_change_constraint_exception(restorecon_t)
+domain_make_system_domain(restorecon_t,restorecon_exec_t)
+role system_r types restorecon_t;
 
 #
 # selinux_config_t is the type applied to
@@ -78,7 +77,7 @@ domain_make_entrypoint_file(restorecon_t,restorecon_exec_t)
 type selinux_config_t;
 files_make_file(selinux_config_t)
 
-type setfiles_t, can_relabelto_binary_policy; # privlog, auth_write, change_context;
+type setfiles_t, can_relabelto_binary_policy;
 kernel_make_object_identity_change_constraint_exception(setfiles_t)
 domain_make_domain(setfiles_t)
 role system_r types setfiles_t;
@@ -97,6 +96,10 @@ allow checkpolicy_t self:capability dac_override;
 allow checkpolicy_t policy_config_t:dir { read getattr lock search ioctl add_name remove_name write };
 allow checkpolicy_t policy_config_t:file { create ioctl read getattr lock write setattr append link unlink rename };
 
+# allow test policies to be created in src directories
+allow checkpolicy_t policy_src_t:dir { getattr search read write add_name remove_name };
+type_transition checkpolicy_t policy_src_t:file policy_config_t;
+
 # only allow read of policy source files
 allow checkpolicy_t policy_src_t:dir { getattr search read };
 allow checkpolicy_t policy_src_t:{ file lnk_file } { getattr read };
@@ -118,9 +121,8 @@ libraries_read_shared_libraries(checkpolicy_t)
 ifdef(`TODO',`
 role sysadm_r types checkpolicy_t;
 domain_auto_trans(sysadm_t, checkpolicy_exec_t, checkpolicy_t)
-
-# allow test policies to be created in src directories
-file_type_auto_trans(checkpolicy_t, policy_src_t, policy_config_t, file)
+allow checkpolicy_t admin_tty_type:chr_file { read write ioctl getattr };
+allow checkpolicy_t sysadm_tmp_t:file { getattr write };
 
 # directory search permissions for path to source and binary policy files
 allow checkpolicy_t etc_t:dir search;
@@ -128,11 +130,6 @@ allow checkpolicy_t etc_t:dir search;
 # Read the devpts root directory.  
 ifdef(`sshd.te',`allow checkpolicy_t sshd_devpts_t:dir r_dir_perms;')
 
-# Other access
-allow checkpolicy_t admin_tty_type:chr_file { read write ioctl getattr };
-
-allow checkpolicy_t sysadm_tmp_t:file { getattr write } ;
-
 # Allow users to execute checkpolicy without a domain transition
 # so it can be used without privilege to write real binary policy file
 can_exec(unpriv_userdomain, checkpolicy_exec_t)
@@ -180,16 +177,13 @@ miscfiles_read_localization(load_policy_t)
 ifdef(`TODO',`
 role sysadm_r types load_policy_t;
 domain_auto_trans(sysadm_t, load_policy_exec_t, load_policy_t)
+allow load_policy_t sysadm_tmp_t:file { getattr write };
+allow load_policy_t admin_tty_type:chr_file { read write ioctl getattr };
 
 # directory search permissions for path to binary policy files
 allow load_policy_t etc_t:dir search;
 
-# Other access
-allow load_policy_t admin_tty_type:chr_file { read write ioctl getattr };
-
 allow load_policy_t userdomain:fd use;
-
-allow load_policy_t sysadm_tmp_t:file { getattr write } ;
 ') dnl endif TODO
 
 ########################################
@@ -227,7 +221,8 @@ devices_get_pseudorandom_data(newrole_t)
 
 filesystem_get_persistent_filesystem_attributes(newrole_t)
 
-terminal_list_pseudoterminals(newrole_t)
+terminal_use_all_users_physical_terminals(newrole_t)
+terminal_use_all_users_pseudoterminals(newrole_t)
 terminal_use_controlling_terminal(newrole_t)
 
 # Write to utmp.
@@ -240,8 +235,12 @@ files_read_general_system_config(newrole_t)
 libraries_use_dynamic_loader(newrole_t)
 libraries_read_shared_libraries(newrole_t)
 
+logging_send_system_log_message(newrole_t)
+
 miscfiles_read_localization(newrole_t)
 
+authlogin_check_password_transition(newrole_t)
+
 ifdef(`TODO',`
 in_user_role(newrole_t)
 role sysadm_r types newrole_t;
@@ -261,7 +260,6 @@ allow newrole_t sbin_t:dir r_dir_perms;
 # Execute shells
 allow newrole_t bin_t:dir r_dir_perms;
 allow newrole_t bin_t:lnk_file read;
-allow newrole_t shell_exec_t:file r_file_perms;
 
 # Allow newrole_t to transition to user domains.
 bool secure_mode false;
@@ -276,14 +274,9 @@ if(!secure_mode)
 allow newrole_t var_t:dir r_dir_perms;
 allow newrole_t var_t:notdevfile_class_set r_file_perms;
 
-# Read /dev directories and any symbolic links.
-allow newrole_t device_t:dir r_dir_perms;
-
 # Relabel terminals.
 allow newrole_t { ttyfile ptyfile }:chr_file { relabelfrom relabelto };
 
-# Access terminals.
-allow newrole_t { ttyfile ptyfile }:chr_file rw_file_perms;
 ifdef(`gnome-pty-helper.te', `allow newrole_t gphdomain:fd use;')
 
 # for some PAM modules and for cwd
@@ -340,11 +333,11 @@ files_read_all_directories(restorecon_t)
 kernel_relabel_unlabeled_object(restorecon_t)
 devices_manage_all_devices_labels(restorecon_t)
 files_manage_all_files_labels(restorecon_t)
+# this is to satisfy the assertion:
+authlogin_relabel_to_shadow_passwords(restorecon_t)
 
 ifdef(`TODO',`
 allow restorecon_t admin_tty_type:chr_file { read write ioctl };
-
-domain_auto_trans(initrc_t, restorecon_exec_t, restorecon_t) 
 domain_audo_trans(sysadm_t, restorecon_exec_t, restorecon_t)
 role sysadm_r types restorecon_t;
 allow restorecon_t userdomain:fd use;
@@ -410,6 +403,8 @@ files_read_all_directories(setfiles_t)
 kernel_relabel_unlabeled_object(setfiles_t)
 devices_manage_all_devices_labels(setfiles_t)
 files_manage_all_files_labels(setfiles_t)
+# this is to satisfy the assertion:
+authlogin_relabel_to_shadow_passwords(setfiles_t)
 
 ifdef(`TODO',`