cleanup in authlogin
This commit is contained in:
Chris PeBenito
parent
3573908f1c
commit
ba1a545fb3
@ -128,7 +128,6 @@ template(`authlogin_per_userdomain_template',`
|
|||||||
# Transition from the user domain to this domain.
|
# Transition from the user domain to this domain.
|
||||||
domain_auto_trans($2,chkpwd_exec_t,$1_chkpwd_t)
|
domain_auto_trans($2,chkpwd_exec_t,$1_chkpwd_t)
|
||||||
allow $1_chkpwd_t $2:fd use;
|
allow $1_chkpwd_t $2:fd use;
|
||||||
allow $2 $1_chkpwd_t:fd use;
|
|
||||||
allow $1_chkpwd_t $2:fifo_file rw_file_perms;
|
allow $1_chkpwd_t $2:fifo_file rw_file_perms;
|
||||||
allow $1_chkpwd_t $2:process sigchld;
|
allow $1_chkpwd_t $2:process sigchld;
|
||||||
|
|
||||||
@ -289,8 +288,6 @@ interface(`auth_domtrans_login_program',`
|
|||||||
|
|
||||||
corecmd_search_bin($1)
|
corecmd_search_bin($1)
|
||||||
domain_auto_trans($1,login_exec_t,$2)
|
domain_auto_trans($1,login_exec_t,$2)
|
||||||
|
|
||||||
allow $1 $2:fd use;
|
|
||||||
allow $2 $1:fd use;
|
allow $2 $1:fd use;
|
||||||
allow $2 $1:fifo_file rw_file_perms;
|
allow $2 $1:fifo_file rw_file_perms;
|
||||||
allow $2 $1:process sigchld;
|
allow $2 $1:process sigchld;
|
||||||
@ -311,13 +308,12 @@ interface(`auth_domtrans_chk_passwd',`
|
|||||||
type system_chkpwd_t, chkpwd_exec_t, shadow_t;
|
type system_chkpwd_t, chkpwd_exec_t, shadow_t;
|
||||||
')
|
')
|
||||||
|
|
||||||
corecmd_search_sbin($1)
|
|
||||||
domain_auto_trans($1,chkpwd_exec_t,system_chkpwd_t)
|
|
||||||
|
|
||||||
allow $1 self:capability { audit_write audit_control };
|
allow $1 self:capability { audit_write audit_control };
|
||||||
allow $1 self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay };
|
allow $1 self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay };
|
||||||
|
|
||||||
allow $1 system_chkpwd_t:fd use;
|
corecmd_search_sbin($1)
|
||||||
|
domain_auto_trans($1,chkpwd_exec_t,system_chkpwd_t)
|
||||||
allow system_chkpwd_t $1:fd use;
|
allow system_chkpwd_t $1:fd use;
|
||||||
allow system_chkpwd_t $1:fifo_file rw_file_perms;
|
allow system_chkpwd_t $1:fifo_file rw_file_perms;
|
||||||
allow system_chkpwd_t $1:process sigchld;
|
allow system_chkpwd_t $1:process sigchld;
|
||||||
@ -513,7 +509,7 @@ interface(`auth_manage_shadow',`
|
|||||||
type shadow_t;
|
type shadow_t;
|
||||||
')
|
')
|
||||||
|
|
||||||
allow $1 shadow_t:file create_file_perms;
|
allow $1 shadow_t:file manage_file_perms;
|
||||||
typeattribute $1 can_read_shadow_passwords, can_write_shadow_passwords;
|
typeattribute $1 can_read_shadow_passwords, can_write_shadow_passwords;
|
||||||
')
|
')
|
||||||
|
|
||||||
@ -690,8 +686,6 @@ interface(`auth_domtrans_pam',`
|
|||||||
')
|
')
|
||||||
|
|
||||||
domain_auto_trans($1,pam_exec_t,pam_t)
|
domain_auto_trans($1,pam_exec_t,pam_t)
|
||||||
|
|
||||||
allow $1 pam_t:fd use;
|
|
||||||
allow pam_t $1:fd use;
|
allow pam_t $1:fd use;
|
||||||
allow pam_t $1:fifo_file rw_file_perms;
|
allow pam_t $1:fifo_file rw_file_perms;
|
||||||
allow pam_t $1:process sigchld;
|
allow pam_t $1:process sigchld;
|
||||||
@ -762,7 +756,7 @@ interface(`auth_manage_var_auth',`
|
|||||||
')
|
')
|
||||||
|
|
||||||
files_search_var($1)
|
files_search_var($1)
|
||||||
allow $1 var_auth_t:dir create_dir_perms;
|
allow $1 var_auth_t:dir manage_dir_perms;
|
||||||
allow $1 var_auth_t:file rw_file_perms;
|
allow $1 var_auth_t:file rw_file_perms;
|
||||||
allow $1 var_auth_t:lnk_file rw_file_perms;
|
allow $1 var_auth_t:lnk_file rw_file_perms;
|
||||||
')
|
')
|
||||||
@ -782,9 +776,8 @@ interface(`auth_read_pam_pid',`
|
|||||||
type pam_var_run_t;
|
type pam_var_run_t;
|
||||||
')
|
')
|
||||||
|
|
||||||
files_search_var($1)
|
|
||||||
files_search_pids($1)
|
files_search_pids($1)
|
||||||
allow $1 pam_var_run_t:dir r_dir_perms;
|
allow $1 pam_var_run_t:dir list_dir_perms;
|
||||||
allow $1 pam_var_run_t:file r_file_perms;
|
allow $1 pam_var_run_t:file r_file_perms;
|
||||||
')
|
')
|
||||||
|
|
||||||
@ -821,7 +814,6 @@ interface(`auth_delete_pam_pid',`
|
|||||||
type pam_var_run_t;
|
type pam_var_run_t;
|
||||||
')
|
')
|
||||||
|
|
||||||
files_search_var($1)
|
|
||||||
files_search_pids($1)
|
files_search_pids($1)
|
||||||
allow $1 pam_var_run_t:dir { getattr search read write remove_name };
|
allow $1 pam_var_run_t:dir { getattr search read write remove_name };
|
||||||
allow $1 pam_var_run_t:file { getattr unlink };
|
allow $1 pam_var_run_t:file { getattr unlink };
|
||||||
@ -843,8 +835,8 @@ interface(`auth_manage_pam_pid',`
|
|||||||
')
|
')
|
||||||
|
|
||||||
files_search_pids($1)
|
files_search_pids($1)
|
||||||
allow $1 pam_var_run_t:dir create_dir_perms;
|
allow $1 pam_var_run_t:dir manage_dir_perms;
|
||||||
allow $1 pam_var_run_t:file create_file_perms;
|
allow $1 pam_var_run_t:file manage_file_perms;
|
||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@ -863,8 +855,6 @@ interface(`auth_domtrans_pam_console',`
|
|||||||
')
|
')
|
||||||
|
|
||||||
domain_auto_trans($1,pam_console_exec_t,pam_console_t)
|
domain_auto_trans($1,pam_console_exec_t,pam_console_t)
|
||||||
|
|
||||||
allow $1 pam_console_t:fd use;
|
|
||||||
allow pam_console_t $1:fd use;
|
allow pam_console_t $1:fd use;
|
||||||
allow pam_console_t $1:fifo_file rw_file_perms;
|
allow pam_console_t $1:fifo_file rw_file_perms;
|
||||||
allow pam_console_t $1:process sigchld;
|
allow pam_console_t $1:process sigchld;
|
||||||
@ -886,7 +876,6 @@ interface(`auth_search_pam_console_data',`
|
|||||||
type pam_var_console_t;
|
type pam_var_console_t;
|
||||||
')
|
')
|
||||||
|
|
||||||
files_search_var($1)
|
|
||||||
files_search_pids($1)
|
files_search_pids($1)
|
||||||
allow $1 pam_var_console_t:dir search_dir_perms;
|
allow $1 pam_var_console_t:dir search_dir_perms;
|
||||||
')
|
')
|
||||||
@ -907,9 +896,8 @@ interface(`auth_list_pam_console_data',`
|
|||||||
type pam_var_console_t;
|
type pam_var_console_t;
|
||||||
')
|
')
|
||||||
|
|
||||||
files_search_var($1)
|
|
||||||
files_search_pids($1)
|
files_search_pids($1)
|
||||||
allow $1 pam_var_console_t:dir r_dir_perms;
|
allow $1 pam_var_console_t:dir list_dir_perms;
|
||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@ -927,9 +915,8 @@ interface(`auth_read_pam_console_data',`
|
|||||||
type pam_var_console_t;
|
type pam_var_console_t;
|
||||||
')
|
')
|
||||||
|
|
||||||
files_search_var($1)
|
|
||||||
files_search_pids($1)
|
files_search_pids($1)
|
||||||
allow $1 pam_var_console_t:dir r_dir_perms;
|
allow $1 pam_var_console_t:dir list_dir_perms;
|
||||||
allow $1 pam_var_console_t:file r_file_perms;
|
allow $1 pam_var_console_t:file r_file_perms;
|
||||||
')
|
')
|
||||||
|
|
||||||
@ -949,10 +936,9 @@ interface(`auth_manage_pam_console_data',`
|
|||||||
type pam_var_console_t;
|
type pam_var_console_t;
|
||||||
')
|
')
|
||||||
|
|
||||||
files_search_var($1)
|
|
||||||
files_search_pids($1)
|
files_search_pids($1)
|
||||||
allow $1 pam_var_console_t:dir rw_dir_perms;
|
allow $1 pam_var_console_t:dir rw_dir_perms;
|
||||||
allow $1 pam_var_console_t:file create_file_perms;
|
allow $1 pam_var_console_t:file manage_file_perms;
|
||||||
allow $1 pam_var_console_t:lnk_file create_lnk_perms;
|
allow $1 pam_var_console_t:lnk_file create_lnk_perms;
|
||||||
')
|
')
|
||||||
|
|
||||||
@ -1120,8 +1106,6 @@ interface(`auth_domtrans_utempter',`
|
|||||||
')
|
')
|
||||||
|
|
||||||
domain_auto_trans($1,utempter_exec_t,utempter_t)
|
domain_auto_trans($1,utempter_exec_t,utempter_t)
|
||||||
|
|
||||||
allow $1 utempter_t:fd use;
|
|
||||||
allow utempter_t $1:fd use;
|
allow utempter_t $1:fd use;
|
||||||
allow utempter_t $1:fifo_file rw_file_perms;
|
allow utempter_t $1:fifo_file rw_file_perms;
|
||||||
allow utempter_t $1:process sigchld;
|
allow utempter_t $1:process sigchld;
|
||||||
@ -1323,7 +1307,7 @@ interface(`auth_manage_login_records',`
|
|||||||
')
|
')
|
||||||
|
|
||||||
logging_rw_generic_log_dirs($1)
|
logging_rw_generic_log_dirs($1)
|
||||||
allow $1 wtmp_t:file create_file_perms;
|
allow $1 wtmp_t:file manage_file_perms;
|
||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@ -1343,8 +1327,8 @@ interface(`auth_use_nsswitch',`
|
|||||||
|
|
||||||
allow $1 self:netlink_route_socket r_netlink_socket_perms;
|
allow $1 self:netlink_route_socket r_netlink_socket_perms;
|
||||||
|
|
||||||
allow $1 var_auth_t:dir r_dir_perms;
|
allow $1 var_auth_t:dir list_dir_perms;
|
||||||
allow $1 var_auth_t:file create_file_perms;
|
allow $1 var_auth_t:file manage_file_perms;
|
||||||
files_list_var_lib($1)
|
files_list_var_lib($1)
|
||||||
|
|
||||||
miscfiles_read_certs($1)
|
miscfiles_read_certs($1)
|
||||||
|
|||||||
@ -93,9 +93,10 @@ allow pam_t self:msg { send receive };
|
|||||||
|
|
||||||
allow pam_t pam_var_run_t:dir { search getattr read write remove_name };
|
allow pam_t pam_var_run_t:dir { search getattr read write remove_name };
|
||||||
allow pam_t pam_var_run_t:file { getattr read unlink };
|
allow pam_t pam_var_run_t:file { getattr read unlink };
|
||||||
|
files_list_pids(pam_t)
|
||||||
|
|
||||||
allow pam_t pam_tmp_t:dir create_dir_perms;
|
allow pam_t pam_tmp_t:dir manage_dir_perms;
|
||||||
allow pam_t pam_tmp_t:file create_file_perms;
|
allow pam_t pam_tmp_t:file manage_file_perms;
|
||||||
files_tmp_filetrans(pam_t, pam_tmp_t, { file dir })
|
files_tmp_filetrans(pam_t, pam_tmp_t, { file dir })
|
||||||
|
|
||||||
kernel_read_system_state(pam_t)
|
kernel_read_system_state(pam_t)
|
||||||
@ -108,7 +109,6 @@ term_use_all_user_ptys(pam_t)
|
|||||||
init_dontaudit_rw_utmp(pam_t)
|
init_dontaudit_rw_utmp(pam_t)
|
||||||
|
|
||||||
files_read_etc_files(pam_t)
|
files_read_etc_files(pam_t)
|
||||||
files_list_pids(pam_t)
|
|
||||||
|
|
||||||
libs_use_ld_so(pam_t)
|
libs_use_ld_so(pam_t)
|
||||||
libs_use_shared_libs(pam_t)
|
libs_use_shared_libs(pam_t)
|
||||||
@ -140,10 +140,10 @@ dontaudit pam_console_t self:capability sys_tty_config;
|
|||||||
allow pam_console_t self:process { sigchld sigkill sigstop signull signal };
|
allow pam_console_t self:process { sigchld sigkill sigstop signull signal };
|
||||||
|
|
||||||
# for /var/run/console.lock checking
|
# for /var/run/console.lock checking
|
||||||
allow pam_console_t pam_var_console_t:dir r_dir_perms;;
|
allow pam_console_t pam_var_console_t:dir list_dir_perms;
|
||||||
|
allow pam_console_t pam_var_console_t:lnk_file { getattr read };
|
||||||
allow pam_console_t pam_var_console_t:file r_file_perms;
|
allow pam_console_t pam_var_console_t:file r_file_perms;
|
||||||
dontaudit pam_console_t pam_var_console_t:file write;
|
dontaudit pam_console_t pam_var_console_t:file write;
|
||||||
allow pam_console_t pam_var_console_t:lnk_file { getattr read };
|
|
||||||
|
|
||||||
kernel_read_kernel_sysctls(pam_console_t)
|
kernel_read_kernel_sysctls(pam_console_t)
|
||||||
kernel_use_fds(pam_console_t)
|
kernel_use_fds(pam_console_t)
|
||||||
@ -220,13 +220,7 @@ seutil_read_file_contexts(pam_console_t)
|
|||||||
|
|
||||||
userdom_dontaudit_use_unpriv_user_fds(pam_console_t)
|
userdom_dontaudit_use_unpriv_user_fds(pam_console_t)
|
||||||
|
|
||||||
# cjp: with the old daemon_(base_)domain being broken up into
|
ifdef(`targeted_policy',`
|
||||||
# a daemon and system interface, this probably is not needed:
|
|
||||||
ifdef(`direct_sysadm_daemon', `
|
|
||||||
userdom_dontaudit_use_sysadm_terms(pam_console_t)
|
|
||||||
')
|
|
||||||
|
|
||||||
ifdef(`targeted_policy', `
|
|
||||||
term_dontaudit_use_unallocated_ttys(pam_console_t)
|
term_dontaudit_use_unallocated_ttys(pam_console_t)
|
||||||
term_dontaudit_use_generic_ptys(pam_console_t)
|
term_dontaudit_use_generic_ptys(pam_console_t)
|
||||||
files_dontaudit_read_root_files(pam_console_t)
|
files_dontaudit_read_root_files(pam_console_t)
|
||||||
|
|||||||
Loading…
Reference in New Issue
Block a user