targeted policy fixes

2005-10-19 19:45:20 +00:00 · 2005-10-19 19:45:20 +00:00 · de764944d8
commit de764944d8
parent af4752bcb9
6 changed files with 36 additions and 20 deletions
--- a/refpolicy/config/appconfig-targeted-mcs/default_contexts
+++ b/refpolicy/config/appconfig-targeted-mcs/default_contexts
@ -4,3 +4,4 @@ system_r:local_login_t:s0 system_r:unconfined_t:s0
 system_r:remote_login_t:s0	system_r:unconfined_t:s0
 system_r:rshd_t:s0		system_r:unconfined_t:s0
 system_r:crond_t:s0		system_r:unconfined_t:s0
+system_r:sshd_t:s0		system_r:unconfined_t:s0
--- a/refpolicy/config/appconfig-targeted-mls/default_contexts
+++ b/refpolicy/config/appconfig-targeted-mls/default_contexts
@ -4,3 +4,4 @@ system_r:local_login_t:s0 system_r:unconfined_t:s0
 system_r:remote_login_t:s0	system_r:unconfined_t:s0
 system_r:rshd_t:s0		system_r:unconfined_t:s0
 system_r:crond_t:s0		system_r:unconfined_t:s0
+system_r:sshd_t:s0		system_r:unconfined_t:s0
--- a/refpolicy/config/appconfig-targeted/default_contexts
+++ b/refpolicy/config/appconfig-targeted/default_contexts
@ -4,3 +4,4 @@ system_r:local_login_t system_r:unconfined_t
 system_r:remote_login_t		system_r:unconfined_t
 system_r:rshd_t			system_r:unconfined_t
 system_r:crond_t		system_r:unconfined_t
+system_r:sshd_t			system_r:unconfined_t
--- a/refpolicy/policy/modules/services/apm.te
+++ b/refpolicy/policy/modules/services/apm.te
@ -11,7 +11,6 @@ init_daemon_domain(apmd_t,apmd_exec_t)

 type apm_t;
 domain_type(apm_t)
-role sysadm_r types apm_t;
 role system_r types apm_t;

 type apm_exec_t;
--- a/refpolicy/policy/modules/services/ssh.if
+++ b/refpolicy/policy/modules/services/ssh.if
@ -163,6 +163,8 @@ template(`ssh_per_userdomain_template',`
 	sysnet_dns_name_resolve($1_ssh_t)

 	userdom_use_unpriv_users_fd($1_ssh_t)
+	# Write to the user domain tty.
+	userdom_use_user_terminals($1,$1_ssh_t)

 	tunable_policy(`read_default_t',`
 		files_list_default($1_ssh_t)
@ -220,11 +222,6 @@ template(`ssh_per_userdomain_template',`
 	# Inherit and use descriptors from gnome-pty-helper.
 	ifdef(`gnome-pty-helper.te', `allow $1_ssh_t $1_gph_t:fd use;')

-	# Write to the user domain tty.
-	allow $1_ssh_t $1_tty_device_t:chr_file { read write getattr ioctl };
-	allow $1_ssh_t devpts_t:dir { read search getattr };
-	allow $1_ssh_t $1_devpts_t:chr_file { read write getattr ioctl };
-
 	# allow ps to show ssh
 	can_ps($1_t, $1_ssh_t)

--- a/refpolicy/policy/modules/system/authlogin.if
+++ b/refpolicy/policy/modules/system/authlogin.if
@ -423,6 +423,23 @@ interface(`auth_read_lastlog',`
 	allow $1 lastlog_t:file { getattr read };
 ')

+#######################################
+## <summary>
+##	Append only to the last logins log.
+## </summary>
+## <param name="domain">
+##	Domain allowed access.
+## </param>
+#
+interface(`auth_append_lastlog',`
+	gen_require(`
+		type lastlog_t;
+	')
+
+	logging_search_logs($1)
+	allow $1 lastlog_t:file { getattr lock append };
+')
+
 #######################################
 ## <summary>
 ##	Read and write to the last logins log.