diff --git a/refpolicy/Makefile b/refpolicy/Makefile
index 10fafa57..dd151da7 100644
--- a/refpolicy/Makefile
+++ b/refpolicy/Makefile
@@ -80,7 +80,7 @@ POST_TE_FILES := $(addprefix $(MISCDIR),users constraints mls initial_sid_contex
 ALL_FC_FILES := $(foreach dir,$(ALL_MODULES),$(wildcard $(dir)/*.fc))
-POLICY_SECTIONS := tmp/pre_te_files.conf tmp/generated_definitions.conf tmp/all_interfaces.conf tmp/all_attributes.conf tmp/only_te_rules.conf tmp/all_post.conf
+POLICY_SECTIONS := tmp/pre_te_files.conf tmp/generated_definitions.conf tmp/all_interfaces.conf tmp/all_attrs_types.conf tmp/only_te_rules.conf tmp/all_post.conf
 override M4PARAM += -D monolithic_policy
@@ -176,11 +176,12 @@ tmp/post_te_files.conf: $(POST_TE_FILES)
 # extract attributes and put them first. extract post te stuff
 # like genfscon and put last. portcon, nodecon, and netifcon
 # is delayed since they are generated by m4
-tmp/all_attributes.conf tmp/only_te_rules.conf tmp/all_post.conf: tmp/all_te_files.conf tmp/post_te_files.conf
-	$(QUIET) grep ^attribute tmp/all_te_files.conf > tmp/all_attributes.conf || true
+tmp/all_attrs_types.conf tmp/only_te_rules.conf tmp/all_post.conf: tmp/all_te_files.conf tmp/post_te_files.conf
+	$(QUIET) grep ^attribute tmp/all_te_files.conf > tmp/all_attrs_types.conf || true
+	$(QUIET) grep '^type ' tmp/all_te_files.conf >> tmp/all_attrs_types.conf
 	$(QUIET) cat tmp/post_te_files.conf > tmp/all_post.conf
 	$(QUIET) grep ^genfscon tmp/all_te_files.conf >> tmp/all_post.conf || true
-	$(QUIET) sed -e /^attribute/d -e /^genfscon/d < tmp/all_te_files.conf > tmp/only_te_rules.conf
+	$(QUIET) sed -e /^attribute/d -e '/^type /d' -e /^genfscon/d < tmp/all_te_files.conf > tmp/only_te_rules.conf
 ########################################
 #
diff --git a/refpolicy/policy/modules/system/authlogin.te b/refpolicy/policy/modules/system/authlogin.te
index d3cd88b2..90a305cf 100644
--- a/refpolicy/policy/modules/system/authlogin.te
+++ b/refpolicy/policy/modules/system/authlogin.te
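Review bot: The comment block above the rule still says only attributes are hoisted, while the new grep/sed pair also moves `type` declarations into tmp/all_attrs_types.conf; update it to `# extract attributes and type declarations and put them first. extract post te stuff`. The `grep '^type '` and `sed -e '/^type /d'` patterns must stay identical, since a mismatch would either duplicate a declaration in both sections or drop it from the monolithic policy entirely, so a one-line comment stating that they are a matched pair would help the next editor. A line that begins with a tab, or has a tab after `type`, matches neither pattern and is left in only_te_rules.conf; if that is acceptable because all_te_files.conf is generated with single spaces, say so. The new grep line also lacks the `|| true` the attribute grep has, so the recipe fails if no `type ` line exists, which is probably unreachable but inconsistent with the line above it.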
@@ -7,8 +7,7 @@ policy_module(authlogin,1.0)
 # Declarations
 #
 type chkpwd_exec_t;
-authlogin_per_userdomain_template(system)
-domain_make_entrypoint_file(system_chkpwd_t,chkpwd_exec_t)
+files_make_file(chkpwd_exec_t)
 type faillog_t;
 logging_make_log_file(faillog_t)
@@ -222,6 +221,15 @@ allow pam_console_t xdm_var_run_t:file { getattr read };
 allow initrc_t pam_var_console_t:dir r_dir_perms;
 ') dnl endif TODO
+########################################
+#
+# System check password local policy
+#
+
+authlogin_per_userdomain_template(system)
+
+domain_make_entrypoint_file(system_chkpwd_t,chkpwd_exec_t)
+
 ########################################
 #
 # Utempter local policy
diff --git a/refpolicy/policy/modules/system/mount.te b/refpolicy/policy/modules/system/mount.te
index 1e017d3b..60653599 100644
--- a/refpolicy/policy/modules/system/mount.te
+++ b/refpolicy/policy/modules/system/mount.te
@@ -73,10 +73,10 @@ allow mount_t var_lib_nfs_t:dir mounton;
 allow mount_t lib_t:file { getattr read };
 # TODO: Need to examine this further. Not sure how to handle this
-type sysadm_mount_source_t, file_type, sysadmfile, $1_file_type;
-allow sysadm_t sysadm_mount_source_t:file create_file_perms;
-allow sysadm_t sysadm_mount_source_t:file { relabelto relabelfrom };
-allow mount_t sysadm_mount_source_t:file rw_file_perms;
+#type sysadm_mount_source_t, file_type, sysadmfile, $1_file_type;
+#allow sysadm_t sysadm_mount_source_t:file create_file_perms;
+#allow sysadm_t sysadm_mount_source_t:file { relabelto relabelfrom };
+#allow mount_t sysadm_mount_source_t:file rw_file_perms;
 # TODO: Probably need a macro for reading/unlinking files
 # for when /etc/mtab loses its type
diff --git a/refpolicy/policy/modules/system/sysnetwork.te b/refpolicy/policy/modules/system/sysnetwork.te
index 652ceab2..ddd1f26c 100644
--- a/refpolicy/policy/modules/system/sysnetwork.te
+++ b/refpolicy/policy/modules/system/sysnetwork.te
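Review bot: The new "System check password local policy" section holds only `authlogin_per_userdomain_template(system)` and `domain_make_entrypoint_file(system_chkpwd_t,chkpwd_exec_t)`, moved here from the declarations section, with no comment on why they were moved or what the template provides; add something like `# instantiate the system_chkpwd_t domain and its entrypoint; placed after the declarations so chkpwd_exec_t exists when the template is expanded`, and confirm that is the real reason, since the template body is not visible here. The declarations hunk now gives chkpwd_exec_t only `files_make_file(chkpwd_exec_t)`; whether that plus the later entrypoint call yields the same labeling and entrypoint rules as before cannot be checked from these hunks. Both hunks cut the file mid-section, and the surrounding authlogin policy continues outside them.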
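Review bot: The four sysadm_mount_source_t lines are left in place as commented-out rules without recording why they were disabled; the existing `# TODO: Need to examine this further` comment predates the change and does not say the type is now undeclared. Either delete them or extend the TODO, e.g. `# TODO: disabled - $1_file_type is an m4 template parameter with no meaning at file scope; sysadm_mount_source_t is undeclared until this is fixed`; the `$1_file_type` reference is the most plausible reason (the new Makefile rule hoists every `type ` line, so this one would now be placed at the front of the monolithic policy), but that is inferred. Any other module or file context entry that still uses sysadm_mount_source_t will no longer resolve, and mount_t loses the `rw_file_perms` access on those files, so check for remaining references before merging.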
@@ -200,9 +200,9 @@ allow ping_t cardmgr_t:fd use;
 ') dnl end if ping
 ifdef(`dhcpd.te', `', `
-type dhcp_state_t, file_type, sysadmfile;
-type dhcp_etc_t, file_type, sysadmfile, usercanread;
-typealias dhcp_etc_t alias { etc_dhcp_t etc_dhcpc_t etc_dhcpd_t };
+#type dhcp_state_t, file_type, sysadmfile;
+#type dhcp_etc_t, file_type, sysadmfile, usercanread;
+#typealias dhcp_etc_t alias { etc_dhcp_t etc_dhcpc_t etc_dhcpd_t };
 ')
 allow dhcpc_t dhcp_etc_t:dir { getattr read search };
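Review bot: Commenting out the fallback declarations inside the `ifdef(`dhcpd.te', ...)` branch leaves `allow dhcpc_t dhcp_etc_t:dir { getattr read search };` three lines below still referring to dhcp_etc_t, so a build without dhcpd.te now uses an undeclared type unless it is declared elsewhere (not visible in this hunk). If the intent is that the type is always declared in another module, the ifdef block is dead and should be removed with a comment naming where the declaration lives, e.g. `# dhcp_etc_t and dhcp_state_t are declared in <MODULE> - TODO confirm`; otherwise the declarations need to stay. The `typealias` removal also drops the `etc_dhcp_t etc_dhcpc_t etc_dhcpd_t` aliases, which any file contexts still using those names depend on. The ifdef block is fully within the hunk, but the dhcpc rules continue past it.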