859ba0c85a
ricci_modservice send syslog msgs Stop transitioning from unconfined_t to ldconfig_t, but make sure /etc/ld.so.cache is labeled correctly Allow systemd_logind_t to manage /run/USER/dconf/user
398 lines
12 KiB
Diff
398 lines
12 KiB
Diff
diff --git a/policy/modules/admin/mcelog.te b/policy/modules/admin/mcelog.te
|
|
index ef8bc09..ea06507 100644
|
|
--- a/policy/modules/admin/mcelog.te
|
|
+++ b/policy/modules/admin/mcelog.te
|
|
@@ -45,6 +45,8 @@ files_read_etc_files(mcelog_t)
|
|
# for /dev/mem access
|
|
mls_file_read_all_levels(mcelog_t)
|
|
|
|
+auth_read_passwd(mcelog_t)
|
|
+
|
|
logging_send_syslog_msg(mcelog_t)
|
|
|
|
miscfiles_read_localization(mcelog_t)
|
|
diff --git a/policy/modules/admin/usermanage.te b/policy/modules/admin/usermanage.te
|
|
index 4779a8d..b8eac3e 100644
|
|
--- a/policy/modules/admin/usermanage.te
|
|
+++ b/policy/modules/admin/usermanage.te
|
|
@@ -89,6 +89,7 @@ fs_search_auto_mountpoints(chfn_t)
|
|
dev_read_urand(chfn_t)
|
|
dev_dontaudit_getattr_all(chfn_t)
|
|
|
|
+auth_manage_passwd(chfn_t)
|
|
auth_use_pam(chfn_t)
|
|
|
|
# allow checking if a shell is executable
|
|
@@ -96,7 +97,6 @@ corecmd_check_exec_shell(chfn_t)
|
|
|
|
domain_use_interactive_fds(chfn_t)
|
|
|
|
-files_manage_etc_files(chfn_t)
|
|
files_read_etc_runtime_files(chfn_t)
|
|
files_dontaudit_search_var(chfn_t)
|
|
files_dontaudit_search_home(chfn_t)
|
|
@@ -205,8 +205,8 @@ init_dontaudit_write_utmp(groupadd_t)
|
|
|
|
domain_use_interactive_fds(groupadd_t)
|
|
|
|
-files_manage_etc_files(groupadd_t)
|
|
files_relabel_etc_files(groupadd_t)
|
|
+files_read_etc_files(groupadd_t)
|
|
files_read_etc_runtime_files(groupadd_t)
|
|
files_read_usr_symlinks(groupadd_t)
|
|
|
|
@@ -221,9 +221,10 @@ miscfiles_read_localization(groupadd_t)
|
|
auth_domtrans_chk_passwd(groupadd_t)
|
|
auth_rw_lastlog(groupadd_t)
|
|
auth_use_nsswitch(groupadd_t)
|
|
+auth_manage_passwd(groupadd_t)
|
|
+auth_manage_shadow(groupadd_t)
|
|
# these may be unnecessary due to the above
|
|
# domtrans_chk_passwd() call.
|
|
-auth_manage_shadow(groupadd_t)
|
|
auth_relabel_shadow(groupadd_t)
|
|
auth_etc_filetrans_shadow(groupadd_t)
|
|
|
|
@@ -296,6 +297,7 @@ selinux_compute_user_contexts(passwd_t)
|
|
|
|
term_use_all_inherited_terms(passwd_t)
|
|
|
|
+auth_manage_passwd(passwd_t)
|
|
auth_manage_shadow(passwd_t)
|
|
auth_relabel_shadow(passwd_t)
|
|
auth_etc_filetrans_shadow(passwd_t)
|
|
@@ -310,7 +312,6 @@ corenet_tcp_connect_kerberos_password_port(passwd_t)
|
|
domain_use_interactive_fds(passwd_t)
|
|
|
|
files_read_etc_runtime_files(passwd_t)
|
|
-files_manage_etc_files(passwd_t)
|
|
files_search_var(passwd_t)
|
|
files_dontaudit_search_pids(passwd_t)
|
|
files_relabel_etc_files(passwd_t)
|
|
@@ -390,6 +391,7 @@ fs_search_auto_mountpoints(sysadm_passwd_t)
|
|
|
|
term_use_all_inherited_terms(sysadm_passwd_t)
|
|
|
|
+auth_manage_passwd(sysadm_passwd_t)
|
|
auth_manage_shadow(sysadm_passwd_t)
|
|
auth_relabel_shadow(sysadm_passwd_t)
|
|
auth_etc_filetrans_shadow(sysadm_passwd_t)
|
|
@@ -402,7 +404,6 @@ files_read_usr_files(sysadm_passwd_t)
|
|
|
|
domain_use_interactive_fds(sysadm_passwd_t)
|
|
|
|
-files_manage_etc_files(sysadm_passwd_t)
|
|
files_relabel_etc_files(sysadm_passwd_t)
|
|
files_read_etc_runtime_files(sysadm_passwd_t)
|
|
# for nscd lookups
|
|
@@ -461,7 +462,6 @@ domain_use_interactive_fds(useradd_t)
|
|
domain_read_all_domains_state(useradd_t)
|
|
domain_dontaudit_read_all_domains_state(useradd_t)
|
|
|
|
-files_manage_etc_files(useradd_t)
|
|
files_search_var_lib(useradd_t)
|
|
files_relabel_etc_files(useradd_t)
|
|
files_read_etc_runtime_files(useradd_t)
|
|
@@ -488,6 +488,7 @@ auth_rw_faillog(useradd_t)
|
|
auth_use_nsswitch(useradd_t)
|
|
# these may be unnecessary due to the above
|
|
# domtrans_chk_passwd() call.
|
|
+auth_manage_passwd(useradd_t)
|
|
auth_manage_shadow(useradd_t)
|
|
auth_relabel_shadow(useradd_t)
|
|
auth_etc_filetrans_shadow(useradd_t)
|
|
diff --git a/policy/modules/apps/loadkeys.te b/policy/modules/apps/loadkeys.te
|
|
index 50629a8..09669b6 100644
|
|
--- a/policy/modules/apps/loadkeys.te
|
|
+++ b/policy/modules/apps/loadkeys.te
|
|
@@ -31,6 +31,8 @@ files_read_etc_runtime_files(loadkeys_t)
|
|
term_dontaudit_use_console(loadkeys_t)
|
|
term_use_unallocated_ttys(loadkeys_t)
|
|
|
|
+auth_read_passwd(loadkeys_t)
|
|
+
|
|
init_dontaudit_use_fds(loadkeys_t)
|
|
init_dontaudit_use_script_ptys(loadkeys_t)
|
|
|
|
diff --git a/policy/modules/services/abrt.te b/policy/modules/services/abrt.te
|
|
index bd5ff95..c77b9f1 100644
|
|
--- a/policy/modules/services/abrt.te
|
|
+++ b/policy/modules/services/abrt.te
|
|
@@ -105,7 +105,6 @@ allow abrt_t self:fifo_file rw_fifo_file_perms;
|
|
allow abrt_t self:tcp_socket create_stream_socket_perms;
|
|
allow abrt_t self:udp_socket create_socket_perms;
|
|
allow abrt_t self:unix_dgram_socket create_socket_perms;
|
|
-allow abrt_t self:netlink_route_socket r_netlink_socket_perms;
|
|
|
|
# abrt etc files
|
|
list_dirs_pattern(abrt_t, abrt_etc_t, abrt_etc_t)
|
|
@@ -186,10 +185,10 @@ fs_read_nfs_files(abrt_t)
|
|
fs_read_nfs_symlinks(abrt_t)
|
|
fs_search_all(abrt_t)
|
|
|
|
-sysnet_dns_name_resolve(abrt_t)
|
|
-
|
|
logging_read_generic_logs(abrt_t)
|
|
|
|
+auth_use_nsswitch(abrt_t)
|
|
+
|
|
miscfiles_read_generic_certs(abrt_t)
|
|
|
|
userdom_dontaudit_read_user_home_content_files(abrt_t)
|
|
@@ -209,10 +208,6 @@ optional_policy(`
|
|
')
|
|
|
|
optional_policy(`
|
|
- nis_use_ypbind(abrt_t)
|
|
-')
|
|
-
|
|
-optional_policy(`
|
|
nsplugin_read_rw_files(abrt_t)
|
|
nsplugin_read_home(abrt_t)
|
|
')
|
|
diff --git a/policy/modules/services/audioentropy.te b/policy/modules/services/audioentropy.te
|
|
index 2b348c7..b89658c 100644
|
|
--- a/policy/modules/services/audioentropy.te
|
|
+++ b/policy/modules/services/audioentropy.te
|
|
@@ -47,6 +47,8 @@ fs_search_auto_mountpoints(entropyd_t)
|
|
|
|
domain_use_interactive_fds(entropyd_t)
|
|
|
|
+auth_read_passwd(entropyd_t)
|
|
+
|
|
logging_send_syslog_msg(entropyd_t)
|
|
|
|
miscfiles_read_localization(entropyd_t)
|
|
diff --git a/policy/modules/services/plymouthd.te b/policy/modules/services/plymouthd.te
|
|
index 4f9a575..5fc3a55 100644
|
|
--- a/policy/modules/services/plymouthd.te
|
|
+++ b/policy/modules/services/plymouthd.te
|
|
@@ -75,6 +75,8 @@ init_signal(plymouthd_t)
|
|
logging_link_generic_logs(plymouthd_t)
|
|
logging_delete_generic_logs(plymouthd_t)
|
|
|
|
+auth_read_passwd(plymouthd_t)
|
|
+
|
|
miscfiles_read_localization(plymouthd_t)
|
|
miscfiles_read_fonts(plymouthd_t)
|
|
miscfiles_manage_fonts_cache(plymouthd_t)
|
|
diff --git a/policy/modules/services/virt.te b/policy/modules/services/virt.te
|
|
index 52df08a..7790f7e 100644
|
|
--- a/policy/modules/services/virt.te
|
|
+++ b/policy/modules/services/virt.te
|
|
@@ -882,6 +882,7 @@ fs_getattr_xattr_fs(svirt_lxc_domain)
|
|
fs_list_inotifyfs(svirt_lxc_domain)
|
|
fs_dontaudit_getattr_xattr_fs(svirt_lxc_domain)
|
|
|
|
+auth_dontaudit_read_passwd(svirt_lxc_domain)
|
|
auth_dontaudit_read_login_records(svirt_lxc_domain)
|
|
auth_dontaudit_write_login_records(svirt_lxc_domain)
|
|
auth_search_pam_console_data(svirt_lxc_domain)
|
|
diff --git a/policy/modules/system/authlogin.fc b/policy/modules/system/authlogin.fc
|
|
index 59742f4..904e39c 100644
|
|
--- a/policy/modules/system/authlogin.fc
|
|
+++ b/policy/modules/system/authlogin.fc
|
|
@@ -7,6 +7,8 @@
|
|
/etc/passwd\.lock -- gen_context(system_u:object_r:shadow_t,s0)
|
|
/etc/passwd\.adjunct.* -- gen_context(system_u:object_r:shadow_t,s0)
|
|
/etc/shadow.* -- gen_context(system_u:object_r:shadow_t,s0)
|
|
+/etc/passwd-? -- gen_context(system_u:object_r:passwd_file_t,s0)
|
|
+/etc/group-? -- gen_context(system_u:object_r:passwd_file_t,s0)
|
|
|
|
/sbin/pam_console_apply -- gen_context(system_u:object_r:pam_console_exec_t,s0)
|
|
/sbin/pam_timestamp_check -- gen_context(system_u:object_r:pam_exec_t,s0)
|
|
diff --git a/policy/modules/system/authlogin.if b/policy/modules/system/authlogin.if
|
|
index f05a80f..4372e5d 100644
|
|
--- a/policy/modules/system/authlogin.if
|
|
+++ b/policy/modules/system/authlogin.if
|
|
@@ -558,7 +558,6 @@ interface(`auth_domtrans_upd_passwd',`
|
|
|
|
domtrans_pattern($1, updpwd_exec_t, updpwd_t)
|
|
auth_dontaudit_read_shadow($1)
|
|
-
|
|
')
|
|
|
|
########################################
|
|
@@ -755,6 +754,10 @@ interface(`auth_manage_shadow',`
|
|
|
|
allow $1 shadow_t:file manage_file_perms;
|
|
typeattribute $1 can_read_shadow_passwords, can_write_shadow_passwords;
|
|
+ files_var_filetrans($1, shadow_t, file, "shadow")
|
|
+ files_var_filetrans($1, shadow_t, file, "shadow-")
|
|
+ files_etc_filetrans($1, shadow_t, file, ".pwd.lock")
|
|
+ files_etc_filetrans($1, shadow_t, file, "gshadow")
|
|
')
|
|
|
|
#######################################
|
|
@@ -895,6 +898,9 @@ interface(`auth_manage_faillog',`
|
|
files_search_pids($1)
|
|
allow $1 faillog_t:dir manage_dir_perms;
|
|
allow $1 faillog_t:file manage_file_perms;
|
|
+ logging_log_named_filetrans($1, faillog_t, file, "tallylog")
|
|
+ logging_log_named_filetrans($1, faillog_t, file, "faillog")
|
|
+ logging_log_named_filetrans($1, faillog_t, file, "btmp")
|
|
')
|
|
|
|
#######################################
|
|
@@ -1735,6 +1741,7 @@ interface(`auth_manage_login_records',`
|
|
|
|
logging_rw_generic_log_dirs($1)
|
|
allow $1 wtmp_t:file manage_file_perms;
|
|
+ logging_log_named_filetrans($1, wtmp_t, file, "wtmp")
|
|
')
|
|
|
|
########################################
|
|
@@ -1810,19 +1817,118 @@ interface(`auth_unconfined',`
|
|
interface(`authlogin_filetrans_named_content',`
|
|
gen_require(`
|
|
type shadow_t;
|
|
+ type passwd_file_t;
|
|
type faillog_t;
|
|
type wtmp_t;
|
|
')
|
|
|
|
+ files_etc_filetrans($1, passwd_file_t, file, "passwd")
|
|
files_etc_filetrans($1, shadow_t, file, "shadow")
|
|
files_etc_filetrans($1, shadow_t, file, "shadow-")
|
|
files_etc_filetrans($1, shadow_t, file, ".pwd.lock")
|
|
files_etc_filetrans($1, shadow_t, file, "gshadow")
|
|
- files_var_filetrans($1, shadow_t, file, "shadow")
|
|
- files_var_filetrans($1, shadow_t, file, "shadow-")
|
|
logging_log_named_filetrans($1, faillog_t, file, "tallylog")
|
|
logging_log_named_filetrans($1, faillog_t, file, "faillog")
|
|
logging_log_named_filetrans($1, faillog_t, file, "btmp")
|
|
files_pid_filetrans($1, faillog_t, file, "faillog")
|
|
logging_log_named_filetrans($1, wtmp_t, file, "wtmp")
|
|
')
|
|
+
|
|
+########################################
|
|
+## <summary>
|
|
+## Get the attributes of the passwd passwords file.
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed access.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`auth_getattr_passwd',`
|
|
+ gen_require(`
|
|
+ type passwd_file_t;
|
|
+ ')
|
|
+
|
|
+ files_search_etc($1)
|
|
+ allow $1 passwd_file_t:file getattr;
|
|
+')
|
|
+
|
|
+########################################
|
|
+## <summary>
|
|
+## Do not audit attempts to get the attributes
|
|
+## of the passwd passwords file.
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain to not audit.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`auth_dontaudit_getattr_passwd',`
|
|
+ gen_require(`
|
|
+ type passwd_file_t;
|
|
+ ')
|
|
+
|
|
+ dontaudit $1 passwd_file_t:file getattr;
|
|
+')
|
|
+
|
|
+########################################
|
|
+## <summary>
|
|
+## Read the passwd passwords file (/etc/passwd)
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed access.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`auth_read_passwd',`
|
|
+ gen_require(`
|
|
+ type passwd_file_t;
|
|
+ ')
|
|
+
|
|
+ allow $1 passwd_file_t:file read_file_perms;
|
|
+')
|
|
+
|
|
+########################################
|
|
+## <summary>
|
|
+## Do not audit attempts to read the passwd
|
|
+## password file (/etc/passwd).
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain to not audit.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`auth_dontaudit_read_passwd',`
|
|
+ gen_require(`
|
|
+ type passwd_file_t;
|
|
+ ')
|
|
+
|
|
+ dontaudit $1 passwd_file_t:file read_file_perms;
|
|
+')
|
|
+
|
|
+########################################
|
|
+## <summary>
|
|
+## Create, read, write, and delete the passwd
|
|
+## password file.
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed access.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`auth_manage_passwd',`
|
|
+ gen_require(`
|
|
+ type passwd_file_t;
|
|
+ ')
|
|
+
|
|
+ files_rw_etc_dirs($1)
|
|
+ allow $1 passwd_file_t:file manage_file_perms;
|
|
+ files_etc_filetrans($1, passwd_file_t, file, "passwd")
|
|
+ files_etc_filetrans($1, passwd_file_t, file, "passwd-")
|
|
+ files_etc_filetrans($1, passwd_file_t, file, "group")
|
|
+ files_etc_filetrans($1, passwd_file_t, file, "group-")
|
|
+')
|
|
diff --git a/policy/modules/system/authlogin.te b/policy/modules/system/authlogin.te
|
|
index a53db2b..16e2e63 100644
|
|
--- a/policy/modules/system/authlogin.te
|
|
+++ b/policy/modules/system/authlogin.te
|
|
@@ -71,6 +71,9 @@ neverallow ~can_read_shadow_passwords shadow_t:file read;
|
|
neverallow ~can_write_shadow_passwords shadow_t:file { create write };
|
|
neverallow ~can_relabelto_shadow_passwords shadow_t:file relabelto;
|
|
|
|
+type passwd_file_t;
|
|
+files_type(passwd_file_t)
|
|
+
|
|
type updpwd_t;
|
|
type updpwd_exec_t;
|
|
domain_type(updpwd_t)
|
|
@@ -350,6 +353,7 @@ kernel_read_system_state(updpwd_t)
|
|
dev_read_urand(updpwd_t)
|
|
|
|
files_manage_etc_files(updpwd_t)
|
|
+auth_manage_passwd(updpwd_t)
|
|
|
|
term_dontaudit_use_console(updpwd_t)
|
|
term_dontaudit_use_unallocated_ttys(updpwd_t)
|
|
@@ -422,6 +426,9 @@ optional_policy(`
|
|
')
|
|
')
|
|
|
|
+
|
|
+auth_read_passwd(nsswitch_domain)
|
|
+
|
|
# read /etc/nsswitch.conf
|
|
files_read_etc_files(nsswitch_domain)
|
|
|