Remove shell automatic domain transitions to unconfined_t from various pam login programs

I think these may have been adopted from the old Red Hat targeted policy (that model only had unconfined users)

Some aspects to note:

1. The ssh_sysadm_login boolean now applies to unconfined_t as well
2. remotelogin only allows unpriv logins

The rshd module also calls unconfined_shell_domtrans() but I ignored that one because that policy currently does not have support for manual transitions with pam_selinux.

Signed-off-by: Dominick Grift <dac.override@gmail.com>
Dominick Grift 2019-09-01 14:46:20 +02:00 committed by Chris PeBenito
parent 51c4812c23
commit 210b64f10a
3 changed files with 0 additions and 12 deletions

@ -91,10 +91,6 @@ optional_policy(`
telnet_use_ptys(remote_login_t) telnet_use_ptys(remote_login_t)
') ')
optional_policy(`
unconfined_shell_domtrans(remote_login_t)
')
optional_policy(` optional_policy(`
usermanage_read_crack_db(remote_login_t) usermanage_read_crack_db(remote_login_t)
') ')
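
Review bot: Dropping the unconfined_shell_domtrans(remote_login_t) block changes who can log in through this program, and nothing in the module records that. The commit message says remotelogin only allows unpriv logins; if that means an unconfined user can no longer get a shell in unconfined_t via remote_login_t, state it in a comment next to the remaining optional_policy blocks or in the changelog, so the change in behaviour is visibly intentional.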

@ -329,10 +329,6 @@ optional_policy(`
systemd_dbus_chat_logind(sshd_t) systemd_dbus_chat_logind(sshd_t)
') ')
optional_policy(`
unconfined_shell_domtrans(sshd_t)
')
optional_policy(` optional_policy(`
xserver_domtrans_xauth(sshd_t) xserver_domtrans_xauth(sshd_t)
xserver_link_xdm_keys(sshd_t) xserver_link_xdm_keys(sshd_t)
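
Review bot: Removing unconfined_shell_domtrans(sshd_t) makes the ssh_sysadm_login boolean govern unconfined_t logins, per the commit message, yet the change has 0 additions, so the boolean's description was not updated to say so. Please extend that description to mention unconfined_t, and note in the commit message that existing systems where unconfined users log in over ssh will now depend on how this boolean is set.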

@ -204,10 +204,6 @@ optional_policy(`
systemd_write_inherited_logind_sessions_pipes(local_login_t) systemd_write_inherited_logind_sessions_pipes(local_login_t)
') ')
optional_policy(`
unconfined_shell_domtrans(local_login_t)
')
optional_policy(` optional_policy(`
usermanage_read_crack_db(local_login_t) usermanage_read_crack_db(local_login_t)
') ')
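
Review bot: For the removed unconfined_shell_domtrans(local_login_t) block, the commit message does not say which remaining rule lets local_login_t place an unconfined user's shell in unconfined_t. The notes cover ssh and remotelogin only, and the change adds no lines, so please name the existing rule that permits the manual pam_selinux transition here, so reviewers can confirm that console logins for unconfined users still work.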