diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if
index 3490ea530..1b3f56526 100644
--- a/policy/modules/kernel/files.if
+++ b/policy/modules/kernel/files.if
@@ -78,10 +78,10 @@
#
interface(`files_type',`
gen_require(`
- attribute file_type, non_security_file_type;
+ attribute file_type, non_security_file_type, non_auth_file_type;
')
- typeattribute $1 file_type, non_security_file_type;
+ typeattribute $1 file_type, non_security_file_type, non_auth_file_type;
')
########################################
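Review bot: After this change every type declared through files_type carries non_auth_file_type, and the same is done for files_security_file in the next hunk, so a type that is marked with one of those and later with files_auth_file ends up in both auth_file_type and non_auth_file_type and is still reachable by the files_*_non_auth_* interfaces added to this file. Nothing in the policy language prevents that double membership, so the exclusion rests entirely on callers applying only files_auth_file to such a type. I would state that in the files_auth_file summary, e.g. `## Types marked with this interface must not also be passed to files_type or files_security_file, otherwise they are reachable through the non_auth interfaces.` A neverallow on the pair is not expressible, so this is a documentation point rather than a code change.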
@@ -99,10 +99,10 @@ interface(`files_type',`
#
interface(`files_security_file',`
gen_require(`
- attribute file_type, security_file_type;
+ attribute file_type, security_file_type, non_auth_file_type;
')
- typeattribute $1 file_type, security_file_type;
+ typeattribute $1 file_type, security_file_type, non_auth_file_type;
')
########################################
@@ -1275,6 +1275,161 @@ interface(`files_unmount_all_file_type_fs',`
allow $1 file_type:filesystem unmount;
')
+########################################
+##
+## Mark the specified type as a file
+## that is related to authentication.
+##
+##
+##
+## Type of the authentication-related
+## file.
+##
+##
+#
+interface(`files_auth_file',`
+ gen_require(`
+ attribute file_type, security_file_type, auth_file_type;
+ ')
+
+ typeattribute $1 file_type, security_file_type, auth_file_type;
+')
+
+########################################
+##
+## Read all non-authentication related
+## directories.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`files_list_non_auth_dirs',`
+ gen_require(`
+ attribute non_auth_file_type;
+ ')
+
+ allow $1 non_auth_file_type:dir list_dir_perms;
+')
+
+########################################
+##
+## Read all non-authentication related
+## files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`files_read_non_auth_files',`
+ gen_require(`
+ attribute non_auth_file_type;
+ ')
+
+ read_files_pattern($1, non_auth_file_type, non_auth_file_type)
+')
+
+########################################
+##
+## Read all non-authentication related
+## symbolic links.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`files_read_non_auth_symlinks',`
+ gen_require(`
+ attribute non_auth_file_type;
+ ')
+
+ read_lnk_files_pattern($1, non_auth_file_type, non_auth_file_type)
+')
+
+########################################
+##
+## Relabel all non-authentication related
+## files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+##
+#
+interface(`files_relabel_non_auth_files',`
+ gen_require(`
+ attribute non_auth_file_type;
+ ')
+
+ allow $1 non_auth_file_type:dir list_dir_perms;
+ relabel_dirs_pattern($1, non_auth_file_type, non_auth_file_type)
+ relabel_files_pattern($1, non_auth_file_type, non_auth_file_type)
+ relabel_lnk_files_pattern($1, non_auth_file_type, non_auth_file_type)
+ relabel_fifo_files_pattern($1, non_auth_file_type, non_auth_file_type)
+ relabel_sock_files_pattern($1, non_auth_file_type, non_auth_file_type)
+ # this is only relabelfrom since there should be no
+ # device nodes with file types.
+ relabelfrom_blk_files_pattern($1, non_auth_file_type, non_auth_file_type)
+ relabelfrom_chr_files_pattern($1, non_auth_file_type, non_auth_file_type)
+
+ # satisfy the assertions:
+ seutil_relabelto_bin_policy($1)
+')
+
+########################################
+##
+## rw non-authentication related files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`files_rw_non_auth_files',`
+ gen_require(`
+ attribute non_auth_file_type;
+ ')
+
+ rw_files_pattern($1, non_auth_file_type, non_auth_file_type)
+')
+
+########################################
+##
+## Manage non-authentication related
+## files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+##
+#
+interface(`files_manage_non_auth_files',`
+ gen_require(`
+ attribute non_auth_file_type;
+ ')
+
+ manage_dirs_pattern($1, non_auth_file_type, non_auth_file_type)
+ manage_files_pattern($1, non_auth_file_type, non_auth_file_type)
+ manage_lnk_files_pattern($1, non_auth_file_type, non_auth_file_type)
+ manage_fifo_files_pattern($1, non_auth_file_type, non_auth_file_type)
+ manage_sock_files_pattern($1, non_auth_file_type, non_auth_file_type)
+
+ # satisfy the assertions:
+ seutil_create_bin_policy($1)
+ files_manage_kernel_modules($1)
+')
+
#############################################
##
## Manage all configuration directories on filesystem
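Review bot: The summaries of files_relabel_non_auth_files and files_manage_non_auth_files undersell what they grant: because files_security_file now assigns non_auth_file_type, these interfaces cover security_file_type as well, which is exactly why the "satisfy the assertions" lines add seutil_relabelto_bin_policy, seutil_create_bin_policy and files_manage_kernel_modules. I would make that explicit in the doc block, e.g. `## Manage all non-authentication related files, including security files such as the binary policy and kernel modules; the only exclusion is auth_file_type.` The same applies to the read/rw interfaces, though with less impact. Separately, files_list_non_auth_dirs grants only list_dir_perms, so its summary should read `## List all non-authentication related directories.` rather than "Read"; and calling seutil_* from the kernel layer appears to follow the existing files_relabel_all_files pattern, which is outside this hunk, so I only flag the layering for confirmation.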
diff --git a/policy/modules/kernel/files.te b/policy/modules/kernel/files.te
index 40a3378cb..ff94f9745 100644
--- a/policy/modules/kernel/files.te
+++ b/policy/modules/kernel/files.te
@@ -29,6 +29,12 @@ attribute security_file_type;
# and its opposite
attribute non_security_file_type;
+# sensitive authentication files whose accesses should
+# not be dontaudited for uses
+attribute auth_file_type;
+# and its opposite
+attribute non_auth_file_type;
+
attribute tmpfile;
attribute tmpfsfile;
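Review bot: The comment on auth_file_type reads "should not be dontaudited for uses", which looks like a typo ("users"?) and does not say who is expected to respect the rule. Since the interfaces in files.if that consume non_auth_file_type are allow interfaces rather than dontaudit ones, I would phrase the intent in terms of the attribute split, e.g. `# sensitive authentication files (e.g. shadow_t); kept out of the` / `# broad non_auth interfaces so access to them is always audited and explicit`. The opposite attribute could likewise note that it now includes security_file_type, which is not obvious from its name.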
diff --git a/policy/modules/system/authlogin.te b/policy/modules/system/authlogin.te
index 01c73316c..6a96393c3 100644
--- a/policy/modules/system/authlogin.te
+++ b/policy/modules/system/authlogin.te
@@ -5,7 +5,6 @@ policy_module(authlogin, 2.3.0)
# Declarations
#
-attribute auth_file_type;
attribute can_read_shadow_passwords;
attribute can_write_shadow_passwords;
attribute can_relabelto_shadow_passwords;
@@ -51,7 +50,7 @@ type pam_var_run_t;
files_pid_file(pam_var_run_t)
type shadow_t;
-auth_file(shadow_t)
+files_auth_file(shadow_t)
neverallow ~can_read_shadow_passwords shadow_t:file read;
neverallow ~can_write_shadow_passwords shadow_t:file { create write };
neverallow ~can_relabelto_shadow_passwords shadow_t:file relabelto;