more authlogin handling
This commit is contained in:
parent
5c162193b7
commit
13e94c09e4
@ -241,13 +241,12 @@ logging_send_system_log_message(groupadd_t)
|
||||
|
||||
miscfiles_read_localization(groupadd_t)
|
||||
|
||||
authlogin_manage_shadow_passwords(groupadd_t)
|
||||
authlogin_modify_last_login_log(groupadd_t)
|
||||
|
||||
selinux_read_config(groupadd_t)
|
||||
|
||||
ifdef(`TODO',`
|
||||
domain_auto_trans(initrc_t, groupadd_exec_t, groupadd_t)
|
||||
|
||||
role sysadm_r types groupadd_t;
|
||||
domain_auto_trans(sysadm_t, groupadd_exec_t, groupadd_t)
|
||||
|
||||
@ -258,14 +257,8 @@ allow groupadd_t autofs_t:dir { search getattr };
|
||||
')
|
||||
|
||||
# Update /etc/shadow and /etc/passwd
|
||||
file_type_auto_trans(groupadd_t, etc_t, shadow_t, file)
|
||||
|
||||
allow groupadd_t { etc_t shadow_t }:file { relabelfrom relabelto };
|
||||
|
||||
# useradd/userdel request read/write for /var/log/lastlog, and read of /dev,
|
||||
# but will operate without them.
|
||||
dontaudit groupadd_t device_t:dir search;
|
||||
|
||||
# Access terminals.
|
||||
ifdef(`gnome-pty-helper.te', `allow groupadd_t gphdomain:fd use;')
|
||||
|
||||
@ -518,12 +511,11 @@ selinux_read_config(useradd_t)
|
||||
|
||||
logging_send_system_log_message(useradd_t)
|
||||
|
||||
authlogin_manage_shadow_passwords(useradd_t)
|
||||
authlogin_modify_last_login_log(useradd_t)
|
||||
|
||||
ifdef(`TODO',`
|
||||
|
||||
domain_auto_trans(initrc_t, useradd_exec_t, useradd_t)
|
||||
|
||||
role sysadm_r types useradd_t;
|
||||
domain_auto_trans(sysadm_t, useradd_exec_t, useradd_t)
|
||||
|
||||
@ -534,8 +526,6 @@ allow useradd_t autofs_t:dir { search getattr };
|
||||
')
|
||||
|
||||
# Update /etc/shadow and /etc/passwd
|
||||
file_type_auto_trans(useradd_t, etc_t, shadow_t, file)
|
||||
|
||||
allow useradd_t { etc_t shadow_t }:file { relabelfrom relabelto };
|
||||
|
||||
# Access terminals.
|
||||
|
@ -55,14 +55,17 @@ terminal_ignore_use_general_pseudoterminal(hostname_t)
|
||||
files_ignore_read_rootfs_file(hostname_t)
|
||||
')dnl end targeted_policy tunable
|
||||
|
||||
optional_policy(`udev.te', `
|
||||
udev_read_database(hostname_t)
|
||||
optional_policy(`hostname.te',`
|
||||
hotplug_ignore_use_file_descriptors(hostname_t)
|
||||
')
|
||||
|
||||
optional_policy(`selinux.te',`
|
||||
selinux_newrole_sigchld(hostname_t)
|
||||
')
|
||||
|
||||
optional_policy(`udev.te', `
|
||||
udev_read_database(hostname_t)
|
||||
')
|
||||
|
||||
ifdef(`TODO',`
|
||||
|
||||
|
@ -46,6 +46,20 @@ type hotplug_t;
|
||||
class fd use;
|
||||
')
|
||||
|
||||
#######################################
|
||||
#
|
||||
# hotplug_ignore_use_file_descriptors(domain)
|
||||
#
|
||||
define(`hotplug_ignore_use_file_descriptors',`
|
||||
requires_block_template(`$0'_depend)
|
||||
dontaudit $1 hotplug_t:fd use;
|
||||
')
|
||||
|
||||
define(`hotplug_ignore_use_file_descriptors_depend',`
|
||||
type hotplug_t;
|
||||
class fd use;
|
||||
')
|
||||
|
||||
########################################
|
||||
#
|
||||
# hotplug_ignore_search_config_directory(domain)
|
||||
|
@ -100,6 +100,10 @@ optional_policy(`consoletype.te',`
|
||||
consoletype_transition(hotplug_t)
|
||||
')
|
||||
|
||||
optional_policy(`hostname.te',`
|
||||
hostname_execute(hotplug_t)
|
||||
')
|
||||
|
||||
optional_policy(`iptables.te',`
|
||||
iptables_transition(hotplug_t)
|
||||
')
|
||||
@ -108,6 +112,10 @@ optional_policy(`selinux.te',`
|
||||
selinux_newrole_sigchld(hotplug_t)
|
||||
')
|
||||
|
||||
optional_policy(`sysnetwork.te',`
|
||||
sysnetwork_ifconfig_transition(hotplug_t)
|
||||
')
|
||||
|
||||
optional_policy(`udev.te', `
|
||||
udev_transition(hotplug_t)
|
||||
udev_read_database(hotplug_t)
|
||||
@ -158,15 +166,6 @@ allow hotplug_t var_log_t:dir search;
|
||||
dontaudit hotplug_t domain:dir { getattr search };
|
||||
dontaudit hotplug_t { init_t kernel_t }:file read;
|
||||
|
||||
optional_policy(`hostname.te',`
|
||||
hostname_execute(hotplug_t)
|
||||
dontaudit hostname_t hotplug_t:fd use;
|
||||
')
|
||||
|
||||
optional_policy(`sysnetwork.te',`
|
||||
ifconfig_transition(hotplug_t)
|
||||
')
|
||||
|
||||
tunable_policy(`distro_redhat', `
|
||||
optional_policy(`netutils.te', `
|
||||
# for arping used for static IP addresses on PCMCIA ethernet
|
||||
|
@ -164,8 +164,6 @@ files_ignore_read_rootfs_file(syslogd_t)
|
||||
')
|
||||
|
||||
ifdef(`TODO',`
|
||||
|
||||
allow syslogd_t proc_t:dir r_dir_perms;
|
||||
allow syslogd_t proc_t:lnk_file read;
|
||||
dontaudit syslogd_t unpriv_userdomain:fd use;
|
||||
allow syslogd_t autofs_t:dir { search getattr };
|
||||
|
Loading…
Reference in New Issue
Block a user