more authlogin handling

refpolicy/policy/modules/admin/usermanage.te

@@ -241,13 +241,12 @@ logging_send_system_log_message(groupadd_t)
 
 miscfiles_read_localization(groupadd_t)
 
+authlogin_manage_shadow_passwords(groupadd_t)
 authlogin_modify_last_login_log(groupadd_t)
 
 selinux_read_config(groupadd_t)
 
 ifdef(`TODO',`
-domain_auto_trans(initrc_t, groupadd_exec_t, groupadd_t)
-
 role sysadm_r types groupadd_t;
 domain_auto_trans(sysadm_t, groupadd_exec_t, groupadd_t)
 
@@ -258,14 +257,8 @@ allow groupadd_t autofs_t:dir { search getattr };
 ')
 
 # Update /etc/shadow and /etc/passwd
-file_type_auto_trans(groupadd_t, etc_t, shadow_t, file)
-
 allow groupadd_t { etc_t shadow_t }:file { relabelfrom relabelto };
 
-# useradd/userdel request read/write for /var/log/lastlog, and read of /dev, 
-# but will operate without them.
-dontaudit groupadd_t device_t:dir search;
-
 # Access terminals.
 ifdef(`gnome-pty-helper.te', `allow groupadd_t gphdomain:fd use;')
 
@@ -518,12 +511,11 @@ selinux_read_config(useradd_t)
 
 logging_send_system_log_message(useradd_t)
 
+authlogin_manage_shadow_passwords(useradd_t)
 authlogin_modify_last_login_log(useradd_t)
 
 ifdef(`TODO',`
 
-domain_auto_trans(initrc_t, useradd_exec_t, useradd_t)
-
 role sysadm_r types useradd_t;
 domain_auto_trans(sysadm_t, useradd_exec_t, useradd_t)
 
@@ -534,8 +526,6 @@ allow useradd_t autofs_t:dir { search getattr };
 ')
 
 # Update /etc/shadow and /etc/passwd
-file_type_auto_trans(useradd_t, etc_t, shadow_t, file)
-
 allow useradd_t { etc_t shadow_t }:file { relabelfrom relabelto };
 
 # Access terminals.

refpolicy/policy/modules/system/hostname.te

@@ -55,14 +55,17 @@ terminal_ignore_use_general_pseudoterminal(hostname_t)
 files_ignore_read_rootfs_file(hostname_t)
 ')dnl end targeted_policy tunable
 
-optional_policy(`udev.te', `
+optional_policy(`hostname.te',`
-udev_read_database(hostname_t)
+hotplug_ignore_use_file_descriptors(hostname_t)
 ')
 
 optional_policy(`selinux.te',`
 selinux_newrole_sigchld(hostname_t)
 ')
 
+optional_policy(`udev.te', `
+udev_read_database(hostname_t)
+')
 
 ifdef(`TODO',`
 

refpolicy/policy/modules/system/hotplug.if

@@ -46,6 +46,20 @@ type hotplug_t;
 class fd use;
 ')
 
+#######################################
+#
+# hotplug_ignore_use_file_descriptors(domain)
+#
+define(`hotplug_ignore_use_file_descriptors',`
+requires_block_template(`$0'_depend)
+dontaudit $1 hotplug_t:fd use;
+')
+
+define(`hotplug_ignore_use_file_descriptors_depend',`
+type hotplug_t;
+class fd use;
+')
+
 ########################################
 #
 # hotplug_ignore_search_config_directory(domain)

refpolicy/policy/modules/system/hotplug.te

@@ -100,6 +100,10 @@ optional_policy(`consoletype.te',`
 consoletype_transition(hotplug_t)
 ')
 
+optional_policy(`hostname.te',`
+hostname_execute(hotplug_t)
+')
+
 optional_policy(`iptables.te',`
 iptables_transition(hotplug_t)
 ')
@@ -108,6 +112,10 @@ optional_policy(`selinux.te',`
 selinux_newrole_sigchld(hotplug_t)
 ')
 
+optional_policy(`sysnetwork.te',`
+sysnetwork_ifconfig_transition(hotplug_t)
+')
+
 optional_policy(`udev.te', `
 udev_transition(hotplug_t)
 udev_read_database(hotplug_t)
@@ -158,15 +166,6 @@ allow hotplug_t var_log_t:dir search;
 dontaudit hotplug_t domain:dir { getattr search };
 dontaudit hotplug_t { init_t kernel_t }:file read;
 
-optional_policy(`hostname.te',`
-hostname_execute(hotplug_t)
-dontaudit hostname_t hotplug_t:fd use;
-')
-
-optional_policy(`sysnetwork.te',`
-ifconfig_transition(hotplug_t)
-')
-
 tunable_policy(`distro_redhat', `
 optional_policy(`netutils.te', `
 # for arping used for static IP addresses on PCMCIA ethernet

refpolicy/policy/modules/system/logging.te

@@ -164,8 +164,6 @@ files_ignore_read_rootfs_file(syslogd_t)
 ')
 
 ifdef(`TODO',`
-
-allow syslogd_t proc_t:dir r_dir_perms;
 allow syslogd_t proc_t:lnk_file read;
 dontaudit syslogd_t unpriv_userdomain:fd use;
 allow syslogd_t autofs_t:dir { search getattr };