From 210b64f10a44fd4f7431d0915b95543e00adf3c2 Mon Sep 17 00:00:00 2001 From: Dominick Grift Date: Sun, 1 Sep 2019 14:46:20 +0200 Subject: [PATCH] Remove shell automatic domain transitions to unconfined_t from various pam login programs I think these may have been adopted from the old Red Hat targeted policy (that model only had unconfined users) Some aspect to note: 1. The ssh_sysadm_login boolean now applies to unconfined_t as well 2. remotelogin only allows unpriv logins The rshd module also calls unconfined_shell_domtrans() but I ignored that one because that policy currently does not have support for manual transitions with pam_selinux. Signed-off-by: Dominick Grift
---
 policy/modules/services/remotelogin.te | 4 ----
 policy/modules/services/ssh.te | 4 ----
 policy/modules/system/locallogin.te | 4 ----
 3 files changed, 12 deletions(-)
diff --git a/policy/modules/services/remotelogin.te b/policy/modules/services/remotelogin.te
index bc2292e37..c7c9c5646 100644
--- a/policy/modules/services/remotelogin.te
+++ b/policy/modules/services/remotelogin.te
@@ -91,10 +91,6 @@ optional_policy(`
 telnet_use_ptys(remote_login_t)
 ')
-optional_policy(`
- unconfined_shell_domtrans(remote_login_t)
-')
-
 optional_policy(`
 usermanage_read_crack_db(remote_login_t)
 ')
diff --git a/policy/modules/services/ssh.te b/policy/modules/services/ssh.te
index 1958ae473..a8127b422 100644
--- a/policy/modules/services/ssh.te
+++ b/policy/modules/services/ssh.te
@@ -329,10 +329,6 @@ optional_policy(`
 systemd_dbus_chat_logind(sshd_t)
 ')
-optional_policy(`
- unconfined_shell_domtrans(sshd_t)
-')
-
 optional_policy(`
 xserver_domtrans_xauth(sshd_t)
 xserver_link_xdm_keys(sshd_t)
diff --git a/policy/modules/system/locallogin.te b/policy/modules/system/locallogin.te
index 04332aa56..412f8c01c 100644
--- a/policy/modules/system/locallogin.te
+++ b/policy/modules/system/locallogin.te
@@ -204,10 +204,6 @@ optional_policy(`
 systemd_write_inherited_logind_sessions_pipes(local_login_t)
 ')
-optional_policy(`
- unconfined_shell_domtrans(local_login_t)
-')
-
 optional_policy(`
 usermanage_read_crack_db(local_login_t)
 ')