nnd/selinux-refpolicy
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

move system_chkpwd to .te rather then using template, so that the

Browse Source 
ifelse(system,..) can be eliminated
This commit is contained in:
Chris PeBenito 2005-05-09 21:06:51 +00:00
parent cb28738d20
commit 5c162193b7
2 changed files with 85 additions and 40 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

74
refpolicy/policy/modules/system/authlogin.if
View File

@ -9,7 +9,7 @@
define(`authlogin_per_userdomain_template',` define(`authlogin_per_userdomain_template',`
requires_block_template(`$0'_depend) requires_block_template(`$0'_depend)
type $1_chkpwd_t; # , nscd_client_domain; type $1_chkpwd_t, can_read_shadow_passwords; # , nscd_client_domain;
domain_make_domain($1_chkpwd_t) domain_make_domain($1_chkpwd_t)
domain_make_entrypoint_file($1_chkpwd_t,chkpwd_exec_t) domain_make_entrypoint_file($1_chkpwd_t,chkpwd_exec_t)
role $1_r types $1_chkpwd_t; role $1_r types $1_chkpwd_t;
@ -18,22 +18,45 @@ role $1_r types system_chkpwd_t;
allow $1_chkpwd_t self:capability setuid; allow $1_chkpwd_t self:capability setuid;
allow $1_chkpwd_t self:process getattr; allow $1_chkpwd_t self:process getattr;
authlogin_read_shadow_passwords($1_chkpwd_t) # FIXME: read etc_t dir
logging_send_system_log_message($1_chkpwd_t) allow $1_chkpwd_t shadow_t:file { getattr read };
libraries_use_dynamic_loader($1_chkpwd_t)
libraries_read_shared_libraries($1_chkpwd_t)
files_read_general_system_config($1_chkpwd_t)
miscfiles_read_localization($1_chkpwd_t)
selinux_read_config($1_chkpwd_t)
filesystem_ignore_get_persistent_filesystem_attributes($1_chkpwd_t)
# is_selinux_enabled # is_selinux_enabled
kernel_read_system_state($1_chkpwd_t) kernel_read_system_state($1_chkpwd_t)
filesystem_ignore_get_persistent_filesystem_attributes($1_chkpwd_t)
domain_use_widely_inheritable_file_descriptors($1_chkpwd_t)
libraries_use_dynamic_loader($1_chkpwd_t)
libraries_read_shared_libraries($1_chkpwd_t)
files_read_general_system_config($1_chkpwd_t)
# for nscd
files_ignore_search_system_state_data_directory($1_chkpwd_t)
logging_send_system_log_message($1_chkpwd_t)
miscfiles_read_localization($1_chkpwd_t)
selinux_read_config($1_chkpwd_t)
#can_ypbind($1_chkpwd_t) #can_ypbind($1_chkpwd_t)
#can_kerberos($1_chkpwd_t) #can_kerberos($1_chkpwd_t)
#can_ldap($1_chkpwd_t) #can_ldap($1_chkpwd_t)
# Transition from the user domain to this domain.
allow $1_t chkpwd_exec_t:file { getattr read execute };
allow $1_t $1_chkpwd_t:process transition;
type_transition $1_t chkpwd_exec_t:process $1_chkpwd_t;
# Write to the user domain tty.
#userdomain_use_$1_terminal($1_chkpwd_t)
#userdomain_use_$1_pty($1_chkpwd_t)
# Inherit and use descriptors from gnome-pty-helper.
#ifdef(`gnome-pty-helper.te',`allow $1_chkpwd_t $1_gph_t:fd use;')
tunable_policy(`use_dns',` tunable_policy(`use_dns',`
allow $1_chkpwd_t self:udp_socket { create ioctl read getattr write setattr append bind getopt setopt shutdown connect }; allow $1_chkpwd_t self:udp_socket { create ioctl read getattr write setattr append bind getopt setopt shutdown connect };
corenetwork_network_udp_on_all_interfaces($1_chkpwd_t) corenetwork_network_udp_on_all_interfaces($1_chkpwd_t)
@ -43,42 +66,17 @@ corenetwork_network_raw_on_all_nodes($1_chkpwd_t)
corenetwork_bind_udp_on_all_nodes($1_chkpwd_t) corenetwork_bind_udp_on_all_nodes($1_chkpwd_t)
corenetwork_network_udp_on_dns_port($1_chkpwd_t) corenetwork_network_udp_on_dns_port($1_chkpwd_t)
sysnetwork_read_network_config($1_chkpwd_t) sysnetwork_read_network_config($1_chkpwd_t)
') dnl end use_dns ')
# for nscd
files_ignore_search_system_state_data_directory($1_chkpwd_t)
# Transition from the user domain to this domain.
ifelse($1, system, `
#dontaudit $1_chkpwd_t user_tty_type:chr_file rw_file_perms;
terminal_use_general_physical_terminal($1_chkpwd_t)
', `
# Transition from the user domain to this domain.
allow $1_t chkpwd_exec_t:file { getattr read execute };
allow $1_t $1_chkpwd_t:process transition;
type_transition $1_t chkpwd_exec_t:process $1_chkpwd_t;
#allow $1_t sbin_t:dir search;
# Write to the user domain tty.
#userdomain_use_$1_terminal($1_chkpwd_t)
#userdomain_use_$1_pty($1_chkpwd_t)
domain_use_widely_inheritable_file_descriptors($1_chkpwd_t)
# Inherit and use descriptors from gnome-pty-helper.
#ifdef(`gnome-pty-helper.te',`allow $1_chkpwd_t $1_gph_t:fd use;')
optional_policy(`selinux.te',` optional_policy(`selinux.te',`
selinux_newrole_use_file_descriptors($1_chkpwd_t) selinux_newrole_use_file_descriptors($1_chkpwd_t)
') ')
') dnl ifelse system
') dnl end authlogin_per_userdomain_template ') dnl end authlogin_per_userdomain_template
define(`authlogin_per_userdomain_template_depend',` define(`authlogin_per_userdomain_template_depend',`
type chkpwd_exec_t, system_chkpwd_t; attribute can_read_shadow_passwords;
type chkpwd_exec_t, system_chkpwd_t, shadow_t;
class file { getattr read execute }; class file { getattr read execute };
class process { getattr transition }; class process { getattr transition };
class capability setuid; class capability setuid;

51
refpolicy/policy/modules/system/authlogin.te
View File

@ -50,6 +50,11 @@ neverallow ~can_read_shadow_passwords shadow_t:file read;
neverallow ~can_write_shadow_passwords shadow_t:file { create write }; neverallow ~can_write_shadow_passwords shadow_t:file { create write };
neverallow ~can_relabelto_shadow_passwords shadow_t:file relabelto; neverallow ~can_relabelto_shadow_passwords shadow_t:file relabelto;
type system_chkpwd_t, can_read_shadow_passwords; # , nscd_client_domain;
domain_make_domain(system_chkpwd_t)
domain_make_entrypoint_file(system_chkpwd_t,chkpwd_exec_t)
role system_r types system_chkpwd_t;
type utempter_t; #, nscd_client_domain; type utempter_t; #, nscd_client_domain;
domain_make_domain(utempter_t) domain_make_domain(utempter_t)
@ -224,9 +229,51 @@ allow initrc_t pam_var_console_t:dir r_dir_perms;
# System check password local policy # System check password local policy
# #
authlogin_per_userdomain_template(system) allow system_chkpwd_t self:capability setuid;
allow system_chkpwd_t self:process getattr;
domain_make_entrypoint_file(system_chkpwd_t,chkpwd_exec_t) allow system_chkpwd_t shadow_t:file { getattr read };
# is_selinux_enabled
kernel_read_system_state(system_chkpwd_t)
filesystem_ignore_get_persistent_filesystem_attributes(system_chkpwd_t)
terminal_use_general_physical_terminal(system_chkpwd_t)
files_read_general_system_config(system_chkpwd_t)
# for nscd
files_ignore_search_system_state_data_directory(system_chkpwd_t)
libraries_use_dynamic_loader(system_chkpwd_t)
libraries_read_shared_libraries(system_chkpwd_t)
logging_send_system_log_message(system_chkpwd_t)
miscfiles_read_localization(system_chkpwd_t)
selinux_read_config(system_chkpwd_t)
tunable_policy(`use_dns',`
allow system_chkpwd_t self:udp_socket { create ioctl read getattr write setattr append bind getopt setopt shutdown connect };
corenetwork_network_udp_on_all_interfaces(system_chkpwd_t)
corenetwork_network_raw_on_all_interfaces(system_chkpwd_t)
corenetwork_network_udp_on_all_nodes(system_chkpwd_t)
corenetwork_network_raw_on_all_nodes(system_chkpwd_t)
corenetwork_bind_udp_on_all_nodes(system_chkpwd_t)
corenetwork_network_udp_on_dns_port(system_chkpwd_t)
sysnetwork_read_network_config(system_chkpwd_t)
')
ifdef(`TODO',`
# FIXME: read etc_t dir
can_ypbind(system_chkpwd_t)
can_kerberos(system_chkpwd_t)
can_ldap(system_chkpwd_t)
dontaudit system_chkpwd_t user_tty_type:chr_file rw_file_perms;
')
######################################## ########################################
# #