Create a new attribute for auth_file types. Add shadow as an auth_file type. Add new interfaces to manage auth_file types Deprecate *_except_shadow macros in favour of *_except_auth_files

policy/modules/system/authlogin.if

@@ -178,6 +178,37 @@ interface(`auth_login_entry_type',`
 	domain_entry_file($1, login_exec_t)
 ')
 
+########################################
+## <summary>
+##	Make the specified type usable as a
+##	login file.
+## </summary>
+## <desc>
+##	<p>
+##	Make the specified type usable as a login file,
+##	This type has restricted modification capabilities when used with
+##	other interfaces that permit files_type access.
+##	The default type has properties similar to that of the shadow file.
+##	This will also make the type usable as a security file, making
+##	calls to files_security_file() redundant.
+##	</p>
+## </desc>
+## <param name="type">
+##	<summary>
+##	Type to be used as a login file.
+##	</summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`auth_file',`
+	gen_require(`
+		attribute auth_file_type;
+	')
+        
+	files_security_file($1)
+	typeattribute $1 auth_file_type;
+')
+
 ########################################
 ## <summary>
 ##	Execute a login_program in the target domain.
@@ -1152,6 +1183,31 @@ interface(`auth_delete_pam_console_data',`
 	delete_files_pattern($1, pam_var_console_t, pam_var_console_t)
 ')
 
+########################################
+## <summary>
+##	Read all directories on the filesystem, except
+##	login files and listed exceptions.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <param name="exception_types" optional="true">
+##	<summary>
+##	The types to be excluded.  Each type or attribute
+##	must be negated by the caller.
+##	</summary>
+## </param>
+#
+interface(`auth_read_all_dirs_except_auth_files',`
+	gen_require(`
+		attribute auth_file_type;
+	')
+
+	files_read_all_dirs_except($1, $2 -auth_file_type)
+')
+
 ########################################
 ## <summary>
 ##	Read all directories on the filesystem, except
@@ -1170,11 +1226,34 @@ interface(`auth_delete_pam_console_data',`
 ## </param>
 #
 interface(`auth_read_all_dirs_except_shadow',`
+	refpolicywarn(`$0($*) has been deprecated, use auth_read_all_dirs_except_auth_files() instead.')
+	auth_read_all_dirs_except_auth_files($1, $2)
+')
+
+########################################
+## <summary>
+##	Read all files on the filesystem, except
+##	login files and listed exceptions.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <param name="exception_types" optional="true">
+##	<summary>
+##	The types to be excluded.  Each type or attribute
+##	must be negated by the caller.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`auth_read_all_files_except_auth_files',`
 	gen_require(`
-		type shadow_t;
+		attribute auth_file_type;
 	')
 
-	files_read_all_dirs_except($1, $2 -shadow_t)
+	files_read_all_files_except($1, $2 -auth_file_type)
 ')
 
 ########################################
@@ -1196,11 +1275,33 @@ interface(`auth_read_all_dirs_except_shadow',`
 ## <rolecap/>
 #
 interface(`auth_read_all_files_except_shadow',`
+	refpolicywarn(`$0($*) has been deprecated, use auth_read_all_files_except_auth_files() instead.')
+	auth_read_all_files_except_auth_files($1, $2)
+')
+
+########################################
+## <summary>
+##	Read all symbolic links on the filesystem, except
+##	login files and listed exceptions.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <param name="exception_types" optional="true">
+##	<summary>
+##	The types to be excluded.  Each type or attribute
+##	must be negated by the caller.
+##	</summary>
+## </param>
+#
+interface(`auth_read_all_symlinks_except_auth_files',`
 	gen_require(`
-		type shadow_t;
+		attribute auth_file_type;
 	')
 
-	files_read_all_files_except($1, $2 -shadow_t)
+	files_read_all_symlinks_except($1, $2 -auth_file_type)
 ')
 
 ########################################
@@ -1221,11 +1322,33 @@ interface(`auth_read_all_files_except_shadow',`
 ## </param>
 #
 interface(`auth_read_all_symlinks_except_shadow',`
+	refpolicywarn(`$0($*) has been deprecated, use auth_read_all_symlinks_except_auth_files() instead.')
+	auth_read_all_symlinks_except_auth_files($1, $2)
+')
+
+#######################################
+## <summary>
+##	Relabel all files on the filesystem, except
+##	login files and listed exceptions.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <param name="exception_types" optional="true">
+##	<summary>
+##	The types to be excluded.  Each type or attribute
+##	must be negated by the caller.
+##	</summary>
+## </param>
+#
+interface(`auth_relabel_all_files_except_auth_files',`
 	gen_require(`
-		type shadow_t;
+		attribute auth_file_type;
 	')
 
-	files_read_all_symlinks_except($1, $2 -shadow_t)
+	files_relabel_all_files($1, $2 -auth_file_type)
 ')
 
 ########################################
@@ -1245,13 +1368,34 @@ interface(`auth_read_all_symlinks_except_shadow',`
 ##	</summary>
 ## </param>
 #
-
 interface(`auth_relabel_all_files_except_shadow',`
+	refpolicywarn(`$0($*) has been deprecated, use auth_relabel_all_files_except_auth_files() instead.')
+	auth_relabel_all_files_except_auth_files($1, $2)
+')
+
+########################################
+## <summary>
+##	Read and write all files on the filesystem, except
+##	login files and listed exceptions.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <param name="exception_types" optional="true">
+##	<summary>
+##	The types to be excluded.  Each type or attribute
+##	must be negated by the caller.
+##	</summary>
+## </param>
+#
+interface(`auth_rw_all_files_except_auth_files',`
 	gen_require(`
-		type shadow_t;
+		attribute auth_file_type;
 	')
 
-	files_relabel_all_files($1, $2 -shadow_t)
+	files_rw_all_files($1, $2 -auth_file_type)
 ')
 
 ########################################
@@ -1271,13 +1415,34 @@ interface(`auth_relabel_all_files_except_shadow',`
 ##	</summary>
 ## </param>
 #
-
 interface(`auth_rw_all_files_except_shadow',`
+	refpolicywarn(`$0($*) has been deprecated, use auth_rw_all_files_except_auth_files() instead.')
+	auth_rw_all_files_except_auth_files($1, $2)
+')
+
+########################################
+## <summary>
+##	Manage all files on the filesystem, except
+##	login files passwords and listed exceptions.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <param name="exception_types" optional="true">
+##	<summary>
+##	The types to be excluded.  Each type or attribute
+##	must be negated by the caller.
+##	</summary>
+## </param>
+#
+interface(`auth_manage_all_files_except_auth_files',`
 	gen_require(`
-		type shadow_t;
+		attribute auth_file_type;
 	')
 
-	files_rw_all_files($1, $2 -shadow_t)
+	files_manage_all_files($1, $2 -auth_file_type)
 ')
 
 ########################################
@@ -1297,13 +1462,9 @@ interface(`auth_rw_all_files_except_shadow',`
 ##	</summary>
 ## </param>
 #
-
 interface(`auth_manage_all_files_except_shadow',`
-	gen_require(`
-		type shadow_t;
-	')
-
-	files_manage_all_files($1, $2 -shadow_t)
+	refpolicywarn(`$0($*) has been deprecated, use auth_manage_all_files_except_auth_files() instead.')
+	auth_manage_all_files_except_auth_files($1, $2)
 ')
 
 ########################################

policy/modules/system/authlogin.te

@@ -5,6 +5,7 @@ policy_module(authlogin, 2.2.1)
 # Declarations
 #
 
+attribute auth_file_type;
 attribute can_read_shadow_passwords;
 attribute can_write_shadow_passwords;
 attribute can_relabelto_shadow_passwords;
@@ -50,7 +51,7 @@ type pam_var_run_t;
 files_pid_file(pam_var_run_t)
 
 type shadow_t;
-files_security_file(shadow_t)
+auth_file(shadow_t)
 neverallow ~can_read_shadow_passwords shadow_t:file read;
 neverallow ~can_write_shadow_passwords shadow_t:file { create write };
 neverallow ~can_relabelto_shadow_passwords shadow_t:file relabelto;