From 61fb2009adcabe9e5238c9e23f9c9735b33089ea Mon Sep 17 00:00:00 2001 From: Matthew Ife Date: Thu, 14 Jul 2011 15:59:15 +0100 Subject: [PATCH] Create a new attribute for auth_file types. Add shadow as an auth_file type. Add new interfaces to manage auth_file types Deprecate *_except_shadow macros in favour of *_except_auth_files --- policy/modules/system/authlogin.if | 197 ++++++++++++++++++++++++++--- policy/modules/system/authlogin.te | 3 +- 2 files changed, 181 insertions(+), 19 deletions(-) diff --git a/policy/modules/system/authlogin.if b/policy/modules/system/authlogin.if index 73554ec2d..5e0322a09 100644 --- a/policy/modules/system/authlogin.if +++ b/policy/modules/system/authlogin.if @@ -178,6 +178,37 @@ interface(`auth_login_entry_type',` domain_entry_file($1, login_exec_t) ') +######################################## +## +## Make the specified type usable as a +## login file. +## +## +##

+## Make the specified type usable as a login file, +## This type has restricted modification capabilities when used with +## other interfaces that permit files_type access. +## The default type has properties similar to that of the shadow file. +## This will also make the type usable as a security file, making +## calls to files_security_file() redundant. +##

+##
+## +## +## Type to be used as a login file. +## +## +## +# +interface(`auth_file',` + gen_require(` + attribute auth_file_type; + ') + + files_security_file($1) + typeattribute $1 auth_file_type; +') + ######################################## ## ## Execute a login_program in the target domain. @@ -1152,6 +1183,31 @@ interface(`auth_delete_pam_console_data',` delete_files_pattern($1, pam_var_console_t, pam_var_console_t) ') +######################################## +## +## Read all directories on the filesystem, except +## login files and listed exceptions. +## +## +## +## Domain allowed access. +## +## +## +## +## The types to be excluded. Each type or attribute +## must be negated by the caller. +## +## +# +interface(`auth_read_all_dirs_except_auth_files',` + gen_require(` + attribute auth_file_type; + ') + + files_read_all_dirs_except($1, $2 -auth_file_type) +') + ######################################## ## ## Read all directories on the filesystem, except @@ -1170,11 +1226,34 @@ interface(`auth_delete_pam_console_data',` ## # interface(`auth_read_all_dirs_except_shadow',` + refpolicywarn(`$0($*) has been deprecated, use auth_read_all_dirs_except_auth_files() instead.') + auth_read_all_dirs_except_auth_files($1, $2) +') + +######################################## +## +## Read all files on the filesystem, except +## login files and listed exceptions. +## +## +## +## Domain allowed access. +## +## +## +## +## The types to be excluded. Each type or attribute +## must be negated by the caller. +## +## +## +# +interface(`auth_read_all_files_except_auth_files',` gen_require(` - type shadow_t; + attribute auth_file_type; ') - files_read_all_dirs_except($1, $2 -shadow_t) + files_read_all_files_except($1, $2 -auth_file_type) ') ######################################## 
@@ -1196,11 +1275,33 @@ interface(`auth_read_all_dirs_except_shadow',` ## # interface(`auth_read_all_files_except_shadow',` + refpolicywarn(`$0($*) has been deprecated, use auth_read_all_files_except_auth_files() instead.') + auth_read_all_files_except_auth_files($1, $2) +') + +######################################## +## +## Read all symbolic links on the filesystem, except +## login files and listed exceptions. +## +## +## +## Domain allowed access. +## +## +## +## +## The types to be excluded. Each type or attribute +## must be negated by the caller. +## +## +# +interface(`auth_read_all_symlinks_except_auth_files',` gen_require(` - type shadow_t; + attribute auth_file_type; ') - files_read_all_files_except($1, $2 -shadow_t) + files_read_all_symlinks_except($1, $2 -auth_file_type) ') ######################################## @@ -1221,11 +1322,33 @@ interface(`auth_read_all_files_except_shadow',` ## # interface(`auth_read_all_symlinks_except_shadow',` + refpolicywarn(`$0($*) has been deprecated, use auth_read_all_symlinks_except_auth_files() instead.') + auth_read_all_symlinks_except_auth_files($1, $2) +') + +####################################### +## +## Relabel all files on the filesystem, except +## login files and listed exceptions. +## +## +## +## Domain allowed access. +## +## +## +## +## The types to be excluded. Each type or attribute +## must be negated by the caller. +## +## +# +interface(`auth_relabel_all_files_except_auth_files',` gen_require(` - type shadow_t; + attribute auth_file_type; ') - files_read_all_symlinks_except($1, $2 -shadow_t) + files_relabel_all_files($1, $2 -auth_file_type) ') ######################################## 
@@ -1245,13 +1368,34 @@ interface(`auth_read_all_symlinks_except_shadow',` ## ## # - interface(`auth_relabel_all_files_except_shadow',` + refpolicywarn(`$0($*) has been deprecated, use auth_relabel_all_files_except_auth_files() instead.') + auth_relabel_all_files_except_auth_files($1, $2) +') + +######################################## +## +## Read and write all files on the filesystem, except +## login files and listed exceptions. +## +## +## +## Domain allowed access. +## +## +## +## +## The types to be excluded. Each type or attribute +## must be negated by the caller. +## +## +# +interface(`auth_rw_all_files_except_auth_files',` gen_require(` - type shadow_t; + attribute auth_file_type; ') - files_relabel_all_files($1, $2 -shadow_t) + files_rw_all_files($1, $2 -auth_file_type) ') ######################################## @@ -1271,13 +1415,34 @@ interface(`auth_relabel_all_files_except_shadow',` ## ## # - interface(`auth_rw_all_files_except_shadow',` + refpolicywarn(`$0($*) has been deprecated, use auth_rw_all_files_except_auth_files() instead.') + auth_rw_all_files_except_auth_files($1, $2) +') + +######################################## +## +## Manage all files on the filesystem, except +## login files passwords and listed exceptions. +## +## +## +## Domain allowed access. +## +## +## +## +## The types to be excluded. Each type or attribute +## must be negated by the caller. +## +## +# +interface(`auth_manage_all_files_except_auth_files',` gen_require(` - type shadow_t; + attribute auth_file_type; ') - files_rw_all_files($1, $2 -shadow_t) + files_manage_all_files($1, $2 -auth_file_type) ') ######################################## 
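Review bot: The description of `auth_manage_all_files_except_auth_files` reads `## login files passwords and listed exceptions.`, a leftover from the "shadow passwords" wording of the interface it replaces; change it to `## login files and listed exceptions.` so it matches the other six new interfaces in this patch. The body is otherwise consistent with the pattern used for the read, rw and relabel variants.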
@@ -1297,13 +1462,9 @@ interface(`auth_rw_all_files_except_shadow',` ## ## # - interface(`auth_manage_all_files_except_shadow',` - gen_require(` - type shadow_t; - ') - - files_manage_all_files($1, $2 -shadow_t) + refpolicywarn(`$0($*) has been deprecated, use auth_manage_all_files_except_auth_files() instead.') + auth_manage_all_files_except_auth_files($1, $2) ') ######################################## diff --git a/policy/modules/system/authlogin.te b/policy/modules/system/authlogin.te index b7a5f00ea..9a0db51b8 100644 --- a/policy/modules/system/authlogin.te +++ b/policy/modules/system/authlogin.te @@ -5,6 +5,7 @@ policy_module(authlogin, 2.2.1) # Declarations # +attribute auth_file_type; attribute can_read_shadow_passwords; attribute can_write_shadow_passwords; attribute can_relabelto_shadow_passwords; @@ -50,7 +51,7 @@ type pam_var_run_t; files_pid_file(pam_var_run_t) type shadow_t; -files_security_file(shadow_t) +auth_file(shadow_t) neverallow ~can_read_shadow_passwords shadow_t:file read; neverallow ~can_write_shadow_passwords shadow_t:file { create write }; neverallow ~can_relabelto_shadow_passwords shadow_t:file relabelto;
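Review bot: The three `neverallow` rules that follow `auth_file(shadow_t)` still name `shadow_t`, so a type given the attribute through `auth_file()` from another module is subtracted from the `auth_*_except_auth_files()` interfaces but receives none of the `can_*_shadow_passwords` neverallow protection that the `auth_file()` description implies with "properties similar to that of the shadow file". Either the neverallows should be rewritten over the attribute, e.g. `neverallow ~can_read_shadow_passwords auth_file_type:file read;` (which in turn requires every domain legitimately reading another auth file to carry that attribute), or the `auth_file()` description should say plainly that the neverallow guarantees remain specific to `shadow_t` and callers get only the exclusion from the bulk-access interfaces. Replacing `files_security_file(shadow_t)` with `auth_file(shadow_t)` preserves the previous labelling, since the new interface applies `files_security_file($1)` itself.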