Merge pull request #364 from pebenito/refine-authlogin
commit
a5b41cbcf4
@ -68,6 +68,8 @@ template(`hadoop_domain_template',`
|
||||
filetrans_pattern(hadoop_$1_t, hadoop_hsperfdata_t, hadoop_$1_tmp_t, file)
|
||||
|
||||
auth_use_nsswitch(hadoop_$1_t)
|
||||
auth_domtrans_chk_passwd(hadoop_$1_t)
|
||||
auth_domtrans_upd_passwd(hadoop_$1_t)
|
||||
|
||||
####################################
|
||||
#
|
||||
|
@ -216,8 +216,6 @@ dev_read_sysfs(hadoop_domain)
|
||||
files_search_runtime(hadoop_domain)
|
||||
files_search_var_lib(hadoop_domain)
|
||||
|
||||
auth_domtrans_chkpwd(hadoop_domain)
|
||||
|
||||
init_read_utmp(hadoop_domain)
|
||||
init_use_fds(hadoop_domain)
|
||||
init_use_script_fds(hadoop_domain)
|
||||
|
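Review bot: The password-check access moves from the `hadoop_domain` attribute (the `auth_domtrans_chkpwd(hadoop_domain)` line in the second hunk) to the per-type `hadoop_$1_t` inside `hadoop_domain_template`, so any hadoop domain type that carries `hadoop_domain` but is not created through the template would silently lose the transition to the password-checking helper; the template's typeattribute line is outside the hunk, so this needs confirming against the rest of the module. Sides are not marked on this page, so I am assuming `auth_domtrans_chk_passwd`/`auth_domtrans_upd_passwd` are the added lines and the `hadoop_domain` call the removed one. If every hadoop domain does come from the template, a one-line comment above the two calls, `# replaces the deprecated auth_domtrans_chkpwd() call on hadoop_domain`, would record why the access now lives on the type rather than the attribute.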
@ -31,7 +31,8 @@ files_runtime_filetrans(pwauth_t, pwauth_runtime_t, file)
|
||||
|
||||
domain_use_interactive_fds(pwauth_t)
|
||||
|
||||
auth_domtrans_chkpwd(pwauth_t)
|
||||
auth_domtrans_chk_passwd(pwauth_t)
|
||||
auth_domtrans_upd_passwd(pwauth_t)
|
||||
auth_use_nsswitch(pwauth_t)
|
||||
|
||||
init_read_utmp(pwauth_t)
|
||||
|
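Review bot: `auth_use_nsswitch(pwauth_t)` is a new grant rather than a like-for-like replacement of the deprecated `auth_domtrans_chkpwd(pwauth_t)`: the deprecated interface shown later on this page expands only to `auth_domtrans_chk_passwd` and `auth_domtrans_upd_passwd`, so pwauth_t also gains NSS lookup access here (assuming the nsswitch line is on the added side; markers are not shown). That widening is plausible for a PAM-based authenticator, but nothing in the hunk or the PR title says why it is needed now, so a short comment such as `# NSS lookups for PAM account resolution` (or a sentence in the commit message) would keep the change auditable. The pwauth_t policy block continues outside the hunk.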
@ -41,42 +41,28 @@ interface(`auth_role',`
|
||||
## </param>
|
||||
#
|
||||
interface(`auth_use_pam',`
|
||||
gen_require(`
|
||||
attribute can_read_shadow_passwords, nsswitch_domain, pam_domain;
|
||||
')
|
||||
|
||||
# for SSP/ProPolice
|
||||
dev_read_urand($1)
|
||||
# for encrypted homedir
|
||||
dev_read_sysfs($1)
|
||||
typeattribute $1 can_read_shadow_passwords, nsswitch_domain, pam_domain;
|
||||
|
||||
#
|
||||
# due to the nested typeattributes:
|
||||
#
|
||||
|
||||
auth_create_faillog_files($1)
|
||||
auth_domtrans_chk_passwd($1)
|
||||
auth_domtrans_upd_passwd($1)
|
||||
auth_dontaudit_read_shadow($1)
|
||||
auth_rw_lastlog($1)
|
||||
auth_rw_faillog($1)
|
||||
auth_rw_login_records($1)
|
||||
auth_setattr_faillog_files($1)
|
||||
auth_exec_pam($1)
|
||||
auth_use_nsswitch($1)
|
||||
|
||||
logging_send_audit_msgs($1)
|
||||
logging_send_syslog_msg($1)
|
||||
|
||||
optional_policy(`
|
||||
dbus_system_bus_client($1)
|
||||
|
||||
optional_policy(`
|
||||
fprintd_dbus_chat($1)
|
||||
')
|
||||
fprintd_dbus_chat($1)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
kerberos_manage_host_rcache($1)
|
||||
kerberos_read_config($1)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
nis_authenticate($1)
|
||||
')
|
||||
')
|
||||
|
||||
########################################
|
||||
@ -419,10 +405,6 @@ interface(`auth_domtrans_chk_passwd',`
|
||||
pcscd_read_runtime_files($1)
|
||||
pcscd_stream_connect($1)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
samba_stream_connect_winbind($1)
|
||||
')
|
||||
')
|
||||
|
||||
########################################
|
||||
@ -437,13 +419,9 @@ interface(`auth_domtrans_chk_passwd',`
|
||||
## </param>
|
||||
#
|
||||
interface(`auth_domtrans_chkpwd',`
|
||||
gen_require(`
|
||||
type chkpwd_t, chkpwd_exec_t, shadow_t;
|
||||
')
|
||||
refpolicywarn(`$0($*) has been deprecated, please use auth_domtrans_chk_passwd($1); auth_domtrans_upd_passwd($1) instead.')
|
||||
|
||||
corecmd_search_bin($1)
|
||||
domtrans_pattern($1, chkpwd_exec_t, chkpwd_t)
|
||||
dontaudit $1 shadow_t:file { getattr read };
|
||||
auth_domtrans_chk_passwd($1)
|
||||
auth_domtrans_upd_passwd($1)
|
||||
')
|
||||
|
||||
|
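Review bot: `auth_use_pam` now adds the caller to the `pam_domain` attribute (the `typeattribute $1 … pam_domain;` line in the first hunk), which makes every caller subject to the `authlogin_pam` tunable declared in the module's .te file on this page, including direct `shadow_t` read when that tunable is disabled, yet the interface's `<summary>`/`<desc>` block above the hunk is untouched and does not mention it. I would add to that description something like: `## The domain is added to pam_domain; when the authlogin_pam tunable is disabled this grants direct read access to shadow_t in addition to the chkpwd transition.` The `gen_require` and `typeattribute` lines are rendered with both `can_read_shadow_passwords` and `pam_domain`, which looks like an in-line diff fused into one line; since `can_read_shadow_passwords` presumably carries shadow read access on its own, the tunable's dontaudit branch would be ineffective for these domains if that attribute survived on the new side, so it is worth confirming it is the removed fragment. The interface's documentation block starts outside the hunk.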
@ -5,6 +5,12 @@ policy_module(authlogin, 2.18.2)
|
||||
# Declarations
|
||||
#
|
||||
|
||||
## <desc>
|
||||
## <p>
|
||||
## Allow PAM usage. If disabled, read access /etc/shadow is allowed for domains that normally use PAM.
|
||||
## </p>
|
||||
## </desc>
|
||||
gen_tunable(authlogin_pam, true)
|
||||
|
||||
## <desc>
|
||||
## <p>
|
||||
@ -17,6 +23,7 @@ attribute can_read_shadow_passwords;
|
||||
attribute can_write_shadow_passwords;
|
||||
attribute can_relabelto_shadow_passwords;
|
||||
attribute nsswitch_domain;
|
||||
attribute pam_domain;
|
||||
|
||||
type auth_cache_t;
|
||||
logging_log_file(auth_cache_t)
|
||||
@ -215,6 +222,41 @@ optional_policy(`
|
||||
locallogin_use_fds(pam_t)
|
||||
')
|
||||
|
||||
########################################
|
||||
#
|
||||
# PAM users local policy
|
||||
#
|
||||
|
||||
# other access in auth_use_pam() due to nested typeattributes
|
||||
|
||||
# for SSP/ProPolice
|
||||
dev_read_urand(pam_domain)
|
||||
# for encrypted homedir
|
||||
dev_read_sysfs(pam_domain)
|
||||
|
||||
auth_create_faillog_files(pam_domain)
|
||||
auth_domtrans_upd_passwd(pam_domain)
|
||||
auth_rw_lastlog(pam_domain)
|
||||
auth_rw_faillog(pam_domain)
|
||||
auth_rw_login_records(pam_domain)
|
||||
auth_setattr_faillog_files(pam_domain)
|
||||
auth_exec_pam(pam_domain)
|
||||
|
||||
files_read_etc_files(pam_domain)
|
||||
|
||||
logging_send_audit_msgs(pam_domain)
|
||||
logging_send_syslog_msg(pam_domain)
|
||||
|
||||
tunable_policy(`authlogin_pam',`
|
||||
dontaudit pam_domain shadow_t:file read_file_perms;
|
||||
',`
|
||||
allow pam_domain shadow_t:file read_file_perms;
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
nis_authenticate(pam_domain)
|
||||
')
|
||||
|
||||
########################################
|
||||
#
|
||||
# PAM console local policy
|
||||
|
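Review bot: The `authlogin_pam` else-branch `allow pam_domain shadow_t:file read_file_perms;` grants every domain carrying pam_domain direct read of the shadow file, which removes the privilege separation the chkpwd helper transition provides; that is presumably the intended escape hatch for non-PAM builds, but the tunable's `<desc>` in the first hunk of this file ("read access /etc/shadow is allowed for domains that normally use PAM") understates it and is missing a preposition. Suggested wording: `## Allow PAM usage. If disabled, all domains with the pam_domain attribute are allowed to read /etc/shadow directly.` The default of `true` keeps the safer behaviour and deserves a sentence in the PR description. Note also that the enabled branch's `dontaudit pam_domain shadow_t:file read_file_perms;` means a pam_domain process that tries to read shadow directly leaves no AVC record, so operators who want that signal need a build with dontaudit rules disabled; a short comment on the tunable_policy block stating this trade-off would help reviewers of hardened configurations.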