cleanup in authlogin

2006-08-17 15:35:14 +00:00 · 2006-08-17 15:35:14 +00:00 · ba1a545fb3
parent 3573908f1c
commit ba1a545fb3
2 changed files with 19 additions and 41 deletions
--- a/policy/modules/system/authlogin.if
+++ b/policy/modules/system/authlogin.if
@ -128,7 +128,6 @@ template(`authlogin_per_userdomain_template',`
 	# Transition from the user domain to this domain.
 	domain_auto_trans($2,chkpwd_exec_t,$1_chkpwd_t)
 	allow $1_chkpwd_t $2:fd use;
-	allow $2 $1_chkpwd_t:fd use;
 	allow $1_chkpwd_t $2:fifo_file rw_file_perms;
 	allow $1_chkpwd_t $2:process sigchld;

@ -289,8 +288,6 @@ interface(`auth_domtrans_login_program',`

 	corecmd_search_bin($1)
 	domain_auto_trans($1,login_exec_t,$2)
-
-	allow $1 $2:fd use;
 	allow $2 $1:fd use;
 	allow $2 $1:fifo_file rw_file_perms;
 	allow $2 $1:process sigchld;
@ -311,13 +308,12 @@ interface(`auth_domtrans_chk_passwd',`
 		type system_chkpwd_t, chkpwd_exec_t, shadow_t;
 	')

-	corecmd_search_sbin($1)
-	domain_auto_trans($1,chkpwd_exec_t,system_chkpwd_t)

 	allow $1 self:capability { audit_write audit_control };
 	allow $1 self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay };

-	allow $1 system_chkpwd_t:fd use;
+	corecmd_search_sbin($1)
+	domain_auto_trans($1,chkpwd_exec_t,system_chkpwd_t)
 	allow system_chkpwd_t $1:fd use;
 	allow system_chkpwd_t $1:fifo_file rw_file_perms;
 	allow system_chkpwd_t $1:process sigchld;
@ -513,7 +509,7 @@ interface(`auth_manage_shadow',`
 		type shadow_t;
 	')

-	allow $1 shadow_t:file create_file_perms;
+	allow $1 shadow_t:file manage_file_perms;
 	typeattribute $1 can_read_shadow_passwords, can_write_shadow_passwords;
 ')

@ -690,8 +686,6 @@ interface(`auth_domtrans_pam',`
 	')

 	domain_auto_trans($1,pam_exec_t,pam_t)
-
-	allow $1 pam_t:fd use;
 	allow pam_t $1:fd use;
 	allow pam_t $1:fifo_file rw_file_perms;
 	allow pam_t $1:process sigchld;
@ -762,7 +756,7 @@ interface(`auth_manage_var_auth',`
 	')

 	files_search_var($1)
-	allow $1 var_auth_t:dir create_dir_perms;
+	allow $1 var_auth_t:dir manage_dir_perms;
 	allow $1 var_auth_t:file rw_file_perms;
 	allow $1 var_auth_t:lnk_file rw_file_perms;
 ')
@ -782,9 +776,8 @@ interface(`auth_read_pam_pid',`
 		type pam_var_run_t;
 	')

-	files_search_var($1)
 	files_search_pids($1)
-	allow $1 pam_var_run_t:dir r_dir_perms;
+	allow $1 pam_var_run_t:dir list_dir_perms;
 	allow $1 pam_var_run_t:file r_file_perms;
 ')

@ -821,7 +814,6 @@ interface(`auth_delete_pam_pid',`
 		type pam_var_run_t;
 	')

-	files_search_var($1)
 	files_search_pids($1)
 	allow $1 pam_var_run_t:dir { getattr search read write remove_name };
 	allow $1 pam_var_run_t:file { getattr unlink };
@ -843,8 +835,8 @@ interface(`auth_manage_pam_pid',`
 	')

 	files_search_pids($1)
-	allow $1 pam_var_run_t:dir create_dir_perms;
-	allow $1 pam_var_run_t:file create_file_perms;
+	allow $1 pam_var_run_t:dir manage_dir_perms;
+	allow $1 pam_var_run_t:file manage_file_perms;
 ')

 ########################################
@ -863,8 +855,6 @@ interface(`auth_domtrans_pam_console',`
 	')

 	domain_auto_trans($1,pam_console_exec_t,pam_console_t)
-
-	allow $1 pam_console_t:fd use;
 	allow pam_console_t $1:fd use;
 	allow pam_console_t $1:fifo_file rw_file_perms;
 	allow pam_console_t $1:process sigchld;
@ -886,7 +876,6 @@ interface(`auth_search_pam_console_data',`
 		type pam_var_console_t;
 	')

-	files_search_var($1)
 	files_search_pids($1)
 	allow $1 pam_var_console_t:dir search_dir_perms;
 ')
@ -907,9 +896,8 @@ interface(`auth_list_pam_console_data',`
 		type pam_var_console_t;
 	')

-	files_search_var($1)
 	files_search_pids($1)
-	allow $1 pam_var_console_t:dir r_dir_perms;
+	allow $1 pam_var_console_t:dir list_dir_perms;
 ')

 ########################################
@ -927,9 +915,8 @@ interface(`auth_read_pam_console_data',`
 		type pam_var_console_t;
 	')

-	files_search_var($1)
 	files_search_pids($1)
-	allow $1 pam_var_console_t:dir r_dir_perms;
+	allow $1 pam_var_console_t:dir list_dir_perms;
 	allow $1 pam_var_console_t:file r_file_perms;
 ')

@ -949,10 +936,9 @@ interface(`auth_manage_pam_console_data',`
 		type pam_var_console_t;
 	')

-	files_search_var($1)
 	files_search_pids($1)
 	allow $1 pam_var_console_t:dir rw_dir_perms;
-	allow $1 pam_var_console_t:file create_file_perms;
+	allow $1 pam_var_console_t:file manage_file_perms;
 	allow $1 pam_var_console_t:lnk_file create_lnk_perms;
 ')

@ -1120,8 +1106,6 @@ interface(`auth_domtrans_utempter',`
 	')

 	domain_auto_trans($1,utempter_exec_t,utempter_t)
-
-	allow $1 utempter_t:fd use;
 	allow utempter_t $1:fd use;
 	allow utempter_t $1:fifo_file rw_file_perms;
 	allow utempter_t $1:process sigchld;
@ -1323,7 +1307,7 @@ interface(`auth_manage_login_records',`
 	')

 	logging_rw_generic_log_dirs($1)
-	allow $1 wtmp_t:file create_file_perms;
+	allow $1 wtmp_t:file manage_file_perms;
 ')

 ########################################
@ -1343,8 +1327,8 @@ interface(`auth_use_nsswitch',`

 	allow $1 self:netlink_route_socket r_netlink_socket_perms;

-	allow $1 var_auth_t:dir r_dir_perms;
-	allow $1 var_auth_t:file create_file_perms;
+	allow $1 var_auth_t:dir list_dir_perms;
+	allow $1 var_auth_t:file manage_file_perms;
 	files_list_var_lib($1)

 	miscfiles_read_certs($1)
--- a/policy/modules/system/authlogin.te
+++ b/policy/modules/system/authlogin.te
@ -93,9 +93,10 @@ allow pam_t self:msg { send receive };

 allow pam_t pam_var_run_t:dir { search getattr read write remove_name };
 allow pam_t pam_var_run_t:file { getattr read unlink };
+files_list_pids(pam_t)

-allow pam_t pam_tmp_t:dir create_dir_perms;
-allow pam_t pam_tmp_t:file create_file_perms;
+allow pam_t pam_tmp_t:dir manage_dir_perms;
+allow pam_t pam_tmp_t:file manage_file_perms;
 files_tmp_filetrans(pam_t, pam_tmp_t, { file dir })

 kernel_read_system_state(pam_t)
@ -108,7 +109,6 @@ term_use_all_user_ptys(pam_t)
 init_dontaudit_rw_utmp(pam_t)

 files_read_etc_files(pam_t)
-files_list_pids(pam_t)

 libs_use_ld_so(pam_t)
 libs_use_shared_libs(pam_t)
@ -140,10 +140,10 @@ dontaudit pam_console_t self:capability sys_tty_config;
 allow pam_console_t self:process { sigchld sigkill sigstop signull signal };

 # for /var/run/console.lock checking
-allow pam_console_t pam_var_console_t:dir r_dir_perms;;
+allow pam_console_t pam_var_console_t:dir list_dir_perms;
+allow pam_console_t pam_var_console_t:lnk_file { getattr read };
 allow pam_console_t pam_var_console_t:file r_file_perms;
 dontaudit pam_console_t pam_var_console_t:file write;
-allow pam_console_t pam_var_console_t:lnk_file { getattr read };

 kernel_read_kernel_sysctls(pam_console_t)
 kernel_use_fds(pam_console_t)
@ -220,13 +220,7 @@ seutil_read_file_contexts(pam_console_t)

 userdom_dontaudit_use_unpriv_user_fds(pam_console_t)

-# cjp: with the old daemon_(base_)domain being broken up into
-# a daemon and system interface, this probably is not needed:
-ifdef(`direct_sysadm_daemon', `
-	userdom_dontaudit_use_sysadm_terms(pam_console_t)
-')
-
-ifdef(`targeted_policy', `
+ifdef(`targeted_policy',`
 	term_dontaudit_use_unallocated_ttys(pam_console_t)
 	term_dontaudit_use_generic_ptys(pam_console_t)
 	files_dontaudit_read_root_files(pam_console_t)