Add auth_home_t for content that needs to be written by login programs, .google_authe...
authorDan Walsh <dwalsh@redhat.com>
Fri, 18 Nov 2011 16:23:10 +0000 (11:23 -0500)
committerDan Walsh <dwalsh@redhat.com>
Fri, 18 Nov 2011 16:23:10 +0000 (11:23 -0500)
policy/modules/kernel/domain.te
policy/modules/system/authlogin.fc
policy/modules/system/authlogin.if
policy/modules/system/authlogin.te
policy/modules/system/userdomain.if

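index a4784313fb9ea3200be18dd12468eeb262fc236e..facd6a8f5c9cadd052c58085dbadf6719e266d48 100644
--- a/policy/modules/kernel/domain.te
+++ b/policy/modules/kernel/domain.te
@@ -209,7 +209,9 @@ storage_filetrans_all_named_dev(unconfined_domain_type)
 term_filetrans_all_named_dev(unconfined_domain_type)
 
 optional_policy(`
-       authlogin_filetrans_named_content(unconfined_domain_type)
+       auth_filetrans_named_content(unconfined_domain_type)
+       auth_filetrans_admin_home_content(unconfined_domain_type)
+       auth_filetrans_home_content(unconfined_domain_type)
 ')
 
 optional_policy(`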
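Review bot: The call site changes from authlogin_filetrans_named_content to auth_filetrans_named_content, which is a public interface rename, so any policy module outside this tree that still calls the old name stops building once authlogin.if drops it. A thin compatibility wrapper in authlogin.if, `interface(`authlogin_filetrans_named_content',` / `auth_filetrans_named_content($1)` / `')`, would keep such callers compiling while the new name is adopted. The two added filetrans calls for unconfined_domain_type match the interfaces this commit defines in authlogin.if.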
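index bb64dec9a0731fef153f445a736d43f8c4051f50..db5441ecab48fc52f0eb7e6ce2f53926f6305c9f 100644
--- a/policy/modules/system/authlogin.fc
+++ b/policy/modules/system/authlogin.fc
@@ -1,3 +1,5 @@
+HOME_DIR/\.google_authenticator                        gen_context(system_u:object_r:auth_home_t,s0)
+/root/\.google_authenticator                   gen_context(system_u:object_r:auth_home_t,s0)
 
 /bin/login             --      gen_context(system_u:object_r:login_exec_t,s0)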
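index 131195da10f0e0af37d7ce994e807067f4016007..5551d16a61ae0fa5e5345806202c73aca367d7cc 100644
--- a/policy/modules/system/authlogin.if
+++ b/policy/modules/system/authlogin.if
@@ -108,6 +108,7 @@ interface(`auth_login_pgm_domain',`
        gen_require(`
                type var_auth_t, auth_cache_t;
                attribute polydomain;
+               type auth_home_t;
        ')
 
        domain_type($1)
@@ -138,6 +139,11 @@ interface(`auth_login_pgm_domain',`
        manage_sock_files_pattern($1, auth_cache_t, auth_cache_t)
        files_var_filetrans($1, auth_cache_t, dir)
 
+       manage_dirs_pattern($1, auth_home_t, auth_home_t)
+       manage_files_pattern($1, auth_home_t, auth_home_t)
+       auth_filetrans_admin_home_content($1)
+       auth_filetrans_home_content($1)
+
        # needed for afs - https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=253321
        kernel_rw_afs_state($1)
 
@@ -1818,7 +1824,7 @@ interface(`auth_unconfined',`
 ##     </summary>
 ## </param>
 #
-interface(`authlogin_filetrans_named_content',`
+interface(`auth_filetrans_named_content',`
        gen_require(`
                type shadow_t;
                type passwd_file_t;
@@ -1942,3 +1948,42 @@ interface(`auth_manage_passwd',`
        files_etc_filetrans($1, passwd_file_t, file, "group")
        files_etc_filetrans($1, passwd_file_t, file, "group-")
 ')
+
+########################################
+## <summary>
+##     Create auth directory in the /root directory
+##     with an correct label.
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access.
+##     </summary>
+## </param>
+#
+interface(`auth_filetrans_admin_home_content',`
+       gen_require(`
+               type auth_home_t;
+       ')
+
+       userdom_admin_home_dir_filetrans($1, auth_home_t, file, ".google_authenticator")
+')
+
+########################################
+## <summary>
+##     Create auth directory in the user home directory
+##     with an correct label.
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access.
+##     </summary>
+## </param>
+#
+interface(`auth_filetrans_home_content',`
+       
+       gen_require(`
+               type auth_home_t;
+       ')
+
+       userdom_user_home_dir_filetrans($1, auth_home_t, file, ".google_authenticator")
+')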
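Review bot: The summaries of the two new interfaces say they "Create auth directory", but both bodies call userdom_*_home_dir_filetrans with class `file` and name ".google_authenticator", so the documentation does not describe the rule; I would write `## Create the .google_authenticator file in the /root directory with the correct label.` and `## Create the .google_authenticator file in the user home directory with the correct label.` ("an correct" also reads wrong). In the auth_login_pgm_domain hunk, manage_dirs_pattern on auth_home_t is granted although this commit only defines a `file` transition, so either the directory rule is surplus or a `dir` transition is missing, and a comment should say which. That same hunk gives every login-program domain read/write access to each user's authenticator secret file, which is presumably the intent for pam_google_authenticator but is a deliberate widening worth stating in a comment above the new rules so later readers do not mistake it for an oversight. The whitespace-only line at the top of auth_filetrans_home_content should be dropped to match the other interfaces.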
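index e73bf1070587d76a9f51eaeeb87da925cecad49b..93188ef52992f223c7c76cabf5901b999692370f 100644
--- a/policy/modules/system/authlogin.te
+++ b/policy/modules/system/authlogin.te
@@ -23,11 +23,14 @@ attribute can_read_shadow_passwords;
 attribute can_write_shadow_passwords;
 attribute can_relabelto_shadow_passwords;
 attribute polydomain;
-attribute nsswitch_domain;
+attribute nsswitch_domain;<
 
 type auth_cache_t;
 logging_log_file(auth_cache_t)
 
+type auth_home_t;
+userdom_user_home_content(auth_home_t)
+
 type chkpwd_t, can_read_shadow_passwords;
 type chkpwd_exec_t;
 typealias chkpwd_t alias { user_chkpwd_t staff_chkpwd_t sysadm_chkpwd_t };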
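Review bot: The replacement line `attribute nsswitch_domain;<` carries a stray `<` after the semicolon, which is not valid policy syntax and would be rejected when the module is compiled; unless this is an artifact of the web rendering, the line should remain `attribute nsswitch_domain;` and the hunk has no reason to touch it. The new `type auth_home_t;` plus `userdom_user_home_content(auth_home_t)` declaration is otherwise fine, but a short comment above it such as `# per-user authenticator secrets (.google_authenticator) written by login programs` would tell readers why a separate home-content type exists rather than reusing user_home_t.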
index 0281618f6763fd1bcc18391b79cbc68b08fd3e5e..290f54e4b548c4d36d09ef67e6162d0a8897dd1b 100644 (file)
@@ -655,6 +655,8 @@ template(`userdom_common_user_template',`
        auth_read_login_records($1_usertype)
        auth_run_pam($1_t,$1_r)
        auth_run_utempter($1_t,$1_r)
+       auth_filetrans_admin_home_content($1_t)
+       auth_filetrans_home_content($1_t)
 
        init_read_utmp($1_usertype)