Add label to /etc/passwd and /etc/group files, to start to block containers from...
authordwalsh <dwalsh@redhat.com>
Thu, 10 Nov 2011 13:39:06 +0000 (08:39 -0500)
committerdwalsh <dwalsh@redhat.com>
Thu, 10 Nov 2011 13:39:06 +0000 (08:39 -0500)
policy/modules/admin/mcelog.te
policy/modules/admin/usermanage.te
policy/modules/apps/loadkeys.te
policy/modules/services/abrt.te
policy/modules/services/audioentropy.te
policy/modules/services/plymouthd.te
policy/modules/services/virt.te
policy/modules/system/authlogin.fc
policy/modules/system/authlogin.if
policy/modules/system/authlogin.te

index ef8bc09d4272ff625be440320d59413c2a4a1a7a..ea06507fa091a5134c62c63d653203742a1e49d8 100644 (file)
@@ -45,6 +45,8 @@ files_read_etc_files(mcelog_t)
 # for /dev/mem access
 mls_file_read_all_levels(mcelog_t)
 
+auth_read_passwd(mcelog_t)
+
 logging_send_syslog_msg(mcelog_t)
 
 miscfiles_read_localization(mcelog_t)
index cd9d876f5d06cff3ea71b75dc035931ce427d4b1..e454730010f98bb64a6e7b9ac1ce70eb0e5fb1e3 100644 (file)
@@ -91,6 +91,7 @@ fs_search_auto_mountpoints(chfn_t)
 dev_read_urand(chfn_t)
 dev_dontaudit_getattr_all(chfn_t)
 
+auth_manage_passwd(chfn_t)
 auth_use_pam(chfn_t)
 
 # allow checking if a shell is executable
@@ -98,7 +99,6 @@ corecmd_check_exec_shell(chfn_t)
 
 domain_use_interactive_fds(chfn_t)
 
-files_manage_etc_files(chfn_t)
 files_read_etc_runtime_files(chfn_t)
 files_dontaudit_search_var(chfn_t)
 files_dontaudit_search_home(chfn_t)
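Review bot: Removing `files_manage_etc_files(chfn_t)` also removes chfn_t's read access to the rest of etc_t, and unlike the groupadd_t hunk nothing like `files_read_etc_files(chfn_t)` is added in its place. The same removal without a read replacement occurs in the passwd_t, sysadm_passwd_t and useradd_t hunks of this file. Read access may still arrive through another interface outside these hunks (for example via `auth_use_nsswitch`), so this needs checking against the full rule set for each domain. If it is not granted elsewhere, add `files_read_etc_files(chfn_t)` as was done for groupadd_t.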
@@ -209,8 +209,8 @@ init_dontaudit_write_utmp(groupadd_t)
 
 domain_use_interactive_fds(groupadd_t)
 
-files_manage_etc_files(groupadd_t)
 files_relabel_etc_files(groupadd_t)
+files_read_etc_files(groupadd_t)
 files_read_etc_runtime_files(groupadd_t)
 files_read_usr_symlinks(groupadd_t)
 
@@ -225,9 +225,10 @@ miscfiles_read_localization(groupadd_t)
 auth_domtrans_chk_passwd(groupadd_t)
 auth_rw_lastlog(groupadd_t)
 auth_use_nsswitch(groupadd_t)
+auth_manage_passwd(groupadd_t)
+auth_manage_shadow(groupadd_t)
 # these may be unnecessary due to the above
 # domtrans_chk_passwd() call.
-auth_manage_shadow(groupadd_t)
 auth_relabel_shadow(groupadd_t)
 auth_etc_filetrans_shadow(groupadd_t)
 
@@ -301,6 +302,7 @@ selinux_compute_user_contexts(passwd_t)
 term_use_all_inherited_terms(passwd_t)
 term_getattr_all_ptys(passwd_t)
 
+auth_manage_passwd(passwd_t)
 auth_manage_shadow(passwd_t)
 auth_relabel_shadow(passwd_t)
 auth_etc_filetrans_shadow(passwd_t)
@@ -315,7 +317,6 @@ corenet_tcp_connect_kerberos_password_port(passwd_t)
 domain_use_interactive_fds(passwd_t)
 
 files_read_etc_runtime_files(passwd_t)
-files_manage_etc_files(passwd_t)
 files_search_var(passwd_t)
 files_dontaudit_search_pids(passwd_t)
 files_relabel_etc_files(passwd_t)
@@ -396,6 +397,7 @@ fs_search_auto_mountpoints(sysadm_passwd_t)
 term_use_all_inherited_terms(sysadm_passwd_t)
 term_getattr_all_ptys(sysadm_passwd_t)
 
+auth_manage_passwd(sysadm_passwd_t)
 auth_manage_shadow(sysadm_passwd_t)
 auth_relabel_shadow(sysadm_passwd_t)
 auth_etc_filetrans_shadow(sysadm_passwd_t)
@@ -408,7 +410,6 @@ files_read_usr_files(sysadm_passwd_t)
 
 domain_use_interactive_fds(sysadm_passwd_t)
 
-files_manage_etc_files(sysadm_passwd_t)
 files_relabel_etc_files(sysadm_passwd_t)
 files_read_etc_runtime_files(sysadm_passwd_t)
 # for nscd lookups
@@ -467,7 +468,6 @@ domain_use_interactive_fds(useradd_t)
 domain_read_all_domains_state(useradd_t)
 domain_dontaudit_read_all_domains_state(useradd_t)
 
-files_manage_etc_files(useradd_t)
 files_search_var_lib(useradd_t)
 files_relabel_etc_files(useradd_t)
 files_read_etc_runtime_files(useradd_t)
@@ -495,6 +495,7 @@ auth_rw_faillog(useradd_t)
 auth_use_nsswitch(useradd_t)
 # these may be unnecessary due to the above
 # domtrans_chk_passwd() call.
+auth_manage_passwd(useradd_t)
 auth_manage_shadow(useradd_t)
 auth_relabel_shadow(useradd_t)
 auth_etc_filetrans_shadow(useradd_t)
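Review bot: `auth_manage_passwd(useradd_t)` is inserted directly under the comment `# these may be unnecessary due to the above domtrans_chk_passwd() call.`, so the comment now reads as if it also covers write access to the passwd and group files. In the groupadd_t hunk the new call was placed above that comment, which keeps the remark scoped to the shadow rules. Moving the line up next to `auth_use_nsswitch(useradd_t)` would keep the two domains consistent and avoid suggesting that the passwd_file_t grant is a candidate for removal.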
index 50629a8eec8a30bfc114457cabafd64e8e6b293f..09669b66836612e64b538a95b8a0a7e8202659fb 100644 (file)
@@ -31,6 +31,8 @@ files_read_etc_runtime_files(loadkeys_t)
 term_dontaudit_use_console(loadkeys_t)
 term_use_unallocated_ttys(loadkeys_t)
 
+auth_read_passwd(loadkeys_t)
+
 init_dontaudit_use_fds(loadkeys_t)
 init_dontaudit_use_script_ptys(loadkeys_t)
 
index 4b0f7cc3dba5a8164ba026ce2873862126dc0edf..d5a9038ecc0c1435b499d3749e0496a3cea53c9f 100644 (file)
@@ -105,7 +105,6 @@ allow abrt_t self:fifo_file rw_fifo_file_perms;
 allow abrt_t self:tcp_socket create_stream_socket_perms;
 allow abrt_t self:udp_socket create_socket_perms;
 allow abrt_t self:unix_dgram_socket create_socket_perms;
-allow abrt_t self:netlink_route_socket r_netlink_socket_perms;
 
 # abrt etc files
 list_dirs_pattern(abrt_t, abrt_etc_t, abrt_etc_t)
@@ -186,10 +185,10 @@ fs_read_nfs_files(abrt_t)
 fs_read_nfs_symlinks(abrt_t)
 fs_search_all(abrt_t)
 
-sysnet_dns_name_resolve(abrt_t)
-
 logging_read_generic_logs(abrt_t)
 
+auth_use_nsswitch(abrt_t)
+
 miscfiles_read_generic_certs(abrt_t)
 
 userdom_dontaudit_read_user_home_content_files(abrt_t)
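Review bot: `auth_use_nsswitch(abrt_t)` replaces three narrow grants (`sysnet_dns_name_resolve`, `nis_use_ypbind`, and the `netlink_route_socket` self rule removed in the previous hunk) with a broader one, and the commit does not say why abrt_t needs full name-service access. Judging from authlogin.te in this same commit, nsswitch_domain members receive `auth_read_passwd` and `files_read_etc_files`; whatever else the interface grants, including the netlink access that was dropped, is defined outside this diff and should be confirmed. If the only goal is for abrt_t to keep reading /etc/passwd after the relabel, `auth_read_passwd(abrt_t)` next to the existing rules would be the smaller change. Otherwise a one-line comment above the call stating the reason would make the wider grant reviewable later.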
@@ -208,10 +207,6 @@ optional_policy(`
        dbus_system_domain(abrt_t, abrt_exec_t)
 ')
 
-optional_policy(`
-       nis_use_ypbind(abrt_t)
-')
-
 optional_policy(`
        nsplugin_read_rw_files(abrt_t)
        nsplugin_read_home(abrt_t)
index 2b348c7eb57fe2fd15c0fc5aec9c533ccf575783..b89658ce8f3831fce3e4b7213bb1766d00c51656 100644 (file)
@@ -47,6 +47,8 @@ fs_search_auto_mountpoints(entropyd_t)
 
 domain_use_interactive_fds(entropyd_t)
 
+auth_read_passwd(entropyd_t)
+
 logging_send_syslog_msg(entropyd_t)
 
 miscfiles_read_localization(entropyd_t)
index 48c56f96a17d8fab9809e25c225657bdcedbee53..cadc832662de85488d3f0a161b7cba1375a2a8d0 100644 (file)
@@ -75,6 +75,8 @@ init_signal(plymouthd_t)
 logging_link_generic_logs(plymouthd_t)
 logging_delete_generic_logs(plymouthd_t)
 
+auth_read_passwd(plymouthd_t)
+
 miscfiles_read_localization(plymouthd_t)
 miscfiles_read_fonts(plymouthd_t)
 miscfiles_manage_fonts_cache(plymouthd_t)
index 54e53fb1e25248dedc067b9191dafcdc75e128e4..d6b0d85fadc7d9c5da85fa78738380881ea3214f 100644 (file)
@@ -903,6 +903,7 @@ fs_getattr_xattr_fs(svirt_lxc_domain)
 fs_list_inotifyfs(svirt_lxc_domain)
 fs_dontaudit_getattr_xattr_fs(svirt_lxc_domain)
 
+auth_dontaudit_read_passwd(svirt_lxc_domain)
 auth_dontaudit_read_login_records(svirt_lxc_domain)
 auth_dontaudit_write_login_records(svirt_lxc_domain)
 auth_search_pam_console_data(svirt_lxc_domain)
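Review bot: `auth_dontaudit_read_passwd(svirt_lxc_domain)` makes the denial silent, so a container process reading a passwd_file_t file leaves no AVC record for whoever monitors the host. That may be the right trade-off against noise from routine lookups, but the intent should be written down next to the rule, for instance `# denied without audit: container reads of host passwd/group` (adjust to the actual intent). Anyone investigating a container should know these denials only appear after the policy is rebuilt with dontaudit rules disabled (`semodule -DB`). The rule covers `read_file_perms` only; whether other access attempts on passwd_file_t are audited depends on rules outside this hunk.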
index 59742f4c10704c18108959d2a77a847167216786..02a592a65cfe520ade6bb71d2ff4a68e0c4fa8f5 100644 (file)
@@ -7,6 +7,9 @@
 /etc/passwd\.lock      --      gen_context(system_u:object_r:shadow_t,s0)
 /etc/passwd\.adjunct.* --      gen_context(system_u:object_r:shadow_t,s0)
 /etc/shadow.*          --      gen_context(system_u:object_r:shadow_t,s0)
+/etc/passwd-?          --      gen_context(system_u:object_r:passwd_file_t,s0)
+/etc/ptmptmp           --      gen_context(system_u:object_r:passwd_file_t,s0)
+/etc/group-?           --      gen_context(system_u:object_r:passwd_file_t,s0)
 
 /sbin/pam_console_apply         --     gen_context(system_u:object_r:pam_console_exec_t,s0)
 /sbin/pam_timestamp_check --   gen_context(system_u:object_r:pam_exec_t,s0)
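Review bot: The new entries label only `passwd`, `passwd-`, `group`, `group-` and `ptmptmp`, and the named transitions in `auth_manage_passwd` and `authlogin_filetrans_named_content` (authlogin.if) cover exactly the same names. Account tools commonly write a scratch copy under a different name and rename it over the original (to my knowledge shadow-utils uses a `+` suffix and per-PID lock names, and vigr has its own temp name), and a rename keeps the scratch file's label. With `files_manage_etc_files` removed from the usermanage.te domains, such a file would either be denied or arrive at /etc/passwd as etc_t, undoing the relabel without any visible error. Please confirm which names the tools on the target distribution create and add matching lines here and in both interfaces, e.g. `/etc/passwd[-\+]?` in place of `/etc/passwd-?`; existing installs also need a one-time relabel (restorecon) of the two files for the new type to take effect.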
index 2c6ee0efb0b041f8ef0f71bf7963167467195baf..6355d14eb66ea3a7f3fcd919c37f8138b171815c 100644 (file)
@@ -562,7 +562,6 @@ interface(`auth_domtrans_upd_passwd',`
 
        domtrans_pattern($1, updpwd_exec_t, updpwd_t)
        auth_dontaudit_read_shadow($1)
-
 ')
 
 ########################################
@@ -759,6 +758,10 @@ interface(`auth_manage_shadow',`
 
        allow $1 shadow_t:file manage_file_perms;
        typeattribute $1 can_read_shadow_passwords, can_write_shadow_passwords;
+       files_var_filetrans($1, shadow_t, file, "shadow")
+       files_var_filetrans($1, shadow_t, file, "shadow-")
+       files_etc_filetrans($1, shadow_t, file, ".pwd.lock")
+       files_etc_filetrans($1, shadow_t, file, "gshadow")
 ')
 
 #######################################
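Review bot: The two `files_var_filetrans` lines give `auth_manage_shadow` callers a named transition for `shadow` and `shadow-` under /var but none under /etc, where only `.pwd.lock` and `gshadow` are covered. `authlogin_filetrans_named_content` later in this file keeps `shadow` and `shadow-` on `files_etc_filetrans`, and this commit deletes its `files_var_filetrans` pair, so it looks as if the wrong pair was carried over. If /etc was intended, the lines should read `files_etc_filetrans($1, shadow_t, file, "shadow")` and `files_etc_filetrans($1, shadow_t, file, "shadow-")`. The interface's header and `gen_require` are outside the hunk, and its summary should mention that it now also installs type transitions.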
@@ -899,6 +902,9 @@ interface(`auth_manage_faillog',`
        files_search_pids($1)
        allow $1 faillog_t:dir manage_dir_perms;
        allow $1 faillog_t:file manage_file_perms;
+       logging_log_named_filetrans($1, faillog_t, file, "tallylog")
+       logging_log_named_filetrans($1, faillog_t, file, "faillog")
+       logging_log_named_filetrans($1, faillog_t, file, "btmp")
 ')
 
 #######################################
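Review bot: `auth_manage_faillog` now installs the three log-directory transitions but not the `files_pid_filetrans($1, faillog_t, file, "faillog")` that `authlogin_filetrans_named_content` carries, even though the interface already calls `files_search_pids($1)`. A caller that creates `faillog` in the pid directory would therefore still get that directory's default type. If that location is in use, add the `files_pid_filetrans` line here as well; if not, a short comment saying the pid-directory case is deliberately omitted would help. The start of the interface is outside the hunk.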
@@ -1739,6 +1745,7 @@ interface(`auth_manage_login_records',`
 
        logging_rw_generic_log_dirs($1)
        allow $1 wtmp_t:file manage_file_perms;
+       logging_log_named_filetrans($1, wtmp_t, file, "wtmp")
 ')
 
 ########################################
@@ -1814,19 +1821,123 @@ interface(`auth_unconfined',`
 interface(`authlogin_filetrans_named_content',`
        gen_require(`
                type shadow_t;
+               type passwd_file_t;
                type faillog_t;
                type wtmp_t;
        ')
 
+       files_etc_filetrans($1, passwd_file_t, file, "group")
+       files_etc_filetrans($1, passwd_file_t, file, "group-")
+       files_etc_filetrans($1, passwd_file_t, file, "passwd")
+       files_etc_filetrans($1, passwd_file_t, file, "passwd-")
+       files_etc_filetrans($1, passwd_file_t, file, "ptmptmp")
        files_etc_filetrans($1, shadow_t, file, "shadow")
        files_etc_filetrans($1, shadow_t, file, "shadow-")
        files_etc_filetrans($1, shadow_t, file, ".pwd.lock")
        files_etc_filetrans($1, shadow_t, file, "gshadow")
-       files_var_filetrans($1, shadow_t, file, "shadow")
-       files_var_filetrans($1, shadow_t, file, "shadow-")
        logging_log_named_filetrans($1, faillog_t, file, "tallylog")
        logging_log_named_filetrans($1, faillog_t, file, "faillog")
        logging_log_named_filetrans($1, faillog_t, file, "btmp")
        files_pid_filetrans($1, faillog_t, file, "faillog")
        logging_log_named_filetrans($1, wtmp_t, file, "wtmp")
 ')
+
+########################################
+## <summary>
+##     Get the attributes of the passwd passwords file.
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access.
+##     </summary>
+## </param>
+#
+interface(`auth_getattr_passwd',`
+       gen_require(`
+               type passwd_file_t;
+       ')
+
+       files_search_etc($1)
+       allow $1 passwd_file_t:file getattr;
+')
+
+########################################
+## <summary>
+##     Do not audit attempts to get the attributes
+##     of the passwd passwords file.
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain to not audit.
+##     </summary>
+## </param>
+#
+interface(`auth_dontaudit_getattr_passwd',`
+       gen_require(`
+               type passwd_file_t;
+       ')
+
+       dontaudit $1 passwd_file_t:file getattr;
+')
+
+########################################
+## <summary>
+##     Read the passwd passwords file (/etc/passwd)
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access.
+##     </summary>
+## </param>
+#
+interface(`auth_read_passwd',`
+       gen_require(`
+               type passwd_file_t;
+       ')
+
+       allow $1 passwd_file_t:file read_file_perms;
+')
+
+########################################
+## <summary>
+##     Do not audit attempts to read the passwd
+##     password file (/etc/passwd).
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain to not audit.
+##     </summary>
+## </param>
+#
+interface(`auth_dontaudit_read_passwd',`
+       gen_require(`
+               type passwd_file_t;
+       ')
+
+       dontaudit $1 passwd_file_t:file read_file_perms;
+')
+
+########################################
+## <summary>
+##     Create, read, write, and delete the passwd
+##     password file.
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access.
+##     </summary>
+## </param>
+#
+interface(`auth_manage_passwd',`
+       gen_require(`
+               type passwd_file_t;
+       ')
+
+       files_rw_etc_dirs($1)
+       allow $1 passwd_file_t:file manage_file_perms;
+       files_etc_filetrans($1, passwd_file_t, file, "passwd")
+       files_etc_filetrans($1, passwd_file_t, file, "passwd-")
+       files_etc_filetrans($1, passwd_file_t, file, "ptmptmp")
+       files_etc_filetrans($1, passwd_file_t, file, "group")
+       files_etc_filetrans($1, passwd_file_t, file, "group-")
+')
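Review bot: `auth_read_passwd` grants `read_file_perms` on passwd_file_t but, unlike `auth_getattr_passwd` just above it, does not call `files_search_etc($1)`, so a caller with no other access to /etc cannot reach the file. Adding `files_search_etc($1)` before the allow rule would make the interface self-contained. The summaries also say "the passwd passwords file" and name only /etc/passwd, while authlogin.fc assigns the same type to /etc/group and the backup copies. Wording such as `Read the passwd and group files (passwd_file_t).` would tell a policy author what is actually being granted, which matters most for `auth_manage_passwd`.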
index 7edafdeb6627a7e4e9e3580ec8a4d05ec7d1c6e9..39d91d4d097562c4b455d658f745ac5ce9631eab 100644 (file)
@@ -72,6 +72,9 @@ neverallow ~can_read_shadow_passwords shadow_t:file read;
 neverallow ~can_write_shadow_passwords shadow_t:file { create write };
 neverallow ~can_relabelto_shadow_passwords shadow_t:file relabelto;
 
+type passwd_file_t;
+files_type(passwd_file_t)
+
 type updpwd_t;
 type updpwd_exec_t;
 domain_type(updpwd_t)
@@ -351,6 +354,7 @@ kernel_read_system_state(updpwd_t)
 dev_read_urand(updpwd_t)
 
 files_manage_etc_files(updpwd_t)
+auth_manage_passwd(updpwd_t)
 
 term_dontaudit_use_console(updpwd_t)
 term_dontaudit_use_unallocated_ttys(updpwd_t)
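Review bot: `files_manage_etc_files(updpwd_t)` stays in place next to the new `auth_manage_passwd(updpwd_t)`, so updpwd_t keeps create, write and delete on every etc_t file, whereas the usermanage.te domains had that rule removed in this commit. If updpwd only needs the passwd and shadow files, the line could become `files_read_etc_files(updpwd_t)`. If the broad grant is still required, a comment naming the file that needs it would make the exception explicit. Which other etc_t files updpwd touches is not visible from this hunk.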
@@ -423,6 +427,9 @@ optional_policy(`
        ')
 ')
 
+
+auth_read_passwd(nsswitch_domain)
+
 # read /etc/nsswitch.conf
 files_read_etc_files(nsswitch_domain)