From: Dan Walsh
Date: Fri, 18 Nov 2011 16:23:10 +0000 (-0500)
Subject: Add auth_home_t for content that needs to be written by login programs, .google_authe...
X-Git-Tag: 000~96
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=11578593e78aea26fe858b91a7c928b0705e7d74;p=people%2Fstevee%2Fselinux-policy.git
Add auth_home_t for content that needs to be written by login programs, .google_authenticator is the only one that I know of so far
---
diff --git a/policy/modules/kernel/domain.te b/policy/modules/kernel/domain.te
index a4784313..facd6a8f 100644
--- a/policy/modules/kernel/domain.te
+++ b/policy/modules/kernel/domain.te
@@ -209,7 +209,9 @@ storage_filetrans_all_named_dev(unconfined_domain_type)
 term_filetrans_all_named_dev(unconfined_domain_type)
 optional_policy(`
- authlogin_filetrans_named_content(unconfined_domain_type)
+ auth_filetrans_named_content(unconfined_domain_type)
+ auth_filetrans_admin_home_content(unconfined_domain_type)
+ auth_filetrans_home_content(unconfined_domain_type)
 ')
 optional_policy(`
diff --git a/policy/modules/system/authlogin.fc b/policy/modules/system/authlogin.fc
index bb64dec9..db5441ec 100644
--- a/policy/modules/system/authlogin.fc
+++ b/policy/modules/system/authlogin.fc
@@ -1,3 +1,5 @@
+HOME_DIR/\.google_authenticator gen_context(system_u:object_r:auth_home_t,s0)
+/root/\.google_authenticator gen_context(system_u:object_r:auth_home_t,s0)
 /bin/login -- gen_context(system_u:object_r:login_exec_t,s0)
diff --git a/policy/modules/system/authlogin.if b/policy/modules/system/authlogin.if
index 131195da..5551d16a 100644
--- a/policy/modules/system/authlogin.if
+++ b/policy/modules/system/authlogin.if
@@ -108,6 +108,7 @@ interface(`auth_login_pgm_domain',`
 gen_require(`
 type var_auth_t, auth_cache_t;
 attribute polydomain;
+ type auth_home_t;
 ')
 domain_type($1)
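Review bot: The two new entries in the authlogin.fc hunk carry no object-class flag, so a directory or symlink named `.google_authenticator` would also be labeled auth_home_t, while every other rule this commit adds for that type (both filetrans interfaces) is for class `file`; the neighbouring `/bin/login -- gen_context(...)` entry shows the file's convention. Suggest `HOME_DIR/\.google_authenticator -- gen_context(system_u:object_r:auth_home_t,s0)` and `/root/\.google_authenticator -- gen_context(system_u:object_r:auth_home_t,s0)`. Because this path holds the user's authenticator secret, keeping the type confined to that one regular file also keeps the auth_home_t rules granted to login programs as narrow as they look.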
@@ -138,6 +139,11 @@ interface(`auth_login_pgm_domain',`
 manage_sock_files_pattern($1, auth_cache_t, auth_cache_t)
 files_var_filetrans($1, auth_cache_t, dir)
+ manage_dirs_pattern($1, auth_home_t, auth_home_t)
+ manage_files_pattern($1, auth_home_t, auth_home_t)
+ auth_filetrans_admin_home_content($1)
+ auth_filetrans_home_content($1)
+
 # needed for afs - https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=253321
 kernel_rw_afs_state($1)
@@ -1818,7 +1824,7 @@ interface(`auth_unconfined',`
 ##
 ##
 #
-interface(`authlogin_filetrans_named_content',`
+interface(`auth_filetrans_named_content',`
 gen_require(`
 type shadow_t;
 type passwd_file_t;
@@ -1942,3 +1948,42 @@ interface(`auth_manage_passwd',`
 files_etc_filetrans($1, passwd_file_t, file, "group")
 files_etc_filetrans($1, passwd_file_t, file, "group-")
 ')
+
+########################################
+##
+## Create auth directory in the /root directory
+## with an correct label.
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`auth_filetrans_admin_home_content',`
+ gen_require(`
+ type auth_home_t;
+ ')
+
+ userdom_admin_home_dir_filetrans($1, auth_home_t, file, ".google_authenticator")
+')
+
+########################################
+##
+## Create auth directory in the user home directory
+## with an correct label.
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`auth_filetrans_home_content',`
+
+ gen_require(`
+ type auth_home_t;
+ ')
+
+ userdom_user_home_dir_filetrans($1, auth_home_t, file, ".google_authenticator")
+')
diff --git a/policy/modules/system/authlogin.te b/policy/modules/system/authlogin.te
index e73bf107..93188ef5 100644
--- a/policy/modules/system/authlogin.te
+++ b/policy/modules/system/authlogin.te
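Review bot: `manage_dirs_pattern($1, auth_home_t, auth_home_t)` in the auth_login_pgm_domain hunk grants every login-program domain full directory management over a type that this commit only ever assigns to one regular file (the .fc entries and both filetrans interfaces use class `file`), so the dirs rule is surplus and should be dropped unless a directory of that type is planned. The two filetrans calls also widen what login programs may do in every user's home directory through `userdom_user_home_dir_filetrans`; if that helper grants write access on user_home_dir_t, as the filetrans helpers in this policy generally do, that is more than the single file needs and deserves a why-comment such as `# pam modules rewrite $HOME/.google_authenticator in place`. A named transition only matches the exact name, so if the PAM module updates the secret by writing a temporary file and renaming it, the result will keep the default home-content label rather than auth_home_t; confirm how the module writes the file before relying on this label. The interface body starts and ends outside this hunk.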
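Review bot: The summaries of both new interfaces in the -1942 hunk say "Create auth directory", but the only rule in each is a `file` class transition for `.google_authenticator`, and "with an correct label" is ungrammatical. Suggest `## Create the .google_authenticator file in the /root directory` followed by `## with the correct label.` for auth_filetrans_admin_home_content, and `## Create the .google_authenticator file in the user home directory` followed by `## with the correct label.` for auth_filetrans_home_content. The blank line directly after `interface(`auth_filetrans_home_content',`` differs from the sibling interface added just above it; drop it so the two read the same.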
@@ -23,11 +23,14 @@ attribute can_read_shadow_passwords;
 attribute can_write_shadow_passwords;
 attribute can_relabelto_shadow_passwords;
 attribute polydomain;
-attribute nsswitch_domain;
+attribute nsswitch_domain;<
 type auth_cache_t;
 logging_log_file(auth_cache_t)
+type auth_home_t;
+userdom_user_home_content(auth_home_t)
+
 type chkpwd_t, can_read_shadow_passwords;
 type chkpwd_exec_t;
 typealias chkpwd_t alias { user_chkpwd_t staff_chkpwd_t sysadm_chkpwd_t };
diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
index 0281618f..290f54e4 100644
--- a/policy/modules/system/userdomain.if
+++ b/policy/modules/system/userdomain.if
@@ -655,6 +655,8 @@ template(`userdom_common_user_template',`
 auth_read_login_records($1_usertype)
 auth_run_pam($1_t,$1_r)
 auth_run_utempter($1_t,$1_r)
+ auth_filetrans_admin_home_content($1_t)
+ auth_filetrans_home_content($1_t)
 init_read_utmp($1_usertype)
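Review bot: The changed line `+attribute nsswitch_domain;<` in the authlogin.te hunk differs from the removed line only by a trailing `<`, which is not valid policy syntax and will break the policy build if it is really in the patch rather than a rendering artifact of this page; the line should stay `attribute nsswitch_domain;`. Separately, `userdom_user_home_content(auth_home_t)` puts the new type under the generic user-home-content attribute, so any domain given blanket user-home-content access can read and rewrite the authenticator secret; if the reason for a dedicated type is to let login programs write it while keeping other home-reading domains away from it, this declaration would need to be replaced by a narrower set of interfaces — worth confirming against what userdom_user_home_content grants in userdomain.if.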
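Review bot: `auth_filetrans_admin_home_content($1_t)` is added to userdom_common_user_template, so every unprivileged user domain built from this template receives the transition for `/root/.google_authenticator`; such domains normally have no write access to the admin home directory, which leaves the rule dead for them, and should one of them ever gain that access the transition applies silently — consider moving this call to the administrative user template and keeping only `auth_filetrans_home_content($1_t)` here. The new calls also use `$1_t` while the neighbouring `auth_read_login_records($1_usertype)` uses `$1_usertype`; if the user's other application domains are meant to create the file with the right label as well, `$1_usertype` is the matching choice. The template body starts and ends outside this hunk.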