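diff -up serefpolicy-3.10.0/policy/modules/admin/mcelog.te.passwd serefpolicy-3.10.0/policy/modules/admin/mcelog.te
--- serefpolicy-3.10.0/policy/modules/admin/mcelog.te.passwd	2011-10-21 09:57:41.024059743 -0400
+++ serefpolicy-3.10.0/policy/modules/admin/mcelog.te	2011-10-21 09:57:41.523059314 -0400
@@ -45,6 +45,8 @@ files_read_etc_files(mcelog_t)
 # for /dev/mem access
 mls_file_read_all_levels(mcelog_t)
 
+auth_read_passwd(mcelog_t)
+
 logging_send_syslog_msg(mcelog_t)
 
 miscfiles_read_localization(mcelog_t)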
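diff -up serefpolicy-3.10.0/policy/modules/admin/usermanage.te.passwd serefpolicy-3.10.0/policy/modules/admin/usermanage.te
--- serefpolicy-3.10.0/policy/modules/admin/usermanage.te.passwd	2011-10-21 09:57:41.053059719 -0400
+++ serefpolicy-3.10.0/policy/modules/admin/usermanage.te	2011-10-21 09:58:51.127999915 -0400
@@ -91,6 +91,7 @@ fs_search_auto_mountpoints(chfn_t)
 dev_read_urand(chfn_t)
 dev_dontaudit_getattr_all(chfn_t)
 
+auth_manage_passwd(chfn_t)
 auth_use_pam(chfn_t)
 
 # allow checking if a shell is executable
@@ -98,7 +99,6 @@ corecmd_check_exec_shell(chfn_t)
 
 domain_use_interactive_fds(chfn_t)
 
-files_manage_etc_files(chfn_t)
 files_read_etc_runtime_files(chfn_t)
 files_dontaudit_search_var(chfn_t)
 files_dontaudit_search_home(chfn_t)
@@ -209,8 +209,8 @@ init_dontaudit_write_utmp(groupadd_t)
 
 domain_use_interactive_fds(groupadd_t)
 
-files_manage_etc_files(groupadd_t)
 files_relabel_etc_files(groupadd_t)
+files_read_etc_files(groupadd_t)
 files_read_etc_runtime_files(groupadd_t)
 files_read_usr_symlinks(groupadd_t)
 
@@ -225,9 +225,10 @@ miscfiles_read_localization(groupadd_t)
 auth_domtrans_chk_passwd(groupadd_t)
 auth_rw_lastlog(groupadd_t)
 auth_use_nsswitch(groupadd_t)
+auth_manage_passwd(groupadd_t)
+auth_manage_shadow(groupadd_t)
 # these may be unnecessary due to the above
 # domtrans_chk_passwd() call.
-auth_manage_shadow(groupadd_t)
 auth_relabel_shadow(groupadd_t)
 auth_etc_filetrans_shadow(groupadd_t)
 
@@ -301,6 +302,7 @@ selinux_compute_user_contexts(passwd_t)
 term_use_all_inherited_terms(passwd_t)
 term_getattr_all_ptys(passwd_t)
 
+auth_manage_passwd(passwd_t)
 auth_manage_shadow(passwd_t)
 auth_relabel_shadow(passwd_t)
 auth_etc_filetrans_shadow(passwd_t)
@@ -315,7 +317,6 @@ corenet_tcp_connect_kerberos_password_po
 domain_use_interactive_fds(passwd_t)
 
 files_read_etc_runtime_files(passwd_t)
-files_manage_etc_files(passwd_t)
 files_search_var(passwd_t)
 files_dontaudit_search_pids(passwd_t)
 files_relabel_etc_files(passwd_t)
@@ -396,6 +397,7 @@ fs_search_auto_mountpoints(sysadm_passwd
 term_use_all_inherited_terms(sysadm_passwd_t)
 term_getattr_all_ptys(sysadm_passwd_t)
 
+auth_manage_passwd(sysadm_passwd_t)
 auth_manage_shadow(sysadm_passwd_t)
 auth_relabel_shadow(sysadm_passwd_t)
 auth_etc_filetrans_shadow(sysadm_passwd_t)
@@ -408,7 +410,6 @@ files_read_usr_files(sysadm_passwd_t)
 
 domain_use_interactive_fds(sysadm_passwd_t)
 
-files_manage_etc_files(sysadm_passwd_t)
 files_relabel_etc_files(sysadm_passwd_t)
 files_read_etc_runtime_files(sysadm_passwd_t)
 # for nscd lookups
@@ -467,7 +468,6 @@ domain_use_interactive_fds(useradd_t)
 domain_read_all_domains_state(useradd_t)
 domain_dontaudit_read_all_domains_state(useradd_t)
 
-files_manage_etc_files(useradd_t)
 files_search_var_lib(useradd_t)
 files_relabel_etc_files(useradd_t)
 files_read_etc_runtime_files(useradd_t)
@@ -495,6 +495,7 @@ auth_rw_faillog(useradd_t)
 auth_use_nsswitch(useradd_t)
 # these may be unnecessary due to the above
 # domtrans_chk_passwd() call.
+auth_manage_passwd(useradd_t)
 auth_manage_shadow(useradd_t)
 auth_relabel_shadow(useradd_t)
 auth_etc_filetrans_shadow(useradd_t)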
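Review bot: chfn_t loses `files_manage_etc_files(chfn_t)` in the second hunk but, unlike groupadd_t which receives `files_read_etc_files(groupadd_t)` as a replacement in the third hunk, gets no explicit read rule for whatever etc_t configuration it still parses. It presumably keeps that access through `auth_use_pam(chfn_t)` if that interface places the domain in nsswitch_domain, which this patch grants `files_read_etc_files`; if it does not, chfn/chsh will fail on the first etc_t read. Adding `files_read_etc_files(chfn_t)` next to the new `auth_manage_passwd(chfn_t)` line removes the doubt at no cost. Note also that passwd_file_t covers /etc/group as well, so chfn_t and passwd_t are now explicitly granted write to group membership they do not need; that is no wider than the removed files_manage_etc_files, but a separate type for /etc/group would let the policy express the narrower need.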
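diff -up serefpolicy-3.10.0/policy/modules/apps/loadkeys.te.passwd serefpolicy-3.10.0/policy/modules/apps/loadkeys.te
--- serefpolicy-3.10.0/policy/modules/apps/loadkeys.te.passwd	2011-10-21 09:57:41.074059700 -0400
+++ serefpolicy-3.10.0/policy/modules/apps/loadkeys.te	2011-10-21 09:57:41.525059314 -0400
@@ -31,6 +31,8 @@ files_read_etc_runtime_files(loadkeys_t)
 term_dontaudit_use_console(loadkeys_t)
 term_use_unallocated_ttys(loadkeys_t)
 
+auth_read_passwd(loadkeys_t)
+
 init_dontaudit_use_fds(loadkeys_t)
 init_dontaudit_use_script_ptys(loadkeys_t)
 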
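diff -up serefpolicy-3.10.0/policy/modules/services/abrt.te.passwd serefpolicy-3.10.0/policy/modules/services/abrt.te
--- serefpolicy-3.10.0/policy/modules/services/abrt.te.passwd	2011-10-21 09:57:41.146059638 -0400
+++ serefpolicy-3.10.0/policy/modules/services/abrt.te	2011-10-21 09:57:41.527059312 -0400
@@ -105,7 +105,6 @@ allow abrt_t self:fifo_file rw_fifo_file
 allow abrt_t self:tcp_socket create_stream_socket_perms;
 allow abrt_t self:udp_socket create_socket_perms;
 allow abrt_t self:unix_dgram_socket create_socket_perms;
-allow abrt_t self:netlink_route_socket r_netlink_socket_perms;
 
 # abrt etc files
 list_dirs_pattern(abrt_t, abrt_etc_t, abrt_etc_t)
@@ -186,10 +185,10 @@ fs_read_nfs_files(abrt_t)
 fs_read_nfs_symlinks(abrt_t)
 fs_search_all(abrt_t)
 
-sysnet_dns_name_resolve(abrt_t)
-
 logging_read_generic_logs(abrt_t)
 
+auth_use_nsswitch(abrt_t)
+
 miscfiles_read_generic_certs(abrt_t)
 
 userdom_dontaudit_read_user_home_content_files(abrt_t)
@@ -209,10 +208,6 @@ optional_policy(`
 ')
 
 optional_policy(`
-	nis_use_ypbind(abrt_t)
-')
-
-optional_policy(`
 	nsplugin_read_rw_files(abrt_t)
 	nsplugin_read_home(abrt_t)
 ')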
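Review bot: Replacing the explicit netlink_route_socket rule, `sysnet_dns_name_resolve(abrt_t)` and `nis_use_ypbind(abrt_t)` with `auth_use_nsswitch(abrt_t)` widens abrt_t rather than merely consolidating it: in refpolicy that interface typically also opens the nscd, sssd, ldap and winbind lookup paths through its optional_policy blocks, and in this same patch nsswitch_domain is granted `auth_read_passwd`, so abrt_t gains /etc/passwd read as a side effect. If abrt needs only hostname resolution, the three removed rules were the tighter choice; if it needs user and group lookups, a comment such as `# user/group lookups for crash reports` above the new line would record why the broader interface was chosen. The nsplugin optional_policy block in the last hunk is complete, but the surrounding abrt_t rules continue outside the hunks.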
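diff -up serefpolicy-3.10.0/policy/modules/services/audioentropy.te.passwd serefpolicy-3.10.0/policy/modules/services/audioentropy.te
--- serefpolicy-3.10.0/policy/modules/services/audioentropy.te.passwd	2011-06-27 14:18:04.000000000 -0400
+++ serefpolicy-3.10.0/policy/modules/services/audioentropy.te	2011-10-21 09:57:41.528059311 -0400
@@ -47,6 +47,8 @@ fs_search_auto_mountpoints(entropyd_t)
 
 domain_use_interactive_fds(entropyd_t)
 
+auth_read_passwd(entropyd_t)
+
 logging_send_syslog_msg(entropyd_t)
 
 miscfiles_read_localization(entropyd_t)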
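diff -up serefpolicy-3.10.0/policy/modules/services/plymouthd.te.passwd serefpolicy-3.10.0/policy/modules/services/plymouthd.te
--- serefpolicy-3.10.0/policy/modules/services/plymouthd.te.passwd	2011-10-21 09:57:41.332059479 -0400
+++ serefpolicy-3.10.0/policy/modules/services/plymouthd.te	2011-10-21 09:57:41.530059309 -0400
@@ -75,6 +75,8 @@ init_signal(plymouthd_t)
 logging_link_generic_logs(plymouthd_t)
 logging_delete_generic_logs(plymouthd_t)
 
+auth_read_passwd(plymouthd_t)
+
 miscfiles_read_localization(plymouthd_t)
 miscfiles_read_fonts(plymouthd_t)
 miscfiles_manage_fonts_cache(plymouthd_t)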
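diff -up serefpolicy-3.10.0/policy/modules/services/virt.te.passwd serefpolicy-3.10.0/policy/modules/services/virt.te
--- serefpolicy-3.10.0/policy/modules/services/virt.te.passwd	2011-10-21 09:57:41.435059390 -0400
+++ serefpolicy-3.10.0/policy/modules/services/virt.te	2011-10-21 09:57:41.533059306 -0400
@@ -888,6 +888,7 @@ fs_getattr_xattr_fs(svirt_lxc_domain)
 fs_list_inotifyfs(svirt_lxc_domain)
 fs_dontaudit_getattr_xattr_fs(svirt_lxc_domain)
 
+auth_dontaudit_read_passwd(svirt_lxc_domain)
 auth_dontaudit_read_login_records(svirt_lxc_domain)
 auth_dontaudit_write_login_records(svirt_lxc_domain)
 auth_search_pam_console_data(svirt_lxc_domain)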
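Review bot: `auth_dontaudit_read_passwd(svirt_lxc_domain)` silences denials on every passwd_file_t file, which after this patch means the host's /etc/passwd and /etc/group, not just a copy inside the container's root filesystem. A container process probing the host account database is exactly the kind of denial an operator may want in the audit log, so the access stays denied but becomes invisible. If the intent is only to quiet noise from the container's own files, it is worth confirming those are labeled passwd_file_t at all and, if so, considering a container-specific type instead of a blanket dontaudit. At minimum a comment such as `# container reads of passwd_file_t stay denied, just not logged` would record the trade-off next to the rule.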
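diff -up serefpolicy-3.10.0/policy/modules/system/authlogin.fc.passwd serefpolicy-3.10.0/policy/modules/system/authlogin.fc
--- serefpolicy-3.10.0/policy/modules/system/authlogin.fc.passwd	2011-10-21 09:57:41.451059376 -0400
+++ serefpolicy-3.10.0/policy/modules/system/authlogin.fc	2011-10-21 09:57:41.534059305 -0400
@@ -7,6 +7,9 @@
 /etc/passwd\.lock	--	gen_context(system_u:object_r:shadow_t,s0)
 /etc/passwd\.adjunct.*	--	gen_context(system_u:object_r:shadow_t,s0)
 /etc/shadow.*		--	gen_context(system_u:object_r:shadow_t,s0)
+/etc/passwd-?		--	gen_context(system_u:object_r:passwd_file_t,s0)
+/etc/ptmptmp		--	gen_context(system_u:object_r:passwd_file_t,s0)
+/etc/group-?		--	gen_context(system_u:object_r:passwd_file_t,s0)
 
 /sbin/pam_console_apply	 --	gen_context(system_u:object_r:pam_console_exec_t,s0)
 /sbin/pam_timestamp_check --	gen_context(system_u:object_r:pam_exec_t,s0)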
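Review bot: The new `/etc/passwd-?` and `/etc/group-?` entries cover the live file and its `-` backup but not the temporary file that shadow-utils writes beside the target before renaming it into place (named `passwd+`/`group+` in the versions I recall; verify against the shipped package). Labels at create time come from the name transitions in authlogin.if rather than from these entries, so the practical effect here is on restorecon and relabel, but `/etc/passwd[-+]?` and `/etc/group[-+]?` would keep the file contexts in step with whatever names the transitions end up covering. The `/etc/ptmptmp` entry is also undocumented; a one-line comment naming the tool that creates it would save the next maintainer a search.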
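diff -up serefpolicy-3.10.0/policy/modules/system/authlogin.if.passwd serefpolicy-3.10.0/policy/modules/system/authlogin.if
--- serefpolicy-3.10.0/policy/modules/system/authlogin.if.passwd	2011-10-21 09:57:41.452059376 -0400
+++ serefpolicy-3.10.0/policy/modules/system/authlogin.if	2011-10-21 09:57:41.535059304 -0400
@@ -561,7 +561,6 @@ interface(`auth_domtrans_upd_passwd',`
 
 	domtrans_pattern($1, updpwd_exec_t, updpwd_t)
 	auth_dontaudit_read_shadow($1)
-
 ')
 
 ########################################
@@ -758,6 +757,10 @@ interface(`auth_manage_shadow',`
 
 	allow $1 shadow_t:file manage_file_perms;
 	typeattribute $1 can_read_shadow_passwords, can_write_shadow_passwords;
+	files_var_filetrans($1, shadow_t, file, "shadow")
+	files_var_filetrans($1, shadow_t, file, "shadow-")
+	files_etc_filetrans($1, shadow_t, file, ".pwd.lock")
+	files_etc_filetrans($1, shadow_t, file, "gshadow")
 ')
 
 #######################################
@@ -898,6 +901,9 @@ interface(`auth_manage_faillog',`
 	files_search_pids($1)
 	allow $1 faillog_t:dir manage_dir_perms;
 	allow $1 faillog_t:file manage_file_perms;
+	logging_log_named_filetrans($1, faillog_t, file, "tallylog")
+	logging_log_named_filetrans($1, faillog_t, file, "faillog")
+	logging_log_named_filetrans($1, faillog_t, file, "btmp")
 ')
 
 #######################################
@@ -1738,6 +1744,7 @@ interface(`auth_manage_login_records',`
 
 	logging_rw_generic_log_dirs($1)
 	allow $1 wtmp_t:file manage_file_perms;
+	logging_log_named_filetrans($1, wtmp_t, file, "wtmp")
 ')
 
 ########################################
@@ -1813,19 +1820,123 @@ interface(`auth_unconfined',`
 interface(`authlogin_filetrans_named_content',`
 	gen_require(`
 		type shadow_t;
+		type passwd_file_t;
 		type faillog_t;
 		type wtmp_t;
 	')
 
+	files_etc_filetrans($1, passwd_file_t, file, "group")
+	files_etc_filetrans($1, passwd_file_t, file, "group-")
+	files_etc_filetrans($1, passwd_file_t, file, "passwd")
+	files_etc_filetrans($1, passwd_file_t, file, "passwd-")
+	files_etc_filetrans($1, passwd_file_t, file, "ptmptmp")
 	files_etc_filetrans($1, shadow_t, file, "shadow")
 	files_etc_filetrans($1, shadow_t, file, "shadow-")
 	files_etc_filetrans($1, shadow_t, file, ".pwd.lock")
 	files_etc_filetrans($1, shadow_t, file, "gshadow")
-	files_var_filetrans($1, shadow_t, file, "shadow")
-	files_var_filetrans($1, shadow_t, file, "shadow-")
 	logging_log_named_filetrans($1, faillog_t, file, "tallylog")
 	logging_log_named_filetrans($1, faillog_t, file, "faillog")
 	logging_log_named_filetrans($1, faillog_t, file, "btmp")
 	files_pid_filetrans($1, faillog_t, file, "faillog")
 	logging_log_named_filetrans($1, wtmp_t, file, "wtmp")
 ')
+
+########################################
+## <summary>
+##	Get the attributes of the passwd passwords file.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`auth_getattr_passwd',`
+	gen_require(`
+		type passwd_file_t;
+	')
+
+	files_search_etc($1)
+	allow $1 passwd_file_t:file getattr;
+')
+
+########################################
+## <summary>
+##	Do not audit attempts to get the attributes
+##	of the passwd passwords file.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+#
+interface(`auth_dontaudit_getattr_passwd',`
+	gen_require(`
+		type passwd_file_t;
+	')
+
+	dontaudit $1 passwd_file_t:file getattr;
+')
+
+########################################
+## <summary>
+##	Read the passwd passwords file (/etc/passwd)
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`auth_read_passwd',`
+	gen_require(`
+		type passwd_file_t;
+	')
+
+	allow $1 passwd_file_t:file read_file_perms;
+')
+
+########################################
+## <summary>
+##	Do not audit attempts to read the passwd
+##	password file (/etc/passwd).
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+#
+interface(`auth_dontaudit_read_passwd',`
+	gen_require(`
+		type passwd_file_t;
+	')
+
+	dontaudit $1 passwd_file_t:file read_file_perms;
+')
+
+########################################
+## <summary>
+##	Create, read, write, and delete the passwd
+##	password file.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`auth_manage_passwd',`
+	gen_require(`
+		type passwd_file_t;
+	')
+
+	files_rw_etc_dirs($1)
+	allow $1 passwd_file_t:file manage_file_perms;
+	files_etc_filetrans($1, passwd_file_t, file, "passwd")
+	files_etc_filetrans($1, passwd_file_t, file, "passwd-")
+	files_etc_filetrans($1, passwd_file_t, file, "ptmptmp")
+	files_etc_filetrans($1, passwd_file_t, file, "group")
+	files_etc_filetrans($1, passwd_file_t, file, "group-")
+')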
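Review bot: `auth_read_passwd` grants `passwd_file_t:file read_file_perms` without `files_search_etc($1)`, while the sibling `auth_getattr_passwd` added in the same hunk does call it; a domain with no other etc_t search permission will still be denied at the /etc directory lookup, and the callers in this patch (mcelog_t, loadkeys_t, entropyd_t, plymouthd_t) only work because they happen to carry other etc rules. Adding `files_search_etc($1)` before the allow line makes the interface self-sufficient and consistent with its sibling. In `auth_manage_passwd`, the name transitions cover passwd, passwd-, ptmptmp, group and group- but not the `passwd+`/`group+` temporary file that shadow-utils writes before renaming it over the target (verify the name against the shipped shadow-utils); a temp file created as etc_t and then renamed leaves /etc/passwd silently mislabeled. The summary `Create, read, write, and delete the passwd password file.` should also say that passwd_file_t covers /etc/group, since a caller will not otherwise expect to receive group write access from this interface. Inside `auth_manage_shadow`, note that only `.pwd.lock` and `gshadow` get etc transitions while `shadow`/`shadow-` get var transitions, so /etc/shadow creation still depends on the caller also invoking `auth_etc_filetrans_shadow`; a one-line comment saying so would prevent someone "fixing" it later.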
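diff -up serefpolicy-3.10.0/policy/modules/system/authlogin.te.passwd serefpolicy-3.10.0/policy/modules/system/authlogin.te
--- serefpolicy-3.10.0/policy/modules/system/authlogin.te.passwd	2011-10-21 09:57:41.453059375 -0400
+++ serefpolicy-3.10.0/policy/modules/system/authlogin.te	2011-10-21 09:57:41.536059303 -0400
@@ -71,6 +71,9 @@ neverallow ~can_read_shadow_passwords sh
 neverallow ~can_write_shadow_passwords shadow_t:file { create write };
 neverallow ~can_relabelto_shadow_passwords shadow_t:file relabelto;
 
+type passwd_file_t;
+files_type(passwd_file_t)
+
 type updpwd_t;
 type updpwd_exec_t;
 domain_type(updpwd_t)
@@ -350,6 +353,7 @@ kernel_read_system_state(updpwd_t)
 dev_read_urand(updpwd_t)
 
 files_manage_etc_files(updpwd_t)
+auth_manage_passwd(updpwd_t)
 
 term_dontaudit_use_console(updpwd_t)
 term_dontaudit_use_unallocated_ttys(updpwd_t)
@@ -422,6 +426,9 @@ optional_policy(`
 	')
 ')
 
+
+auth_read_passwd(nsswitch_domain)
+
 # read /etc/nsswitch.conf
 files_read_etc_files(nsswitch_domain)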
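Review bot: passwd_file_t is introduced with only `files_type(passwd_file_t)` and none of the neverallow guards that protect shadow_t three lines above it, yet write access to /etc/passwd is just as security-critical (a uid-0 entry or a changed login shell is a full compromise without touching shadow). Mirroring the shadow pattern with an attribute assigned in `auth_manage_passwd` and `neverallow ~can_write_passwd_file passwd_file_t:file { create write };` here would make any unintended writer fail at policy build time rather than go unnoticed at runtime. Separately, updpwd_t keeps `files_manage_etc_files(updpwd_t)` while gaining `auth_manage_passwd(updpwd_t)`, which is exactly the combination this patch removes from the usermanage domains; if updpwd_t needs only the passwd and shadow files, the broader rule can go as well. The comment `# read /etc/nsswitch.conf` now sits between the new `auth_read_passwd(nsswitch_domain)` line and the rule it describes, so a comment of its own such as `# /etc/passwd is passwd_file_t, not etc_t` above the new line would keep the annotations accurate; the double blank line above it is also stray.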