From ba1a545fb3f371cad8f46a3247865afe39bfa45f Mon Sep 17 00:00:00 2001
From: Chris PeBenito
Date: Aug 17 2006 15:35:14 +0000
Subject: cleanup in authlogin
---
diff --git a/policy/modules/system/authlogin.if b/policy/modules/system/authlogin.if
index e0b90a7..29e1a77 100644
--- a/policy/modules/system/authlogin.if
+++ b/policy/modules/system/authlogin.if
@@ -128,7 +128,6 @@ template(`authlogin_per_userdomain_template',`
 # Transition from the user domain to this domain.
 domain_auto_trans($2,chkpwd_exec_t,$1_chkpwd_t)
 allow $1_chkpwd_t $2:fd use;
- allow $2 $1_chkpwd_t:fd use;
 allow $1_chkpwd_t $2:fifo_file rw_file_perms;
 allow $1_chkpwd_t $2:process sigchld;
@@ -289,8 +288,6 @@ interface(`auth_domtrans_login_program',`
 corecmd_search_bin($1)
 domain_auto_trans($1,login_exec_t,$2)
-
- allow $1 $2:fd use;
 allow $2 $1:fd use;
 allow $2 $1:fifo_file rw_file_perms;
 allow $2 $1:process sigchld;
@@ -311,13 +308,12 @@ interface(`auth_domtrans_chk_passwd',`
 type system_chkpwd_t, chkpwd_exec_t, shadow_t;
 ')
- corecmd_search_sbin($1)
- domain_auto_trans($1,chkpwd_exec_t,system_chkpwd_t)
 allow $1 self:capability { audit_write audit_control };
 allow $1 self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay };
- allow $1 system_chkpwd_t:fd use;
+ corecmd_search_sbin($1)
+ domain_auto_trans($1,chkpwd_exec_t,system_chkpwd_t)
 allow system_chkpwd_t $1:fd use;
 allow system_chkpwd_t $1:fifo_file rw_file_perms;
 allow system_chkpwd_t $1:process sigchld;
@@ -513,7 +509,7 @@ interface(`auth_manage_shadow',`
 type shadow_t;
 ')
- allow $1 shadow_t:file create_file_perms;
+ allow $1 shadow_t:file manage_file_perms;
 typeattribute $1 can_read_shadow_passwords, can_write_shadow_passwords;
 ')
@@ -690,8 +686,6 @@ interface(`auth_domtrans_pam',`
 ')
 domain_auto_trans($1,pam_exec_t,pam_t)
-
- allow $1 pam_t:fd use;
 allow pam_t $1:fd use;
 allow pam_t $1:fifo_file rw_file_perms;
 allow pam_t $1:process sigchld;
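Review bot: In `auth_domtrans_chk_passwd` the two self rules that now sit ahead of the transition, `allow $1 self:capability { audit_write audit_control };` and the `netlink_audit_socket` rule with `nlmsg_relay`, are granted to every domain that calls this interface, and nothing in the hunk says why. `audit_control` covers changing the audit configuration, which is more than a caller needs in order to emit authentication records; if callers only send messages, `allow $1 self:capability audit_write;` would be the narrower rule, to be confirmed against the callers before changing it. Since the commit is already reordering this body, a comment above the two rules naming the caller-side operation that requires them would help the next reviewer. The interface's header comment and closing `')` lie outside the hunk.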
@@ -762,7 +756,7 @@ interface(`auth_manage_var_auth',`
 ')
 files_search_var($1)
- allow $1 var_auth_t:dir create_dir_perms;
+ allow $1 var_auth_t:dir manage_dir_perms;
 allow $1 var_auth_t:file rw_file_perms;
 allow $1 var_auth_t:lnk_file rw_file_perms;
 ')
@@ -782,9 +776,8 @@ interface(`auth_read_pam_pid',`
 type pam_var_run_t;
 ')
- files_search_var($1)
 files_search_pids($1)
- allow $1 pam_var_run_t:dir r_dir_perms;
+ allow $1 pam_var_run_t:dir list_dir_perms;
 allow $1 pam_var_run_t:file r_file_perms;
 ')
@@ -821,7 +814,6 @@ interface(`auth_delete_pam_pid',`
 type pam_var_run_t;
 ')
- files_search_var($1)
 files_search_pids($1)
 allow $1 pam_var_run_t:dir { getattr search read write remove_name };
 allow $1 pam_var_run_t:file { getattr unlink };
@@ -843,8 +835,8 @@ interface(`auth_manage_pam_pid',`
 ')
 files_search_pids($1)
- allow $1 pam_var_run_t:dir create_dir_perms;
- allow $1 pam_var_run_t:file create_file_perms;
+ allow $1 pam_var_run_t:dir manage_dir_perms;
+ allow $1 pam_var_run_t:file manage_file_perms;
 ')
 ########################################
@@ -863,8 +855,6 @@ interface(`auth_domtrans_pam_console',`
 ')
 domain_auto_trans($1,pam_console_exec_t,pam_console_t)
-
- allow $1 pam_console_t:fd use;
 allow pam_console_t $1:fd use;
 allow pam_console_t $1:fifo_file rw_file_perms;
 allow pam_console_t $1:process sigchld;
@@ -886,7 +876,6 @@ interface(`auth_search_pam_console_data',`
 type pam_var_console_t;
 ')
- files_search_var($1)
 files_search_pids($1)
 allow $1 pam_var_console_t:dir search_dir_perms;
 ')
@@ -907,9 +896,8 @@ interface(`auth_list_pam_console_data',`
 type pam_var_console_t;
 ')
- files_search_var($1)
 files_search_pids($1)
- allow $1 pam_var_console_t:dir r_dir_perms;
+ allow $1 pam_var_console_t:dir list_dir_perms;
 ')
 ########################################
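Review bot: `auth_manage_var_auth` now grants `manage_dir_perms` on `var_auth_t` directories, but the two context rules right below it still give only `rw_file_perms` on `file` and reuse that file set for `lnk_file`, so an interface named manage can create directories yet, going by the set names, not the files inside them. `auth_manage_pam_pid` later in this same patch pairs `manage_dir_perms` with `manage_file_perms`, which makes the mismatch look unintentional. If in-place modification is all that callers need, record it with a comment such as `# files are modified in place; callers do not create or remove them`; otherwise align the file rule as `allow $1 var_auth_t:file manage_file_perms;`. The permission-set definitions are not part of this patch, so check them before choosing either way.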
@@ -927,9 +915,8 @@ interface(`auth_read_pam_console_data',`
 type pam_var_console_t;
 ')
- files_search_var($1)
 files_search_pids($1)
- allow $1 pam_var_console_t:dir r_dir_perms;
+ allow $1 pam_var_console_t:dir list_dir_perms;
 allow $1 pam_var_console_t:file r_file_perms;
 ')
@@ -949,10 +936,9 @@ interface(`auth_manage_pam_console_data',`
 type pam_var_console_t;
 ')
- files_search_var($1)
 files_search_pids($1)
 allow $1 pam_var_console_t:dir rw_dir_perms;
- allow $1 pam_var_console_t:file create_file_perms;
+ allow $1 pam_var_console_t:file manage_file_perms;
 allow $1 pam_var_console_t:lnk_file create_lnk_perms;
 ')
@@ -1120,8 +1106,6 @@ interface(`auth_domtrans_utempter',`
 ')
 domain_auto_trans($1,utempter_exec_t,utempter_t)
-
- allow $1 utempter_t:fd use;
 allow utempter_t $1:fd use;
 allow utempter_t $1:fifo_file rw_file_perms;
 allow utempter_t $1:process sigchld;
@@ -1323,7 +1307,7 @@ interface(`auth_manage_login_records',`
 ')
 logging_rw_generic_log_dirs($1)
- allow $1 wtmp_t:file create_file_perms;
+ allow $1 wtmp_t:file manage_file_perms;
 ')
 ########################################
@@ -1343,8 +1327,8 @@ interface(`auth_use_nsswitch',`
 allow $1 self:netlink_route_socket r_netlink_socket_perms;
- allow $1 var_auth_t:dir r_dir_perms;
- allow $1 var_auth_t:file create_file_perms;
+ allow $1 var_auth_t:dir list_dir_perms;
+ allow $1 var_auth_t:file manage_file_perms;
 files_list_var_lib($1)
 miscfiles_read_certs($1)
diff --git a/policy/modules/system/authlogin.te b/policy/modules/system/authlogin.te
index 978c2b3..5b93838 100644
--- a/policy/modules/system/authlogin.te
+++ b/policy/modules/system/authlogin.te
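Review bot: In `auth_use_nsswitch` the renamed pair is lopsided: `var_auth_t:dir` gets only `list_dir_perms` while `var_auth_t:file` gets `manage_file_perms`. Assuming the list set carries no `add_name`/`remove_name`, the create and unlink parts of the file rule cannot take effect through this interface, and what remains is write access to `var_auth_t` files for every domain that calls a name-service interface. If lookups only read these files, `allow $1 var_auth_t:file r_file_perms;` is the rule that matches the directory permission; if some caller really updates them, `rw_file_perms` plus a comment naming that caller would document the need. The interface body continues past the end of the hunk.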
@@ -93,9 +93,10 @@ allow pam_t self:msg { send receive };
 allow pam_t pam_var_run_t:dir { search getattr read write remove_name };
 allow pam_t pam_var_run_t:file { getattr read unlink };
+files_list_pids(pam_t)
-allow pam_t pam_tmp_t:dir create_dir_perms;
-allow pam_t pam_tmp_t:file create_file_perms;
+allow pam_t pam_tmp_t:dir manage_dir_perms;
+allow pam_t pam_tmp_t:file manage_file_perms;
 files_tmp_filetrans(pam_t, pam_tmp_t, { file dir })
 kernel_read_system_state(pam_t)
@@ -108,7 +109,6 @@ term_use_all_user_ptys(pam_t)
 init_dontaudit_rw_utmp(pam_t)
 files_read_etc_files(pam_t)
-files_list_pids(pam_t)
 libs_use_ld_so(pam_t)
 libs_use_shared_libs(pam_t)
@@ -140,10 +140,10 @@ dontaudit pam_console_t self:capability sys_tty_config;
 allow pam_console_t self:process { sigchld sigkill sigstop signull signal };
 # for /var/run/console.lock checking
-allow pam_console_t pam_var_console_t:dir r_dir_perms;;
+allow pam_console_t pam_var_console_t:dir list_dir_perms;
+allow pam_console_t pam_var_console_t:lnk_file { getattr read };
 allow pam_console_t pam_var_console_t:file r_file_perms;
 dontaudit pam_console_t pam_var_console_t:file write;
-allow pam_console_t pam_var_console_t:lnk_file { getattr read };
 kernel_read_kernel_sysctls(pam_console_t)
 kernel_use_fds(pam_console_t)
@@ -220,13 +220,7 @@ seutil_read_file_contexts(pam_console_t)
 userdom_dontaudit_use_unpriv_user_fds(pam_console_t)
-# cjp: with the old daemon_(base_)domain being broken up into
-# a daemon and system interface, this probably is not needed:
-ifdef(`direct_sysadm_daemon', `
- userdom_dontaudit_use_sysadm_terms(pam_console_t)
-')
-
-ifdef(`targeted_policy', `
+ifdef(`targeted_policy',`
 term_dontaudit_use_unallocated_ttys(pam_console_t)
 term_dontaudit_use_generic_ptys(pam_console_t)
 files_dontaudit_read_root_files(pam_console_t)