diff --git a/policy/modules/system/authlogin.fc b/policy/modules/system/authlogin.fc
index e83330b..1c4b1e7 100644
--- a/policy/modules/system/authlogin.fc
+++ b/policy/modules/system/authlogin.fc
@@ -7,9 +7,6 @@
/etc/passwd\.lock -- gen_context(system_u:object_r:shadow_t,s0)
/etc/shadow.* -- gen_context(system_u:object_r:shadow_t,s0)
-/lib/security/pam_krb5/pam_krb5_storetmp -- gen_context(system_u:object_r:pam_exec_t,s0)
-/lib64/security/pam_krb5/pam_krb5_storetmp -- gen_context(system_u:object_r:pam_exec_t,s0)
-
/sbin/pam_console_apply -- gen_context(system_u:object_r:pam_console_exec_t,s0)
/sbin/pam_timestamp_check -- gen_context(system_u:object_r:pam_exec_t,s0)
/sbin/unix_chkpwd -- gen_context(system_u:object_r:chkpwd_exec_t,s0)
@@ -42,6 +39,7 @@ ifdef(`distro_gentoo', `
/var/log/wtmp.* -- gen_context(system_u:object_r:wtmp_t,s0)
/var/run/console(/.*)? gen_context(system_u:object_r:pam_var_console_t,s0)
-
/var/run/pam_mount(/.*)? gen_context(system_u:object_r:pam_var_run_t,s0)
+/var/run/pam_ssh(/.*)? gen_context(system_u:object_r:var_auth_t,s0)
+/var/run/sepermit(/.*)? gen_context(system_u:object_r:pam_var_run_t,s0)
/var/run/sudo(/.*)? gen_context(system_u:object_r:pam_var_run_t,s0)
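Review bot: The new `/var/run/pam_ssh(/.*)?` entry is labeled var_auth_t while the sibling runtime directories added or kept next to it (pam_mount, sepermit, sudo) are pam_var_run_t, and nothing in the hunk says why. var_auth_t is the type that every login program gets manage rights on through auth_login_pgm_domain in the .if change of this same commit, so the label decides which domains may write the pam_ssh state; if that is intended, a one-line `# pam_ssh state is managed by login programs, hence var_auth_t` above the entry would keep the next reader from "fixing" it to pam_var_run_t, and if it is not intended, pam_var_run_t would be consistent with its neighbours.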
diff --git a/policy/modules/system/authlogin.if b/policy/modules/system/authlogin.if
index 8fa6e24..54b9826 100644
--- a/policy/modules/system/authlogin.if
+++ b/policy/modules/system/authlogin.if
@@ -32,6 +32,54 @@ interface(`auth_role',`
########################################
##
+## Use PAM for authentication.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`auth_use_pam',`
+
+ # for SSP/ProPolice
+ dev_read_urand($1)
+ # for encrypted homedir
+ dev_read_sysfs($1)
+
+ auth_domtrans_chk_passwd($1)
+ auth_domtrans_upd_passwd($1)
+ auth_dontaudit_read_shadow($1)
+ auth_read_login_records($1)
+ auth_append_login_records($1)
+ auth_rw_lastlog($1)
+ auth_rw_faillog($1)
+ auth_exec_pam($1)
+ auth_use_nsswitch($1)
+
+ logging_send_audit_msgs($1)
+ logging_send_syslog_msg($1)
+
+ optional_policy(`
+ dbus_system_bus_client($1)
+
+ optional_policy(`
+ consolekit_dbus_chat($1)
+ ')
+ ')
+
+ optional_policy(`
+ kerberos_manage_host_rcache($1)
+ kerberos_read_config($1)
+ ')
+
+ optional_policy(`
+ nis_authenticate($1)
+ ')
+')
+
+########################################
+##
## Make the specified domain used for a login program.
##
##
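Review bot: auth_use_pam calls auth_domtrans_chk_passwd and then explicitly `auth_use_nsswitch($1)` and `auth_rw_faillog($1)`, yet a later hunk of this same commit makes auth_domtrans_chk_passwd grant those two to its caller itself, so the two explicit lines here are redundant; pick one place for that grant. The summary `## Use PAM for authentication.` understates what the interface hands out — transitions to the chkpwd and updpwd helpers, read/append access to login records, lastlog and faillog, audit and syslog sending, and optional dbus, consolekit, kerberos and NIS access — and a caller reading only the summary cannot tell it is a broad bundle; a summary such as `## Grant a domain what a PAM stack needs: chkpwd/updpwd transitions, login record, lastlog and faillog access, audit/syslog, and optional dbus, kerberos and NIS client access.` would say so. The `# for encrypted homedir` justification for dev_read_sysfs would be easier to prune later if it named the PAM module that needs sysfs.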
@@ -51,19 +99,26 @@ interface(`auth_login_pgm_domain',`
domain_obj_id_change_exemption($1)
role system_r types $1;
+ # Needed for pam_selinux_permit to cleanup properly
+ domain_read_all_domains_state($1)
+ domain_kill_all_domains($1)
+
+ # pam_keyring
+ allow $1 self:capability ipc_lock;
+ allow $1 self:process setkeycreate;
+ allow $1 self:key manage_key_perms;
+
files_list_var_lib($1)
manage_files_pattern($1, var_auth_t, var_auth_t)
- # needed for afs - https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=253321
- kernel_rw_afs_state($1)
-
manage_dirs_pattern($1, auth_cache_t, auth_cache_t)
manage_files_pattern($1, auth_cache_t, auth_cache_t)
manage_sock_files_pattern($1, auth_cache_t, auth_cache_t)
files_var_filetrans($1, auth_cache_t, dir)
- # for SSP/ProPolice
- dev_read_urand($1)
+ # needed for afs - https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=253321
+ kernel_rw_afs_state($1)
+
# for fingerprint readers
dev_rw_input_dev($1)
dev_rw_generic_usb_dev($1)
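Review bot: `domain_read_all_domains_state($1)` and `domain_kill_all_domains($1)` give every caller of auth_login_pgm_domain — every login program, not only those whose PAM stack loads pam_selinux_permit — the ability to read the state of and kill every domain on the system, justified by a single line about cleanup. If the module only needs to signal processes, the narrower domain_signal_all_domains would reduce the blast radius; if kill is genuinely required, the comment should say what the module does with it and acknowledge the breadth, e.g. `# pam_selinux_permit terminates sessions of denied users; note this grants kill over ALL domains to every login program`, so the grant is not copied elsewhere as routine. The `# pam_keyring` group would likewise be clearer if each of the three rules said which operation needs it. auth_login_pgm_domain starts before this hunk and continues after it.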
@@ -86,21 +141,12 @@ interface(`auth_login_pgm_domain',`
mls_process_set_level($1)
mls_fd_share_all_levels($1)
- auth_domtrans_chk_passwd($1)
- auth_domtrans_upd_passwd($1)
- auth_dontaudit_read_shadow($1)
- auth_read_login_records($1)
- auth_append_login_records($1)
- auth_rw_lastlog($1)
- auth_rw_faillog($1)
- auth_exec_pam($1)
- auth_use_nsswitch($1)
+ auth_use_pam($1)
init_rw_utmp($1)
- logging_send_audit_msgs($1)
- logging_send_syslog_msg($1)
logging_set_loginuid($1)
+ logging_set_tty_audit($1)
seutil_read_config($1)
seutil_read_default_contexts($1)
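Review bot: Replacing the nine explicit calls with `auth_use_pam($1)` is not a pure refactor: auth_use_pam as defined earlier in this diff also grants dev_read_sysfs, dbus system bus client access with consolekit chat, kerberos_manage_host_rcache, kerberos_read_config and nis_authenticate, none of which appear among the removed lines or in the visible parts of this interface. Every login program domain therefore gains those accesses without any mention in the hunk; the interface description (outside the hunk) or the commit message should state it, or those extra calls should stay in auth_use_pam only for callers that need them. The added `logging_set_tty_audit($1)` has no comment; if it is for pam_tty_audit, a `# pam_tty_audit` note in the style of the `# pam_keyring` comment above would match the file. The interface continues beyond this hunk.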
@@ -258,6 +304,7 @@ interface(`auth_manage_cache',`
type auth_cache_t;
')
+ manage_dirs_pattern($1, auth_cache_t, auth_cache_t)
manage_files_pattern($1, auth_cache_t, auth_cache_t)
')
@@ -305,19 +352,16 @@ interface(`auth_domtrans_chk_passwd',`
dev_read_rand($1)
dev_read_urand($1)
+ auth_use_nsswitch($1)
+ auth_rw_faillog($1)
+
logging_send_audit_msgs($1)
miscfiles_read_certs($1)
- sysnet_dns_name_resolve($1)
- sysnet_use_ldap($1)
-
optional_policy(`
- kerberos_use($1)
- ')
-
- optional_policy(`
- nis_use_ypbind($1)
+ kerberos_read_keytab($1)
+ kerberos_connect_524($1)
')
optional_policy(`
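Review bot: `auth_rw_faillog($1)` is added to an interface whose contract is a domain transition to chkpwd, so every caller of auth_domtrans_chk_passwd now also gets read/write on the faillog file whether or not it runs a PAM stack; this commit already places that grant in auth_use_pam, which is where it belongs, so the line here should go. `auth_use_nsswitch($1)` is a comparable widening of the caller (it now also carries the ldap, kerberos_use and samba rules added elsewhere in this diff), though it at least replaces the removed sysnet/kerberos/nis lines; a comment explaining why name-service access goes to the caller rather than to chkpwd_t would make the rule self-explanatory. The interface body continues past the hunk.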
@@ -332,6 +376,28 @@ interface(`auth_domtrans_chk_passwd',`
########################################
##
+## Run unix_chkpwd to check a password.
+## Stripped down version to be called within boolean
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`auth_domtrans_chkpwd',`
+ gen_require(`
+ type chkpwd_t, chkpwd_exec_t, shadow_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, chkpwd_exec_t, chkpwd_t)
+ dontaudit $1 shadow_t:file { getattr read };
+ auth_domtrans_upd_passwd($1)
+')
+
+########################################
+##
## Execute chkpwd programs in the chkpwd domain.
##
##
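Review bot: auth_domtrans_chkpwd differs from the existing auth_domtrans_chk_passwd by a few characters of its name, and the summary `## Stripped down version to be called within boolean` does not say what was stripped, so readers will pick the wrong one. Name the difference, e.g. `## Like auth_domtrans_chk_passwd but without the nsswitch, faillog, audit, certificate and kerberos rules; safe to call inside a tunable_policy block.` — those are the rules visible in the full interface in the hunk above, and the restriction presumably exists because optional_policy blocks cannot sit inside tunable_policy. It also still calls `auth_domtrans_upd_passwd($1)`, so it is not only a chkpwd transition; either say so in the summary or drop the call. The `dontaudit $1 shadow_t:file { getattr read };` line looks like what auth_dontaudit_read_shadow provides; calling that interface instead would keep the rule in one place.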
@@ -1129,6 +1195,32 @@ interface(`auth_relabel_all_files_except_shadow',`
########################################
##
+## Read and write all files on the filesystem, except
+## the shadow passwords and listed exceptions.
+##
+##
+##
+## The type of the domain perfoming this action.
+##
+##
+##
+##
+## The types to be excluded. Each type or attribute
+## must be negated by the caller.
+##
+##
+#
+
+interface(`auth_rw_all_files_except_shadow',`
+ gen_require(`
+ type shadow_t;
+ ')
+
+ files_rw_all_files($1,$2 -shadow_t)
+')
+
+########################################
+##
## Manage all files on the filesystem, except
## the shadow passwords and listed exceptions.
##
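Review bot: The parameter description misspells `perfoming` (should be `performing`), and the blank line between the closing `#` of the doc block and `interface(` breaks the layout every other interface in this file uses, where `#` is immediately followed by `interface(`; the documentation extraction may key on that adjacency, so the blank line risks detaching the doc from the interface. Remove the blank line and fix the spelling. The body itself mirrors the manage variant that follows: `-shadow_t` is appended to the caller's exclusion list exactly as the parameter text documents.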
@@ -1254,6 +1346,26 @@ interface(`auth_read_login_records',`
########################################
##
+## Do not audit attempts to read login records
+## files (/var/log/wtmp).
+##
+##
+##
+## Domain allowed access.
+##
+##
+##
+#
+interface(`auth_dontaudit_read_login_records',`
+ gen_require(`
+ type wtmp_t;
+ ')
+
+ dontaudit $1 wtmp_t:file read_file_perms;
+')
+
+########################################
+##
## Do not audit attempts to write to
## login records files.
##
@@ -1402,11 +1514,19 @@ interface(`auth_use_nsswitch',`
avahi_stream_connect($1)
')
+ optional_policy(`
+ ldap_stream_connect($1)
+ ')
+
optional_policy(`
likewise_stream_connect_lsassd($1)
')
optional_policy(`
+ kerberos_use($1)
+ ')
+
+ optional_policy(`
nis_use_ypbind($1)
')
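Review bot: Adding `kerberos_use($1)` to auth_use_nsswitch turns every caller of auth_use_nsswitch — a far broader set of domains than the password-checking ones — into a kerberos client, whereas before this commit only auth_domtrans_chk_passwd callers had that (it is removed from there in the same diff). If name-service lookups only need the kerberos configuration, `kerberos_read_config($1)`, which this commit already uses in auth_use_pam, would be the narrower grant; if full client access is genuinely required, a comment naming the NSS backend that needs it would justify the widening. The ldap_stream_connect addition, by contrast, follows the existing per-backend stream-connect pattern. auth_use_nsswitch starts before this hunk and continues past it.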
@@ -1417,6 +1537,7 @@ interface(`auth_use_nsswitch',`
optional_policy(`
samba_stream_connect_winbind($1)
samba_read_var_files($1)
+ samba_dontaudit_write_var_files($1)
')
')
diff --git a/policy/modules/system/authlogin.te b/policy/modules/system/authlogin.te
index 39cf811..e09435b 100644
--- a/policy/modules/system/authlogin.te
+++ b/policy/modules/system/authlogin.te
@@ -1,5 +1,5 @@
-policy_module(authlogin, 2.1.3)
+policy_module(authlogin, 2.1.4)
########################################
#
@@ -103,8 +103,10 @@ files_dontaudit_search_var(chkpwd_t)
fs_dontaudit_getattr_xattr_fs(chkpwd_t)
+term_dontaudit_use_console(chkpwd_t)
term_dontaudit_use_unallocated_ttys(chkpwd_t)
term_dontaudit_use_generic_ptys(chkpwd_t)
+term_dontaudit_use_all_ptys(chkpwd_t)
auth_use_nsswitch(chkpwd_t)
@@ -125,9 +127,18 @@ ifdef(`distro_ubuntu',`
')
optional_policy(`
+ # apache leaks file descriptors
+ apache_dontaudit_rw_tcp_sockets(chkpwd_t)
+')
+
+optional_policy(`
kerberos_use(chkpwd_t)
')
+optional_policy(`
+ nis_authenticate(chkpwd_t)
+')
+
########################################
#
# PAM local policy
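Review bot: The retained `kerberos_use(chkpwd_t)` block is now redundant: chkpwd_t already calls auth_use_nsswitch (the context line in the preceding hunk), and this commit adds kerberos_use to auth_use_nsswitch, so the same rules are granted twice; drop the explicit block or comment why it is kept. The `# apache leaks file descriptors` dontaudit silences the symptom of an apache-side descriptor leak rather than fixing it; a comment such as `# workaround: silences inherited apache sockets; the leak should be fixed by close-on-exec in apache` and a pointer to where that is tracked would keep it from becoming permanent. The hunk ends at the start of the PAM local policy section, which continues beyond it.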