diff --git a/policy/modules/admin/usermanage.if b/policy/modules/admin/usermanage.if
index 0950bc7..3a87501 100644
--- a/policy/modules/admin/usermanage.if
+++ b/policy/modules/admin/usermanage.if
@@ -18,6 +18,10 @@ interface(`usermanage_domtrans_chfn',`
 files_search_usr($1)
 corecmd_search_bin($1)
 domtrans_pattern($1, chfn_exec_t, chfn_t)
+
+ ifdef(`hide_broken_symptoms',`
+ dontaudit chfn_t $1:socket_class_set { read write };
+ ')
 ')
 
 ########################################
@@ -63,6 +67,10 @@ interface(`usermanage_domtrans_groupadd',`
 files_search_usr($1)
 corecmd_search_bin($1)
 domtrans_pattern($1, groupadd_exec_t, groupadd_t)
+
+ ifdef(`hide_broken_symptoms',`
+ dontaudit groupadd_t $1:socket_class_set { read write };
+ ')
 ')
 
 ########################################
@@ -113,6 +121,10 @@ interface(`usermanage_domtrans_passwd',`
 files_search_usr($1)
 corecmd_search_bin($1)
 domtrans_pattern($1, passwd_exec_t, passwd_t)
+
+ ifdef(`hide_broken_symptoms',`
+ dontaudit passwd_t $1:socket_class_set { read write };
+ ')
 ')
 
 ########################################
@@ -247,6 +259,10 @@ interface(`usermanage_domtrans_useradd',`
 files_search_usr($1)
 corecmd_search_bin($1)
 domtrans_pattern($1, useradd_exec_t, useradd_t)
+
+ ifdef(`hide_broken_symptoms',`
+ dontaudit useradd_t $1:socket_class_set { read write };
+ ')
 ')
 
 ########################################
@@ -274,6 +290,8 @@ interface(`usermanage_run_useradd',`
 usermanage_domtrans_useradd($1)
 role $2 types useradd_t;
 
+ seutil_run_semanage(useradd_t, $2)
+
 optional_policy(`
 nscd_run(useradd_t, $2)
 ')
diff --git a/policy/modules/admin/usermanage.te b/policy/modules/admin/usermanage.te
index e0b50c5..c35d801 100644
--- a/policy/modules/admin/usermanage.te
+++ b/policy/modules/admin/usermanage.te
@@ -1,4 +1,4 @@
-policy_module(usermanage, 1.15.0)
+policy_module(usermanage, 1.15.1)
 
 ########################################
 # 
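Review bot: The new `hide_broken_symptoms` block in `usermanage_domtrans_chfn` silences read/write denials on every socket class that the caller `$1` leaks into chfn_t, but carries no comment naming the leak it papers over, so the underlying fd leak in the caller can never be traced back and fixed. `dontaudit` grants nothing, so it is the right choice over `allow`, but the block should say why it exists, e.g. `# $1 may leak open sockets across the transition; silence, do not allow`. The same four-line block is repeated verbatim for groupadd_t, passwd_t and useradd_t in the following hunks, so one comment in each interface summary (or a shared pattern) would keep the four in step when the leak is eventually fixed. The enclosing `usermanage_domtrans_chfn` interface begins before this hunk.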
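Review bot: `seutil_run_semanage(useradd_t, $2)` lets every role granted `usermanage_run_useradd` reach semanage_t through useradd, i.e. modify the SELinux policy store and not just /etc/passwd, and nothing in the hunk records why that privilege expansion is intended. Presumably it serves `useradd -Z` / `userdel` maintaining login-to-seuser mappings; a comment on the new line, `# useradd/userdel -Z maintain seusers via semanage`, would make that deliberate, and the interface's summary comment (outside the hunk) should tell admins that assigning this interface now implies the semanage transition. Unlike the `nscd_run` call just below it, the new call is not wrapped in `optional_policy`, which is only safe if selinuxutil is always part of this policy build — worth confirming. The enclosing `usermanage_run_useradd` interface begins before this hunk.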
@@ -208,6 +208,7 @@ domain_use_interactive_fds(groupadd_t)
 files_manage_etc_files(groupadd_t)
 files_relabel_etc_files(groupadd_t)
 files_read_etc_runtime_files(groupadd_t)
+files_read_usr_symlinks(groupadd_t)
 
 # Execute /usr/bin/{passwd, chfn, chsh} and /usr/sbin/{useradd, vipw}.
 corecmd_exec_bin(groupadd_t)
@@ -255,7 +256,8 @@ optional_policy(`
 # Passwd local policy
 #
 
-allow passwd_t self:capability { chown dac_override fsetid setuid setgid sys_resource };
+allow passwd_t self:capability { chown dac_override fsetid setuid setgid sys_nice sys_resource };
+dontaudit passwd_t self:capability sys_tty_config;
 allow passwd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
 allow passwd_t self:process { setrlimit setfscreate };
 allow passwd_t self:fd use;
@@ -449,6 +451,7 @@ corecmd_exec_shell(useradd_t)
 corecmd_exec_bin(useradd_t)
 domain_use_interactive_fds(useradd_t)
 
+domain_read_all_domains_state(useradd_t)
 files_manage_etc_files(useradd_t)
 files_search_var_lib(useradd_t)
 
@@ -530,6 +533,12 @@ optional_policy(`
 ')
 
 optional_policy(`
+ tunable_policy(`samba_domain_controller',`
+ samba_append_log(useradd_t)
+ ')
+')
+
+ optional_policy(`
 rpm_use_fds(useradd_t)
 rpm_rw_pipes(useradd_t)
 ')
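Review bot: `sys_nice` is added to passwd_t's capability set with no comment on what in passwd needs to change scheduling priority, while the adjacent `sys_tty_config` denial is handled with `dontaudit`; if the sys_nice denial is likewise a harmless side effect rather than a requirement, it should be silenced the same way instead of being granted to a setuid, credential-handling domain. A sys_nice denial is usually non-fatal for the library calls that raise it, so `dontaudit passwd_t self:capability { sys_nice sys_tty_config };` is the conservative default unless the allow is known to be needed. Whichever way it goes, record the trigger next to the rule, e.g. `# sys_nice: <caller/library> calls setpriority(); confirmed required`. The passwd_t rule block continues beyond this hunk.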
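Review bot: `domain_read_all_domains_state(useradd_t)` lets useradd_t read the /proc state of every domain on the system, a broad information-disclosure grant that the hunk adds without a word of justification. Presumably this is userdel (which runs in useradd_t) scanning /proc for processes still owned by the account being removed; if so, say it on the line, `# userdel scans /proc to detect processes still owned by the user`, so the grant is not widened further later. If only process ownership is needed, `domain_getattr_all_domains` with `domain_search_all_domains_state` might be sufficient, depending on how the scan is implemented — worth checking before granting full state reads. The useradd_t rule block continues beyond this hunk.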
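Review bot: The new `samba_domain_controller` block grants useradd_t append access to samba's log without saying which code path needs it; presumably smbd, acting as a domain controller, runs its add-user script with its log open on stdout/stderr and useradd inherits it. A one-line comment, `# smbd (as DC) spawns useradd with its log inherited; append only`, would tell the next reader this is an inherited-fd case and not a reason to widen it to write or manage. Wrapping the `tunable_policy` in its own `optional_policy` is correct, since the tunable is declared by the samba module, which may be absent from a build.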