diff --git a/refpolicy/Changelog b/refpolicy/Changelog
index 88501b3..8e0730b 100644
--- a/refpolicy/Changelog
+++ b/refpolicy/Changelog
@@ -1,3 +1,4 @@
+- Fixes from Dan Walsh for ldap and authlogin.
 - Fix corenetwork gen_context()'s to expand during the policy build phase instead of during the generation phase.
 - DISTRO=redhat now implies DIRECT_INITRC=y.
diff --git a/refpolicy/policy/modules/services/ldap.te b/refpolicy/policy/modules/services/ldap.te
index 672ef1c..ae0005d 100644
--- a/refpolicy/policy/modules/services/ldap.te
+++ b/refpolicy/policy/modules/services/ldap.te
@@ -1,5 +1,5 @@
-policy_module(ldap,1.0)
+policy_module(ldap,1.0.1)
 ########################################
 #
@@ -10,12 +10,18 @@ type slapd_t;
 type slapd_exec_t;
 init_daemon_domain(slapd_t,slapd_exec_t)
+type slapd_cert_t;
+files_type(slapd_cert_t)
+
 type slapd_db_t;
 files_type(slapd_db_t)
 type slapd_etc_t;
 files_config_file(slapd_etc_t)
+type slapd_lock_t;
+files_lock_file(slapd_lock_t)
+
 type slapd_replog_t;
 files_type(slapd_replog_t)
@@ -41,6 +47,10 @@ allow slapd_t self:udp_socket create_socket_perms;
 #slapd needs to listen and accept needed by ldapsearch (slapd needs to accept from ldapseach)
 allow slapd_t self:tcp_socket create_stream_socket_perms;
+allow slapd_t slapd_cert_t:dir r_dir_perms;
+allow slapd_t slapd_cert_t:file r_file_perms;
+allow slapd_t slapd_cert_t:lnk_file { getattr read };
+
 # Allow access to the slapd databases
 allow slapd_t slapd_db_t:dir create_dir_perms;
 allow slapd_t slapd_db_t:file create_file_perms;
@@ -48,6 +58,9 @@ allow slapd_t slapd_db_t:lnk_file create_lnk_perms;
 allow slapd_t slapd_etc_t:file { getattr read };
+allow slapd_t slapd_lock_t:file create_file_perms;
+files_create_lock(slapd_t,slapd_lock_t)
+
 # Allow access to write the replication log (should tighten this)
 allow slapd_t slapd_replog_t:dir create_dir_perms;
 allow slapd_t slapd_replog_t:file create_file_perms;
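Review bot: The new slapd_cert_t type is declared in the ldap.te declarations hunk, but nothing in this diff labels any path with it — ldap.fc is not touched, so unless a file_contexts change lands separately the type stays unused and slapd's certificate directory keeps whatever label it has today. slapd_lock_t is in better shape only because the files_create_lock() call later in the file gives it a type transition for files slapd creates under /var/lock. Neither new type says what it is for; a comment above each would help, e.g. `# slapd_cert_t: certificates (and possibly private keys) that slapd only reads` and `# slapd_lock_t: slapd's lock file under /var/lock`. Whether the certificate directory really holds private key material I cannot tell from this diff; if it does, be aware that files_type() marks it as a generic file type, so any domain granted the broad read-all-files style interfaces gets the key material too.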
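Review bot: The three slapd_cert_t rules in the access hunk are the only rule group in this part of ldap.te without a header comment, while the db and replog groups both carry one; add `# Allow read-only access to the certificates slapd uses` above `allow slapd_t slapd_cert_t:dir r_dir_perms;`. The scoping itself is right for key material — r_dir_perms, r_file_perms and only getattr/read on symlinks — so no change to the permissions is needed. The typo "ldapseach" in the existing context comment above could be fixed in passing, but it predates this change.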
diff --git a/refpolicy/policy/modules/system/authlogin.fc b/refpolicy/policy/modules/system/authlogin.fc
index 9f37e2f..898eab6 100644
--- a/refpolicy/policy/modules/system/authlogin.fc
+++ b/refpolicy/policy/modules/system/authlogin.fc
@@ -23,6 +23,8 @@ ifdef(`distro_suse', `
 /var/db/shadow.* -- gen_context(system_u:object_r:shadow_t,s0)
+/var/lib/abl(/.*)? gen_context(system_u:object_r:var_auth_t,s0)
+
 /var/log/btmp.* -- gen_context(system_u:object_r:faillog_t,s0)
 /var/log/dmesg -- gen_context(system_u:object_r:var_log_t,s0)
 /var/log/faillog -- gen_context(system_u:object_r:faillog_t,s0)
diff --git a/refpolicy/policy/modules/system/authlogin.if b/refpolicy/policy/modules/system/authlogin.if
index 46d3fbf..8fedb48 100644
--- a/refpolicy/policy/modules/system/authlogin.if
+++ b/refpolicy/policy/modules/system/authlogin.if
@@ -920,6 +920,12 @@ interface(`auth_manage_login_records',`
 ##
 #
 interface(`auth_use_nsswitch',`
+ gen_require(`
+ type var_auth_t;
+ ')
+
+ allow $1 var_auth_t:dir r_dir_perms;
+ allow $1 var_auth_t:file create_file_perms;
 sysnet_dns_name_resolve($1)
 sysnet_use_ldap($1)
diff --git a/refpolicy/policy/modules/system/authlogin.te b/refpolicy/policy/modules/system/authlogin.te
index ee6fd72..5178167 100644
--- a/refpolicy/policy/modules/system/authlogin.te
+++ b/refpolicy/policy/modules/system/authlogin.te
@@ -1,5 +1,5 @@
-policy_module(authlogin,1.0)
+policy_module(authlogin,1.0.1)
 ########################################
 #
@@ -64,6 +64,13 @@ domain_type(utempter_t)
 type utempter_exec_t;
 domain_entry_file(utempter_t,utempter_exec_t)
+#
+# var_auth_t is the type of /var/lib/auth, usually
+# used for auth data in pam_able
+#
+type var_auth_t;
+files_type(var_auth_t)
+
 type wtmp_t;
 logging_log_file(wtmp_t)
diff --git a/refpolicy/policy/modules/system/logging.te b/refpolicy/policy/modules/system/logging.te
index e6f2fac..afffb4f 100644
--- a/refpolicy/policy/modules/system/logging.te
+++ b/refpolicy/policy/modules/system/logging.te
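Review bot: The two rules added to auth_use_nsswitch() do not agree with each other: `allow $1 var_auth_t:file create_file_perms;` lets the caller create and unlink files of that type, but `allow $1 var_auth_t:dir r_dir_perms;` gives the directory only read/search, so creating a new file under /var/lib/abl is still denied (no add_name/write on the dir) and only pre-existing files can be touched; either grant `rw_dir_perms` on the dir or, if updating existing files is all that is intended, drop the file rule to `rw_file_perms`. Nothing in the hunk grants search on /var/lib itself (e.g. `files_search_var_lib($1)`), which a caller needs to reach /var/lib/abl unless it already has it. More importantly, auth_use_nsswitch() is the interface every domain that resolves names calls, so this hands write access to what the .te comment in the same commit calls pam_abl's auth data to all of them; if that data records failed logins for lockout, any such domain could erase or forge entries, and the rules arguably belong in the interface used only by domains that actually run PAM. The interface body continues past the end of the hunk.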
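Review bot: The comment added with var_auth_t in authlogin.te contradicts the file-context entry in the same commit: authlogin.fc labels `/var/lib/abl(/.*)?` as var_auth_t, while the comment says the type is for /var/lib/auth and names the module `pam_able`; the module that keeps its data under /var/lib/abl is pam_abl. Change the comment to `# var_auth_t is the type of /var/lib/abl, which holds the auth data kept by pam_abl`. If the data is pam_abl's failed-login records, as I believe it is, say so explicitly, since that is what makes the broad write access granted in authlogin.if worth scrutinising.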
@@ -1,5 +1,5 @@
-policy_module(logging,1.0)
+policy_module(logging,1.0.1)
 ########################################
 #
@@ -108,6 +108,7 @@ allow auditd_t self:process { signal_perms setsched };
 allow auditd_t self:file { getattr read write };
 allow auditd_t self:unix_dgram_socket create_socket_perms;
 allow auditd_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay nlmsg_readpriv };
+allow auditd_t self:fifo_file rw_file_perms;
 allow auditd_t auditd_etc_t:file r_file_perms;
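Review bot: `allow auditd_t self:fifo_file rw_file_perms;` arrives without any comment saying which pipe auditd needs it for, and the Changelog entry in this commit mentions only ldap and authlogin, so the logging change is effectively undocumented. Add a one-line reason above it, e.g. `# auditd reads and writes its own unnamed pipe (presumably for its dispatcher) -- confirm`, and extend the Changelog line to mention auditd. The rule is on self only, so it does not widen access to any other type; it just deserves a trail.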