diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if
index 7ea2918..7f06066 100644
--- a/policy/modules/kernel/files.if
+++ b/policy/modules/kernel/files.if
@@ -4717,8 +4717,7 @@ interface(`files_polyinstantiate_all',`
files_search_home($1)
corecmd_exec_bin($1)
seutil_domtrans_setfiles($1)
- fs_mount_tmpfs($1)
- fs_unmount_tmpfs($1)
+ mount_domtrans($1)
')
')
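Review bot: `mount_domtrans($1)` replaces two narrow tmpfs permissions with a transition into the mount domain, which presumably can mount much more than tmpfs, and nothing next to the call explains why the wider grant is needed. A one-line comment above it naming the consumer (the polyinstantiation setup script, if that is the reason; confirm) would let a later reader judge whether the transition is still required. It is also worth checking that a kernel-layer interface may call into the mount module without an `optional_policy` wrapper. The enclosing block starts outside the hunk, so its guard cannot be seen here.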
diff --git a/policy/modules/kernel/files.te b/policy/modules/kernel/files.te
index 2380629..7bc860c 100644
--- a/policy/modules/kernel/files.te
+++ b/policy/modules/kernel/files.te
@@ -1,5 +1,5 @@
-policy_module(files,1.7.3)
+policy_module(files,1.7.4)
########################################
#
diff --git a/policy/modules/kernel/kernel.if b/policy/modules/kernel/kernel.if
index 2704cda..a8760e6 100644
--- a/policy/modules/kernel/kernel.if
+++ b/policy/modules/kernel/kernel.if
@@ -837,6 +837,27 @@ interface(`kernel_dontaudit_read_proc_symlinks',`
#######################################
##
+## Allow caller to read and write state information for AFS.
+##
+##
+##
+## Domain allowed access.
+##
+##
+##
+#
+interface(`kernel_rw_afs_state',`
+ gen_require(`
+ type proc_t, proc_afs_t;
+ ')
+
+ read_files_pattern($1,proc_t,proc_afs_t)
+
+ list_dirs_pattern($1,proc_t,proc_t)
+')
+
+#######################################
+##
## Allow caller to read the state information for software raid.
##
##
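Review bot: The name `kernel_rw_afs_state` and its summary promise read and write access, but the body only calls `read_files_pattern($1,proc_t,proc_afs_t)`. Either the summary and name should say read-only (e.g. `## Allow caller to read state information for AFS.`), or, if callers really need to write, the rule should be `rw_files_pattern($1,proc_t,proc_afs_t)`. Keeping the narrower read rule and fixing the wording is the least-privilege choice unless a write denial has actually been observed. The directory rule lists `proc_t` directories only, so confirm whether the directory under `/fs/openafs` itself, which the genfscon in kernel.te labels `proc_afs_t`, also needs to be listable.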
diff --git a/policy/modules/kernel/kernel.te b/policy/modules/kernel/kernel.te
index f858edb..a3e56e7 100644
--- a/policy/modules/kernel/kernel.te
+++ b/policy/modules/kernel/kernel.te
@@ -1,5 +1,5 @@
-policy_module(kernel,1.8.2)
+policy_module(kernel,1.8.3)
########################################
#
@@ -71,6 +71,9 @@ fs_type(proc_t)
genfscon proc / gen_context(system_u:object_r:proc_t,s0)
genfscon proc /sysvipc gen_context(system_u:object_r:proc_t,s0)
+type proc_afs_t, proc_type;
+genfscon proc /fs/openafs gen_context(system_u:object_r:proc_afs_t,s0)
+
# kernel message interface
type proc_kmsg_t, proc_type;
genfscon proc /kmsg gen_context(system_u:object_r:proc_kmsg_t,mls_systemhigh)
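Review bot: The new `proc_afs_t` declaration has no header comment, while the neighbouring entry is introduced with `# kernel message interface`. Adding a line such as `# AFS state under /proc/fs/openafs` above `type proc_afs_t, proc_type;` keeps the block consistent and tells the reader which interface (`kernel_rw_afs_state`) consumes the type.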
diff --git a/policy/modules/kernel/storage.fc b/policy/modules/kernel/storage.fc
index c2a6e65..af07b7a 100644
--- a/policy/modules/kernel/storage.fc
+++ b/policy/modules/kernel/storage.fc
@@ -32,6 +32,7 @@
/dev/pcd[0-3] -b gen_context(system_u:object_r:removable_device_t,s0)
/dev/pd[a-d][^/]* -b gen_context(system_u:object_r:removable_device_t,s0)
/dev/pg[0-3] -c gen_context(system_u:object_r:removable_device_t,s0)
+/dev/ps3d.* -b gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
/dev/ram.* -b gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
/dev/rawctl -c gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
/dev/rd.* -b gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
diff --git a/policy/modules/kernel/storage.te b/policy/modules/kernel/storage.te
index 717cdfa..69a09c3 100644
--- a/policy/modules/kernel/storage.te
+++ b/policy/modules/kernel/storage.te
@@ -1,5 +1,5 @@
-policy_module(storage,1.4.1)
+policy_module(storage,1.4.2)
########################################
#
diff --git a/policy/modules/system/application.if b/policy/modules/system/application.if
index 3816dac..8e4b8c2 100644
--- a/policy/modules/system/application.if
+++ b/policy/modules/system/application.if
@@ -63,6 +63,26 @@ interface(`application_exec',`
########################################
##
+## Execute all executable files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+##
+#
+interface(`application_exec_all',`
+ corecmd_dontaudit_exec_all_executables($1)
+ corecmd_exec_bin($1)
+ corecmd_exec_shell($1)
+ corecmd_exec_chroot($1)
+
+ application_exec($1)
+')
+
+########################################
+##
## Create a domain which can be started by users
##
##
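Review bot: The summary of `application_exec_all` says "Execute all executable files", but the first call is `corecmd_dontaudit_exec_all_executables($1)`, which suppresses audit records rather than granting execute. The summary should describe what is granted, for example `## Execute bin, shell, chroot and application entrypoint files, and do not audit attempts to execute other executables.` Because the dontaudit hides denials for every caller, a short why-comment on that line would help anyone who later has to debug or monitor a blocked exec in these domains.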
diff --git a/policy/modules/system/application.te b/policy/modules/system/application.te
index 94c7aac..cb06708 100644
--- a/policy/modules/system/application.te
+++ b/policy/modules/system/application.te
@@ -1,5 +1,5 @@
-policy_module(application,1.0.0)
+policy_module(application,1.0.1)
# Attribute of user applications
attribute application_domain_type;
diff --git a/policy/modules/system/authlogin.fc b/policy/modules/system/authlogin.fc
index a882151..2cb9e78 100644
--- a/policy/modules/system/authlogin.fc
+++ b/policy/modules/system/authlogin.fc
@@ -13,6 +13,7 @@
/sbin/pam_console_apply -- gen_context(system_u:object_r:pam_console_exec_t,s0)
/sbin/pam_timestamp_check -- gen_context(system_u:object_r:pam_exec_t,s0)
/sbin/unix_chkpwd -- gen_context(system_u:object_r:chkpwd_exec_t,s0)
+/sbin/unix_update -- gen_context(system_u:object_r:updpwd_exec_t,s0)
/sbin/unix_verify -- gen_context(system_u:object_r:chkpwd_exec_t,s0)
ifdef(`distro_suse', `
/sbin/unix2_chkpwd -- gen_context(system_u:object_r:chkpwd_exec_t,s0)
diff --git a/policy/modules/system/authlogin.if b/policy/modules/system/authlogin.if
index fc5889d..47ac2c3 100644
--- a/policy/modules/system/authlogin.if
+++ b/policy/modules/system/authlogin.if
@@ -26,7 +26,8 @@ template(`authlogin_common_auth_domain_template',`
type $1_chkpwd_t, can_read_shadow_passwords;
application_domain($1_chkpwd_t,chkpwd_exec_t)
- allow $1_chkpwd_t self:capability { audit_control setuid };
+ allow $1_chkpwd_t self:capability { dac_override setuid };
+ dontaudit $1_chkpwd_t self:capability sys_tty_config;
allow $1_chkpwd_t self:process getattr;
files_list_etc($1_chkpwd_t)
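Review bot: `dac_override` is a broad capability to hand to `$1_chkpwd_t`, a domain that carries `can_read_shadow_passwords`, and the hunk gives no reason for it. If it is needed because the helper runs setuid and must open files it does not own, say so in a comment above the rule, e.g. `# unix_chkpwd opens files it does not own - confirm the exact denial`; if only read access is needed, a narrower capability may be enough. The new `dontaudit ... sys_tty_config` line would also benefit from a note on which program triggers the denial. The template body continues outside the hunk.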
@@ -106,9 +107,6 @@ template(`authlogin_per_role_template',`
role $3 types $1_chkpwd_t;
role $3 types system_chkpwd_t;
- # cjp: is this really needed?
- allow $2 self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay };
-
dontaudit $2 shadow_t:file { getattr read };
# Transition from the user domain to this domain.
@@ -169,6 +167,9 @@ template(`auth_domtrans_user_chk_passwd',`
##
#
interface(`auth_login_pgm_domain',`
+ gen_require(`
+ type var_auth_t;
+ ')
domain_type($1)
domain_subj_id_change_exemption($1)
@@ -176,11 +177,22 @@ interface(`auth_login_pgm_domain',`
domain_obj_id_change_exemption($1)
role system_r types $1;
+ files_list_var_lib($1)
+ manage_files_pattern($1, var_auth_t, var_auth_t)
+
+ # needed for afs - https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=253321
+ kernel_rw_afs_state($1)
+
# for SSP/ProPolice
dev_read_urand($1)
+ # for fingerprint readers
+ dev_rw_input_dev($1)
+ dev_rw_generic_usb_dev($1)
files_read_etc_files($1)
+ fs_list_auto_mountpoints($1)
+
selinux_get_fs_mount($1)
selinux_validate_context($1)
selinux_compute_access_vector($1)
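Review bot: `dev_rw_input_dev($1)` and `dev_rw_generic_usb_dev($1)` are added unconditionally, so every domain passed to `auth_login_pgm_domain` gains read/write on input and generic USB device nodes even on systems without a fingerprint reader. Read access to input devices exposes keyboard events to the login program domain, so this is worth gating: wrap the two calls in a `tunable_policy` block keyed on a boolean (placeholder name, e.g. `<fingerprint_auth_boolean>`) that defaults to off. The same question applies to `kernel_rw_afs_state($1)`, which is only useful where AFS is installed. The interface body starts and ends outside this hunk.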
@@ -196,16 +208,20 @@ interface(`auth_login_pgm_domain',`
mls_fd_share_all_levels($1)
auth_domtrans_chk_passwd($1)
+ auth_domtrans_upd_passwd($1)
auth_dontaudit_read_shadow($1)
auth_read_login_records($1)
auth_append_login_records($1)
auth_rw_lastlog($1)
- auth_append_faillog($1)
+ auth_rw_faillog($1)
auth_exec_pam($1)
+ auth_use_nsswitch($1)
init_rw_utmp($1)
+ logging_send_audit_msgs($1)
logging_send_syslog_msg($1)
+# logging_set_loginuid($1)
seutil_read_config($1)
seutil_read_default_contexts($1)
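Review bot: Replacing `auth_append_faillog($1)` with `auth_rw_faillog($1)` lets every login program domain read and rewrite the failed-login log instead of only appending to it, and no comment records why. If the reason is that failure counters must be reset after a successful login (presumably; confirm), state it in a comment above the call so the loss of append-only protection on that log is a documented decision. The commented-out `# logging_set_loginuid($1)` should either be removed or carry a note saying why it is disabled. The interface body continues outside the hunk.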
@@ -309,11 +325,8 @@ interface(`auth_domtrans_chk_passwd',`
type system_chkpwd_t, chkpwd_exec_t, shadow_t;
')
- # cjp: is this really needed?
- allow $1 self:capability audit_control;
-
corecmd_search_bin($1)
- domtrans_pattern($1,chkpwd_exec_t,system_chkpwd_t)
+ domtrans_pattern($1, chkpwd_exec_t, system_chkpwd_t)
dontaudit $1 shadow_t:file { getattr read };
@@ -347,6 +360,86 @@ interface(`auth_domtrans_chk_passwd',`
########################################
##
+## Execute chkpwd programs in the chkpwd domain.
+##
+##
+##
+## Domain allowed access.
+##
+##
+##
+##
+## The role to allow the updpwd domain.
+##
+##
+##
+##
+## The type of the terminal allow the updpwd domain to use.
+##
+##
+#
+interface(`auth_run_chk_passwd',`
+ gen_require(`
+ type system_chkpwd_t;
+ ')
+
+ auth_domtrans_chk_passwd($1)
+ role $2 types system_chkpwd_t;
+ allow system_chkpwd_t $3:chr_file rw_file_perms;
+')
+
+########################################
+##
+## Execute a domain transition to run unix_update.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`auth_domtrans_upd_passwd',`
+ gen_require(`
+ type updpwd_t, updpwd_exec_t;
+ ')
+
+ domtrans_pattern($1,updpwd_exec_t,updpwd_t)
+ auth_dontaudit_read_shadow($1)
+
+')
+
+########################################
+##
+## Execute updpwd programs in the updpwd domain.
+##
+##
+##
+## Domain allowed access.
+##
+##
+##
+##
+## The role to allow the updpwd domain.
+##
+##
+##
+##
+## The type of the terminal allow the updpwd domain to use.
+##
+##
+#
+interface(`auth_run_upd_passwd',`
+ gen_require(`
+ type updpwd_t;
+ ')
+
+ auth_domtrans_upd_passwd($1)
+ role $2 types updpwd_t;
+ allow updpwd_t $3:chr_file rw_file_perms;
+')
+
+########################################
+##
## Get the attributes of the shadow passwords file.
##
##
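Review bot: The parameter descriptions of `auth_run_chk_passwd` were copied from the updpwd interface: they read "The role to allow the updpwd domain" and "The type of the terminal allow the updpwd domain to use", while the body grants `system_chkpwd_t`. They should read `## The role to allow the chkpwd domain.` and `## The type of the terminal to allow the chkpwd domain to use.`; the same "terminal allow" wording should be fixed in `auth_run_upd_passwd`. `auth_domtrans_upd_passwd` also has a stray blank line before its closing `')`.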
@@ -695,6 +788,24 @@ interface(`auth_domtrans_pam',`
########################################
##
+## Execute pam programs in the pam domain.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`auth_signal_pam',`
+ gen_require(`
+ type pam_t;
+ ')
+
+ allow $1 pam_t:process signal;
+')
+
+########################################
+##
## Execute pam programs in the PAM domain.
##
##
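Review bot: The summary of `auth_signal_pam` is a copy of the one on `auth_domtrans_pam` ("Execute pam programs in the pam domain"), but the body only contains `allow $1 pam_t:process signal;`. It should read `## Send generic signals to pam.` so that the generated interface documentation does not suggest this interface grants a domain transition.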
@@ -1318,16 +1429,14 @@ interface(`auth_manage_login_records',`
##
#
interface(`auth_use_nsswitch',`
- gen_require(`
- type var_auth_t;
- ')
allow $1 self:netlink_route_socket r_netlink_socket_perms;
- allow $1 var_auth_t:dir list_dir_perms;
- allow $1 var_auth_t:file manage_file_perms;
files_list_var_lib($1)
+ # read /etc/nsswitch.conf
+ files_read_etc_files($1)
+
miscfiles_read_certs($1)
sysnet_dns_name_resolve($1)
@@ -1347,6 +1456,7 @@ interface(`auth_use_nsswitch',`
optional_policy(`
samba_stream_connect_winbind($1)
+ samba_read_var_files($1)
')
')
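Review bot: `samba_read_var_files($1)` is added inside `auth_use_nsswitch`, so every domain that resolves names through nsswitch gains read access to Samba's var files whenever the samba module is present. A comment above the call stating which winbind file the lookup needs would document the grant, and if only a specific file or socket is required a narrower samba interface would be preferable (confirm what the denial was). The `optional_policy` block starts outside the hunk.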
diff --git a/policy/modules/system/authlogin.te b/policy/modules/system/authlogin.te
index d4765bf..c9b2cc6 100644
--- a/policy/modules/system/authlogin.te
+++ b/policy/modules/system/authlogin.te
@@ -1,5 +1,5 @@
-policy_module(authlogin,1.8.1)
+policy_module(authlogin,1.8.2)
########################################
#
@@ -49,6 +49,12 @@ neverallow ~can_read_shadow_passwords shadow_t:file read;
neverallow ~can_write_shadow_passwords shadow_t:file { create write };
neverallow ~can_relabelto_shadow_passwords shadow_t:file relabelto;
+type updpwd_t;
+type updpwd_exec_t;
+domain_type(updpwd_t)
+domain_entry_file(updpwd_t,updpwd_exec_t)
+role system_r types updpwd_t;
+
type utempter_t;
type utempter_exec_t;
application_domain(utempter_t,utempter_exec_t)
@@ -94,10 +100,14 @@ allow pam_t pam_tmp_t:dir manage_dir_perms;
allow pam_t pam_tmp_t:file manage_file_perms;
files_tmp_filetrans(pam_t, pam_tmp_t, { file dir })
+auth_use_nsswitch(pam_t)
+
kernel_read_system_state(pam_t)
fs_search_auto_mountpoints(pam_t)
+miscfiles_read_localization(pam_t)
+
term_use_all_user_ttys(pam_t)
term_use_all_user_ptys(pam_t)
@@ -149,6 +159,8 @@ dev_getattr_apm_bios_dev(pam_console_t)
dev_setattr_apm_bios_dev(pam_console_t)
dev_getattr_dri_dev(pam_console_t)
dev_setattr_dri_dev(pam_console_t)
+dev_getattr_input_dev(pam_console_t)
+dev_setattr_input_dev(pam_console_t)
dev_getattr_framebuffer_dev(pam_console_t)
dev_setattr_framebuffer_dev(pam_console_t)
dev_getattr_generic_usb_dev(pam_console_t)
@@ -159,6 +171,8 @@ dev_getattr_mouse_dev(pam_console_t)
dev_setattr_mouse_dev(pam_console_t)
dev_getattr_power_mgmt_dev(pam_console_t)
dev_setattr_power_mgmt_dev(pam_console_t)
+dev_getattr_printer_dev(pam_console_t)
+dev_setattr_printer_dev(pam_console_t)
dev_getattr_scanner_dev(pam_console_t)
dev_setattr_scanner_dev(pam_console_t)
dev_getattr_sound_dev(pam_console_t)
@@ -200,6 +214,7 @@ files_read_etc_runtime_files(pam_console_t)
fs_list_auto_mountpoints(pam_console_t)
fs_list_noxattr_fs(pam_console_t)
+fs_getattr_all_fs(pam_console_t)
init_use_fds(pam_console_t)
init_use_script_ptys(pam_console_t)
@@ -236,7 +251,7 @@ optional_policy(`
optional_policy(`
xserver_read_xdm_pid(pam_console_t)
- xserver_use_xdm_fds(pam_t)
+ xserver_dontaudit_write_log(pam_console_t)
')
########################################
@@ -259,6 +274,34 @@ userdom_dontaudit_use_sysadm_terms(system_chkpwd_t)
########################################
#
+# updpwd local policy
+#
+
+allow updpwd_t self:process setfscreate;
+allow updpwd_t self:fifo_file { read write };
+allow updpwd_t self:unix_stream_socket create_stream_socket_perms;
+allow updpwd_t self:unix_dgram_socket create_socket_perms;
+
+kernel_read_system_state(updpwd_t)
+
+files_manage_etc_files(updpwd_t)
+
+term_dontaudit_use_console(updpwd_t)
+term_dontaudit_use_console(updpwd_t)
+term_dontaudit_use_unallocated_ttys(updpwd_t)
+
+auth_manage_shadow(updpwd_t)
+auth_use_nsswitch(updpwd_t)
+
+libs_use_ld_so(updpwd_t)
+libs_use_shared_libs(updpwd_t)
+
+logging_send_syslog_msg(updpwd_t)
+
+miscfiles_read_localization(updpwd_t)
+
+########################################
+#
# Utempter local policy
#
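Review bot: `term_dontaudit_use_console(updpwd_t)` appears twice in a row in the new updpwd block; the second line is either redundant or was meant to be a different terminal interface, so drop it or replace it with the intended call. Separately, `files_manage_etc_files(updpwd_t)` gives a domain that also has `auth_manage_shadow` full manage rights on all generic etc files; a comment naming the files unix_update has to rewrite (confirm which) would document that breadth and make it easier to narrow later.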