diff --git a/refpolicy/policy/modules/system/authlogin.if b/refpolicy/policy/modules/system/authlogin.if index 89c56c2..9cc216e 100644 --- a/refpolicy/policy/modules/system/authlogin.if +++ b/refpolicy/policy/modules/system/authlogin.if @@ -682,3 +682,33 @@ interface(`auth_manage_login_records',` logging_rw_log_dir($1) allow $1 wtmp_t:file create_file_perms; ') + +######################################## +## +## Unconfined access to the authlogin module. +## +## +##

+## Unconfined access to the authlogin module. +##

+##

+## Currently, this only allows assertions for +## the shadow passwords file (/etc/shadow) to +## be passed. No access is granted yet. +##

+##
+## +## Domain allowed access. +## +# +interface(`auth_unconfined',` + gen_require(` + attribute can_read_shadow_passwords; + attribute can_write_shadow_passwords; + attribute can_relabelto_shadow_passwords; + ') + + typeattribute $1 can_read_shadow_passwords; + typeattribute $1 can_write_shadow_passwords; + typeattribute $1 can_relabelto_shadow_passwords; +') diff --git a/refpolicy/policy/modules/system/mount.te b/refpolicy/policy/modules/system/mount.te index 19ed6b1..cb9d29a 100644 --- a/refpolicy/policy/modules/system/mount.te +++ b/refpolicy/policy/modules/system/mount.te @@ -116,7 +116,7 @@ optional_policy(`portmap.te', ` ') # for kernel package installation -optional_policy(`mount.te', ` +optional_policy(`rpm.te', ` rpm_rw_pipe(mount_t) ') diff --git a/refpolicy/policy/modules/system/unconfined.if b/refpolicy/policy/modules/system/unconfined.if index d2e306e..1ffc6f3 100644 --- a/refpolicy/policy/modules/system/unconfined.if +++ b/refpolicy/policy/modules/system/unconfined.if @@ -37,10 +37,8 @@ template(`unconfined_domain_template',` allow $1 self:process execmem; ') - # to satisfy assertions: optional_policy(`authlogin.te',` - auth_manage_shadow($1) - auth_relabelto_shadow($1) + auth_unconfined($1) ') optional_policy(`bootloader.te',` @@ -136,7 +134,7 @@ interface(`unconfined_shell_domtrans',` type unconfined_t; ') - corecmd_domtrans_shell($1,unconfined_t) + corecmd_shell_domtrans($1,unconfined_t) ') ######################################## diff --git a/refpolicy/policy/modules/system/unconfined.te b/refpolicy/policy/modules/system/unconfined.te index 48845cc..80a543d 100644 --- a/refpolicy/policy/modules/system/unconfined.te +++ b/refpolicy/policy/modules/system/unconfined.te @@ -25,7 +25,7 @@ ifdef(`targeted_policy',` # Define some type aliases to help with compatibility with # macros and domains from the "strict" policy. -# typealias unconfined_t alias { logrotate_t sendmail_t sshd_t secadm_t sysadm_t rpm_t rpm_script_t xdm_t }; + typealias unconfined_t alias { logrotate_t sendmail_t sshd_t secadm_t sysadm_t rpm_t rpm_script_t xdm_t }; init_domtrans_script(unconfined_t)