diff --git a/refpolicy/policy/modules/system/authlogin.if b/refpolicy/policy/modules/system/authlogin.if index d9657ab..24613b8 100644 --- a/refpolicy/policy/modules/system/authlogin.if +++ b/refpolicy/policy/modules/system/authlogin.if @@ -72,10 +72,10 @@ class unix_dgram_socket { create read getattr write setattr append bind connect ####################################### # -# authlogin_make_login_program_entrypoint(type,[`optional']) +# authlogin_make_login_program_entrypoint(domain) # define(`authlogin_make_login_program_entrypoint',` -requires_block_template(authlogin_make_login_program_entrypoint_depend,$2) +requires_block_template(authlogin_make_login_program_entrypoint_depend) domain_make_entrypoint_file($1,login_exec_t) ') @@ -86,10 +86,10 @@ domain_make_entrypoint_file_depend ####################################### # -# authlogin_check_password_transition(type,[`optional']) +# authlogin_check_password_transition(domain) # define(`authlogin_check_password_transition',` -requires_block_template(authlogin_check_password_transition_depend,$2) +requires_block_template(authlogin_check_password_transition_depend) allow $1 chkpwd_exec_t:file { getattr read execute }; allow $1 system_chkpwd_t:process transition; dontaudit $1 shadow_t:file { getattr read }; @@ -108,10 +108,10 @@ class process transition; ####################################### # -# authlogin_modify_login_records(type,[`optional']) +# authlogin_modify_login_records(domain) # define(`authlogin_modify_login_records',` -requires_block_template(authlogin_modify_login_records_depend,$2) +requires_block_template(authlogin_modify_login_records_depend) allow $1 wtmp_t:file { getattr read write setattr }; ') 
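Review bot: Removing the second argument from `authlogin_make_login_program_entrypoint`, `authlogin_check_password_transition` and `authlogin_modify_login_records` does not make stale callers fail, because m4 silently ignores surplus macro arguments: a module still calling `authlogin_check_password_transition(foo_t, `optional')` expands without error and simply loses whatever the old `$2` did inside requires_block_template. It is worth grepping the tree for two-argument uses of these interfaces in the same change, and, if the old form is meant to be rejected, making the macro complain when `$2` is non-empty rather than relying on the updated signature comment. The body of `authlogin_check_password_transition` continues past the end of its hunk, so its remaining rules are not reviewed here.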
@@ -122,10 +122,10 @@ class file { getattr read write setattr }; ####################################### # -# authlogin_read_shadow_passwords(type,[`optional']) +# authlogin_read_shadow_passwords(domain) # define(`authlogin_read_shadow_passwords',` -requires_block_template(authlogin_read_shadow_passwords_depend,$2) +requires_block_template(authlogin_read_shadow_passwords_depend) allow $1 shadow_t:file { getattr read }; typeattribute $1 can_read_shadow_passwords; ') @@ -138,10 +138,10 @@ class file { getattr read }; ####################################### # -# authlogin_ignore_read_shadow_passwords(type,[`optional']) +# authlogin_ignore_read_shadow_passwords(domain) # define(`authlogin_ignore_read_shadow_passwords',` -requires_block_template(authlogin_ignore_read_shadow_passwords_depend,$2) +requires_block_template(authlogin_ignore_read_shadow_passwords_depend) dontaudit $1 shadow_t:file { getattr read }; ') @@ -152,10 +152,10 @@ class file { getattr read }; ####################################### # -# authlogin_modify_shadow_passwords(type,[`optional']) +# authlogin_modify_shadow_passwords(domain) # define(`authlogin_modify_shadow_passwords',` -requires_block_template(authlogin_modify_shadow_passwords_depend,$2) +requires_block_template(authlogin_modify_shadow_passwords_depend) allow $1 shadow_t:file { getattr read write }; typeattribute $1 can_read_shadow_passwords; typeattribute $1 can_write_shadow_passwords; @@ -170,10 +170,10 @@ class file { getattr read write }; ####################################### # -# authlogin_modify_last_login_log(type,[`optional']) +# authlogin_modify_last_login_log(domain) # define(`authlogin_modify_last_login_log',` -requires_block_template(authlogin_modify_last_login_log_depend,$2) +requires_block_template(authlogin_modify_last_login_log_depend) allow $1 lastlog_t:file { getattr read write setattr }; ') 
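Review bot: The shadow-password interfaces still carry no description beyond the `(domain)` signature line, and their effect is broader than the name suggests: `authlogin_modify_shadow_passwords` grants `{ getattr read write }` on shadow_t and also adds the caller to both can_read_shadow_passwords and can_write_shadow_passwords, while `authlogin_ignore_read_shadow_passwords` only dontaudits and grants nothing. Since those attributes are presumably what other policy keys constraints or neverallow rules off (not visible in this file), a one-line header under each signature would help callers pick the right one, e.g. `# Grants read and write on shadow_t and tags the domain with can_read/can_write_shadow_passwords.` for the modify interface and `# Silences, but does not permit, reads of shadow_t.` for the ignore interface.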
@@ -181,3 +181,19 @@ define(`authlogin_modify_last_login_log_depend',` type lastlog_t; class file { getattr read write setattr }; ') + +####################################### +# +# authlogin_read_pam_runtime_data(domain) +# +define(`authlogin_read_pam_runtime_data',` +requires_block_template(authlogin_read_pam_runtime_data_depend) +# FIXME: search var_t +# FIXME: search var_run_t +allow $1 pam_var_run_t:file { getattr read }; +') + +define(`authlogin_read_pam_runtime_data_depend',` +type lastlog_t; +class file { getattr read }; +')
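Review bot: The new `authlogin_read_pam_runtime_data_depend` block declares `type lastlog_t;` (apparently copied from authlogin_modify_last_login_log_depend) but the rule it supports references `pam_var_run_t`, so a module relying on this depend block would not declare the one type it actually uses; it should read `type pam_var_run_t;`. The two FIXMEs are security-relevant rather than cosmetic: without search on the directories leading to the file, the allow on `pam_var_run_t:file { getattr read }` is ineffective unless the caller already obtains that elsewhere, so either add the directory search rules here or state in a header comment that the caller must supply them. Like the other interfaces, this one would also benefit from a purpose line, e.g. `# Read PAM runtime data files (pam_var_run_t).`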