Here's a patch I built against the main policy for F15 that removes the macros named with except_shadow and replaces them with except_auth_file equivalents. It adds a new attribute, "authentication_file_type", declared in authlogin.te, and a new macro in files.te, "files_authentication_file", that assigns the attribute to a file type. shadow_t is given the authentication_file_type attribute. I don't *think* I broke anything with this patch. My git skills are poor, but this diff reproduces the changes I made.
diff --git a/policy/modules/admin/dpkg.te b/policy/modules/admin/dpkg.te
index cae6e96..5950768 100644
--- a/policy/modules/admin/dpkg.te
+++ b/policy/modules/admin/dpkg.te
@@ -140,8 +140,8 @@ storage_raw_write_fixed_disk(dpkg_t)
 # for installing kernel packages
 storage_raw_read_fixed_disk(dpkg_t)
 
-auth_relabel_all_files_except_shadow(dpkg_t)
-auth_manage_all_files_except_shadow(dpkg_t)
+auth_relabel_all_files_except_auth_file(dpkg_t)
+auth_manage_all_files_except_auth_file(dpkg_t)
 auth_dontaudit_read_shadow(dpkg_t)
 
 files_exec_etc_files(dpkg_t)
@@ -291,7 +291,7 @@ term_use_all_inherited_terms(dpkg_script_t)
 
 auth_dontaudit_getattr_shadow(dpkg_script_t)
 # ideally we would not need this
-auth_manage_all_files_except_shadow(dpkg_script_t)
+auth_manage_all_files_except_auth_file(dpkg_script_t)
 
 init_domtrans_script(dpkg_script_t)
 init_use_script_fds(dpkg_script_t)
diff --git a/policy/modules/admin/portage.if b/policy/modules/admin/portage.if
index adde889..c863a60 100644
--- a/policy/modules/admin/portage.if
+++ b/policy/modules/admin/portage.if
@@ -170,9 +170,9 @@ interface(`portage_compile_domain',`
 	# needed for merging dbus:
 	selinux_compute_access_vector($1)
 
-	auth_read_all_dirs_except_shadow($1)
-	auth_read_all_files_except_shadow($1)
-	auth_read_all_symlinks_except_shadow($1)
+	auth_read_all_dirs_except_auth_file($1)
+	auth_read_all_files_except_auth_file($1)
+	auth_read_all_symlinks_except_auth_file($1)
 
 	libs_exec_lib_files($1)
 	# some config scripts use ldd
diff --git a/policy/modules/admin/rpm.te b/policy/modules/admin/rpm.te
index 0b100a8..905add9 100644
--- a/policy/modules/admin/rpm.te
+++ b/policy/modules/admin/rpm.te
@@ -172,8 +172,8 @@ storage_raw_read_fixed_disk(rpm_t)
 
 term_list_ptys(rpm_t)
 
-auth_relabel_all_files_except_shadow(rpm_t)
-auth_manage_all_files_except_shadow(rpm_t)
+auth_relabel_all_files_except_auth_file(rpm_t)
+auth_manage_all_files_except_auth_file(rpm_t)
 auth_dontaudit_read_shadow(rpm_t)
 auth_use_nsswitch(rpm_t)
 
@@ -326,7 +326,7 @@ term_use_all_inherited_terms(rpm_script_t)
 auth_dontaudit_getattr_shadow(rpm_script_t)
 auth_use_nsswitch(rpm_script_t)
 # ideally we would not need this
-auth_manage_all_files_except_shadow(rpm_script_t)
+auth_manage_all_files_except_auth_file(rpm_script_t)
 auth_relabel_shadow(rpm_script_t)
 
 corecmd_exec_all_executables(rpm_script_t)
diff --git a/policy/modules/admin/sosreport.te b/policy/modules/admin/sosreport.te
index 7660180..95791d1 100644
--- a/policy/modules/admin/sosreport.te
+++ b/policy/modules/admin/sosreport.te
@@ -80,7 +80,7 @@ fs_list_inotifyfs(sosreport_t)
 
 # some config files do not have configfile attribute
 # sosreport needs to read various files on system
-auth_read_all_files_except_shadow(sosreport_t)
+auth_read_all_files_except_auth_file(sosreport_t)
 auth_use_nsswitch(sosreport_t)
 
 init_domtrans_script(sosreport_t)
diff --git a/policy/modules/admin/sxid.te b/policy/modules/admin/sxid.te
index 689b2fd..c41ac75 100644
--- a/policy/modules/admin/sxid.te
+++ b/policy/modules/admin/sxid.te
@@ -66,7 +66,7 @@ fs_list_all(sxid_t)
 
 term_dontaudit_use_console(sxid_t)
 
-auth_read_all_files_except_shadow(sxid_t)
+auth_read_all_files_except_auth_file(sxid_t)
 auth_dontaudit_getattr_shadow(sxid_t)
 
 init_use_fds(sxid_t)
diff --git a/policy/modules/kernel/kernel.te b/policy/modules/kernel/kernel.te
index 30d03e3..e4da90c 100644
--- a/policy/modules/kernel/kernel.te
+++ b/policy/modules/kernel/kernel.te
@@ -375,9 +375,9 @@ optional_policy(`
 		fs_read_noxattr_fs_files(kernel_t)
 		fs_read_noxattr_fs_symlinks(kernel_t)
 
-		auth_read_all_dirs_except_shadow(kernel_t)
-		auth_read_all_files_except_shadow(kernel_t)
-		auth_read_all_symlinks_except_shadow(kernel_t)
+		auth_read_all_dirs_except_auth_file(kernel_t)
+		auth_read_all_files_except_auth_file(kernel_t)
+		auth_read_all_symlinks_except_auth_file(kernel_t)
 	')
 
 	tunable_policy(`nfs_export_all_rw',`
@@ -386,7 +386,7 @@ optional_policy(`
 		fs_read_noxattr_fs_files(kernel_t)
 		fs_read_noxattr_fs_symlinks(kernel_t)
 
-		auth_manage_all_files_except_shadow(kernel_t)
+		auth_manage_all_files_except_auth_file(kernel_t)
 	')
 ')
 
diff --git a/policy/modules/roles/secadm.te b/policy/modules/roles/secadm.te
index cce681a..c60c7e9 100644
--- a/policy/modules/roles/secadm.te
+++ b/policy/modules/roles/secadm.te
@@ -32,7 +32,7 @@ mls_file_upgrade(secadm_t)
 mls_file_downgrade(secadm_t)
 
 auth_role(secadm_r, secadm_t)
-auth_relabel_all_files_except_shadow(secadm_t)
+auth_relabel_all_files_except_auth_file(secadm_t)
 auth_relabel_shadow(secadm_t)
 
 init_exec(secadm_t)
diff --git a/policy/modules/services/ftp.te b/policy/modules/services/ftp.te
index 0e56a5d..9aa3809 100644
--- a/policy/modules/services/ftp.te
+++ b/policy/modules/services/ftp.te
@@ -280,7 +280,7 @@ tunable_policy(`allow_ftpd_use_nfs && allow_ftpd_anon_write',`
 
 tunable_policy(`allow_ftpd_full_access',`
 	allow ftpd_t self:capability { dac_override dac_read_search };
-	auth_manage_all_files_except_shadow(ftpd_t)
+	auth_manage_all_files_except_auth_file(ftpd_t)
 ')
 
 tunable_policy(`ftp_home_dir',`
@@ -419,7 +419,7 @@ userdom_dontaudit_list_admin_dir(sftpd_t)
 tunable_policy(`sftpd_full_access',`
 	allow sftpd_t self:capability { dac_override dac_read_search };
 	fs_read_noxattr_fs_files(sftpd_t)
-	auth_manage_all_files_except_shadow(sftpd_t)
+	auth_manage_all_files_except_auth_file(sftpd_t)
 ')
 
 tunable_policy(`sftpd_write_ssh_home',`
@@ -453,7 +453,7 @@ tunable_policy(`sftpd_enable_homedirs && use_samba_home_dirs',`
 tunable_policy(`sftpd_full_access',`
 	allow sftpd_t self:capability { dac_override dac_read_search };
 	fs_read_noxattr_fs_files(sftpd_t)
-	auth_manage_all_files_except_shadow(sftpd_t)
+	auth_manage_all_files_except_auth_file(sftpd_t)
 ')
 
 tunable_policy(`use_samba_home_dirs',`
diff --git a/policy/modules/services/puppet.te b/policy/modules/services/puppet.te
index 1f3974c..58b7f8c 100644
--- a/policy/modules/services/puppet.te
+++ b/policy/modules/services/puppet.te
@@ -147,7 +147,7 @@ sysnet_dns_name_resolve(puppet_t)
 sysnet_run_ifconfig(puppet_t, system_r)
 
 tunable_policy(`puppet_manage_all_files',`
-	auth_manage_all_files_except_shadow(puppet_t)
+	auth_manage_all_files_except_auth_file(puppet_t)
 ')
 
 optional_policy(`
diff --git a/policy/modules/services/rgmanager.te b/policy/modules/services/rgmanager.te
index 034544f..22819ee 100644
--- a/policy/modules/services/rgmanager.te
+++ b/policy/modules/services/rgmanager.te
@@ -100,7 +100,7 @@ storage_getattr_fixed_disk_dev(rgmanager_t)
 term_getattr_pty_fs(rgmanager_t)
 
 # needed by resources scripts
-auth_read_all_files_except_shadow(rgmanager_t)
+auth_read_all_files_except_auth_file(rgmanager_t)
 auth_dontaudit_getattr_shadow(rgmanager_t)
 auth_use_nsswitch(rgmanager_t)
 
diff --git a/policy/modules/services/rpc.te b/policy/modules/services/rpc.te
index 446729b..3b9ff9f 100644
--- a/policy/modules/services/rpc.te
+++ b/policy/modules/services/rpc.te
@@ -176,7 +176,7 @@ tunable_policy(`nfs_export_all_rw',`
 	dev_getattr_all_chr_files(nfsd_t)
 	fs_read_noxattr_fs_files(nfsd_t)
 
-	auth_manage_all_files_except_shadow(nfsd_t)
+	auth_manage_all_files_except_auth_file(nfsd_t)
 ')
 
 tunable_policy(`nfs_export_all_ro',`
@@ -188,8 +188,8 @@ tunable_policy(`nfs_export_all_ro',`
 
 	fs_read_noxattr_fs_files(nfsd_t)
 
-	auth_read_all_dirs_except_shadow(nfsd_t)
-	auth_read_all_files_except_shadow(nfsd_t)
+	auth_read_all_dirs_except_auth_file(nfsd_t)
+	auth_read_all_files_except_auth_file(nfsd_t)
 ')
 
 ########################################
diff --git a/policy/modules/services/rsync.te b/policy/modules/services/rsync.te
index 5e7b7cf..22a5c02 100644
--- a/policy/modules/services/rsync.te
+++ b/policy/modules/services/rsync.te
@@ -132,9 +132,9 @@ tunable_policy(`rsync_export_all_ro',`
 	fs_read_noxattr_fs_files(rsync_t)
 	fs_read_nfs_files(rsync_t)
 	fs_read_cifs_files(rsync_t)
-	auth_read_all_dirs_except_shadow(rsync_t)
-	auth_read_all_files_except_shadow(rsync_t)
-	auth_read_all_symlinks_except_shadow(rsync_t)
+	auth_read_all_dirs_except_auth_file(rsync_t)
+	auth_read_all_files_except_auth_file(rsync_t)
+	auth_read_all_symlinks_except_auth_file(rsync_t)
 	auth_tunable_read_shadow(rsync_t)
 ')
 
diff --git a/policy/modules/services/samba.te b/policy/modules/services/samba.te
index 941f823..3da2bb2 100644
--- a/policy/modules/services/samba.te
+++ b/policy/modules/services/samba.te
@@ -447,18 +447,18 @@ userdom_home_filetrans_user_home_dir(smbd_t)
 
 tunable_policy(`samba_export_all_ro',`
 	fs_read_noxattr_fs_files(smbd_t)
-	auth_read_all_dirs_except_shadow(smbd_t)
-	auth_read_all_files_except_shadow(smbd_t)
+	auth_read_all_dirs_except_auth_file(smbd_t)
+	auth_read_all_files_except_auth_file(smbd_t)
 	fs_read_noxattr_fs_files(nmbd_t)
-	auth_read_all_dirs_except_shadow(nmbd_t)
-	auth_read_all_files_except_shadow(nmbd_t)
+	auth_read_all_dirs_except_auth_file(nmbd_t)
+	auth_read_all_files_except_auth_file(nmbd_t)
 ')
 
 tunable_policy(`samba_export_all_rw',`
 	fs_read_noxattr_fs_files(smbd_t)
-	auth_manage_all_files_except_shadow(smbd_t)
+	auth_manage_all_files_except_auth_file(smbd_t)
 	fs_read_noxattr_fs_files(nmbd_t)
-	auth_manage_all_files_except_shadow(nmbd_t)
+	auth_manage_all_files_except_auth_file(nmbd_t)
 ')
 
 userdom_user_home_dir_filetrans_user_home_content(nmbd_t, { file dir })
diff --git a/policy/modules/services/snmp.te b/policy/modules/services/snmp.te
index 5c0d25f..f91571b 100644
--- a/policy/modules/services/snmp.te
+++ b/policy/modules/services/snmp.te
@@ -103,7 +103,7 @@ storage_dontaudit_read_removable_device(snmpd_t)
 storage_dontaudit_write_removable_device(snmpd_t)
 
 auth_use_nsswitch(snmpd_t)
-auth_read_all_dirs_except_shadow(snmpd_t)
+auth_read_all_dirs_except_auth_file(snmpd_t)
 
 init_read_utmp(snmpd_t)
 init_dontaudit_write_utmp(snmpd_t)
diff --git a/policy/modules/system/authlogin.if b/policy/modules/system/authlogin.if
index e053e7d..0292cee 100644
--- a/policy/modules/system/authlogin.if
+++ b/policy/modules/system/authlogin.if
@@ -1321,12 +1321,12 @@ interface(`auth_delete_pam_console_data',`
 ## </summary>
 ## </param>
 #
-interface(`auth_read_all_dirs_except_shadow',`
+interface(`auth_read_all_dirs_except_auth_file',`
 	gen_require(`
-		type shadow_t;
+		attribute authentication_file_type;
 	')
 
-	files_read_all_dirs_except($1, $2 -shadow_t)
+	files_read_all_dirs_except($1, $2 -authentication_file_type)
 ')
 
 ########################################
@@ -1347,12 +1347,12 @@ interface(`auth_read_all_dirs_except_shadow',`
 ## </param>
 ## <rolecap/>
 #
-interface(`auth_read_all_files_except_shadow',`
+interface(`auth_read_all_files_except_auth_file',`
 	gen_require(`
-		type shadow_t;
+		attribute authentication_file_type;
 	')
 
-	files_read_all_files_except($1, $2 -shadow_t)
+	files_read_all_files_except($1, $2 -authentication_file_type)
 ')
 
 ########################################
@@ -1372,12 +1372,12 @@ interface(`auth_read_all_files_except_shadow',`
 ## </summary>
 ## </param>
 #
-interface(`auth_read_all_symlinks_except_shadow',`
+interface(`auth_read_all_symlinks_except_auth_file',`
 	gen_require(`
-		type shadow_t;
+		attribute authentication_file_type;
 	')
 
-	files_read_all_symlinks_except($1, $2 -shadow_t)
+	files_read_all_symlinks_except($1, $2 -authentication_file_type)
 ')
 
 ########################################
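Review bot: The six `interface(` renames in authlogin.if (this hunk at -1321, the two below it, and the three at -1398/-1424/-1450 on the following line) drop the old `auth_*_except_shadow` names with no compatibility shim, so any out-of-tree module that still calls them stops building. The usual refpolicy approach keeps each old name as a deprecated interface that forwards, e.g. `interface(`auth_read_all_dirs_except_shadow',` / `refpolicywarn(`$0($*) has been deprecated, please use auth_read_all_dirs_except_auth_file() instead.')` / `auth_read_all_dirs_except_auth_file($1, $2)`. The `## <summary>` and parameter text for each interface sits above the hunk and presumably still describes the exclusion as the shadow password file; it should now say the types carrying `authentication_file_type`. `auth_rw_all_files_except_shadow` is renamed on the following line but no caller hunk for it appears in the patch, so either it has no in-tree callers or one was missed.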
@@ -1398,12 +1398,12 @@ interface(`auth_read_all_symlinks_except_shadow',`
 ## </param>
 #
-interface(`auth_relabel_all_files_except_shadow',`
+interface(`auth_relabel_all_files_except_auth_file',`
 	gen_require(`
-		type shadow_t;
+		attribute authentication_file_type;
 	')
 
-	files_relabel_all_files($1, $2 -shadow_t)
+	files_relabel_all_files($1, $2 -authentication_file_type)
 ')
 
 ########################################
@@ -1424,12 +1424,12 @@ interface(`auth_relabel_all_files_except_shadow',`
 ## </param>
 #
-interface(`auth_rw_all_files_except_shadow',`
+interface(`auth_rw_all_files_except_auth_file',`
 	gen_require(`
-		type shadow_t;
+		attribute authentication_file_type;
 	')
 
-	files_rw_all_files($1, $2 -shadow_t)
+	files_rw_all_files($1, $2 -authentication_file_type)
 ')
 
 ########################################
@@ -1450,12 +1450,12 @@ interface(`auth_rw_all_files_except_shadow',`
 ## </param>
 #
-interface(`auth_manage_all_files_except_shadow',`
+interface(`auth_manage_all_files_except_auth_file',`
 	gen_require(`
-		type shadow_t;
+		attribute authentication_file_type;
 	')
 
-	files_manage_all_files($1, $2 -shadow_t)
+	files_manage_all_files($1, $2 -authentication_file_type)
 ')
 
 ########################################
diff --git a/policy/modules/system/authlogin.te b/policy/modules/system/authlogin.te
index 335900f..755250d 100644
--- a/policy/modules/system/authlogin.te
+++ b/policy/modules/system/authlogin.te
@@ -19,6 +19,7 @@ gen_tunable(authlogin_radius, false)
 ## </desc>
 gen_tunable(authlogin_nsswitch_use_ldap, false)
 
+attribute authentication_file_type;
 attribute can_read_shadow_passwords;
 attribute can_write_shadow_passwords;
 attribute can_relabelto_shadow_passwords;
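Review bot: `attribute authentication_file_type;` is declared in the system-layer authlogin.te, yet the cover note places the interface that assigns it, `files_authentication_file`, in the kernel-layer files module; a kernel-layer interface that must `gen_require` an attribute from a system-layer module inverts the refpolicy layering and only resolves when authlogin is always linked in. Either declare the attribute in files.te next to `security_file_type` and keep the assigning interface there, or keep the declaration here and provide the assigning interface in authlogin.if under an `auth_` prefix. The declaration also lacks the comment the neighbouring `can_*_shadow_passwords` attributes get by context; something like `# Types holding authentication data, excluded from the auth_*_except_auth_file() interfaces` above it would make the intent visible.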
@@ -66,6 +67,7 @@ files_pid_file(pam_var_run_t)
 
 type shadow_t;
 files_security_file(shadow_t)
+files_authentication_file(shadow_t)
 neverallow ~can_read_shadow_passwords shadow_t:file read;
 neverallow ~can_write_shadow_passwords shadow_t:file { create write };
 neverallow ~can_relabelto_shadow_passwords shadow_t:file relabelto;
diff --git a/policy/modules/system/mount.te b/policy/modules/system/mount.te
index 43f0a0b..93f7513 100644
--- a/policy/modules/system/mount.te
+++ b/policy/modules/system/mount.te
@@ -215,8 +215,8 @@ ifdef(`distro_ubuntu',`
 corecmd_exec_shell(mount_t)
 
 tunable_policy(`allow_mount_anyfile',`
-	auth_read_all_dirs_except_shadow(mount_t)
-	auth_read_all_files_except_shadow(mount_t)
+	auth_read_all_dirs_except_auth_file(mount_t)
+	auth_read_all_files_except_auth_file(mount_t)
 	files_mounton_non_security(mount_t)
 	files_rw_all_inherited_files(mount_t)
 ')
diff --git a/policy/modules/system/selinuxutil.te b/policy/modules/system/selinuxutil.te
index 96406b1..c0d8a82 100644
--- a/policy/modules/system/selinuxutil.te
+++ b/policy/modules/system/selinuxutil.te
@@ -350,8 +350,8 @@ selinux_compute_create_context(restorecond_t)
 selinux_compute_relabel_context(restorecond_t)
 selinux_compute_user_contexts(restorecond_t)
 
-auth_relabel_all_files_except_shadow(restorecond_t )
-auth_read_all_files_except_shadow(restorecond_t)
+auth_relabel_all_files_except_auth_file(restorecond_t )
+auth_read_all_files_except_auth_file(restorecond_t)
 auth_use_nsswitch(restorecond_t)
 
 locallogin_dontaudit_use_fds(restorecond_t)
@@ -478,7 +478,7 @@ selinux_set_all_booleans(semanage_t)
 can_exec(semanage_t, semanage_exec_t)
 
 # Admins are creating pp files in random locations
-auth_read_all_files_except_shadow(semanage_t)
+auth_read_all_files_except_auth_file(semanage_t)
 seutil_manage_file_contexts(semanage_t)
 seutil_manage_config(semanage_t)
 
diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
index b0955cf..593b710 100644
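Review bot: `files_authentication_file(shadow_t)` calls an interface that no hunk in this patch defines; the files.if/files.te change the cover note mentions is absent from the diff, so as posted the policy build fails at this line. The three `neverallow` rules beneath it still key on `shadow_t` alone, so any other type later given `authentication_file_type` is excluded from the broad `*_except_auth_file` interfaces but inherits none of these guards; if that split is intended it deserves a comment, e.g. `# neverallow guards cover shadow_t only; other authentication_file_type members are merely excluded from the except_auth_file interfaces`, and if not, the guards should be rewritten against the attribute once it is wired up.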
--- a/policy/modules/system/userdomain.if
+++ b/policy/modules/system/userdomain.if
@@ -1445,9 +1445,9 @@ template(`userdom_admin_user_template',`
 
 	auth_getattr_shadow($1_t)
 	# Manage almost all files
-	auth_manage_all_files_except_shadow($1_t)
+	auth_manage_all_files_except_auth_file($1_t)
 	# Relabel almost all files
-	auth_relabel_all_files_except_shadow($1_t)
+	auth_relabel_all_files_except_auth_file($1_t)
 
 	init_telinit($1_t)
 
@@ -1541,7 +1541,7 @@ template(`userdom_security_admin_template',`
 	selinux_set_parameters($1)
 	selinux_read_policy($1)
 
-	auth_relabel_all_files_except_shadow($1)
+	auth_relabel_all_files_except_auth_file($1)
 	auth_relabel_shadow($1)
 
 	init_exec($1)