Hi, I have made the changes to the policy as suggested by Miroslav. The reason I initially made two booleans rather than one is that OTP doesn't need the permissions granted by CHAP, and vice versa. -- William Brown <william@xxxxxxxxxxxxxxx>
diff -uNrp serefpolicy-3.12.1.orig/policy/modules/system/authlogin.fc serefpolicy-3.12.1.work/policy/modules/system/authlogin.fc
--- serefpolicy-3.12.1.orig/policy/modules/system/authlogin.fc 2014-03-27 21:31:39.758132865 +1030
+++ serefpolicy-3.12.1.work/policy/modules/system/authlogin.fc 2014-03-27 21:57:30.974519141 +1030
@@ -1,7 +1,11 @@
-HOME_DIR/\.yubico(/.*)? gen_context(system_u:object_r:auth_home_t,s0)
+HOME_DIR/\.yubico gen_context(system_u:object_r:auth_home_rw_t,s0)
+HOME_DIR/\.yubico/challenge-(.*) gen_context(system_u:object_r:auth_home_rw_t,s0)
+HOME_DIR/\.yubico/(.*) gen_context(system_u:object_r:auth_home_t,s0)
 HOME_DIR/\.google_authenticator gen_context(system_u:object_r:auth_home_t,s0)
 HOME_DIR/\.google_authenticator~ gen_context(system_u:object_r:auth_home_t,s0)
-/root/\.yubico(/.*)? gen_context(system_u:object_r:auth_home_t,s0)
+/root/\.yubico gen_context(system_u:object_r:auth_home_rw_t,s0)
+/root/\.yubico/challenge-(.*) gen_context(system_u:object_r:auth_home_rw_t,s0)
+/root/\.yubico/(.*) gen_context(system_u:object_r:auth_home_t,s0)
 /root/\.google_authenticator gen_context(system_u:object_r:auth_home_t,s0)
 /root/\.google_authenticator~ gen_context(system_u:object_r:auth_home_t,s0)
diff -uNrp serefpolicy-3.12.1.orig/policy/modules/system/authlogin.te serefpolicy-3.12.1.work/policy/modules/system/authlogin.te
--- serefpolicy-3.12.1.orig/policy/modules/system/authlogin.te 2014-03-27 21:31:39.759132841 +1030
+++ serefpolicy-3.12.1.work/policy/modules/system/authlogin.te 2014-04-01 12:03:02.741919487 +1030
@@ -14,7 +14,7 @@ gen_tunable(authlogin_radius, false)
 ## <desc>
 ## <p>
-## Allow users to login using a yubikey server
+## Allow users to login using a yubikey OTP server or challenge response mode
 ## </p>
 ## </desc>
 gen_tunable(authlogin_yubikey, false)
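Review bot: Labeling the `~/.yubico` directory itself `auth_home_rw_t` (the `HOME_DIR/\.yubico` and `/root/\.yubico` lines) gives every domain with manage access on that type — `login_pgm` and, under the boolean, `sudodomain` in the .te hunks — the ability to create, rename and unlink entries anywhere in the directory, not only the `challenge-*` files the split is meant to isolate. Existing `auth_home_t` files such as the OTP key list keep their own label, but a file one of those domains creates in the directory would presumably inherit `auth_home_rw_t` absent a type transition, so a missing key file could end up writable; worth confirming against pam_yubico's behaviour. If the directory has to stay writable so the challenge state can be created, a comment above the block, `# ~/.yubico is rw so challenge-* state can be created; OTP key files stay auth_home_t`, would record the trade-off for the next reader. The `(.*)` capture groups add nothing in a file context; refpolicy usually writes `challenge-.*` and `/.*`.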
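Review bot: The reworded description still only says what the boolean lets users do, while this patch also makes it grant every `sudodomain` manage access to `auth_home_rw_t` (`~/.yubico` and its `challenge-*` files) plus a `netlink_kobject_uevent_socket`; that is what an admin reading `semanage boolean -l` needs to weigh before enabling it. Suggest extending the `<p>` text along the lines of `Allow users to login using a yubikey OTP server or challenge response mode; also lets sudo domains update the challenge-response state in ~/.yubico`.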
@@ -39,6 +39,9 @@ logging_log_file(auth_cache_t)
 type auth_home_t;
 userdom_user_home_content(auth_home_t)
+type auth_home_rw_t;
+userdom_user_home_content(auth_home_rw_t)
+
 type chkpwd_t, can_read_shadow_passwords;
 type chkpwd_exec_t;
 typealias chkpwd_t alias { user_chkpwd_t staff_chkpwd_t sysadm_chkpwd_t };
@@ -538,6 +541,9 @@ files_var_filetrans(login_pgm, auth_cach
 manage_dirs_pattern(login_pgm, auth_home_t, auth_home_t)
 manage_files_pattern(login_pgm, auth_home_t, auth_home_t)
+manage_dirs_pattern(login_pgm, auth_home_rw_t, auth_home_rw_t)
+manage_files_pattern(login_pgm, auth_home_rw_t, auth_home_rw_t)
+
 auth_filetrans_admin_home_content(login_pgm)
 auth_filetrans_home_content(login_pgm)
@@ -550,7 +556,18 @@ tunable_policy(`authlogin_radius',`
 ')
 tunable_policy(`authlogin_yubikey',`
+ gen_require(`
+ attribute sudodomain;
+ ')
 corenet_tcp_connect_http_port(login_pgm)
+
+ manage_dirs_pattern(sudodomain, auth_home_rw_t, auth_home_rw_t)
+ manage_files_pattern(sudodomain, auth_home_rw_t, auth_home_rw_t)
+ allow sudodomain self:netlink_kobject_uevent_socket create_socket_perms;
+
+ manage_dirs_pattern(login_pgm, auth_home_rw_t, auth_home_rw_t)
+ manage_files_pattern(login_pgm, auth_home_rw_t, auth_home_rw_t)
+ allow login_pgm self:netlink_kobject_uevent_socket create_socket_perms;
 ')
 corenet_tcp_connect_pki_ca_port(login_pgm)
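Review bot: `auth_home_rw_t` is declared without a comment, although the difference from `auth_home_t` (which paths get it and who may write it) is the whole reason the type exists. A one-line comment above the declaration, `# ~/.yubico and its challenge-* state files; writable by sudo domains when authlogin_yubikey is on`, would spare the next reader a trip through authlogin.fc and the tunable block.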
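Review bot: The unconditional `manage_dirs_pattern(login_pgm, auth_home_rw_t, auth_home_rw_t)` / `manage_files_pattern(...)` added in the @@ -538 hunk make the identical `login_pgm` pattern lines inside the authlogin_yubikey tunable block in the @@ -550 hunk redundant, and they mean the boolean no longer gates login_pgm's writes to `~/.yubico` at all. Since `auth_home_rw_t` exists only for the yubikey challenge-response state, one copy should go: dropping the two unconditional lines keeps the behaviour the tunable description promises, otherwise drop the two pattern lines from the tunable block and leave only the netlink rule there.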
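Review bot: Requiring `attribute sudodomain` inside authlogin.te and writing allow rules for it directly reaches across module boundaries; refpolicy convention is that a module exposes access to its own types through an interface in its .if file which the other module calls. The cleaner shape is an interface in authlogin.if (constructed name: `auth_manage_home_rw_content`) wrapping the two pattern calls, invoked from sudo.te inside its own tunable_policy block for authlogin_yubikey together with the `netlink_kobject_uevent_socket` rule, which keeps sudo's permissions visible in the sudo module and removes the `gen_require`. The uevent socket grant is also unexplained; a short comment on why it is needed (presumably device enumeration by the yubikey library — please confirm) would help whoever audits this boolean later.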