Allow the locallogin module to be turned off.
This required any interface use to be moved into an optional_policy block.
Signed-off-by: Dave Sugar <dsugar@xxxxxxxxxx>
---
 policy/modules/admin/dmidecode.te | 7 +++++--
 policy/modules/admin/firstboot.te | 6 ++++--
 policy/modules/admin/mcelog.te | 6 ++++--
 policy/modules/admin/tzdata.te | 6 ++++--
 policy/modules/admin/vpn.te | 6 ++++--
 policy/modules/apps/java.te | 6 ++++--
 policy/modules/apps/loadkeys.te | 6 ++++--
 policy/modules/apps/wm.te | 6 ++++--
 policy/modules/services/bluetooth.te | 5 ++++-
 policy/modules/services/chronyd.te | 5 +++--
 policy/modules/services/oddjob.te | 6 ++++--
 policy/modules/services/pcscd.te | 6 ++++--
 policy/modules/services/pyzor.te | 6 ++++--
 policy/modules/services/ricci.te | 12 ++++++++----
 policy/modules/services/samba.te | 6 ++++--
 policy/modules/services/setroubleshoot.te | 6 ++++--
 policy/modules/services/sysstat.te | 6 ++++--
 policy/modules/services/xserver.te | 6 ++++--
 policy/modules/system/getty.te | 6 ++++--
 policy/modules/system/ipsec.te | 12 ++++++++----
 policy/modules/system/setrans.te | 6 ++++--
 policy/modules/system/systemd.te | 6 ++++--
 policy/modules/system/xen.te | 6 ++++--
 23 files changed, 100 insertions(+), 49 deletions(-)
diff --git a/policy/modules/admin/dmidecode.te b/policy/modules/admin/dmidecode.te
index bda30744..e5a481fa 100644
--- a/policy/modules/admin/dmidecode.te
+++ b/policy/modules/admin/dmidecode.te
@@ -29,6 +29,9 @@ files_list_usr(dmidecode_t)
 mls_file_read_all_levels(dmidecode_t)
-locallogin_use_fds(dmidecode_t)
-
 userdom_use_inherited_user_terminals(dmidecode_t)
+
+optional_policy(`
+ locallogin_use_fds(dmidecode_t)
+')
+
diff --git a/policy/modules/admin/firstboot.te b/policy/modules/admin/firstboot.te
index 2ac82a13..140933f4 100644
--- a/policy/modules/admin/firstboot.te
+++ b/policy/modules/admin/firstboot.te
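Review bot: The dmidecode.te hunk ends with an added empty line (`+`) after the closing `')` of the new optional_policy block; the new range `+29,9` suggests this is the tail of the file, and if so the file now ends with a trailing blank line. The other end-of-file additions in this series (mcelog.te, sysstat.te, pyzor.te) stop at `')`, so dropping that last added line would keep dmidecode.te consistent with them.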
@@ -69,8 +69,6 @@ init_rw_utmp(firstboot_t)
 libs_exec_ld_so(firstboot_t)
 libs_exec_lib_files(firstboot_t)
-locallogin_use_fds(firstboot_t)
-
 logging_send_syslog_msg(firstboot_t)
 miscfiles_read_localization(firstboot_t)
@@ -96,6 +94,10 @@ optional_policy(`
 ')
 ')
+optional_policy(`
+ locallogin_use_fds(firstboot_t)
+')
+
 optional_policy(`
 modutils_domtrans(firstboot_t)
 modutils_read_module_config(firstboot_t)
diff --git a/policy/modules/admin/mcelog.te b/policy/modules/admin/mcelog.te
index 1c342132..1728052e 100644
--- a/policy/modules/admin/mcelog.te
+++ b/policy/modules/admin/mcelog.te
@@ -93,8 +93,6 @@ files_read_etc_files(mcelog_t)
 mls_file_read_all_levels(mcelog_t)
-locallogin_use_fds(mcelog_t)
-
 miscfiles_read_localization(mcelog_t)
 tunable_policy(`mcelog_client',`
@@ -122,3 +120,7 @@ tunable_policy(`mcelog_syslog',`
 optional_policy(`
 cron_system_entry(mcelog_t, mcelog_exec_t)
 ')
+
+optional_policy(`
+ locallogin_use_fds(mcelog_t)
+')
diff --git a/policy/modules/admin/tzdata.te b/policy/modules/admin/tzdata.te
index cbfb2299..35cd0fcc 100644
--- a/policy/modules/admin/tzdata.te
+++ b/policy/modules/admin/tzdata.te
@@ -25,14 +25,16 @@ fs_getattr_xattr_fs(tzdata_t)
 term_dontaudit_list_ptys(tzdata_t)
-locallogin_dontaudit_use_fds(tzdata_t)
-
 miscfiles_read_localization(tzdata_t)
 miscfiles_manage_localization(tzdata_t)
 miscfiles_etc_filetrans_localization(tzdata_t)
 userdom_use_user_terminals(tzdata_t)
+optional_policy(`
+ locallogin_dontaudit_use_fds(tzdata_t)
+')
+
 optional_policy(`
 postfix_search_spool(tzdata_t)
 ')
diff --git a/policy/modules/admin/vpn.te b/policy/modules/admin/vpn.te
index 65de9063..99a9310b 100644
--- a/policy/modules/admin/vpn.te
+++ b/policy/modules/admin/vpn.te
@@ -98,8 +98,6 @@ init_dontaudit_use_fds(vpnc_t)
 libs_exec_ld_so(vpnc_t)
 libs_exec_lib_files(vpnc_t)
-locallogin_use_fds(vpnc_t)
-
 logging_send_syslog_msg(vpnc_t)
 logging_dontaudit_search_logs(vpnc_t)
@@ -122,6 +120,10 @@ optional_policy(`
 ')
 ')
+optional_policy(`
+ locallogin_use_fds(vpnc_t)
+')
+
 optional_policy(`
 networkmanager_attach_tun_iface(vpnc_t)
 ')
diff --git a/policy/modules/apps/java.te b/policy/modules/apps/java.te
index 6502efeb..5cb8588d 100644
--- a/policy/modules/apps/java.te
+++ b/policy/modules/apps/java.te
@@ -139,11 +139,13 @@ corecmd_search_bin(java_t)
 dev_read_sysfs(java_t)
-locallogin_use_fds(java_t)
-
 userdom_read_user_tmp_files(java_t)
 userdom_use_user_terminals(java_t)
+optional_policy(`
+ locallogin_use_fds(java_t)
+')
+
 optional_policy(`
 xserver_user_x_domain_template(java, java_t, java_tmpfs_t)
 ')
diff --git a/policy/modules/apps/loadkeys.te b/policy/modules/apps/loadkeys.te
index 1976e2cb..71725fde 100644
--- a/policy/modules/apps/loadkeys.te
+++ b/policy/modules/apps/loadkeys.te
@@ -41,8 +41,6 @@ term_use_unallocated_ttys(loadkeys_t)
 init_read_script_tmp_files(loadkeys_t)
-locallogin_use_fds(loadkeys_t)
-
 miscfiles_read_localization(loadkeys_t)
 userdom_use_user_ttys(loadkeys_t)
@@ -52,6 +50,10 @@ optional_policy(`
 keyboardd_read_pipes(loadkeys_t)
 ')
+optional_policy(`
+ locallogin_use_fds(loadkeys_t)
+')
+
 optional_policy(`
 nscd_dontaudit_search_pid(loadkeys_t)
 ')
diff --git a/policy/modules/apps/wm.te b/policy/modules/apps/wm.te
index df481cc7..99bf1299 100644
--- a/policy/modules/apps/wm.te
+++ b/policy/modules/apps/wm.te
@@ -65,8 +65,6 @@ kernel_read_fs_sysctls(wm_domain)
 kernel_read_proc_symlinks(wm_domain)
 kernel_read_sysctl(wm_domain)
-locallogin_dontaudit_use_fds(wm_domain)
-
 miscfiles_read_fonts(wm_domain)
 miscfiles_read_generic_certs(wm_domain)
 miscfiles_read_localization(wm_domain)
@@ -120,6 +118,10 @@ optional_policy(`
 games_dbus_chat(wm_domain)
 ')
+optional_policy(`
+ locallogin_dontaudit_use_fds(wm_domain)
+')
+
 optional_policy(`
 # gnome-shell
 mount_exec(wm_domain)
diff --git a/policy/modules/services/bluetooth.te b/policy/modules/services/bluetooth.te
index 45e5a361..1498e243 100644
--- a/policy/modules/services/bluetooth.te
+++ b/policy/modules/services/bluetooth.te
@@ -210,7 +210,6 @@ term_dontaudit_use_all_ttys(bluetooth_helper_t)
 auth_use_nsswitch(bluetooth_helper_t)
-locallogin_dontaudit_use_fds(bluetooth_helper_t)
 logging_send_syslog_msg(bluetooth_helper_t)
@@ -223,6 +222,10 @@ optional_policy(`
 dbus_connect_system_bus(bluetooth_helper_t)
 ')
+optional_policy(`
+ locallogin_dontaudit_use_fds(bluetooth_helper_t)
+')
+
 optional_policy(`
 xserver_user_x_domain_template(bluetooth_helper, bluetooth_helper_t, bluetooth_helper_tmpfs_t)
 ')
diff --git a/policy/modules/services/chronyd.te b/policy/modules/services/chronyd.te
index 77716407..54985b68 100644
--- a/policy/modules/services/chronyd.te
+++ b/policy/modules/services/chronyd.te
@@ -136,8 +136,6 @@ corenet_udp_sendrecv_chronyd_port(chronyc_t)
 files_read_etc_files(chronyc_t)
 files_read_usr_files(chronyc_t)
-locallogin_use_fds(chronyc_t)
-
 logging_send_syslog_msg(chronyc_t)
 sysnet_read_config(chronyc_t)
@@ -150,3 +148,6 @@ userdom_use_user_ttys(chronyc_t)
 chronyd_dgram_send(chronyc_t)
 chronyd_read_config(chronyc_t)
+optional_policy(`
+ locallogin_use_fds(chronyc_t)
+')
diff --git a/policy/modules/services/oddjob.te b/policy/modules/services/oddjob.te
index 39e2dcf5..e656bea6 100644
--- a/policy/modules/services/oddjob.te
+++ b/policy/modules/services/oddjob.te
@@ -58,13 +58,15 @@ auth_use_nsswitch(oddjob_t)
 miscfiles_read_localization(oddjob_t)
-locallogin_dontaudit_use_fds(oddjob_t)
-
 optional_policy(`
 dbus_system_bus_client(oddjob_t)
 dbus_connect_system_bus(oddjob_t)
 ')
+optional_policy(`
+ locallogin_dontaudit_use_fds(oddjob_t)
+')
+
 optional_policy(`
 unconfined_domtrans(oddjob_t)
 ')
diff --git a/policy/modules/services/pcscd.te b/policy/modules/services/pcscd.te
index 247fe5c8..bca54f9d 100644
--- a/policy/modules/services/pcscd.te
+++ b/policy/modules/services/pcscd.te
@@ -59,8 +59,6 @@ files_read_etc_runtime_files(pcscd_t)
 term_use_unallocated_ttys(pcscd_t)
 term_dontaudit_getattr_pty_dirs(pcscd_t)
-locallogin_use_fds(pcscd_t)
-
 logging_send_syslog_msg(pcscd_t)
 miscfiles_read_localization(pcscd_t)
@@ -79,6 +77,10 @@ optional_policy(`
 ')
 ')
+optional_policy(`
+ locallogin_use_fds(pcscd_t)
+')
+
 optional_policy(`
 openct_stream_connect(pcscd_t)
 openct_read_pid_files(pcscd_t)
diff --git a/policy/modules/services/pyzor.te b/policy/modules/services/pyzor.te
index 3119df00..cdea0bfd 100644
--- a/policy/modules/services/pyzor.te
+++ b/policy/modules/services/pyzor.te
@@ -151,10 +151,12 @@ auth_use_nsswitch(pyzord_t)
 logging_send_syslog_msg(pyzord_t)
-locallogin_dontaudit_use_fds(pyzord_t)
-
 miscfiles_read_localization(pyzord_t)
 userdom_dontaudit_search_user_home_dirs(pyzord_t)
 mta_manage_spool(pyzord_t)
+
+optional_policy(`
+ locallogin_dontaudit_use_fds(pyzord_t)
+')
diff --git a/policy/modules/services/ricci.te b/policy/modules/services/ricci.te
index d808ab66..048ae41e 100644
--- a/policy/modules/services/ricci.te
+++ b/policy/modules/services/ricci.te
@@ -145,8 +145,6 @@ auth_append_login_records(ricci_t)
 init_stream_connect_script(ricci_t)
-locallogin_dontaudit_use_fds(ricci_t)
-
 logging_send_syslog_msg(ricci_t)
 miscfiles_read_localization(ricci_t)
@@ -173,6 +171,10 @@ optional_policy(`
 oddjob_system_entry(ricci_t, ricci_exec_t)
 ')
+optional_policy(`
+ locallogin_dontaudit_use_fds(ricci_t)
+')
+
 optional_policy(`
 rpm_use_script_fds(ricci_t)
 ')
@@ -332,8 +334,6 @@ auth_use_nsswitch(ricci_modclusterd_t)
 init_stream_connect_script(ricci_modclusterd_t)
-locallogin_dontaudit_use_fds(ricci_modclusterd_t)
-
 logging_send_syslog_msg(ricci_modclusterd_t)
 miscfiles_read_localization(ricci_modclusterd_t)
@@ -351,6 +351,10 @@ optional_policy(`
 ccs_read_config(ricci_modclusterd_t)
 ')
+optional_policy(`
+ locallogin_dontaudit_use_fds(ricci_modclusterd_t)
+')
+
 optional_policy(`
 rgmanager_stream_connect(ricci_modclusterd_t)
 ')
diff --git a/policy/modules/services/samba.te b/policy/modules/services/samba.te
index 6d8c0cbe..eb497b8d 100644
--- a/policy/modules/services/samba.te
+++ b/policy/modules/services/samba.te
@@ -720,8 +720,6 @@ miscfiles_read_localization(smbmount_t)
 mount_use_fds(smbmount_t)
-locallogin_use_fds(smbmount_t)
-
 logging_search_logs(smbmount_t)
 userdom_use_user_terminals(smbmount_t)
@@ -731,6 +729,10 @@ optional_policy(`
 cups_read_rw_config(smbmount_t)
 ')
+optional_policy(`
+ locallogin_use_fds(smbmount_t)
+')
+
 ########################################
 #
 # Swat Local policy
diff --git a/policy/modules/services/setroubleshoot.te b/policy/modules/services/setroubleshoot.te
index 3ee1e0d5..56dc8c2c 100644
--- a/policy/modules/services/setroubleshoot.te
+++ b/policy/modules/services/setroubleshoot.te
@@ -110,8 +110,6 @@ init_dontaudit_write_utmp(setroubleshootd_t)
 libs_exec_ld_so(setroubleshootd_t)
-locallogin_dontaudit_use_fds(setroubleshootd_t)
-
 logging_send_audit_msgs(setroubleshootd_t)
 logging_send_syslog_msg(setroubleshootd_t)
 logging_stream_connect_dispatcher(setroubleshootd_t)
@@ -132,6 +130,10 @@ optional_policy(`
 ')
 ')
+optional_policy(`
+ locallogin_dontaudit_use_fds(setroubleshootd_t)
+')
+
 optional_policy(`
 locate_read_lib_files(setroubleshootd_t)
 ')
diff --git a/policy/modules/services/sysstat.te b/policy/modules/services/sysstat.te
index ffa56160..2ef803d0 100644
--- a/policy/modules/services/sysstat.te
+++ b/policy/modules/services/sysstat.te
@@ -58,8 +58,6 @@ auth_use_nsswitch(sysstat_t)
 init_use_fds(sysstat_t)
-locallogin_use_fds(sysstat_t)
-
 logging_send_syslog_msg(sysstat_t)
 miscfiles_read_localization(sysstat_t)
@@ -70,3 +68,7 @@ optional_policy(`
 cron_system_entry(sysstat_t, sysstat_exec_t)
 cron_rw_tmp_files(sysstat_t)
 ')
+
+optional_policy(`
+ locallogin_use_fds(sysstat_t)
+')
diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te
index 7d4c0c1b..06022f2c 100644
--- a/policy/modules/services/xserver.te
+++ b/policy/modules/services/xserver.te
@@ -785,8 +785,6 @@ term_use_unallocated_ttys(xserver_t)
 getty_use_fds(xserver_t)
-locallogin_use_fds(xserver_t)
-
 logging_send_syslog_msg(xserver_t)
 logging_send_audit_msgs(xserver_t)
@@ -841,6 +839,10 @@ optional_policy(`
 auth_search_pam_console_data(xserver_t)
 ')
+optional_policy(`
+ locallogin_use_fds(xserver_t)
+')
+
 optional_policy(`
 rhgb_getpgid(xserver_t)
 rhgb_signal(xserver_t)
diff --git a/policy/modules/system/getty.te b/policy/modules/system/getty.te
index 6d3c4284..88b408a9 100644
--- a/policy/modules/system/getty.te
+++ b/policy/modules/system/getty.te
@@ -85,8 +85,6 @@ auth_rw_login_records(getty_t)
 init_rw_utmp(getty_t)
-locallogin_domtrans(getty_t)
-
 logging_send_syslog_msg(getty_t)
 miscfiles_read_localization(getty_t)
@@ -114,6 +112,10 @@ optional_policy(`
 mta_send_mail(getty_t)
 ')
+optional_policy(`
+ locallogin_domtrans(getty_t)
+')
+
 optional_policy(`
 nscd_use(getty_t)
 ')
diff --git a/policy/modules/system/ipsec.te b/policy/modules/system/ipsec.te
index 7dc80136..2855174d 100644
--- a/policy/modules/system/ipsec.te
+++ b/policy/modules/system/ipsec.te
@@ -411,8 +411,6 @@ auth_use_nsswitch(racoon_t)
 ipsec_setcontext_default_spd(racoon_t)
-locallogin_use_fds(racoon_t)
-
 logging_send_syslog_msg(racoon_t)
 logging_send_audit_msgs(racoon_t)
@@ -425,6 +423,10 @@ tunable_policy(`racoon_read_shadow',`
 auth_tunable_read_shadow(racoon_t)
 ')
+optional_policy(`
+ locallogin_use_fds(racoon_t)
+')
+
 ########################################
 #
 # Setkey local policy
@@ -451,14 +453,16 @@ init_read_script_tmp_files(setkey_t)
 # allow setkey to set the context for ipsec SAs and policy.
 corenet_setcontext_all_spds(setkey_t)
-locallogin_use_fds(setkey_t)
-
 miscfiles_read_localization(setkey_t)
 seutil_read_config(setkey_t)
 userdom_use_user_terminals(setkey_t)
+optional_policy(`
+ locallogin_use_fds(setkey_t)
+')
+
 ########################################
 #
 # ipsec_supervisor policy
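Review bot: In the getty.te hunk the new block for `locallogin_domtrans(getty_t)` is inserted after the `mta_send_mail` block, but the neighbouring optional_policy blocks visible here (mta, nscd) are in module-name order, so it belongs before the mta block. Unlike the `_use_fds` moves in the rest of this series, this one wraps the domain transition that getty presumably relies on to run the login program as local_login_t; with the locallogin module absent, that exec is left to whatever other rules getty_t carries, so this is a functional dependency rather than an fd-passing convenience. A one-line comment above the block, e.g. `# without the locallogin module there is no transition to local_login_t`, would make that visible to whoever next disables the module.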
diff --git a/policy/modules/system/setrans.te b/policy/modules/system/setrans.te
index 24c3577e..3182f83e 100644
--- a/policy/modules/system/setrans.te
+++ b/policy/modules/system/setrans.te
@@ -81,14 +81,16 @@ term_dontaudit_use_unallocated_ttys(setrans_t)
 init_dontaudit_use_script_ptys(setrans_t)
-locallogin_dontaudit_use_fds(setrans_t)
-
 logging_send_syslog_msg(setrans_t)
 miscfiles_read_localization(setrans_t)
 seutil_libselinux_linked(setrans_t)
+optional_policy(`
+ locallogin_dontaudit_use_fds(setrans_t)
+')
+
 optional_policy(`
 rpm_use_script_fds(setrans_t)
 ')
diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
index e9b74257..251094b9 100644
--- a/policy/modules/system/systemd.te
+++ b/policy/modules/system/systemd.te
@@ -464,8 +464,6 @@ init_stop_all_units(systemd_logind_t)
 init_start_system(systemd_logind_t)
 init_stop_system(systemd_logind_t)
-locallogin_read_state(systemd_logind_t)
-
 seutil_libselinux_linked(systemd_logind_t)
 seutil_read_default_contexts(systemd_logind_t)
 seutil_read_file_contexts(systemd_logind_t)
@@ -514,6 +512,10 @@ optional_policy(`
 devicekit_dbus_chat_power(systemd_logind_t)
 ')
+optional_policy(`
+ locallogin_read_state(systemd_logind_t)
+')
+
 optional_policy(`
 modemmanager_dbus_chat(systemd_logind_t)
 ')
diff --git a/policy/modules/system/xen.te b/policy/modules/system/xen.te
index 04dd1ea7..67552cca 100644
--- a/policy/modules/system/xen.te
+++ b/policy/modules/system/xen.te
@@ -297,8 +297,6 @@ term_getattr_pty_fs(xend_t)
 init_stream_connect_script(xend_t)
-locallogin_dontaudit_use_fds(xend_t)
-
 logging_send_syslog_msg(xend_t)
 miscfiles_read_localization(xend_t)
@@ -340,6 +338,10 @@ optional_policy(`
 consoletype_exec(xend_t)
 ')
+optional_policy(`
+ locallogin_dontaudit_use_fds(xend_t)
+')
+
 optional_policy(`
 lvm_domtrans(xend_t)
 ')
-- 
2.19.1