diff --git a/passwd.patch b/passwd.patch index 6046b91..f507510 100644 --- a/passwd.patch +++ b/passwd.patch @@ -1,3 +1,143 @@ +diff --git a/policy/modules/admin/mcelog.te b/policy/modules/admin/mcelog.te +index ef8bc09..ea06507 100644 +--- a/policy/modules/admin/mcelog.te ++++ b/policy/modules/admin/mcelog.te +@@ -45,6 +45,8 @@ files_read_etc_files(mcelog_t) + # for /dev/mem access + mls_file_read_all_levels(mcelog_t) + ++auth_read_passwd(mcelog_t) ++ + logging_send_syslog_msg(mcelog_t) + + miscfiles_read_localization(mcelog_t) +diff --git a/policy/modules/admin/usermanage.te b/policy/modules/admin/usermanage.te +index 4779a8d..c2ee43e 100644 +--- a/policy/modules/admin/usermanage.te ++++ b/policy/modules/admin/usermanage.te +@@ -96,11 +96,12 @@ corecmd_check_exec_shell(chfn_t) + + domain_use_interactive_fds(chfn_t) + +-files_manage_etc_files(chfn_t) + files_read_etc_runtime_files(chfn_t) + files_dontaudit_search_var(chfn_t) + files_dontaudit_search_home(chfn_t) + ++auth_manage_passwd(chfn_t) ++ + # /usr/bin/passwd asks for w access to utmp, but it will operate + # correctly without it. Do not audit write denials to utmp. + init_dontaudit_rw_utmp(chfn_t) +@@ -310,13 +311,14 @@ corenet_tcp_connect_kerberos_password_port(passwd_t) + domain_use_interactive_fds(passwd_t) + + files_read_etc_runtime_files(passwd_t) +-files_manage_etc_files(passwd_t) + files_search_var(passwd_t) + files_dontaudit_search_pids(passwd_t) + files_relabel_etc_files(passwd_t) + + term_search_ptys(passwd_t) + ++auth_manage_passwd(passwd_t) ++ + # /usr/bin/passwd asks for w access to utmp, but it will operate + # correctly without it. Do not audit write denials to utmp. + init_dontaudit_rw_utmp(passwd_t) +@@ -402,12 +404,13 @@ files_read_usr_files(sysadm_passwd_t) + + domain_use_interactive_fds(sysadm_passwd_t) + +-files_manage_etc_files(sysadm_passwd_t) + files_relabel_etc_files(sysadm_passwd_t) + files_read_etc_runtime_files(sysadm_passwd_t) + # for nscd lookups + files_dontaudit_search_pids(sysadm_passwd_t) + ++auth_manage_passwd(sysadm_passwd_t) ++ + # /usr/bin/passwd asks for w access to utmp, but it will operate + # correctly without it. Do not audit write denials to utmp. + init_dontaudit_rw_utmp(sysadm_passwd_t) +@@ -461,7 +464,6 @@ domain_use_interactive_fds(useradd_t) + domain_read_all_domains_state(useradd_t) + domain_dontaudit_read_all_domains_state(useradd_t) + +-files_manage_etc_files(useradd_t) + files_search_var_lib(useradd_t) + files_relabel_etc_files(useradd_t) + files_read_etc_runtime_files(useradd_t) +@@ -488,6 +490,7 @@ auth_rw_faillog(useradd_t) + auth_use_nsswitch(useradd_t) + # these may be unnecessary due to the above + # domtrans_chk_passwd() call. ++auth_manage_passwd(useradd_t) + auth_manage_shadow(useradd_t) + auth_relabel_shadow(useradd_t) + auth_etc_filetrans_shadow(useradd_t) +diff --git a/policy/modules/apps/loadkeys.te b/policy/modules/apps/loadkeys.te +index 50629a8..09669b6 100644 +--- a/policy/modules/apps/loadkeys.te ++++ b/policy/modules/apps/loadkeys.te +@@ -31,6 +31,8 @@ files_read_etc_runtime_files(loadkeys_t) + term_dontaudit_use_console(loadkeys_t) + term_use_unallocated_ttys(loadkeys_t) + ++auth_read_passwd(loadkeys_t) ++ + init_dontaudit_use_fds(loadkeys_t) + init_dontaudit_use_script_ptys(loadkeys_t) + +diff --git a/policy/modules/services/abrt.te b/policy/modules/services/abrt.te +index bd5ff95..c77b9f1 100644 +--- a/policy/modules/services/abrt.te ++++ b/policy/modules/services/abrt.te +@@ -105,7 +105,6 @@ allow abrt_t self:fifo_file rw_fifo_file_perms; + allow abrt_t self:tcp_socket create_stream_socket_perms; + allow abrt_t self:udp_socket create_socket_perms; + allow abrt_t self:unix_dgram_socket create_socket_perms; +-allow abrt_t self:netlink_route_socket r_netlink_socket_perms; + + # abrt etc files + list_dirs_pattern(abrt_t, abrt_etc_t, abrt_etc_t) +@@ -186,10 +185,10 @@ fs_read_nfs_files(abrt_t) + fs_read_nfs_symlinks(abrt_t) + fs_search_all(abrt_t) + +-sysnet_dns_name_resolve(abrt_t) +- + logging_read_generic_logs(abrt_t) + ++auth_use_nsswitch(abrt_t) ++ + miscfiles_read_generic_certs(abrt_t) + + userdom_dontaudit_read_user_home_content_files(abrt_t) +@@ -209,10 +208,6 @@ optional_policy(` + ') + + optional_policy(` +- nis_use_ypbind(abrt_t) +-') +- +-optional_policy(` + nsplugin_read_rw_files(abrt_t) + nsplugin_read_home(abrt_t) + ') +diff --git a/policy/modules/services/audioentropy.te b/policy/modules/services/audioentropy.te +index 2b348c7..b89658c 100644 +--- a/policy/modules/services/audioentropy.te ++++ b/policy/modules/services/audioentropy.te +@@ -47,6 +47,8 @@ fs_search_auto_mountpoints(entropyd_t) + + domain_use_interactive_fds(entropyd_t) + ++auth_read_passwd(entropyd_t) ++ + logging_send_syslog_msg(entropyd_t) + + miscfiles_read_localization(entropyd_t) diff --git a/policy/modules/system/authlogin.fc b/policy/modules/system/authlogin.fc index 59742f4..51ca568 100644 --- a/policy/modules/system/authlogin.fc @@ -11,7 +151,7 @@ index 59742f4..51ca568 100644 /sbin/pam_console_apply -- gen_context(system_u:object_r:pam_console_exec_t,s0) /sbin/pam_timestamp_check -- gen_context(system_u:object_r:pam_exec_t,s0) diff --git a/policy/modules/system/authlogin.if b/policy/modules/system/authlogin.if -index f05a80f..c15deb5 100644 +index f05a80f..c317b16 100644 --- a/policy/modules/system/authlogin.if +++ b/policy/modules/system/authlogin.if @@ -558,7 +558,6 @@ interface(`auth_domtrans_upd_passwd',` diff --git a/selinux-policy.spec b/selinux-policy.spec index a856cc1..49f328f 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -17,7 +17,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.10.0 -Release: 34.3%{?dist} +Release: 34.5%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz @@ -470,6 +470,9 @@ SELinux Reference policy mls base module. %endif %changelog +* Thu Sep 29 2011 Dan Walsh 3.10.0-34.4 +- Fixes caused by the labeling of /etc/passwd + * Thu Sep 29 2011 Miroslav Grepl 3.10.0-34.3 - Add support for Clustered Samba commands - Allow ricci_modrpm_t to send log msgs