1 |
commit: a529ea9e146a0a040d183a69c2840d1d36d034e4 |
2 |
Author: Jason Zaman <jason <AT> perfinion <DOT> com> |
3 |
AuthorDate: Sun Sep 10 13:51:28 2017 +0000 |
4 |
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org> |
5 |
CommitDate: Sun Sep 10 13:53:02 2017 +0000 |
6 |
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=a529ea9e |
7 |
|
8 |
authlogin: shadow map perms |
9 |
|
10 |
update can_read_shadow_passwords neverallow to check map perm too |
11 |
|
12 |
policy/modules/system/authlogin.if | 2 +- |
13 |
policy/modules/system/authlogin.te | 4 ++-- |
14 |
2 files changed, 3 insertions(+), 3 deletions(-) |
15 |
|
16 |
diff --git a/policy/modules/system/authlogin.if b/policy/modules/system/authlogin.if |
17 |
index 738b1e6f..1ab047bc 100644 |
18 |
--- a/policy/modules/system/authlogin.if |
19 |
+++ b/policy/modules/system/authlogin.if |
20 |
@@ -606,7 +606,7 @@ interface(`auth_tunable_read_shadow',` |
21 |
') |
22 |
|
23 |
files_list_etc($1) |
24 |
- allow $1 shadow_t:file read_file_perms; |
25 |
+ allow $1 shadow_t:file { read_file_perms map }; |
26 |
') |
27 |
|
28 |
######################################## |
29 |
|
30 |
diff --git a/policy/modules/system/authlogin.te b/policy/modules/system/authlogin.te |
31 |
index 69337c89..8ddcd226 100644 |
32 |
--- a/policy/modules/system/authlogin.te |
33 |
+++ b/policy/modules/system/authlogin.te |
34 |
@@ -60,7 +60,7 @@ files_pid_file(pam_var_run_t) |
35 |
|
36 |
type shadow_t; |
37 |
files_auth_file(shadow_t) |
38 |
-neverallow ~can_read_shadow_passwords shadow_t:file read; |
39 |
+neverallow ~can_read_shadow_passwords shadow_t:file { read map }; |
40 |
neverallow ~can_write_shadow_passwords shadow_t:file { create write }; |
41 |
neverallow ~can_relabelto_shadow_passwords shadow_t:file relabelto; |
42 |
|
43 |
@@ -99,7 +99,7 @@ allow chkpwd_t self:capability { dac_override setuid }; |
44 |
dontaudit chkpwd_t self:capability sys_tty_config; |
45 |
allow chkpwd_t self:process { getattr signal }; |
46 |
|
47 |
-allow chkpwd_t shadow_t:file read_file_perms; |
48 |
+allow chkpwd_t shadow_t:file { read_file_perms map }; |
49 |
files_list_etc(chkpwd_t) |
50 |
|
51 |
kernel_read_crypto_sysctls(chkpwd_t) |