
From: Jason Zaman <perfinion@g.o>
To: gentoo-commits@l.g.o
Subject: [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/system/
Date: Sun, 10 Sep 2017 14:04:03
Message-Id: 1505051582.a529ea9e146a0a040d183a69c2840d1d36d034e4.perfinion@gentoo
1 commit: a529ea9e146a0a040d183a69c2840d1d36d034e4
2 Author: Jason Zaman <jason <AT> perfinion <DOT> com>
3 AuthorDate: Sun Sep 10 13:51:28 2017 +0000
4 Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
5 CommitDate: Sun Sep 10 13:53:02 2017 +0000
6 URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=a529ea9e
7
8 authlogin: shadow map perms
9
10 update can_read_shadow_passwords neverallow to check map perm too
11
12 policy/modules/system/authlogin.if | 2 +-
13 policy/modules/system/authlogin.te | 4 ++--
14 2 files changed, 3 insertions(+), 3 deletions(-)
15
16 diff --git a/policy/modules/system/authlogin.if b/policy/modules/system/authlogin.if
17 index 738b1e6f..1ab047bc 100644
18 --- a/policy/modules/system/authlogin.if
19 +++ b/policy/modules/system/authlogin.if
20 @@ -606,7 +606,7 @@ interface(`auth_tunable_read_shadow',`
21 ')
22
23 files_list_etc($1)
24 - allow $1 shadow_t:file read_file_perms;
25 + allow $1 shadow_t:file { read_file_perms map };
26 ')
27
28 ########################################
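Review bot: The interface now hands `map` on shadow_t to every caller of auth_tunable_read_shadow, but the commit message only motivates the neverallow change, so the allow-side widening should either be justified or dropped back to `allow $1 shadow_t:file read_file_perms;`; callers of this interface presumably reach /etc/shadow through the libc shadow routines, which read() rather than mmap(), so unless a `map` denial was observed the narrower grant is the least-privilege choice. If `map` is kept, the interface's summary block (above this hunk, outside the view) should state that mapping the file is granted as well, e.g. `## Read and map the shadow password file.` The interface body begins before the hunk, so whatever assignment satisfies the can_read_shadow_passwords neverallow is not visible here.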
29
30 diff --git a/policy/modules/system/authlogin.te b/policy/modules/system/authlogin.te
31 index 69337c89..8ddcd226 100644
32 --- a/policy/modules/system/authlogin.te
33 +++ b/policy/modules/system/authlogin.te
34 @@ -60,7 +60,7 @@ files_pid_file(pam_var_run_t)
35
36 type shadow_t;
37 files_auth_file(shadow_t)
38 -neverallow ~can_read_shadow_passwords shadow_t:file read;
39 +neverallow ~can_read_shadow_passwords shadow_t:file { read map };
40 neverallow ~can_write_shadow_passwords shadow_t:file { create write };
41 neverallow ~can_relabelto_shadow_passwords shadow_t:file relabelto;
42
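Review bot: The widened line `neverallow ~can_read_shadow_passwords shadow_t:file { read map };` deserves a why-comment, because the kernel already requires `read` on a file before it will mmap() it for reading, so listing `map` is defense in depth rather than the closing of an open path, and a future reader could otherwise take it as evidence that `map` alone was exploitable; suggested: `# map is listed with read so the neverallow also covers mmap()ed access to shadow`. Note also that `map` is only enforced by kernels that know the permission (it appeared around Linux 4.13); on older kernels this neverallow is a policy-build-time constraint only and mmap of shadow_t remains governed by `read`. While tightening this check, the write-side neverallow on the next line still lists only `{ create write }`, so a domain outside can_write_shadow_passwords could be granted `append` on shadow_t without tripping the build; if no existing rule depends on it, `neverallow ~can_write_shadow_passwords shadow_t:file { append create write };` would close that write path too.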
43 @@ -99,7 +99,7 @@ allow chkpwd_t self:capability { dac_override setuid };
44 dontaudit chkpwd_t self:capability sys_tty_config;
45 allow chkpwd_t self:process { getattr signal };
46
47 -allow chkpwd_t shadow_t:file read_file_perms;
48 +allow chkpwd_t shadow_t:file { read_file_perms map };
49 files_list_etc(chkpwd_t)
50
51 kernel_read_crypto_sysctls(chkpwd_t)
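Review bot: `allow chkpwd_t shadow_t:file { read_file_perms map };` lets the password-checker domain mmap() /etc/shadow, yet nothing in the commit records a denial that required it; unix_chkpwd, as far as I know, reads the file through getspnam() and plain read(), so keeping `allow chkpwd_t shadow_t:file read_file_perms;` is the least-privilege form unless a `map` AVC denial was actually seen. Since `map` without `read` grants nothing on its own, the extra permission is harmless but unexplained, and if it stays a short comment would stop the next reviewer from asking the same question, e.g. `# map granted alongside read so chkpwd_t may mmap() shadow if its libc does`.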