SELinux Mailing List

logging in using sereference policy

From: Serge E. Hallyn <serue_at_us.ibm.com>
Date: Fri, 30 Dec 2005 11:08:27 -0600


Ok, I'm inlining one patch, and attaching another patch of which the inlined patch is a subset.

The inlined patch allowed me to log in in enforcing mode. The rest were supporting pieces which addressed various denied messages I'd been seeing. I know most of these allow statements need to be moved to appropriate macros in completely different files, but I won't be able to get around to that until mid next week at the earliest, so here's the info in any case.

Kind of obvious in retrospect :) And I sort of knew that must be what was going on, but wasn't sure how to find the real problem if there was no audit msg about it. In the future I may just have to start by adding a debug make target which removes all dontaudits.

-serge

Index: refpolicy/policy/modules/system/authlogin.if


  • refpolicy.orig/policy/modules/system/authlogin.if 2005-12-08 14:34:32.000000000 -0600 +++ refpolicy/policy/modules/system/authlogin.if 2005-12-30 10:44:51.000000000 -0600 @@ -115,6 +115,8 @@ template(`authlogin_per_userdomain_templ allow $2 self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay };
 	dontaudit $2 shadow_t:file { getattr read };

+ typeattribute $2 can_read_shadow_passwords;
+ allow $2 shadow_t:file { getattr read };
# Transition from the user domain to this domain. domain_auto_trans($2,chkpwd_exec_t,$1_chkpwd_t) @@ -253,6 +255,8 @@ interface(`auth_domtrans_chk_passwd',` allow system_chkpwd_t $1:process sigchld; dontaudit $1 shadow_t:file { getattr read };
+ typeattribute $1 can_read_shadow_passwords;
+ allow $1 shadow_t:file { getattr read };
dev_read_rand($1) dev_read_urand($1)
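Review bot: in both authlogin.if hunks the new `allow $2 shadow_t:file { getattr read };` (and its `$1` twin in `auth_domtrans_chk_passwd`) is added directly below the existing `dontaudit $2 shadow_t:file { getattr read };`, which becomes dead once the access is allowed; drop the dontaudit in the same hunk instead of carrying both. More importantly, `$2` in `authlogin_per_userdomain_template` is the user domain itself, and the next context line, `domain_auto_trans($2,chkpwd_exec_t,$1_chkpwd_t)`, shows the intended design: shadow reads happen in the `$1_chkpwd_t` helper domain, not in the caller. Giving every user domain `can_read_shadow_passwords` plus a direct read on `shadow_t` removes that separation, so please confirm the login denial really occurs in `$2`/`$1` rather than in the helper or in the transition, and if it does, record in the hunk why the helper path cannot be used. `can_read_shadow_passwords` is also not declared anywhere in the visible lines; confirm the attribute is in scope for this module.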

Index: refpolicy/policy/modules/system/userdomain.if
  • refpolicy.orig/policy/modules/system/userdomain.if 2005-12-06 15:32:13.000000000 -0600 +++ refpolicy/policy/modules/system/userdomain.if 2005-12-30 10:53:25.000000000 -0600 @@ -33,6 +33,10 @@ template(`base_user_template',` role $1_r types $1_t; allow system_r $1_r;

+ # serge
+ allow $1_t local_login_t:process { sigchld };
+ allow $1_t etc_runtime_t:file r_file_perms;
+

 	# user pseudoterminal
 	type $1_devpts_t;
 	term_user_pty($1_t,$1_devpts_t)
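Review bot: the `# serge` comment in the `base_user_template` hunk is a placeholder and should state which denial each rule clears before this goes in. The two raw rules also bypass the layering the rest of the file follows: `allow $1_t local_login_t:process { sigchld };` belongs in a locallogin interface and `allow $1_t etc_runtime_t:file r_file_perms;` in a files_ interface, rather than naming another module's types directly in userdomain.if. The mail itself says these need to move into the appropriate macros, so this hunk reads as a debugging aid rather than a mergeable change; the trailing `+` blank line at the end of the hunk should be dropped as well.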

thanks,
-serge

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Received on Fri 30 Dec 2005 - 12:08:40 EST
 

Date Posted: Jan 15, 2009 | Last Modified: Jan 15, 2009 | Last Reviewed: Jan 15, 2009
