commit: a529ea9e146a0a040d183a69c2840d1d36d034e4
Author: Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Sun Sep 10 13:51:28 2017 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sun Sep 10 13:53:02 2017 +0000
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=a529ea9e
authlogin: shadow map perms
update can_read_shadow_passwords neverallow to check map perm too
policy/modules/system/authlogin.if | 2 +-
policy/modules/system/authlogin.te | 4 ++--
2 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/policy/modules/system/authlogin.if
b/policy/modules/system/authlogin.if
index 738b1e6f..1ab047bc 100644
--- a/policy/modules/system/authlogin.if
+++ b/policy/modules/system/authlogin.if
@@ -606,7 +606,7 @@ interface(`auth_tunable_read_shadow',`
')
files_list_etc($1)
- allow $1 shadow_t:file read_file_perms;
+ allow $1 shadow_t:file { read_file_perms map };
')
########################################
diff --git a/policy/modules/system/authlogin.te
b/policy/modules/system/authlogin.te
index 69337c89..8ddcd226 100644
--- a/policy/modules/system/authlogin.te
+++ b/policy/modules/system/authlogin.te
@@ -60,7 +60,7 @@ files_pid_file(pam_var_run_t)
type shadow_t;
files_auth_file(shadow_t)
-neverallow ~can_read_shadow_passwords shadow_t:file read;
+neverallow ~can_read_shadow_passwords shadow_t:file { read map };
neverallow ~can_write_shadow_passwords shadow_t:file { create write };
neverallow ~can_relabelto_shadow_passwords shadow_t:file relabelto;
@@ -99,7 +99,7 @@ allow chkpwd_t self:capability { dac_override setuid };
dontaudit chkpwd_t self:capability sys_tty_config;
allow chkpwd_t self:process { getattr signal };
-allow chkpwd_t shadow_t:file read_file_perms;
+allow chkpwd_t shadow_t:file { read_file_perms map };
files_list_etc(chkpwd_t)
kernel_read_crypto_sysctls(chkpwd_t)
