From 099ea7b7bd113cac657f98d406c77839cce98859 Mon Sep 17 00:00:00 2001 From: Zdenek Pytela Date: Tue, 25 Aug 2020 16:33:38 +0200 Subject: [PATCH] Change transitions for ~/.config/Yubico Created the auth_filetrans_auth_home_content() interface which is used to allow the filename transition in gnome config directory for the login_pgm and userdomain attributes. This commit reverts the transitions introduced in commit 1363710b88904f29915e39335fef0dfb673a0f70. Signed-off-by: lujie42 <572084868@qq.com> --- policy/modules/system/authlogin.if | 23 +++++++++++++++++++++-- policy/modules/system/authlogin.te | 1 + policy/modules/system/userdomain.te | 2 ++ 3 files changed, 24 insertions(+), 2 deletions(-) diff --git a/policy/modules/system/authlogin.if b/policy/modules/system/authlogin.if index 90ae5fe..ab68d31 100644 --- a/policy/modules/system/authlogin.if +++ b/policy/modules/system/authlogin.if @@ -2313,7 +2313,6 @@ interface(`auth_filetrans_admin_home_content',` userdom_admin_home_dir_filetrans($1, auth_home_t, file, ".google_authenticator") userdom_admin_home_dir_filetrans($1, auth_home_t, file, ".google_authenticator~") userdom_admin_home_dir_filetrans($1, auth_home_t, dir, ".yubico") - userdom_admin_home_dir_filetrans($1, auth_home_t, dir, ".config/Yubico") ') @@ -2378,7 +2377,27 @@ interface(`auth_filetrans_home_content',` userdom_user_home_dir_filetrans($1, auth_home_t, file, ".google_authenticator") userdom_user_home_dir_filetrans($1, auth_home_t, file, ".google_authenticator~") userdom_user_home_dir_filetrans($1, auth_home_t, dir, ".yubico") - userdom_user_home_dir_filetrans($1, auth_home_t, dir, ".config/Yubico") +') + +######################################## +## +## Create auth directory in the config home directory +## with a correct label. +## +## +## +## Domain allowed access. +## +## +# +interface(`auth_filetrans_auth_home_content',` + gen_require(` + type auth_home_t; + ') + + optional_policy(` + gnome_config_filetrans($1, auth_home_t, dir, "Yubico") + ') ') ######################################## diff --git a/policy/modules/system/authlogin.te b/policy/modules/system/authlogin.te index f3870d3..068caed 100644 --- a/policy/modules/system/authlogin.te +++ b/policy/modules/system/authlogin.te @@ -603,6 +603,7 @@ manage_dirs_pattern(login_pgm, auth_home_t, auth_home_t) manage_files_pattern(login_pgm, auth_home_t, auth_home_t) auth_filetrans_admin_home_content(login_pgm) auth_filetrans_home_content(login_pgm) +auth_filetrans_auth_home_content(login_pgm) # needed for afs - https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=253321 kernel_search_network_sysctl(login_pgm) diff --git a/policy/modules/system/userdomain.te b/policy/modules/system/userdomain.te index 756ac4a..196bcc0 100644 --- a/policy/modules/system/userdomain.te +++ b/policy/modules/system/userdomain.te @@ -147,6 +147,7 @@ dontaudit unpriv_userdomain self:dir setattr; allow unpriv_userdomain self:file manage_file_perms; allow unpriv_userdomain self:key manage_key_perms; +auth_filetrans_auth_home_content(userdomain) files_dontaudit_manage_boot_files(unpriv_userdomain) @@ -289,6 +290,7 @@ userdom_user_home_dir_filetrans(userdom_filetrans_type, user_tmp_t, dir, "tmp") optional_policy(` gnome_config_filetrans(userdom_filetrans_type, home_cert_t, dir, "certificates") + gnome_config_filetrans(userdom_filetrans_type, auth_home_t, dir, "Yubico") #gnome_admin_home_gconf_filetrans(userdom_filetrans_type, home_bin_t, dir, "bin") ') -- 1.8.3.1