diff -pruN -x .git -x booleans.conf -x corenetwork.if -x corenetwork.te -x modules.conf refpolicy-git-18012011/policy/modules/system/authlogin.te refpolicy-git-18012011-new/policy/modules/system/authlogin.te
--- refpolicy-git-18012011/policy/modules/system/authlogin.te 2011-01-08 19:07:21.347757938 +0100
+++ refpolicy-git-18012011-new/policy/modules/system/authlogin.te 2011-01-23 03:05:26.447319474 +0100
@@ -91,6 +91,9 @@ files_list_etc(chkpwd_t)
# is_selinux_enabled
kernel_read_system_state(chkpwd_t)
+kernel_search_sysctl(chkpwd_t)
+kernel_read_crypto_sysctls(chkpwd_t)
+
domain_dontaudit_use_interactive_fds(chkpwd_t)
dev_read_rand(chkpwd_t)
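Review bot: the added kernel_search_sysctl(chkpwd_t) looks redundant next to kernel_read_crypto_sysctls(chkpwd_t) on the line after it. As the reply in this thread points out, the latter already grants search on the sysctl directories, so the first call can be dropped. The only comment in this block is "# is_selinux_enabled", which explains kernel_read_system_state() but not the new call. Please add a one-line comment saying why chkpwd_t needs to read the crypto sysctls.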
@@ -269,6 +272,7 @@ term_setattr_console(pam_console_t)
term_getattr_unallocated_ttys(pam_console_t)
term_setattr_unallocated_ttys(pam_console_t)
term_use_unallocated_ttys(pam_console_t)
+term_use_generic_ptys(pam_console_t)
auth_use_nsswitch(pam_console_t)
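Review bot: term_use_generic_ptys(pam_console_t) is added without any explanation of where the generic pty comes from. A generic pty is one that was never relabeled to a domain-specific pty type, so this call gives pam_console_t read/write access to every such pty rather than to one known terminal. Please include the AVC denial that motivated it and identify which program allocated the pty. If the access is only an inherited descriptor that pam_console_t does not need, term_dontaudit_use_generic_ptys() would be the narrower choice.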
@@ -334,6 +338,7 @@ files_manage_etc_files(updpwd_t)
term_dontaudit_use_console(updpwd_t)
term_dontaudit_use_unallocated_ttys(updpwd_t)
+term_use_generic_ptys(updpwd_t)
auth_manage_shadow(updpwd_t)
auth_use_nsswitch(updpwd_t)
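Review bot: term_use_generic_ptys(updpwd_t) is inconsistent with the two lines directly above it, which dontaudit console and unallocated tty use for updpwd_t instead of allowing it. If updpwd_t has no need to talk to a terminal, the matching form here would be term_dontaudit_use_generic_ptys(updpwd_t). If it really does need the pty, the patch should say which caller hands it over and why the console and unallocated ttys stay dontaudited.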
On 01/24/2011 01:44 AM, Guido Trentalancia wrote:
> diff -pruN -x .git -x booleans.conf -x corenetwork.if -x corenetwork.te -x modules.conf refpolicy-git-18012011/policy/modules/system/authlogin.te refpolicy-git-18012011-new/policy/modules/system/authlogin.te
> --- refpolicy-git-18012011/policy/modules/system/authlogin.te 2011-01-08 19:07:21.347757938 +0100
> +++ refpolicy-git-18012011-new/policy/modules/system/authlogin.te 2011-01-23 03:05:26.447319474 +0100
> @@ -91,6 +91,9 @@ files_list_etc(chkpwd_t)
> # is_selinux_enabled
> kernel_read_system_state(chkpwd_t)
>
> +kernel_search_sysctl(chkpwd_t)
I think this is duplicate. kernel_read_crypto_sysctls() already provides
access to search sysctl directories.
> +kernel_read_crypto_sysctls(chkpwd_t)
> +
> domain_dontaudit_use_interactive_fds(chkpwd_t)
>
> dev_read_rand(chkpwd_t)
> @@ -269,6 +272,7 @@ term_setattr_console(pam_console_t)
> term_getattr_unallocated_ttys(pam_console_t)
> term_setattr_unallocated_ttys(pam_console_t)
> term_use_unallocated_ttys(pam_console_t)
> +term_use_generic_ptys(pam_console_t)
Where do these generic ptys come from?
>
> auth_use_nsswitch(pam_console_t)
>
> @@ -334,6 +338,7 @@ files_manage_etc_files(updpwd_t)
>
> term_dontaudit_use_console(updpwd_t)
> term_dontaudit_use_unallocated_ttys(updpwd_t)
> +term_use_generic_ptys(updpwd_t)
>
> auth_manage_shadow(updpwd_t)
> auth_use_nsswitch(updpwd_t)
>
>
Hello Dominick!
On Mon, 24/01/2011 at 14.52 +0100, Dominick Grift wrote:
> On 01/24/2011 01:44 AM, Guido Trentalancia wrote:
> > diff -pruN -x .git -x booleans.conf -x corenetwork.if -x
corenetwork.te -x modules.conf
refpolicy-git-18012011/policy/modules/system/authlogin.te
refpolicy-git-18012011-new/policy/modules/system/authlogin.te
> > --- refpolicy-git-18012011/policy/modules/system/authlogin.te
2011-01-08 19:07:21.347757938 +0100
> > +++ refpolicy-git-18012011-new/policy/modules/system/authlogin.te
2011-01-23 03:05:26.447319474 +0100
> > @@ -91,6 +91,9 @@ files_list_etc(chkpwd_t)
> > # is_selinux_enabled
> > kernel_read_system_state(chkpwd_t)
> >
> > +kernel_search_sysctl(chkpwd_t)
>
> I think this is duplicate. kernel_read_crypto_sysctls() already provides
> access to search sysctl directories.
Changed.
> > +kernel_read_crypto_sysctls(chkpwd_t)
> > +
> > domain_dontaudit_use_interactive_fds(chkpwd_t)
> >
> > dev_read_rand(chkpwd_t)
> > @@ -269,6 +272,7 @@ term_setattr_console(pam_console_t)
> > term_getattr_unallocated_ttys(pam_console_t)
> > term_setattr_unallocated_ttys(pam_console_t)
> > term_use_unallocated_ttys(pam_console_t)
> > +term_use_generic_ptys(pam_console_t)
>
> Where do these generic ptys come from?
I am not sure... they might be mistaken.
Best thing to do is probably to remove them and test again. In the end I
had just submitted for comments, so nothing was meant to be definitive.
Thanks for pointing that out anyway! As always your comments are much
appreciated and they always prove to be very useful.
> > auth_use_nsswitch(pam_console_t)
> >
> > @@ -334,6 +338,7 @@ files_manage_etc_files(updpwd_t)
> >
> > term_dontaudit_use_console(updpwd_t)
> > term_dontaudit_use_unallocated_ttys(updpwd_t)
> > +term_use_generic_ptys(updpwd_t)
> >
> > auth_manage_shadow(updpwd_t)
> > auth_use_nsswitch(updpwd_t)
Same as above for the generic ptys.
Regards,
Guido