This patch adds some needed permissions to the chkpwd_t domain
in policy/modules/system/authlogin.te.
--- refpolicy-git-15022011/policy/modules/system/authlogin.te 2011-01-08 19:07:21.347757938 +0100
+++ refpolicy-git-15022011-new-modified/policy/modules/system/authlogin.te 2011-02-15 22:30:53.148753919 +0100
@@ -83,11 +83,13 @@ logging_log_file(wtmp_t)
allow chkpwd_t self:capability { dac_override setuid };
dontaudit chkpwd_t self:capability sys_tty_config;
-allow chkpwd_t self:process getattr;
+allow chkpwd_t self:process { getattr signal };
allow chkpwd_t shadow_t:file read_file_perms;
files_list_etc(chkpwd_t)
+kernel_read_crypto_sysctls(chkpwd_t)
+
# is_selinux_enabled
kernel_read_system_state(chkpwd_t)
On 02/16/11 01:27, Guido Trentalancia wrote:
> This patch adds some needed permissions to the chkpwd_t domain
> in policy/modules/system/authlogin.te.
>
> --- refpolicy-git-15022011/policy/modules/system/authlogin.te 2011-01-08 19:07:21.347757938 +0100
> +++ refpolicy-git-15022011-new-modified/policy/modules/system/authlogin.te 2011-02-15 22:30:53.148753919 +0100
> @@ -83,11 +83,13 @@ logging_log_file(wtmp_t)
>
> allow chkpwd_t self:capability { dac_override setuid };
> dontaudit chkpwd_t self:capability sys_tty_config;
> -allow chkpwd_t self:process getattr;
> +allow chkpwd_t self:process { getattr signal };
>
> allow chkpwd_t shadow_t:file read_file_perms;
> files_list_etc(chkpwd_t)
>
> +kernel_read_crypto_sysctls(chkpwd_t)
> +
> # is_selinux_enabled
> kernel_read_system_state(chkpwd_t)
Merged.
--
Chris PeBenito
Tresys Technology, LLC
http://www.tresys.com | oss.tresys.com