2009-05-22 17:40:12

by bwhalen

Subject: [refpolicy] authlogin patch

Allow unix_update to change the security attributes associated with files so
that it can properly create the shadow file. Also allow it to read from
urandom so that it can add salt to the password hash.

Index: policy/modules/system/authlogin.te
===================================================================
--- policy/modules/system/authlogin.te (revision 2987)
+++ policy/modules/system/authlogin.te (working copy)
@@ -57,6 +57,7 @@
type updpwd_exec_t;
domain_type(updpwd_t)
domain_entry_file(updpwd_t,updpwd_exec_t)
+domain_obj_id_change_exemption(updpwd_t)
role system_r types updpwd_t;

type utempter_t;
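Review bot: the `+domain_obj_id_change_exemption(updpwd_t)` line grants a broad exemption from the object user/role change constraints (the domain may relabel objects to a different SELinux user or role), but the description only says unix_update must "change the security attributes associated with files" to create the shadow file. Please name the actual denial being fixed in the commit message so a reviewer can confirm an exemption of this scope is needed rather than a relabel permission scoped to the shadow type; the `setfscreate` permission this domain already holds covers the type of the newly created file on its own.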
@@ -307,6 +308,7 @@
#

allow updpwd_t self:process setfscreate;
+allow updpwd_t self:capability { chown dac_override };
allow updpwd_t self:fifo_file rw_fifo_file_perms;
allow updpwd_t self:unix_stream_socket create_stream_socket_perms;
allow updpwd_t self:unix_dgram_socket create_socket_perms;
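Review bot: missing documentation for `+allow updpwd_t self:capability { chown dac_override };`: the commit message covers the relabel and urandom changes but says nothing about why these two capabilities are required. `dac_override` in particular is frequently the symptom of a DAC mode problem on the target file rather than a policy gap, so the message should record the operation that triggers it (for example opening a mode 0000 shadow file) and explain why `chown` is needed on a file the domain creates itself, so that the grant can be re-checked if the shadow file handling changes later.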
@@ -318,6 +320,8 @@
term_dontaudit_use_console(updpwd_t)
term_dontaudit_use_unallocated_ttys(updpwd_t)

+dev_read_urand(updpwd_t)
+
auth_manage_shadow(updpwd_t)
auth_use_nsswitch(updpwd_t)
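Review bot: style point on the placement of `+dev_read_urand(updpwd_t)`: refpolicy groups interface calls by layer and alphabetically by module prefix, so a `dev_` call belongs with the other kernel-layer interfaces, ahead of the `term_dontaudit_*` lines in this block, rather than between the `term_` calls and `auth_manage_shadow`. The grant itself is appropriate for salt generation as described; only the ordering should be adjusted, and the extra blank `+` line can go with it.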



2009-06-18 13:37:28

by cpebenito

Subject: [refpolicy] authlogin patch

On Fri, 2009-05-22 at 13:40 -0400, Brandon Whalen wrote:
> Allow unix_update to change the security attributes associated with files so
> that it can properly create the shadow file. Also allow it to read from
> urandom so that it can add salt to the password hash.

Merged.

> Index: policy/modules/system/authlogin.te
> ===================================================================
> --- policy/modules/system/authlogin.te (revision 2987)
> +++ policy/modules/system/authlogin.te (working copy)
> @@ -57,6 +57,7 @@
> type updpwd_exec_t;
> domain_type(updpwd_t)
> domain_entry_file(updpwd_t,updpwd_exec_t)
> +domain_obj_id_change_exemption(updpwd_t)
> role system_r types updpwd_t;
>
> type utempter_t;
> @@ -307,6 +308,7 @@
> #
>
> allow updpwd_t self:process setfscreate;
> +allow updpwd_t self:capability { chown dac_override };
> allow updpwd_t self:fifo_file rw_fifo_file_perms;
> allow updpwd_t self:unix_stream_socket create_stream_socket_perms;
> allow updpwd_t self:unix_dgram_socket create_socket_perms;
> @@ -318,6 +320,8 @@
> term_dontaudit_use_console(updpwd_t)
> term_dontaudit_use_unallocated_ttys(updpwd_t)
>
> +dev_read_urand(updpwd_t)
> +
> auth_manage_shadow(updpwd_t)
> auth_use_nsswitch(updpwd_t)
>
>
> _______________________________________________
> refpolicy mailing list
> refpolicy at oss.tresys.com
> http://oss.tresys.com/mailman/listinfo/refpolicy
--
Chris PeBenito
Tresys Technology, LLC
(410) 290-1411 x150