2009-05-22 17:40:13

by bwhalen

Subject: [refpolicy] su patch

Allow the derived su domains to run the pam cracklib module in the case that
the root password has expired and the user must reset it after an su.

Index: policy/modules/admin/su.if
===================================================================
--- policy/modules/admin/su.if (revision 2987)
+++ policy/modules/admin/su.if (working copy)
@@ -78,6 +78,9 @@
auth_dontaudit_read_shadow($1_su_t)
auth_use_nsswitch($1_su_t)
auth_rw_faillog($1_su_t)
+ optional_policy(`
+ usermanage_read_crack_db($1_su_t)
+ ')

domain_use_interactive_fds($1_su_t)

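Review bot: the optional_policy block added at +78 is attached directly to the auth_* calls with no blank line, and it sits ahead of the unconditional domain_use_interactive_fds($1_su_t) call. Consider moving it below the unconditional interface calls and setting it off with a blank line, so that the optional dependency on the usermanage module is easy to spot when reading the template.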
@@ -204,6 +207,9 @@
auth_dontaudit_read_shadow($1_su_t)
auth_use_nsswitch($1_su_t)
auth_rw_faillog($1_su_t)
+ optional_policy(`
+ usermanage_read_crack_db($1_su_t)
+ ')

corecmd_search_bin($1_su_t)

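Review bot: the three lines added at +207 are an exact copy of the block added at +78, and neither copy says why su needs the crack database; that reason appears only in the patch description. Add a short comment above usermanage_read_crack_db($1_su_t) in both places (pam cracklib runs when an expired root password must be reset after su) so that a later change to one copy is not missed in the other. By its name the interface grants only read access, which matches the stated purpose.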


2009-06-18 13:58:10

by cpebenito

Subject: [refpolicy] su patch

On Fri, 2009-05-22 at 13:40 -0400, Brandon Whalen wrote:
> Allow the derived su domains to run the pam cracklib module in the case that
> the root password has expired and the user must reset it after an su.

Merged, with a little reorganization.

> Index: policy/modules/admin/su.if
> ===================================================================
> --- policy/modules/admin/su.if (revision 2987)
> +++ policy/modules/admin/su.if (working copy)
> @@ -78,6 +78,9 @@
> auth_dontaudit_read_shadow($1_su_t)
> auth_use_nsswitch($1_su_t)
> auth_rw_faillog($1_su_t)
> + optional_policy(`
> + usermanage_read_crack_db($1_su_t)
> + ')
>
> domain_use_interactive_fds($1_su_t)
>
> @@ -204,6 +207,9 @@
> auth_dontaudit_read_shadow($1_su_t)
> auth_use_nsswitch($1_su_t)
> auth_rw_faillog($1_su_t)
> + optional_policy(`
> + usermanage_read_crack_db($1_su_t)
> + ')
>
> corecmd_search_bin($1_su_t)
>
>
> _______________________________________________
> refpolicy mailing list
> refpolicy at oss.tresys.com
> http://oss.tresys.com/mailman/listinfo/refpolicy
>
>
--
Chris PeBenito
Tresys Technology, LLC
(410) 290-1411 x150