Allow the derived su domains to run the pam cracklib module in the case that
the root password has expired and the user must reset it after an su.
Index: policy/modules/admin/su.if
===================================================================
--- policy/modules/admin/su.if (revision 2987)
+++ policy/modules/admin/su.if (working copy)
@@ -78,6 +78,9 @@
auth_dontaudit_read_shadow($1_su_t)
auth_use_nsswitch($1_su_t)
auth_rw_faillog($1_su_t)
+ optional_policy(`
+ usermanage_read_crack_db($1_su_t)
+ ')
domain_use_interactive_fds($1_su_t)
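Review bot: the new optional_policy block sits between auth_rw_faillog($1_su_t) and domain_use_interactive_fds($1_su_t), in the middle of the unconditional interface calls. Refpolicy style groups optional_policy blocks after the unconditional calls of a section, so suggest moving these three lines below the last unconditional call, which keeps the auth_* and domain_* lines contiguous.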
@@ -204,6 +207,9 @@
auth_dontaudit_read_shadow($1_su_t)
auth_use_nsswitch($1_su_t)
auth_rw_faillog($1_su_t)
+ optional_policy(`
+ usermanage_read_crack_db($1_su_t)
+ ')
corecmd_search_bin($1_su_t)
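Review bot: nothing in the added block at line 207 says why an su domain needs usermanage_read_crack_db($1_su_t); the reason (pam cracklib running when an expired root password must be reset after su) appears only in the patch description. Suggest a one-line comment above optional_policy stating that. The block is also an exact copy of the one added at line 81, so any later move or change has to be applied in both places.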
On Fri, 2009-05-22 at 13:40 -0400, Brandon Whalen wrote:
> Allow the derived su domains to run the pam cracklib module in the case that
> the root password has expired and the user must reset it after an su.
Merged, with a little reorganization.
> Index: policy/modules/admin/su.if
> ===================================================================
> --- policy/modules/admin/su.if (revision 2987)
> +++ policy/modules/admin/su.if (working copy)
> @@ -78,6 +78,9 @@
> auth_dontaudit_read_shadow($1_su_t)
> auth_use_nsswitch($1_su_t)
> auth_rw_faillog($1_su_t)
> + optional_policy(`
> + usermanage_read_crack_db($1_su_t)
> + ')
>
> domain_use_interactive_fds($1_su_t)
>
> @@ -204,6 +207,9 @@
> auth_dontaudit_read_shadow($1_su_t)
> auth_use_nsswitch($1_su_t)
> auth_rw_faillog($1_su_t)
> + optional_policy(`
> + usermanage_read_crack_db($1_su_t)
> + ')
>
> corecmd_search_bin($1_su_t)
--
Chris PeBenito
Tresys Technology, LLC
(410) 290-1411 x150