From: dwalsh@redhat.com (Daniel J Walsh)
Date: Thu, 25 Sep 2008 16:11:39 -0400
Subject: [refpolicy] useradd/passwd patch
In-Reply-To: <200809251712.08588.russell@coker.com.au>
References: <48DAB33E.3030209@kutulu.org> <200809251712.08588.russell@coker.com.au>
Message-ID: <48DBF07B.30000@redhat.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

Russell Coker wrote:
> On Thursday 25 September 2008 07:38, Mike Edenfield wrote:
>> Allows passwd and useradd to execute unix_chkpwd (and related binaries)
>> to read and update user passwords.
>
> Why would passwd and useradd ever need to do that?
>
> unix_chkpwd is only ever called if the shadow file can't be read directly.
> passwd needs direct read access and while it might be possible to write a
> useradd that doesn't need read access (if based on the assumption
> that /etc/shadow would never be in any way corrupt or out of sync
> with /etc/passwd), realistically it will always need such access.
>

Perhaps they are using pam to verify password entry; pam defaults to unix_chkpwd, so this could cause the AVC. I don't see where this is a problem though.