From: russell@coker.com.au (Russell Coker)
Date: Fri, 26 Sep 2008 06:57:48 +1000
Subject: [refpolicy] useradd/passwd patch
In-Reply-To: <48DBF07B.30000@redhat.com>
References: <48DAB33E.3030209@kutulu.org> <200809251712.08588.russell@coker.com.au> <48DBF07B.30000@redhat.com>
Message-ID: <200809260657.50453.russell@coker.com.au>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On Friday 26 September 2008 06:11, Daniel J Walsh wrote:
> Perhaps they are using pam to verify password entry, pam defaults to
> unix_chkpwd so this could cause the avc.  I don't see where this is a
> problem though.

Since when does PAM default to unix_chkpwd?

When I first wrote the code and policy for this, PAM had special-case code to only call unix_chkpwd in the case of a non-root caller.

It might make some sense to only check the password in one way (i.e. call the executable even when running as root without SE Linux) as it's not something that happens often enough to cause performance problems. But in that case I think that the suitably privileged domains should be permitted to execute unix_chkpwd in the same domain.

-- 
russell at coker.com.au
http://etbe.coker.com.au/                 My Blog
http://www.coker.com.au/sponsorship.html  Sponsoring Free Software development
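As an added illustration, not part of the thread or of refpolicy itself, here are the two policy shapes the reply contrasts, written in refpolicy interface syntax: a domain transition into the unix_chkpwd helper domain versus executing unix_chkpwd in the caller's own domain. The types chkpwd_t and chkpwd_exec_t and the macros gen_require, domtrans_pattern, can_exec and auth_read_shadow are existing refpolicy names; the interface names ending in _example and the domain my_privileged_t are assumptions for this illustration.

```m4
########################################
## <summary>
##	Example only: two ways to let a domain run /sbin/unix_chkpwd.
##	The first transitions the caller into chkpwd_t; the second keeps
##	the caller in its own domain, which is what makes sense for domains
##	that are already privileged enough to read the shadow file.
## </summary>
## <param name="domain">
##	<summary>Domain allowed to run unix_chkpwd.</summary>
## </param>

interface(`auth_domtrans_chk_passwd_example',`
	gen_require(`
		type chkpwd_t, chkpwd_exec_t;
	')

	# Caller executes unix_chkpwd and transitions into chkpwd_t.
	# Only chkpwd_t needs shadow access; the caller does not.
	domtrans_pattern($1, chkpwd_exec_t, chkpwd_t)
')

interface(`auth_exec_chk_passwd_example',`
	gen_require(`
		type chkpwd_exec_t;
	')

	# Caller executes unix_chkpwd with no domain transition, so the
	# helper runs with the caller's own permissions.  The check of the
	# hash therefore only works if the caller can read shadow_t; a domain
	# that cannot should use the transition interface above instead.
	can_exec($1, chkpwd_exec_t)
	auth_read_shadow($1)
')

# Usage in a .te file (my_privileged_t is a hypothetical domain):
# auth_exec_chk_passwd_example(my_privileged_t)
```

When reviewing an AVC denial for a chkpwd_exec_t execute request from a root-equivalent domain, the question this example frames is which of the two interfaces the domain should get: a transition where the caller is not trusted with shadow_t, and in-domain execution only where it already is.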