From: russell@coker.com.au (Russell Coker)
Date: Fri, 26 Sep 2008 06:57:48 +1000
Subject: [refpolicy] useradd/passwd patch
In-Reply-To: <48DBF07B.30000@redhat.com>
References: <48DAB33E.3030209@kutulu.org>
	<200809251712.08588.russell@coker.com.au>
	<48DBF07B.30000@redhat.com>
Message-ID: <200809260657.50453.russell@coker.com.au>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On Friday 26 September 2008 06:11, Daniel J Walsh <dwalsh@redhat.com> wrote:
> Perhaps they are using pam to verify password entry, pam defaults to
> unix_chkpwd so this could cause the avc. ?I don't see where this is a
> problem though.

Since when does PAM default to unix_chkpwd?

When I first wrote the code and policy for this PAM had special-case code to 
only call unix_chkpwd in the case of a non-root caller.

It might make some sense to only check the password in one way (IE call the 
executable even when running as root without SE Linux) as it's not something 
that happens often enough to cause performance.  But in that case I think 
that the suitably privileged domains should be permitted to execute 
unix_chkpwd in the same domain.

-- 
russell at coker.com.au
http://etbe.coker.com.au/          My Blog

http://www.coker.com.au/sponsorship.html Sponsoring Free Software development