From: bwhalen@tresys.com (Brandon Whalen)
Date: Fri, 22 May 2009 13:40:13 -0400
Subject: [refpolicy] su patch
Message-ID: <C63C5BBD.1E64F%bwhalen@tresys.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

Allow the derived su domains to run the pam cracklib module in the case that
the root password has expired and the user must reset it after an su.

Index: policy/modules/admin/su.if
===================================================================
--- policy/modules/admin/su.if    (revision 2987)
+++ policy/modules/admin/su.if    (working copy)
@@ -78,6 +78,9 @@
     auth_dontaudit_read_shadow($1_su_t)
     auth_use_nsswitch($1_su_t)
     auth_rw_faillog($1_su_t)
+    optional_policy(`
+        usermanage_read_crack_db($1_su_t)
+    ')
 
     domain_use_interactive_fds($1_su_t)
 
@@ -204,6 +207,9 @@
     auth_dontaudit_read_shadow($1_su_t)
     auth_use_nsswitch($1_su_t)
     auth_rw_faillog($1_su_t)
+    optional_policy(`
+        usermanage_read_crack_db($1_su_t)
+    ')
 
     corecmd_search_bin($1_su_t)