From: bwhalen@tresys.com (Brandon Whalen) Date: Fri, 22 May 2009 13:40:13 -0400 Subject: [refpolicy] su patch Message-ID: To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com Allow the derived su domains to run the pam cracklib module in the case that the root password has expired and the user must reset it after an su. Index: policy/modules/admin/su.if =================================================================== --- policy/modules/admin/su.if (revision 2987) +++ policy/modules/admin/su.if (working copy) @@ -78,6 +78,9 @@ auth_dontaudit_read_shadow($1_su_t) auth_use_nsswitch($1_su_t) auth_rw_faillog($1_su_t) + optional_policy(` + usermanage_read_crack_db($1_su_t) + ') domain_use_interactive_fds($1_su_t) @@ -204,6 +207,9 @@ auth_dontaudit_read_shadow($1_su_t) auth_use_nsswitch($1_su_t) auth_rw_faillog($1_su_t) + optional_policy(` + usermanage_read_crack_db($1_su_t) + ') corecmd_search_bin($1_su_t)
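Review bot: In the first hunk (@@ -78,6 +78,9 @@), the new optional_policy block is placed directly after auth_rw_faillog($1_su_t), so it sits inside the run of unconditional auth_* calls. Consider moving it out of that run into its own paragraph, after the required calls for $1_su_t, so the hard dependencies on the auth module stay grouped and the optional dependency on usermanage is easy to spot. The optional_policy wrapper itself is the right choice, since it keeps su.if buildable when the usermanage module is absent.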
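Review bot: In the second hunk (@@ -204,6 +207,9 @@), the same three lines are added again, but the message does not say which templates are being changed or why both need the access. It would help to name both in the description and include the denial that motivated the change. The description talks about running the cracklib module during a forced password reset, while the only access granted is usermanage_read_crack_db($1_su_t). If read access to the crack database is all that the expired-password path needs, saying so in the message makes the scope of the grant clear to later readers.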