From: bwhalen@tresys.com (Brandon Whalen)
Date: Fri, 22 May 2009 13:40:12 -0400
Subject: [refpolicy] authlogin patch
Message-ID: 
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com
Allow unix_update to change the security attributes associate with files so that it can properly create the shadow file. Also allow it to read from urandom so that it can add salt to the password hash.
Index: policy/modules/system/authlogin.te
===================================================================
--- policy/modules/system/authlogin.te (revision 2987)
+++ policy/modules/system/authlogin.te (working copy)
@@ -57,6 +57,7 @@
 type updpwd_exec_t;
 domain_type(updpwd_t)
 domain_entry_file(updpwd_t,updpwd_exec_t)
+domain_obj_id_change_exemption(updpwd_t)
 role system_r types updpwd_t;
 type utempter_t;
@@ -307,6 +308,7 @@
 #
 allow updpwd_t self:process setfscreate;
+allow updpwd_t self:capability { chown dac_override };
 allow updpwd_t self:fifo_file rw_fifo_file_perms;
 allow updpwd_t self:unix_stream_socket create_stream_socket_perms;
 allow updpwd_t self:unix_dgram_socket create_socket_perms;
@@ -318,6 +320,8 @@
 term_dontaudit_use_console(updpwd_t)
 term_dontaudit_use_unallocated_ttys(updpwd_t)
+dev_read_urand(updpwd_t)
+
 auth_manage_shadow(updpwd_t)
 auth_use_nsswitch(updpwd_t)
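Review bot: The added `allow updpwd_t self:capability { chown dac_override };` in the second hunk grants dac_override with no comment, and the commit message only motivates chown (changing file security attributes) and urandom, so the reason the domain must bypass DAC permission checks is left to the reader. Because dac_override applies to every file updpwd_t can otherwise reach under policy, the line should carry the concrete trigger, e.g. `# dac_override: presumably needed to open/replace the root-owned shadow file when its mode denies owner access -- confirm against the audited AVC denial`; if the recorded denial turns out to need only chown or fowner/fsetid, prefer the narrower capability set. The same justification would help `domain_obj_id_change_exemption(updpwd_t)` in the first hunk, which is likewise uncommented although it is what actually allows the identity change described in the message. The updpwd_t policy block these hunks belong to starts and ends outside the hunks.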