From: cpebenito@tresys.com (Christopher J. PeBenito) Date: Thu, 18 Jun 2009 09:37:28 -0400 Subject: [refpolicy] authlogin patch In-Reply-To: References: Message-ID: <1245332250.4230.576.camel@gorn> To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com On Fri, 2009-05-22 at 13:40 -0400, Brandon Whalen wrote: > Allow unix_update to change the security attributes associate with files so > that it can properly create the shadow file. Also allow it to read from > urandom so that it can add salt to the password hash. Merged. > Index: policy/modules/system/authlogin.te > =================================================================== > --- policy/modules/system/authlogin.te (revision 2987) > +++ policy/modules/system/authlogin.te (working copy) > @@ -57,6 +57,7 @@ > type updpwd_exec_t; > domain_type(updpwd_t) > domain_entry_file(updpwd_t,updpwd_exec_t) > +domain_obj_id_change_exemption(updpwd_t) > role system_r types updpwd_t; > > type utempter_t; > @@ -307,6 +308,7 @@ > # > > allow updpwd_t self:process setfscreate; > +allow updpwd_t self:capability { chown dac_override }; > allow updpwd_t self:fifo_file rw_fifo_file_perms; > allow updpwd_t self:unix_stream_socket create_stream_socket_perms; > allow updpwd_t self:unix_dgram_socket create_socket_perms; > @@ -318,6 +320,8 @@ > term_dontaudit_use_console(updpwd_t) > term_dontaudit_use_unallocated_ttys(updpwd_t) > > +dev_read_urand(updpwd_t) > + > auth_manage_shadow(updpwd_t) > auth_use_nsswitch(updpwd_t) > > > _______________________________________________ > refpolicy mailing list > refpolicy at oss.tresys.com > http://oss.tresys.com/mailman/listinfo/refpolicy -- Chris PeBenito Tresys Technology, LLC (410) 290-1411 x150
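Review bot: In the first hunk (@@ -57,6 +57,7 @@), domain_obj_id_change_exemption(updpwd_t) is added to the type declaration block with no comment saying why updpwd_t needs to be exempt from the object identity change constraint. The commit message gives the reason (changing the security attributes of files so that the shadow file is created properly), but that reason is not visible in the policy. A one-line comment above the call, tying it to recreating the shadow file, would let a later auditor confirm the exemption is still needed before widening or removing it.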
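Review bot: In the second hunk (@@ -307,6 +308,7 @@), "allow updpwd_t self:capability { chown dac_override };" grants dac_override, which the commit message does not justify. The message covers changing file attributes and reading urandom, so chown has a stated reason, but a blanket DAC bypass for a domain that manages the shadow file deserves its own explanation. Please note in the description which access was denied without it, and consider whether chown alone is enough once file ownership and modes are set correctly.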
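Review bot: In the third hunk (@@ -318,6 +320,8 @@), dev_read_urand(updpwd_t) is placed after the term_dontaudit_use_console and term_dontaudit_use_unallocated_ttys calls and before the auth_ block. This is a style point: refpolicy groups kernel-layer interface calls alphabetically by module, so the dev_ call would sit above the term_ calls rather than in a block of its own below them. The access itself matches the stated purpose of salting the password hash.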