From: cpebenito@tresys.com (Christopher J. PeBenito)
Date: Thu, 18 Jun 2009 09:37:28 -0400
Subject: [refpolicy] authlogin patch
In-Reply-To: <C63C5BBC.1E64E%bwhalen@tresys.com>
References: <C63C5BBC.1E64E%bwhalen@tresys.com>
Message-ID: <1245332250.4230.576.camel@gorn>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On Fri, 2009-05-22 at 13:40 -0400, Brandon Whalen wrote:
> Allow unix_update to change the security attributes associate with files so
> that it can properly create the shadow file. Also allow it to read from
> urandom so that it can add salt to the password hash.

Merged.

> Index: policy/modules/system/authlogin.te
> ===================================================================
> --- policy/modules/system/authlogin.te    (revision 2987)
> +++ policy/modules/system/authlogin.te    (working copy)
> @@ -57,6 +57,7 @@
>  type updpwd_exec_t;
>  domain_type(updpwd_t)
>  domain_entry_file(updpwd_t,updpwd_exec_t)
> +domain_obj_id_change_exemption(updpwd_t)
>  role system_r types updpwd_t;
>  
>  type utempter_t;
> @@ -307,6 +308,7 @@
>  #
>  
>  allow updpwd_t self:process setfscreate;
> +allow updpwd_t self:capability { chown dac_override };
>  allow updpwd_t self:fifo_file rw_fifo_file_perms;
>  allow updpwd_t self:unix_stream_socket create_stream_socket_perms;
>  allow updpwd_t self:unix_dgram_socket create_socket_perms;
> @@ -318,6 +320,8 @@
>  term_dontaudit_use_console(updpwd_t)
>  term_dontaudit_use_unallocated_ttys(updpwd_t)
>  
> +dev_read_urand(updpwd_t)
> +
>  auth_manage_shadow(updpwd_t)
>  auth_use_nsswitch(updpwd_t)
>  
> 
> _______________________________________________
> refpolicy mailing list
> refpolicy at oss.tresys.com
> http://oss.tresys.com/mailman/listinfo/refpolicy
-- 
Chris PeBenito
Tresys Technology, LLC
(410) 290-1411 x150