From: cpebenito@tresys.com (Christopher J. PeBenito)
Date: Tue, 22 Feb 2011 10:55:50 -0500
Subject: [refpolicy] [PATCH 3/34]: patch to use pam instead of nsswitch in the usermanage module
In-Reply-To: <1297836053.3205.32.camel@tesla.lan>
References: <1297836053.3205.32.camel@tesla.lan>
Message-ID: <4D63DC86.7070907@tresys.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On 02/16/11 01:00, Guido Trentalancia wrote:
> This patch allows to use pam instead of nsswitch in
> policy/modules/admin/usermanage.te.

Do you have more of an explanation? auth_use_pam() is much more than the rules you're removing.

> --- refpolicy-git-02022011-test-apply/policy/modules/admin/usermanage.te 2011-02-07 00:35:04.530712150 +0100 > +++ refpolicy-git-02022011-test-apply2/policy/modules/admin/usermanage.te 2011-02-07 00:38:27.175347975 +0100 > @@ -88,9 +88,7 @@ fs_search_auto_mountpoints(chfn_t) > # for SSP > dev_read_urand(chfn_t) > > -auth_domtrans_chk_passwd(chfn_t) > -auth_dontaudit_read_shadow(chfn_t) > -auth_use_nsswitch(chfn_t) > +auth_use_pam(chfn_t) > > # allow checking if a shell is executable > corecmd_check_exec_shell(chfn_t) > @@ -294,11 +292,10 @@ selinux_compute_user_contexts(passwd_t) > > term_use_all_terms(passwd_t) > > -auth_domtrans_chk_passwd(passwd_t) > auth_manage_shadow(passwd_t) > auth_relabel_shadow(passwd_t) > auth_etc_filetrans_shadow(passwd_t) > -auth_use_nsswitch(passwd_t) > +auth_use_pam(passwd_t) > > # allow checking if a shell is executable > corecmd_check_exec_shell(passwd_t)

--
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com
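
Review bot: In the chfn_t hunk (@@ -88,9 +88,7 @@), auth_dontaudit_read_shadow(chfn_t) is removed together with the two calls the subject line is about, and the description does not say whether auth_use_pam(chfn_t) still suppresses those shadow read denials. Either keep the dontaudit line or state in the description that auth_use_pam() covers it. The description should also name the access chfn needs that auth_domtrans_chk_passwd() plus auth_use_nsswitch() did not provide, since the reply in this thread points out that auth_use_pam() is much more than the rules being removed.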
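
Review bot: In the passwd_t hunk (@@ -294,11 +292,10 @@), the description gives no reason for granting auth_use_pam(passwd_t) to a domain that already keeps auth_manage_shadow(passwd_t) and auth_relabel_shadow(passwd_t). Replacing auth_domtrans_chk_passwd() and auth_use_nsswitch() with the broader interface should be backed by the specific denials seen when passwd runs through PAM. If only a few additional permissions are needed, suggest adding those interfaces next to the existing two calls rather than switching to auth_use_pam(), so passwd_t stays as close to least privilege as it is now.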