From: sven.vermeulen@siphos.be (Sven Vermeulen) Date: Wed, 28 Mar 2012 18:52:45 +0200 Subject: [refpolicy] chsh (chfn_t) to access /etc/.pwd.lock (shadow_t) ? In-Reply-To: <4F7223A3.9090409@redhat.com> References: <20120327192447.GA2101@siphos.be> <4F7223A3.9090409@redhat.com> Message-ID: <20120328165245.GA3116@siphos.be> To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com On Tue, Mar 27, 2012 at 04:31:31PM -0400, Daniel J Walsh wrote: > Being able to write to etc_t is basically the same as being able to write to shadow_t, if /etc/passwd is labeled as etc_t. How's that? The passwd file is labeled as etc_t, shadow is labeled as shadow_t. And apparently, .pwd.lock is labeled as shadow_t as well currently. I'm pretty sure domains with write privileges to etc_t cannot write to shadow_t... Wkr, Sven Vermeulen