From: sven.vermeulen@siphos.be (Sven Vermeulen)
Date: Mon, 7 May 2012 20:47:35 +0200
Subject: [refpolicy] [PATCH v2 1/1] Allow groupadd/passwd to read selinux
 config and context files
Message-ID: <20120507184734.GB5410@siphos.be>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

Recent shadow utils require listing of SELinux config as well as read the file context information.

See also
- https://bugs.gentoo.org/show_bug.cgi?id=413061
- https://bugs.gentoo.org/show_bug.cgi?id=413065

Changes since v1
- use correct domain (passwd_t)

Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
---
 policy/modules/admin/usermanage.te |    4 +++-
 1 files changed, 3 insertions(+), 1 deletions(-)

diff --git a/policy/modules/admin/usermanage.te b/policy/modules/admin/usermanage.te
index 3e144b9..c822dcb 100644
--- a/policy/modules/admin/usermanage.te
+++ b/policy/modules/admin/usermanage.te
@@ -241,6 +241,7 @@ auth_relabel_shadow(groupadd_t)
 auth_etc_filetrans_shadow(groupadd_t)
 
 seutil_read_config(groupadd_t)
+seutil_read_file_contexts(groupadd_t)
 
 userdom_use_unpriv_users_fds(groupadd_t)
 # for when /root is the cwd
@@ -336,7 +337,8 @@ logging_send_syslog_msg(passwd_t)
 
 miscfiles_read_localization(passwd_t)
 
-seutil_dontaudit_search_config(passwd_t)
+seutil_read_config(passwd_t)
+seutil_read_file_contexts(passwd_t)
 
 userdom_use_user_terminals(passwd_t)
 userdom_use_unpriv_users_fds(passwd_t)
-- 
1.7.3.4