From: cpebenito@tresys.com (Christopher J. PeBenito)
Date: Thu, 4 Apr 2013 08:09:43 -0400
Subject: [refpolicy] [PATCH 1/1] chfn_t reads in file context information and executes nscd
In-Reply-To: <20130320090317.GA12451@siphos.be>
References: <20130320090317.GA12451@siphos.be>
Message-ID: <515D6D87.7070508@tresys.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On 03/20/13 05:03, Sven Vermeulen wrote:
> The chsh application (which runs in the chfn_t domain) requires read access on
> the file context definitions. If not, the following error occurs:

[...]

> --- a/policy/modules/admin/usermanage.te
> +++ b/policy/modules/admin/usermanage.te
> @@ -125,6 +125,7 @@ miscfiles_read_localization(chfn_t)
>
>  logging_send_syslog_msg(chfn_t)
>
> +seutil_read_file_contexts(chfn_t)
>  # uses unix_chkpwd for checking passwords
>  seutil_dontaudit_search_config(chfn_t)

Looks like this dontaudit should be removed.

> @@ -133,6 +134,10 @@ userdom_use_unpriv_users_fds(chfn_t)
>  # on user home dir
>  userdom_dontaudit_search_user_home_content(chfn_t)
>
> +optional_policy(`
> +	nscd_run(chfn_t, chfn_roles)
> +')
> +
>  ########################################
>  #
>  # Crack local policy

--
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com
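Review bot: in the first hunk, seutil_read_file_contexts(chfn_t) is inserted directly above the "# uses unix_chkpwd for checking passwords" comment, so it reads as part of that stanza, and the seutil_dontaudit_search_config(chfn_t) line right after it is now contradicted by the new rule: seutil_read_file_contexts() already grants search on the SELinux config directory (the file contexts live under it), so the dontaudit becomes dead policy. Replace the dontaudit with the new call in the same hunk instead of leaving both side by side, e.g. drop `seutil_dontaudit_search_config(chfn_t)` and put `seutil_read_file_contexts(chfn_t)` in its own stanza with a blank line before the unix_chkpwd comment.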
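Review bot: the second hunk's nscd_run(chfn_t, chfn_roles) grants chfn_t a domain transition into the nscd domain plus the role authorization for every role in chfn_roles, but the commit message only documents the file-context denial and the error output that would show the nscd execution is elided as [...]. Add the denial that motivates executing nscd to the commit message so the transition can be justified, and confirm a transition is needed rather than only client use of the nscd socket (nscd_socket_use() in the same module); the optional_policy() wrapper itself is the right form, since nscd is an optional module.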