From: dominick.grift@gmail.com (Dominick Grift) Date: Sat, 9 Nov 2013 10:44:54 +0100 Subject: [refpolicy] [PATCH 13/39] usermanage: Run /etc/cron\.daily/cracklib-runtime in the crack_t domain in Debian In-Reply-To: <1383990320-3340-1-git-send-email-dominick.grift@gmail.com> References: <1383990320-3340-1-git-send-email-dominick.grift@gmail.com> Message-ID: <1383990320-3340-13-git-send-email-dominick.grift@gmail.com> To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com Signed-off-by: Dominick Grift --- policy/modules/admin/usermanage.fc | 4 ++++ policy/modules/admin/usermanage.te | 3 +++ 2 files changed, 7 insertions(+) diff --git a/policy/modules/admin/usermanage.fc b/policy/modules/admin/usermanage.fc index f82f0ce..4b7737e 100644 --- a/policy/modules/admin/usermanage.fc +++ b/policy/modules/admin/usermanage.fc @@ -2,6 +2,10 @@ ifdef(`distro_gentoo',` /bin/passwd -- gen_context(system_u:object_r:passwd_exec_t,s0) ') +ifdef(`distro_debian',` +/etc/cron\.daily/cracklib-runtime -- gen_context(system_u:object_r:crack_exec_t,s0) +') + /usr/bin/chage -- gen_context(system_u:object_r:passwd_exec_t,s0) /usr/bin/chfn -- gen_context(system_u:object_r:chfn_exec_t,s0) /usr/bin/chsh -- gen_context(system_u:object_r:chfn_exec_t,s0) diff --git a/policy/modules/admin/usermanage.te b/policy/modules/admin/usermanage.te index 1d732f1..471d4a7 100644 --- a/policy/modules/admin/usermanage.te +++ b/policy/modules/admin/usermanage.te @@ -171,10 +171,13 @@ logging_send_syslog_msg(crack_t) userdom_dontaudit_search_user_home_dirs(crack_t) ifdef(`distro_debian',` + allow crack_t self:process getsched; # the package cracklib-runtime on Debian contains a daily maintenance # script /etc/cron.daily/cracklib-runtime, that calls # update-cracklib and that calls crack_mkdict, which is a shell script. corecmd_exec_shell(crack_t) + dev_search_sysfs(crack_t) + miscfiles_read_localization(crack_t) ') optional_policy(` -- 1.8.3.1
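Review bot: In the usermanage.fc hunk, the new distro_debian entry only assigns crack_exec_t to /etc/cron\.daily/cracklib-runtime. Nothing visible in this patch adds a transition from the cron job domain into crack_t, so the subject line's "run in the crack_t domain" depends on a rule that must already exist elsewhere. Please name that rule in the commit message (the optional_policy block that follows the .te hunk is cut off in the context, so it cannot be confirmed from here). It is also worth noting that the script has to be relabeled on already-installed systems before the new context takes effect.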
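Review bot: In the usermanage.te hunk, the three added rules carry no justification. `allow crack_t self:process getsched;` is inserted above the existing comment, which explains only corecmd_exec_shell(crack_t), while dev_search_sysfs(crack_t) and miscfiles_read_localization(crack_t) follow it without any comment. Please move the allow rule below the comment or give each new rule a one-line comment naming the program that needs it, and put the denial that motivated each one in the commit message, which currently has no body. Two further questions for the same hunk: is miscfiles_read_localization(crack_t) really Debian-specific, or does it belong outside the ifdef, and does the script still work if the sysfs search is dontaudited instead of allowed?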