From: dominick.grift@gmail.com (Dominick Grift)
Date: Sat,  9 Nov 2013 10:44:54 +0100
Subject: [refpolicy] [PATCH 13/39] usermanage: Run
	/etc/cron\.daily/cracklib-runtime in the crack_t domain in Debian
In-Reply-To: <1383990320-3340-1-git-send-email-dominick.grift@gmail.com>
References: <1383990320-3340-1-git-send-email-dominick.grift@gmail.com>
Message-ID: <1383990320-3340-13-git-send-email-dominick.grift@gmail.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

Signed-off-by: Dominick Grift <dominick.grift@gmail.com>
---
 policy/modules/admin/usermanage.fc | 4 ++++
 policy/modules/admin/usermanage.te | 3 +++
 2 files changed, 7 insertions(+)

diff --git a/policy/modules/admin/usermanage.fc b/policy/modules/admin/usermanage.fc
index f82f0ce..4b7737e 100644
--- a/policy/modules/admin/usermanage.fc
+++ b/policy/modules/admin/usermanage.fc
@@ -2,6 +2,10 @@ ifdef(`distro_gentoo',`
 /bin/passwd		--	gen_context(system_u:object_r:passwd_exec_t,s0)
 ')
 
+ifdef(`distro_debian',`
+/etc/cron\.daily/cracklib-runtime	--	gen_context(system_u:object_r:crack_exec_t,s0)
+')
+
 /usr/bin/chage		--	gen_context(system_u:object_r:passwd_exec_t,s0)
 /usr/bin/chfn		--	gen_context(system_u:object_r:chfn_exec_t,s0)
 /usr/bin/chsh		--	gen_context(system_u:object_r:chfn_exec_t,s0)
diff --git a/policy/modules/admin/usermanage.te b/policy/modules/admin/usermanage.te
index 1d732f1..471d4a7 100644
--- a/policy/modules/admin/usermanage.te
+++ b/policy/modules/admin/usermanage.te
@@ -171,10 +171,13 @@ logging_send_syslog_msg(crack_t)
 userdom_dontaudit_search_user_home_dirs(crack_t)
 
 ifdef(`distro_debian',`
+	allow crack_t self:process getsched;
 	# the package cracklib-runtime on Debian contains a daily maintenance
 	# script /etc/cron.daily/cracklib-runtime, that calls
 	# update-cracklib and that calls crack_mkdict, which is a shell script.
 	corecmd_exec_shell(crack_t)
+	dev_search_sysfs(crack_t)
+	miscfiles_read_localization(crack_t)
 ')
 
 optional_policy(`
-- 
1.8.3.1