From: cpebenito@tresys.com (Christopher J. PeBenito) Date: Fri, 6 Dec 2013 09:50:25 -0500 Subject: [refpolicy] [PATCH 13/39] usermanage: Run /etc/cron\.daily/cracklib-runtime in the crack_t domain in Debian In-Reply-To: <1383990320-3340-13-git-send-email-dominick.grift@gmail.com> References: <1383990320-3340-1-git-send-email-dominick.grift@gmail.com> <1383990320-3340-13-git-send-email-dominick.grift@gmail.com> Message-ID: <52A1E431.1020007@tresys.com> To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com On 11/09/13 04:44, Dominick Grift wrote: > Signed-off-by: Dominick Grift > --- > policy/modules/admin/usermanage.fc | 4 ++++ > policy/modules/admin/usermanage.te | 3 +++ > 2 files changed, 7 insertions(+) > > diff --git a/policy/modules/admin/usermanage.fc b/policy/modules/admin/usermanage.fc > index f82f0ce..4b7737e 100644 > --- a/policy/modules/admin/usermanage.fc > +++ b/policy/modules/admin/usermanage.fc > @@ -2,6 +2,10 @@ ifdef(`distro_gentoo',` > /bin/passwd -- gen_context(system_u:object_r:passwd_exec_t,s0) > ') > > +ifdef(`distro_debian',` > +/etc/cron\.daily/cracklib-runtime -- gen_context(system_u:object_r:crack_exec_t,s0) > +') > + > /usr/bin/chage -- gen_context(system_u:object_r:passwd_exec_t,s0) > /usr/bin/chfn -- gen_context(system_u:object_r:chfn_exec_t,s0) > /usr/bin/chsh -- gen_context(system_u:object_r:chfn_exec_t,s0) > diff --git a/policy/modules/admin/usermanage.te b/policy/modules/admin/usermanage.te > index 1d732f1..471d4a7 100644 > --- a/policy/modules/admin/usermanage.te > +++ b/policy/modules/admin/usermanage.te 
> @@ -171,10 +171,13 @@ logging_send_syslog_msg(crack_t) > userdom_dontaudit_search_user_home_dirs(crack_t) > > ifdef(`distro_debian',` > + allow crack_t self:process getsched; > # the package cracklib-runtime on Debian contains a daily maintenance > # script /etc/cron.daily/cracklib-runtime, that calls > # update-cracklib and that calls crack_mkdict, which is a shell script. > corecmd_exec_shell(crack_t) > + dev_search_sysfs(crack_t) > + miscfiles_read_localization(crack_t) > ') > > optional_policy(` Merged. -- Chris PeBenito Tresys Technology, LLC www.tresys.com | oss.tresys.com
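Review bot: In the usermanage.fc hunk, the new `distro_debian` entry labels `/etc/cron\.daily/cracklib-runtime` as `crack_exec_t` without a comment, and nothing in the visible hunks shows how the caller of that script transitions into `crack_t`. The label only has the effect named in the subject if a transition on `crack_exec_t` already exists for the domain that runs cron.daily scripts. Please state in the commit message which existing rule provides it, or add the transition in this patch. A one-line comment above the entry pointing at the Debian-specific block in usermanage.te would also help the next reader connect the two.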
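Review bot: In the usermanage.te hunk, `allow crack_t self:process getsched;` is inserted above the existing comment, so the comment about the cron.daily script now sits in the middle of the block and reads as if it documents only `corecmd_exec_shell(crack_t)`. Keep the comment as the first thing inside `ifdef(`distro_debian',` and put the new rule after it. The three added permissions (`getsched`, `dev_search_sysfs(crack_t)`, `miscfiles_read_localization(crack_t)`) also carry no explanation, and the commit message has no body. Since each one widens what `crack_t` may do, please note which command in the script chain triggers each access, so a reviewer can tell a required permission from one that could be dontaudited instead.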