From: sven.vermeulen@siphos.be (Sven Vermeulen) Date: Tue, 30 Dec 2014 21:21:36 +0100 Subject: [refpolicy] [PATCH 3/6] Allow authdaemon to access selinux fs to check SELinux state In-Reply-To: <1419970899-19892-1-git-send-email-sven.vermeulen@siphos.be> References: <1419970899-19892-1-git-send-email-sven.vermeulen@siphos.be> Message-ID: <1419970899-19892-4-git-send-email-sven.vermeulen@siphos.be> To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com When attempting to authenticate, the PAM module checks if SELinux is enabled (pam_unix, in order to verify if the chkpwd helper utility needs to be called). If it fails to check the SELinux state, then authdaemon will try to access shadow directly (again, through pam_unix). This only occurs when a user tries to log on as root (on IMAP server) as non-root users automatically have chkpwd executed. Signed-off-by: Sven Vermeulen --- courier.te | 2 ++ 1 file changed, 2 insertions(+) diff --git a/courier.te b/courier.te index c4ab936..07752c2 100644 --- a/courier.te +++ b/courier.te @@ -114,6 +114,8 @@ libs_read_lib_files(courier_authdaemon_t) miscfiles_read_localization(courier_authdaemon_t) +selinux_getattr_fs(courier_authdaemon_t) + userdom_dontaudit_search_user_home_dirs(courier_authdaemon_t) ######################################## -- 2.0.5
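Review bot: the single added line `+selinux_getattr_fs(courier_authdaemon_t)` grants a permission that the commit message attributes to pam_unix rather than to courier itself, so consider whether it belongs in the shared authlogin interface that courier_authdaemon_t already uses for chkpwd instead of being added per domain in courier.te; every other PAM-using domain that authenticates root will hit the same SELinux-state check. If it stays here, a one-line comment above the call in courier.te saying that pam_unix needs getattr on selinuxfs to decide whether to call chkpwd would save the next reader a trip to the commit log. The placement between miscfiles_read_localization and userdom_dontaudit_search_user_home_dirs keeps the existing alphabetical ordering, and granting only getattr on the SELinux filesystem is the right least-privilege fix for the fallback described, since the alternative (authdaemon reading shadow directly) is exactly what the policy should keep denying; a denial on shadow after this patch would then indicate the check still fails rather than a missing shadow rule.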