From: sven.vermeulen@siphos.be (Sven Vermeulen)
Date: Wed, 31 Dec 2014 17:09:55 +0100
Subject: [refpolicy] [PATCH v2 3/6] Allow authdaemon to access selinux fs to check SELinux state
In-Reply-To: <1420042198-4676-1-git-send-email-sven.vermeulen@siphos.be>
References: <1420042198-4676-1-git-send-email-sven.vermeulen@siphos.be>
Message-ID: <1420042198-4676-4-git-send-email-sven.vermeulen@siphos.be>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

When attempting to authenticate, the PAM module checks if SELinux is
enabled (pam_unix, in order to verify if the chkpwd helper utility needs
to be called). If it fails to check the SELinux state, then authdaemon
will try to access shadow directly (again, through pam_unix).

This only occurs when a user tries to log on as root (on IMAP server) as
non-root users automatically have chkpwd executed.

Signed-off-by: Sven Vermeulen
---
 courier.te | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/courier.te b/courier.te
index b12dd7f..b46eada 100644
--- a/courier.te
+++ b/courier.te
@@ -114,6 +114,8 @@
 libs_read_lib_files(courier_authdaemon_t)
 miscfiles_read_localization(courier_authdaemon_t)
 
+selinux_getattr_fs(courier_authdaemon_t)
+
 userdom_dontaudit_search_user_home_dirs(courier_authdaemon_t)
 
 ########################################
-- 
2.0.5
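Review bot: the commit message should say how pam_unix performs the "is SELinux enabled" check (libselinux's is_selinux_enabled(), which stats the selinuxfs mount) so a reader can confirm that getattr on the filesystem is the only access needed and that the fallback of reading shadow directly is then avoided; as it stands the hunk only grants `selinux_getattr_fs(courier_authdaemon_t)`, and the link between that single permission and the described failure mode is left to the reviewer to work out. Since this is v2, a short note below the `---` line on what changed from v1 would also help. Placement is fine: the new call sits in alphabetical interface order between `miscfiles_read_localization()` and `userdom_dontaudit_search_user_home_dirs()`, and the surrounding blank lines match the existing layout of the block.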