* [refpolicy] authlogin patch
From: Brandon Whalen @ 2009-05-22 17:40 UTC
  To: refpolicy

Allow unix_update to change the security attributes associated with files so
that it can properly create the shadow file. Also allow it to read from
urandom so that it can add salt to the password hash.

Index: policy/modules/system/authlogin.te
===================================================================
--- policy/modules/system/authlogin.te    (revision 2987)
+++ policy/modules/system/authlogin.te    (working copy)
@@ -57,6 +57,7 @@
 type updpwd_exec_t;
 domain_type(updpwd_t)
 domain_entry_file(updpwd_t,updpwd_exec_t)
+domain_obj_id_change_exemption(updpwd_t)
 role system_r types updpwd_t;
 
 type utempter_t;
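
Review bot: The added domain_obj_id_change_exemption(updpwd_t) line carries no comment saying why updpwd_t must be exempt from the constraint on changing the user identity of objects, and it sits among the type declarations where a later reader will not connect it to the shadow file creation named in the description. The macro takes only the domain as its argument, so the exemption is not limited to the shadow file. Please add a one-line comment above it naming the shadow file case, and consider quoting the denial that prompted it in the description.
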
@@ -307,6 +308,7 @@
 #
 
 allow updpwd_t self:process setfscreate;
+allow updpwd_t self:capability { chown dac_override };
 allow updpwd_t self:fifo_file rw_fifo_file_perms;
 allow updpwd_t self:unix_stream_socket create_stream_socket_perms;
 allow updpwd_t self:unix_dgram_socket create_socket_perms;
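
Review bot: The description does not account for dac_override in the added self:capability rule. chown fits creating the shadow file with the right ownership, but dac_override lets the process bypass file permission checks generally, and neither the description nor the hunk says which access was denied without it. Please name the file and access that required it, or keep only chown if dac_override was added speculatively.
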
@@ -318,6 +320,8 @@
 term_dontaudit_use_console(updpwd_t)
 term_dontaudit_use_unallocated_ttys(updpwd_t)
 
+dev_read_urand(updpwd_t)
+
 auth_manage_shadow(updpwd_t)
 auth_use_nsswitch(updpwd_t)
 
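
Review bot: dev_read_urand(updpwd_t) is placed as its own block after the term_ calls and before the auth_ calls. If this section keeps kernel-layer interface calls in alphabetical order by module, the dev_ call belongs above term_dontaudit_use_console(updpwd_t) rather than below it. The urandom read itself matches the salt use given in the description.
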


* [refpolicy] authlogin patch
From: Christopher J. PeBenito @ 2009-06-18 13:37 UTC
  To: refpolicy

On Fri, 2009-05-22 at 13:40 -0400, Brandon Whalen wrote:
> Allow unix_update to change the security attributes associated with files so
> that it can properly create the shadow file. Also allow it to read from
> urandom so that it can add salt to the password hash.

Merged.

> Index: policy/modules/system/authlogin.te
> ===================================================================
> --- policy/modules/system/authlogin.te    (revision 2987)
> +++ policy/modules/system/authlogin.te    (working copy)
> @@ -57,6 +57,7 @@
>  type updpwd_exec_t;
>  domain_type(updpwd_t)
>  domain_entry_file(updpwd_t,updpwd_exec_t)
> +domain_obj_id_change_exemption(updpwd_t)
>  role system_r types updpwd_t;
>  
>  type utempter_t;
> @@ -307,6 +308,7 @@
>  #
>  
>  allow updpwd_t self:process setfscreate;
> +allow updpwd_t self:capability { chown dac_override };
>  allow updpwd_t self:fifo_file rw_fifo_file_perms;
>  allow updpwd_t self:unix_stream_socket create_stream_socket_perms;
>  allow updpwd_t self:unix_dgram_socket create_socket_perms;
> @@ -318,6 +320,8 @@
>  term_dontaudit_use_console(updpwd_t)
>  term_dontaudit_use_unallocated_ttys(updpwd_t)
>  
> +dev_read_urand(updpwd_t)
> +
>  auth_manage_shadow(updpwd_t)
>  auth_use_nsswitch(updpwd_t)
>  
> 
-- 
Chris PeBenito
Tresys Technology, LLC
(410) 290-1411 x150
