1 |
commit: ba216ef241d5520f914fbe8a0ba06a966eea5709 |
2 |
Author: Dominick Grift <dominick.grift <AT> gmail <DOT> com> |
3 |
AuthorDate: Sat Nov 9 09:44:54 2013 +0000 |
4 |
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org> |
5 |
CommitDate: Fri Dec 6 17:31:12 2013 +0000 |
6 |
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=ba216ef2 |
7 |
|
8 |
usermanage: Run /etc/cron\.daily/cracklib-runtime in the crack_t domain in Debian |
9 |
|
10 |
Signed-off-by: Dominick Grift <dominick.grift <AT> gmail.com> |
11 |
|
12 |
--- |
13 |
policy/modules/admin/usermanage.fc | 4 ++++ |
14 |
policy/modules/admin/usermanage.te | 3 +++ |
15 |
2 files changed, 7 insertions(+) |
16 |
|
17 |
diff --git a/policy/modules/admin/usermanage.fc b/policy/modules/admin/usermanage.fc |
18 |
index f82f0ce..4b7737e 100644 |
19 |
--- a/policy/modules/admin/usermanage.fc |
20 |
+++ b/policy/modules/admin/usermanage.fc |
21 |
@@ -2,6 +2,10 @@ ifdef(`distro_gentoo',` |
22 |
/bin/passwd -- gen_context(system_u:object_r:passwd_exec_t,s0) |
23 |
') |
24 |
|
25 |
+ifdef(`distro_debian',` |
26 |
+/etc/cron\.daily/cracklib-runtime -- gen_context(system_u:object_r:crack_exec_t,s0) |
27 |
+') |
28 |
+ |
29 |
/usr/bin/chage -- gen_context(system_u:object_r:passwd_exec_t,s0) |
30 |
/usr/bin/chfn -- gen_context(system_u:object_r:chfn_exec_t,s0) |
31 |
/usr/bin/chsh -- gen_context(system_u:object_r:chfn_exec_t,s0) |
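Review bot: The new `/etc/cron\.daily/cracklib-runtime` entry only assigns the `crack_exec_t` label; neither this hunk nor the visible lines of the usermanage.te hunk show the rule that makes the cron job domain transition into crack_t when it executes the script. That rule presumably sits in the `optional_policy(` block that opens on the last line of the .te hunk, but it is outside the diff and should be confirmed; without it the script would keep running in the cron domain and the intended confinement would not apply. Already-installed systems also need the file relabelled before the new context takes effect. A one-line comment above the entry, such as `# daily maintenance script shipped by cracklib-runtime`, would explain why a cron script carries this type.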
32 |
|
33 |
diff --git a/policy/modules/admin/usermanage.te b/policy/modules/admin/usermanage.te |
34 |
index 1d732f1..471d4a7 100644 |
35 |
--- a/policy/modules/admin/usermanage.te |
36 |
+++ b/policy/modules/admin/usermanage.te |
37 |
@@ -171,10 +171,13 @@ logging_send_syslog_msg(crack_t) |
38 |
userdom_dontaudit_search_user_home_dirs(crack_t) |
39 |
|
40 |
ifdef(`distro_debian',` |
41 |
+ allow crack_t self:process getsched; |
42 |
# the package cracklib-runtime on Debian contains a daily maintenance |
43 |
# script /etc/cron.daily/cracklib-runtime, that calls |
44 |
# update-cracklib and that calls crack_mkdict, which is a shell script. |
45 |
corecmd_exec_shell(crack_t) |
46 |
+ dev_search_sysfs(crack_t) |
47 |
+ miscfiles_read_localization(crack_t) |
48 |
') |
49 |
|
50 |
optional_policy(` |
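Review bot: The three rules added inside the `distro_debian` block carry no explanation, and `allow crack_t self:process getsched;` is inserted above the existing comment, which now reads as if it described the allow rule rather than `corecmd_exec_shell(crack_t)`. Each rule widens what crack_t may do, so a comment directly above the new lines should record which step of the cron script needs them, for example `# required by the tools crack_mkdict runs (AVC denials on Debian)`. The actual cause is not visible here and that wording should be checked against the audit log. If the sysfs search turns out to be a harmless probe, a dontaudit rule would keep the domain tighter than `dev_search_sysfs(crack_t)`. The `optional_policy(` block that follows continues outside the hunk.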