author: Sven Vermeulen <sven.vermeulen@siphos.be> 2014-12-31 17:09:55 +0100
committer: Sven Vermeulen <sven.vermeulen@siphos.be> 2015-01-02 18:18:08 +0100
commit: 476ebba0a98c5dddd8e22ce418e9e42017909dff (patch)
tree: 80efbede297643d026ea33ba8ea9a3a71117d654
parent: Locate authdaemon socket and communicate with authdaemon (diff)
Allow authdaemon to access selinux fs to check SELinux state
When attempting to authenticate, the PAM module checks if SELinux is enabled (pam_unix, in order to verify if the chkpwd helper utility needs to be called). If it fails to check the SELinux state, then authdaemon will try to access shadow directly (again, through pam_unix). This only occurs when a user tries to log on as root (on the IMAP server), as non-root users automatically have chkpwd executed.

Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
 policy/modules/contrib/courier.te | 2 ++
 1 file changed, 2 insertions(+), 0 deletions(-)
diff --git a/policy/modules/contrib/courier.te b/policy/modules/contrib/courier.te
index e2b0c0d5f..bcfb4b2ce 100644
--- a/policy/modules/contrib/courier.te
+++ b/policy/modules/contrib/courier.te
@@ -114,6 +114,8 @@ libs_read_lib_files(courier_authdaemon_t)
miscfiles_read_localization(courier_authdaemon_t)
+selinux_getattr_fs(courier_authdaemon_t)
+
userdom_dontaudit_search_user_home_dirs(courier_authdaemon_t)
########################################
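Review bot: the new selinux_getattr_fs(courier_authdaemon_t) line is the minimal grant for the stated need (pam_unix only has to detect whether SELinux is enabled, which is a getattr on selinuxfs, not a read of its enforce/policy files), but the reason is recorded only in the commit message, while the commit message also describes a second effect: when the check fails, authdaemon falls back to touching shadow directly instead of running the chkpwd helper. Consider a short comment above the added line in courier.te stating that this allows the is-SELinux-enabled check for root logins so pam_unix takes the chkpwd path, and note in the message whether the fallback shadow access was itself producing denials and whether those should remain audited rather than being silenced by a later dontaudit.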