commit: 476ebba0a98c5dddd8e22ce418e9e42017909dff
Author: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Wed Dec 31 16:09:55 2014 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Fri Jan 2 17:18:08 2015 +0000
URL: http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=476ebba0
Allow authdaemon to access selinux fs to check SELinux state When attempting to authenticate, the PAM module checks if SELinux is enabled (pam_unix, in order to verify if the chkpwd helper utility needs to be called). If it fails to check the SELinux state, then authdaemon will try to access shadow directly (again, through pam_unix). This only occurs when a user tries to log on as root (on IMAP server) as non-root users automatically have chkpwd executed. Signed-off-by: Sven Vermeulen <sven.vermeulen <AT> siphos.be> --- policy/modules/contrib/courier.te | 2 ++ 1 file changed, 2 insertions(+) diff --git a/policy/modules/contrib/courier.te b/policy/modules/contrib/courier.te index e2b0c0d..bcfb4b2 100644 --- a/policy/modules/contrib/courier.te +++ b/policy/modules/contrib/courier.te @@ -114,6 +114,8 @@ libs_read_lib_files(courier_authdaemon_t) miscfiles_read_localization(courier_authdaemon_t) +selinux_getattr_fs(courier_authdaemon_t) + userdom_dontaudit_search_user_home_dirs(courier_authdaemon_t) ########################################
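Review bot: the new `selinux_getattr_fs(courier_authdaemon_t)` line lands in courier.te without a comment saying why an authentication daemon needs to stat selinuxfs; the reasoning is only in the commit message (pam_unix checks whether SELinux is enabled to decide whether to call the chkpwd helper, and when that check fails authdaemon falls back to reading shadow directly for root logins), so a future reader of the policy will not know why the rule exists. Suggest a one-line comment above the call, e.g. `# pam_unix checks the SELinux state to decide whether to run chkpwd`. It is also worth confirming that a getattr on the filesystem is the only access the state check performs and that no further denial (such as a search on the selinuxfs directory) appears in the audit log, since otherwise the shadow fallback described in the message will still be taken. Finally, the diffstat shows only these two insertions, so no version bump in `policy_module()` is included; add one if the project's convention requires it for policy changes.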