commit: ef453666f30146da245ea98fe97f4548b1fb5166
Author: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Sun Nov 2 15:08:33 2014 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Sun Nov 2 15:08:33 2014 +0000
URL:
http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=ef453666
Add auth_read_shadow for run_init_t to support pam-less openrc
---
policy/modules/system/selinuxutil.te | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/policy/modules/system/selinuxutil.te
b/policy/modules/system/selinuxutil.te
index 0ad0479..1ba9d3c 100644
--- a/policy/modules/system/selinuxutil.te
+++ b/policy/modules/system/selinuxutil.te
@@ -655,6 +655,10 @@ ifdef(`distro_gentoo',`
allow run_init_t self:process signal;
allow run_init_t self:netlink_selinux_socket { create bind };
+ # Needed to support openrc with USE="-pam"
+ # TODO can we make this optional? is this a bad thing?
+ auth_read_shadow(run_init_t)
+
# Denials upon loading policy
fs_getattr_tmpfs(setfiles_t)
dev_getattr_fs(setfiles_t)
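Review bot: `auth_read_shadow(run_init_t)` is granted on every Gentoo build, so run_init_t can read the shadow password hashes even on PAM-enabled systems, where the comment implies the access is not needed; the TODO raises this but the hunk leaves it open. Because refpolicy ties shadow access to the `can_read_shadow_passwords` attribute, and attributes cannot be assigned inside a conditional, one way to make it optional is to keep `auth_can_read_shadow_passwords(run_init_t)` unconditional and move `auth_tunable_read_shadow(run_init_t)` into a `tunable_policy` block guarded by a default-off boolean (name to be chosen). If the grant has to stay unconditional, replace the TODO with a comment that records the exposure, e.g. `# run_init_t can read shadow_t on all Gentoo builds; only required when openrc is built with USE="-pam"`. The enclosing distro_gentoo ifdef starts and ends outside this hunk.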