From mboxrd@z Thu Jan 1 00:00:00 1970
Return-Path: 
Received: from lists.gentoo.org (pigeon.gentoo.org [208.92.234.80]) by finch.gentoo.org (Postfix) with ESMTP id 9A75F138A1A for ; Fri, 2 Jan 2015 17:22:36 +0000 (UTC)
Received: from pigeon.gentoo.org (localhost [127.0.0.1]) by pigeon.gentoo.org (Postfix) with SMTP id 42FC2E077B; Fri, 2 Jan 2015 17:22:34 +0000 (UTC)
Received: from smtp.gentoo.org (smtp.gentoo.org [140.211.166.183]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by pigeon.gentoo.org (Postfix) with ESMTPS id 968BBE077F for ; Fri, 2 Jan 2015 17:22:33 +0000 (UTC)
Received: from oystercatcher.gentoo.org (oystercatcher.gentoo.org [148.251.78.52]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by smtp.gentoo.org (Postfix) with ESMTPS id 7F9AC3406E7 for ; Fri, 2 Jan 2015 17:22:32 +0000 (UTC)
Received: from localhost.localdomain (localhost [127.0.0.1]) by oystercatcher.gentoo.org (Postfix) with ESMTP id 26A74EBAD for ; Fri, 2 Jan 2015 17:22:31 +0000 (UTC)
From: "Sven Vermeulen" 
To: gentoo-commits@lists.gentoo.org
Content-Transfer-Encoding: 8bit
Content-type: text/plain; charset=UTF-8
Reply-To: gentoo-dev@lists.gentoo.org, "Sven Vermeulen" 
Message-ID: <1420219088.476ebba0a98c5dddd8e22ce418e9e42017909dff.swift@gentoo>
Subject: [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
X-VCS-Repository: proj/hardened-refpolicy
X-VCS-Files: policy/modules/contrib/courier.te
X-VCS-Directories: policy/modules/contrib/
X-VCS-Committer: swift
X-VCS-Committer-Name: Sven Vermeulen
X-VCS-Revision: 476ebba0a98c5dddd8e22ce418e9e42017909dff
X-VCS-Branch: master
Date: Fri, 2 Jan 2015 17:22:31 +0000 (UTC)
Precedence: bulk
List-Post: 
List-Help: 
List-Unsubscribe: 
List-Subscribe: 
List-Id: Gentoo Linux mail 
X-BeenThere: gentoo-commits@lists.gentoo.org
X-Archives-Salt: 2e2e5ba8-c720-4a76-921e-c48b51bb5956
X-Archives-Hash: 87532e0938f80f273f3055862c5331d4

commit:     476ebba0a98c5dddd8e22ce418e9e42017909dff
Author:     Sven Vermeulen siphos be>
AuthorDate: Wed Dec 31 16:09:55 2014 +0000
Commit:     Sven Vermeulen gentoo org>
CommitDate: Fri Jan  2 17:18:08 2015 +0000
URL:        http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=476ebba0

Allow authdaemon to access selinux fs to check SELinux state

When attempting to authenticate, the PAM module checks if SELinux is enabled (pam_unix, in order to verify if the chkpwd helper utility needs to be called). If it fails to check the SELinux state, then authdaemon will try to access shadow directly (again, through pam_unix).

This only occurs when a user tries to log on as root (on IMAP server) as non-root users automatically have chkpwd executed.

Signed-off-by: Sven Vermeulen siphos.be>
---
 policy/modules/contrib/courier.te | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/policy/modules/contrib/courier.te b/policy/modules/contrib/courier.te
index e2b0c0d..bcfb4b2 100644
--- a/policy/modules/contrib/courier.te
+++ b/policy/modules/contrib/courier.te
@@ -114,6 +114,8 @@ libs_read_lib_files(courier_authdaemon_t) miscfiles_read_localization(courier_authdaemon_t) +selinux_getattr_fs(courier_authdaemon_t) + userdom_dontaudit_search_user_home_dirs(courier_authdaemon_t) ########################################
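Review bot: The new selinux_getattr_fs(courier_authdaemon_t) line carries no comment, yet the reason for it (the pam_unix "is SELinux enabled" check that decides whether unix_chkpwd is invoked, and the fallback to reading shadow directly when that check fails) lives only in the commit message; since refpolicy .te files are read far more often than their git history, a one-line comment above the rule such as "# pam_unix checks selinuxfs to decide whether to call unix_chkpwd" would keep the intent with the policy. Also worth stating in the message or comment is that the filesystem getattr is the only access granted here: the hunk deliberately does not give courier_authdaemon_t any shadow read permission, so the direct-shadow fallback the message describes remains denied and the helper path is the only one that works, which is the desired least-privilege outcome. Placement between miscfiles_read_localization and userdom_dontaudit_search_user_home_dirs follows the module's alphabetical ordering of interface calls, so no change needed there.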