[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/admin/

["Sven Vermeulen" <sven.vermeulen@siphos.be>]

commit:     cae882486fe3e6e942c63c1d3781634076020e1a
Author:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Sun Apr 22 12:39:51 2012 +0000
Commit:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
CommitDate: Sun Apr 22 12:39:51 2012 +0000
URL:        http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=cae88248

Allow shadow utils to read selinux context information

Recent shadow utilities, like groupadd and passwd, are now linked with libselinux and require additional privileges for
accessing the context information provided by SELinux.

This fixes bugs #413065 and #413061

---
 policy/modules/admin/usermanage.te |    4 +++-
 1 files changed, 3 insertions(+), 1 deletions(-)

diff --git a/policy/modules/admin/usermanage.te b/policy/modules/admin/usermanage.te
index 7cac66f..07a99a6 100644
--- a/policy/modules/admin/usermanage.te
+++ b/policy/modules/admin/usermanage.te
@@ -241,6 +241,7 @@ auth_relabel_shadow(groupadd_t)
 auth_etc_filetrans_shadow(groupadd_t)
 
 seutil_read_config(groupadd_t)
+seutil_read_file_contexts(groupadd_t)
 
 userdom_use_unpriv_users_fds(groupadd_t)
 # for when /root is the cwd
@@ -336,7 +337,8 @@ logging_send_syslog_msg(passwd_t)
 
 miscfiles_read_localization(passwd_t)
 
-seutil_dontaudit_search_config(passwd_t)
+seutil_read_config(groupadd_t)
+seutil_read_file_contexts(groupadd_t)
 
 userdom_use_user_terminals(passwd_t)
 userdom_use_unpriv_users_fds(passwd_t)