From c7dc1c72227c759716bae80ae89c8692ab7af61d Mon Sep 17 00:00:00 2001
From: Chris PeBenito
Date: Jun 18 2009 13:57:26 +0000
Subject: trunk: Allow unix_update to change the security attributes associate with files so that it can properly create the shadow file. Also allow it to read from urandom so that it can add salt to the password hash.
---
diff --git a/Changelog b/Changelog
index 440eb51..2e91113 100644
--- a/Changelog
+++ b/Changelog
@@ -1,3 +1,4 @@
+- Crack db access for su to handle password expiration, from Brandon Whalen.
 - Misc fixes for unix_update from Brandon Whalen.
 - Add x_device permissions for XI2 functions, from Eamon Walsh.
 - MLS constraints for the x_selection class, from Eamon Walsh.
diff --git a/policy/modules/admin/su.if b/policy/modules/admin/su.if
index 4be14a3..6c82b49 100644
--- a/policy/modules/admin/su.if
+++ b/policy/modules/admin/su.if
@@ -126,6 +126,11 @@ template(`su_restricted_domain_template', `
 kerberos_use($1_su_t)
 ')
+ optional_policy(`
+ # used when the password has expired
+ usermanage_read_crack_db($1_su_t)
+ ')
+
 ifdef(`TODO',`
 # Caused by su - init scripts
 dontaudit $1_su_t initrc_devpts_t:chr_file { getattr ioctl };
@@ -292,6 +297,11 @@ template(`su_role_template',`
 kerberos_use($1_su_t)
 ')
+ optional_policy(`
+ # used when the password has expired
+ usermanage_read_crack_db($1_su_t)
+ ')
+
 # Modify .Xauthority file (via xauth program).
 optional_policy(`
 xserver_user_home_dir_filetrans_user_xauth($1_su_t)
diff --git a/policy/modules/admin/su.te b/policy/modules/admin/su.te
index ab532d3..97c4c33 100644
--- a/policy/modules/admin/su.te
+++ b/policy/modules/admin/su.te
@@ -1,5 +1,5 @@
-policy_module(su, 1.9.1)
+policy_module(su, 1.9.2)
 ########################################
 #
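Review bot: The comment `# used when the password has expired` on the new `optional_policy` block in policy/modules/admin/su.if (hunk `@@ -126,6 +126,11 @@`, `su_restricted_domain_template`) does not say which step reads the crack db, so a later least-privilege audit cannot tell whether the grant to `$1_su_t` is still needed. The commit subject mentions only unix_update, so as far as this page shows, this comment and the Changelog line are the only record of why the access exists. I would spell out the path, for example `# su runs the PAM password change for an expired password;` followed by `# the password-quality check then reads the crack db`; confirm this against the PAM configuration, which the diff does not show. The same block and comment are repeated in `su_role_template` (hunk `@@ -292,6 +297,11 @@`) and should get the same wording; both template bodies start and end outside their hunks.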