diff --git a/policy/modules/system/authlogin.te b/policy/modules/system/authlogin.te index 56a7b51..e1d1da5 100644 --- a/policy/modules/system/authlogin.te +++ b/policy/modules/system/authlogin.te @@ -53,9 +53,6 @@ neverallow ~can_read_shadow_passwords shadow_t:file read; neverallow ~can_write_shadow_passwords shadow_t:file { create write }; neverallow ~can_relabelto_shadow_passwords shadow_t:file relabelto; -authlogin_common_auth_domain_template(system) -role system_r types system_chkpwd_t; - type utempter_t; domain_type(utempter_t) @@ -72,6 +69,10 @@ files_type(var_auth_t) type wtmp_t; logging_log_file(wtmp_t) +# reorder to work around require-then-decare bug +authlogin_common_auth_domain_template(system) +role system_r types system_chkpwd_t; + ######################################## # # PAM local policy