diff --git a/Changelog b/Changelog
index 440eb51..2e91113 100644
--- a/Changelog
+++ b/Changelog
@@ -1,3 +1,4 @@
+- Crack db access for su to handle password expiration, from Brandon Whalen.
 - Misc fixes for unix_update from Brandon Whalen.
 - Add x_device permissions for XI2 functions, from Eamon Walsh.
 - MLS constraints for the x_selection class, from Eamon Walsh.
diff --git a/policy/modules/admin/su.if b/policy/modules/admin/su.if
index 4be14a3..6c82b49 100644
--- a/policy/modules/admin/su.if
+++ b/policy/modules/admin/su.if
@@ -126,6 +126,11 @@ template(`su_restricted_domain_template', `
 kerberos_use($1_su_t)
 ')
+ optional_policy(`
+ # used when the password has expired
+ usermanage_read_crack_db($1_su_t)
+ ')
+
 ifdef(`TODO',`
 # Caused by su - init scripts
 dontaudit $1_su_t initrc_devpts_t:chr_file { getattr ioctl };
@@ -292,6 +297,11 @@ template(`su_role_template',`
 kerberos_use($1_su_t)
 ')
+ optional_policy(`
+ # used when the password has expired
+ usermanage_read_crack_db($1_su_t)
+ ')
+
 # Modify .Xauthority file (via xauth program).
 optional_policy(`
 xserver_user_home_dir_filetrans_user_xauth($1_su_t)
diff --git a/policy/modules/admin/su.te b/policy/modules/admin/su.te
index ab532d3..97c4c33 100644
--- a/policy/modules/admin/su.te
+++ b/policy/modules/admin/su.te
@@ -1,5 +1,5 @@
-policy_module(su, 1.9.1)
+policy_module(su, 1.9.2)
 ########################################
 #
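Review bot: The comment `# used when the password has expired` in the new optional_policy block of su_restricted_domain_template does not say which component reads the crack db, so a later least-privilege review cannot tell whether the grant is still needed. Presumably the PAM password-change step that runs inside the su domain on an expired password performs the dictionary check; if so, a comment such as `# PAM password-quality check reads the crack db when an expired password must be changed during su` would record that. The same block and comment are added to su_role_template in the second su.if hunk. Both templates begin and end outside the hunks, so whether $1_su_t also holds the other permissions a forced password change needs cannot be confirmed from here.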