[refpolicy] chsh (chfn_t) to access /etc/.pwd.lock (shadow_t) ?

Sven Vermeulen sven.vermeulen at siphos.be
Wed Mar 28 11:52:45 CDT 2012


On Tue, Mar 27, 2012 at 04:31:31PM -0400, Daniel J Walsh wrote:
> Being able to write to etc_t is basically the same as being able to write to shadow_t, if /etc/passwd is labeled as etc_t.

How's that? The passwd file is labeled as etc_t, shadow is labeled as
shadow_t. And apparently, .pwd.lock is labeled as shadow_t as well
currently.

I'm pretty sure domains with write privileges to etc_t cannot write to
shadow_t...

Wkr,
	Sven Vermeulen

