[refpolicy] chsh (chfn_t) to access /etc/.pwd.lock (shadow_t) ?

Sven Vermeulen sven.vermeulen at siphos.be
Wed Mar 28 11:52:45 CDT 2012

On Tue, Mar 27, 2012 at 04:31:31PM -0400, Daniel J Walsh wrote:
> Being able to write to etc_t is basically the same as being able to write to shadow_t, if /etc/passwd is labeled as etc_t.

How's that? The passwd file is labeled as etc_t, shadow is labeled as
shadow_t. And apparently, .pwd.lock is labeled as shadow_t as well

I'm pretty sure domains with write privileges to etc_t cannot write to

	Sven Vermeulen
