1 files changed, 34 insertions, 0 deletions
diff --git a/recipes-security/refpolicy/refpolicy/0044-policy-modules-system-authlogin-allow-chkpwd_t-to-ma.patch b/recipes-security/refpolicy/refpolicy/0044-policy-modules-system-authlogin-allow-chkpwd_t-to-ma.patch
new file mode 100644
index 0000000..f929df2
--- /dev/null
+++ b/recipes-security/refpolicy/refpolicy/0044-policy-modules-system-authlogin-allow-chkpwd_t-to-ma.patch
@@ -0,0 +1,34 @@
+From 0e3199f243a47853452a877ebad5360bc8c1f2f1 Mon Sep 17 00:00:00 2001
+From: Yi Zhao <yi.zhao@windriver.com>
+Date: Thu, 21 Nov 2019 13:58:28 +0800
+Subject: [PATCH] policy/modules/system/authlogin: allow chkpwd_t to map
+ shadow_t
+Fixes:
+avc:  denied  { map } for  pid=244 comm="unix_chkpwd" path="/etc/shadow"
+dev="vda" ino=443 scontext=system_u:system_r:chkpwd_t
+tcontext=system_u:object_r:shadow_t tclass=file permissive=0
+Upstream-Status: Inappropriate [embedded specific]
+Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
+---
+ policy/modules/system/authlogin.te | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+diff --git a/policy/modules/system/authlogin.te b/policy/modules/system/authlogin.te
+index 0fc5951e9..e999fa798 100644
+--- a/policy/modules/system/authlogin.te
+++ b/policy/modules/system/authlogin.te
+@@ -100,7 +100,7 @@ allow chkpwd_t self:capability { dac_override setuid };
+ dontaudit chkpwd_t self:capability sys_tty_config;
+ allow chkpwd_t self:process { getattr signal };
+ 
+-allow chkpwd_t shadow_t:file read_file_perms;
+allow chkpwd_t shadow_t:file { read_file_perms map };
+ files_list_etc(chkpwd_t)
+ 
+ kernel_read_crypto_sysctls(chkpwd_t)
+-- 
+2.17.1

diff --git a/recipes-security/refpolicy/refpolicy/0044-policy-modules-system-authlogin-allow-chkpwd_t-to-ma.patch b/recipes-security/refpolicy/refpolicy/0044-policy-modules-system-authlogin-allow-chkpwd_t-to-ma.patch new file mode 100644 index 0000000..f929df2 --- /dev/null +++ b/recipes-security/refpolicy/refpolicy/0044-policy-modules-system-authlogin-allow-chkpwd_t-to-ma.patch
@@ -0,0 +1,34 @@
	1	From 0e3199f243a47853452a877ebad5360bc8c1f2f1 Mon Sep 17 00:00:00 2001
	2	From: Yi Zhao <yi.zhao@windriver.com>
	3	Date: Thu, 21 Nov 2019 13:58:28 +0800
	4	Subject: [PATCH] policy/modules/system/authlogin: allow chkpwd_t to map
	5	shadow_t
	6
	7	Fixes:
	8	avc: denied { map } for pid=244 comm="unix_chkpwd" path="/etc/shadow"
	9	dev="vda" ino=443 scontext=system_u:system_r:chkpwd_t
	10	tcontext=system_u:object_r:shadow_t tclass=file permissive=0
	11
	12	Upstream-Status: Inappropriate [embedded specific]
	13
	14	Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
	15	---
	16	policy/modules/system/authlogin.te \| 2 +-
	17	1 file changed, 1 insertion(+), 1 deletion(-)
	18
	19	diff --git a/policy/modules/system/authlogin.te b/policy/modules/system/authlogin.te
	20	index 0fc5951e9..e999fa798 100644
	21	--- a/policy/modules/system/authlogin.te
	22	+++ b/policy/modules/system/authlogin.te
	23	@@ -100,7 +100,7 @@ allow chkpwd_t self:capability { dac_override setuid };
	24	dontaudit chkpwd_t self:capability sys_tty_config;
	25	allow chkpwd_t self:process { getattr signal };
	26
	27	-allow chkpwd_t shadow_t:file read_file_perms;
	28	+allow chkpwd_t shadow_t:file { read_file_perms map };
	29	files_list_etc(chkpwd_t)
	30
	31	kernel_read_crypto_sysctls(chkpwd_t)
	32	--
	33	2.17.1
	34