From 8bf6f58e760b42e12e61878bf99575ddbd2a6315 Mon Sep 17 00:00:00 2001 From: Chris PeBenito Date: Wed, 3 May 2006 20:29:14 +0000 Subject: [PATCH] split type transition from auth_manage_shadow --- refpolicy/policy/modules/admin/usermanage.te | 6 +++++- refpolicy/policy/modules/services/nis.te | 3 ++- refpolicy/policy/modules/system/authlogin.if | 20 ++++++++++++++++++-- refpolicy/policy/modules/system/authlogin.te | 2 +- 4 files changed, 26 insertions(+), 5 deletions(-) diff --git a/refpolicy/policy/modules/admin/usermanage.te b/refpolicy/policy/modules/admin/usermanage.te index 27425091..8c3897a4 100644 --- a/refpolicy/policy/modules/admin/usermanage.te +++ b/refpolicy/policy/modules/admin/usermanage.te @@ -1,5 +1,5 @@ -policy_module(usermanage,1.3.4) +policy_module(usermanage,1.3.5) ######################################## # @@ -240,6 +240,7 @@ miscfiles_read_localization(groupadd_t) auth_manage_shadow(groupadd_t) auth_relabel_shadow(groupadd_t) +auth_etc_filetrans_shadow(groupadd_t) auth_rw_lastlog(groupadd_t) auth_use_nsswitch(groupadd_t) @@ -314,6 +315,7 @@ term_use_all_user_ptys(passwd_t) auth_manage_shadow(passwd_t) auth_relabel_shadow(passwd_t) +auth_etc_filetrans_shadow(passwd_t) # allow checking if a shell is executable corecmd_check_exec_shell(passwd_t) @@ -403,6 +405,7 @@ term_use_all_user_ptys(sysadm_passwd_t) auth_manage_shadow(sysadm_passwd_t) auth_relabel_shadow(sysadm_passwd_t) +auth_etc_filetrans_shadow(sysadm_passwd_t) # allow checking if a shell is executable corecmd_check_exec_shell(sysadm_passwd_t) @@ -480,6 +483,7 @@ term_use_all_user_ptys(useradd_t) auth_manage_shadow(useradd_t) auth_relabel_shadow(useradd_t) +auth_etc_filetrans_shadow(useradd_t) auth_rw_lastlog(useradd_t) auth_use_nsswitch(useradd_t) diff --git a/refpolicy/policy/modules/services/nis.te b/refpolicy/policy/modules/services/nis.te index 137b5f11..98cbbc79 100644 --- a/refpolicy/policy/modules/services/nis.te +++ b/refpolicy/policy/modules/services/nis.te 
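Review bot: The added `auth_etc_filetrans_shadow(groupadd_t)` call, and the same addition for passwd_t, sysadm_passwd_t and useradd_t in the later hunks of this file and for yppasswdd_t in nis.te, is not scoped to the shadow file. The interface in authlogin.if passes only the object class `file`, so presumably every regular file these domains create in an etc_t directory is labelled shadow_t. That is the behaviour auth_manage_shadow carried before the split, but now that the transition is an explicit line it should be documented at each call site, for example `# every regular file this domain creates in /etc is labelled shadow_t`. Whether the tools that also rewrite non-shadow files in /etc depend on a later relabel cannot be seen from these hunks, whose surrounding domain rules lie outside the visible context, so that is worth confirming.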
@@ -1,5 +1,5 @@ -policy_module(nis,1.1.1) +policy_module(nis,1.1.2) ######################################## # @@ -193,6 +193,7 @@ term_dontaudit_use_console(yppasswdd_t) auth_manage_shadow(yppasswdd_t) auth_relabel_shadow(yppasswdd_t) +auth_etc_filetrans_shadow(yppasswdd_t) corecmd_exec_bin(yppasswdd_t) corecmd_exec_shell(yppasswdd_t) diff --git a/refpolicy/policy/modules/system/authlogin.if b/refpolicy/policy/modules/system/authlogin.if index dddd3668..4c4e40be 100644 --- a/refpolicy/policy/modules/system/authlogin.if +++ b/refpolicy/policy/modules/system/authlogin.if @@ -413,11 +413,27 @@ interface(`auth_manage_shadow',` ') allow $1 shadow_t:file create_file_perms; - files_etc_filetrans($1,shadow_t,file) - typeattribute $1 can_read_shadow_passwords, can_write_shadow_passwords; ') +####################################### +## +## Automatic transition to shadow from etc. +## +## +## +## Domain allowed access. +## +## +# +interface(`auth_etc_filetrans_shadow',` + gen_require(` + type shadow_t; + ') + + files_etc_filetrans($1,shadow_t,file) +') + ####################################### ## ## Relabel to the shadow diff --git a/refpolicy/policy/modules/system/authlogin.te b/refpolicy/policy/modules/system/authlogin.te index ee058836..5bcf97f7 100644 --- a/refpolicy/policy/modules/system/authlogin.te +++ b/refpolicy/policy/modules/system/authlogin.te @@ -1,5 +1,5 @@ -policy_module(authlogin,1.3.3) +policy_module(authlogin,1.3.4) ######################################## #
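Review bot: Removing `files_etc_filetrans($1,shadow_t,file)` from auth_manage_shadow in the authlogin.if hunk changes the contract of an existing interface without saying so in its documentation. A caller not updated in this commit keeps create permission on shadow_t but loses the labelling rule, so a shadow file it recreates in /etc would presumably either be denied or take the directory's default type, leaving password hashes under a less restrictive label. Only five domains are updated here and callers in other modules are not visible, so all remaining users of auth_manage_shadow should be audited. The interface's doc block should also gain a line such as `## Does not label newly created files; pair with auth_etc_filetrans_shadow.`. The body of auth_manage_shadow begins before this hunk.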