From c7dc1c72227c759716bae80ae89c8692ab7af61d Mon Sep 17 00:00:00 2001
From: Chris PeBenito
Date: Thu, 18 Jun 2009 13:57:26 +0000
Subject: [PATCH] trunk: Allow unix_update to change the security attributes associate with files so that it can properly create the shadow file. Also allow it to read from urandom so that it can add salt to the password hash.

---
 Changelog | 1 +
 policy/modules/admin/su.if | 10 ++++++++++
 policy/modules/admin/su.te | 2 +-
 3 files changed, 12 insertions(+), 1 deletion(-)

diff --git a/Changelog b/Changelog
index 440eb512..2e911137 100644
--- a/Changelog
+++ b/Changelog
@@ -1,3 +1,4 @@
+- Crack db access for su to handle password expiration, from Brandon Whalen.
 - Misc fixes for unix_update from Brandon Whalen.
 - Add x_device permissions for XI2 functions, from Eamon Walsh.
 - MLS constraints for the x_selection class, from Eamon Walsh.
diff --git a/policy/modules/admin/su.if b/policy/modules/admin/su.if
index 4be14a3c..6c82b49f 100644
--- a/policy/modules/admin/su.if
+++ b/policy/modules/admin/su.if
@@ -126,6 +126,11 @@ template(`su_restricted_domain_template', `
 kerberos_use($1_su_t)
 ')
 
+ optional_policy(`
+ # used when the password has expired
+ usermanage_read_crack_db($1_su_t)
+ ')
+
 ifdef(`TODO',`
 # Caused by su - init scripts
 dontaudit $1_su_t initrc_devpts_t:chr_file { getattr ioctl };
@@ -292,6 +297,11 @@ template(`su_role_template',`
 kerberos_use($1_su_t)
 ')
 
+ optional_policy(`
+ # used when the password has expired
+ usermanage_read_crack_db($1_su_t)
+ ')
+
 # Modify .Xauthority file (via xauth program).
 optional_policy(`
 xserver_user_home_dir_filetrans_user_xauth($1_su_t)
diff --git a/policy/modules/admin/su.te b/policy/modules/admin/su.te
index ab532d3f..97c4c339 100644
--- a/policy/modules/admin/su.te
+++ b/policy/modules/admin/su.te
@@ -1,5 +1,5 @@
-policy_module(su, 1.9.1)
+policy_module(su, 1.9.2)
 
 ########################################
 #
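Review bot: The comment on the new optional_policy block in su_restricted_domain_template, `# used when the password has expired`, says when the rule fires but not what in su needs the crack db; the Changelog entry suggests it is su's PAM stack (presumably pam_cracklib) checking a replacement password, so `# su's PAM stack (pam_cracklib) reads the crack dictionaries when it forces a new password on expiry` would tell a later reader why su itself, rather than a passwd helper, needs this. Confirm that usermanage_read_crack_db grants read access only: the name implies so, but its definition is outside this diff, and a domain able to modify the dictionaries could weaken the strength check for every user. Note also that the commit subject describes unix_update and urandom changes that do not appear in this diff; the Changelog line is what matches the hunk. su_restricted_domain_template continues outside the hunk.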
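Review bot: The same block is copied into su_role_template with the same terse comment, so both templates now carry identical copies; that is normal for refpolicy templates, but each copy should state the reason, e.g. `# su's PAM stack (pam_cracklib) needs the crack dictionaries when it forces a password change on expiry`. Placing the block between the kerberos and xserver optional_policy blocks keeps the module ordering consistent with the surrounding code. Reading the dictionaries is only half of an expired-password change: the shadow update still has to happen somewhere, presumably through an existing transition to a passwd or unix_update helper domain, and if $1_su_t is expected to write shadow_t itself the change would still be denied; this is worth confirming with a forced-expiry test and the audit log rather than assumed. su_role_template continues outside the hunk.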