From df28a0c44482c5654973504a3ce48f9912be4827 Mon Sep 17 00:00:00 2001 From: Chris PeBenito Date: Thu, 18 Jun 2009 13:36:40 +0000 Subject: [PATCH] trunk: Misc fixes for unix_update from Brandon Whalen. --- Changelog | 1 + policy/modules/system/authlogin.te | 6 +++++- 2 files changed, 6 insertions(+), 1 deletion(-) diff --git a/Changelog b/Changelog index 4413bd13..440eb512 100644 --- a/Changelog +++ b/Changelog @@ -1,3 +1,4 @@ +- Misc fixes for unix_update from Brandon Whalen. - Add x_device permissions for XI2 functions, from Eamon Walsh. - MLS constraints for the x_selection class, from Eamon Walsh. - Postgresql updates from KaiGai Kohei. diff --git a/policy/modules/system/authlogin.te b/policy/modules/system/authlogin.te index 2f710405..75423022 100644 --- a/policy/modules/system/authlogin.te +++ b/policy/modules/system/authlogin.te @@ -1,5 +1,5 @@ -policy_module(authlogin, 2.0.1) +policy_module(authlogin, 2.0.2) ######################################## # @@ -60,6 +60,7 @@ type updpwd_t; type updpwd_exec_t; domain_type(updpwd_t) domain_entry_file(updpwd_t,updpwd_exec_t) +domain_obj_id_change_exemption(updpwd_t) role system_r types updpwd_t; type utempter_t; @@ -309,6 +310,7 @@ optional_policy(` # updpwd local policy # +allow updpwd_t self:capability { chown dac_override }; allow updpwd_t self:process setfscreate; allow updpwd_t self:fifo_file rw_fifo_file_perms; allow updpwd_t self:unix_stream_socket create_stream_socket_perms; @@ -316,6 +318,8 @@ allow updpwd_t self:unix_dgram_socket create_socket_perms; kernel_read_system_state(updpwd_t) +dev_read_urand(updpwd_t) + files_manage_etc_files(updpwd_t) term_dontaudit_use_console(updpwd_t)
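Review bot: The added `domain_obj_id_change_exemption(updpwd_t)` in the type-declaration hunk (@@ -60,6 +60,7) has no comment explaining why updpwd_t needs it. The exemption is domain-wide: it lifts the SELinux-user identity constraint for every object updpwd_t is allowed to create or relabel, not only the password files. Presumably it lets the rewritten shadow file keep its original user identity when the helper runs under a non-system SELinux user, which would fit the existing `setfscreate` rule, but the patch does not show that. I would add a line above it such as `# unix_update recreates the shadow file and must preserve its SELinux user identity`, and confirm the exemption answers an observed constraint denial.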
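Review bot: `dac_override` in the added `allow updpwd_t self:capability { chown dac_override };` (@@ -309,6 +310,7) is a broad grant for this domain. Together with `files_manage_etc_files(updpwd_t)`, visible in the next hunk, it removes the DAC check from every etc_t file the domain can manage. If the denial being fixed is only on reading the existing shadow file, `dac_read_search` would be the narrower capability. If writing through restrictive modes really is required, record it next to the rule, e.g. `# shadow is not DAC-writable even by root; chown restores ownership on the rewritten file`. The updpwd local-policy block starts before and continues past this hunk, so rules outside the visible lines may already narrow the file access.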