On Wed, 2004-11-10 at 10:40, Tom London wrote:
> Suggest the following: > > --- SAVE/chkpwd_macros.te 2004-11-10 07:37:22.098409600 -0800 > +++ ./chkpwd_macros.te 2004-11-10 07:38:32.387484758 -0800 > @@ -67,6 +67,8 @@ > > # for nscd > dontaudit $1_chkpwd_t var_t:dir search; > +dontaudit $1_chkpwd_t var_run_t:dir search; > +dontaudit $1_chkpwd_t nscd_var_run_t:dir search; > > dontaudit $1_chkpwd_t fs_t:filesystem getattr; > ')

Hmmm...shouldn't $1_chkpwd_t be a nscd_client_domain? It seems legitimate for it to perform passwd lookups via nscd.

--
Stephen Smalley <sds@xxxxxxxxxxxxxx>
National Security Agency
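
Review bot: The two added dontaudit rules under "# for nscd" only silence the denied search on var_run_t and nscd_var_run_t directories; they do not grant it, so the access stays denied for $1_chkpwd_t and the denial no longer appears in the audit log. If passwd lookups through nscd are meant to work from this domain, allow the access instead of hiding it (the nscd_client_domain question in the reply points that way). If the access is meant to stay denied, extend the "# for nscd" comment to say the denial is intentional, so the rules are not later read as an oversight.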