Hi,

the package cracklib-runtime on Debian contains a daily maintenance script, /etc/cron.daily/cracklib-runtime, that calls update-cracklib, and that calls crack_mkdict, which is a shell script. :)

Running the daily cron job emits:

audit(1203412448.496:30): avc: denied { execute } for pid=1961 comm="crack_mkdict" name="bash" dev=sda1 ino=81922 scontext=system_u:system_r:crack_t:s0 tcontext=system_u:object_r:shell_exec_t:s0 tclass=file
audit(1203412448.496:31): avc: denied { read } for pid=1961 comm="crack_mkdict" name="bash" dev=sda1 ino=81922 scontext=system_u:system_r:crack_t:s0 tcontext=system_u:object_r:shell_exec_t:s0 tclass=file

A patch is attached that suppresses these two denials.

Thanks.

Regards
--
Zito

Index: policy/modules/admin/usermanage.te =================================================================== --- policy/modules/admin/usermanage.te (revision 2610) +++ policy/modules/admin/usermanage.te (working copy) @@ -153,6 +153,7 @@ files_read_usr_files(crack_t) corecmd_exec_bin(crack_t) +corecmd_exec_shell(crack_t) libs_use_ld_so(crack_t) libs_use_shared_libs(crack_t)
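
Review bot: the added corecmd_exec_shell(crack_t) line in the hunk at line 153 of usermanage.te carries no comment, so the reason crack_t needs to execute a shell exists only in the mail text. A one-line comment above it, saying that crack_mkdict is a shell script run via update-cracklib from the Debian cron.daily job, would keep that rationale with the rule. The quoted log shows only the execute and read denials on shell_exec_t, which are the first accesses the script attempts; it is worth rerunning the cron job with the patch applied and confirming that the commands the script goes on to invoke produce no further crack_t denials before this is committed.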