> xdm_t uses /sbin/unix_chkpwd to read the shadow file. > The pam stack will execute this program if it can not > read shadow directly. In Fedora and RHEL products we > now attempt to execute /sbin/unix_chkpwd first and then > fail over to trying to read the shadow file. I discovered this situation when I took some modules generated by audit2allow and added them as a layer inside the reference policy source tarball. The rpmbuild -bb <specfile> command reported a conflict between an allow rule (allow xdm_t shadow_t...) and a neverallow rule (a good thing!) What seems odd to me is that I can load that same module via semodule -i and it doesn't complain -- and access by xdm_t to shadow_t is allowed. Is that correct behavior for semodule -i? -- This message was distributed to subscribers of the selinux mailing list. If you no longer wish to subscribe, send mail to majordomo@xxxxxxxxxxxxx with the words "unsubscribe selinux" without quotes as the message.
