src:shadow: dropping passwd shortcut

Hi,
I am working to migrate src:shadow to today's SELinux API as
previously mentioned.
Currently there is a shortcut in the passwd check:

If user root tries to change a password for another user AND the
user-identity part (before first colon) of the previous (exec-wise)
context equals the username in question, no SELinux check is
performed.

Stephen suggested dropping this logic, as nowadays SELinux
user-identities rarely match usernames and we only skip a simple
passwd:passwd check.

So I'd like to announce that this logic is probably going to be removed.

Kind regards,
     Christian Göttsche

P.S.:
In Fedora's passwd, the logic does not exist:
https://pagure.io/passwd/blob/master/f/selinux_utils.c
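
The shortcut described in the message above, modeled as an added example that is not part of the original e-mail and is not src:shadow's code. The function names, the 256-byte buffer and the sample contexts are constructed, and "the username in question" is read here as the account whose password is being changed.

```c
#include <stdio.h>
#include <string.h>
#include <sys/types.h>

/* Copy the user-identity field (text before the first colon) of an SELinux
 * context into out. Returns 0 on success, -1 if malformed or too long. */
int context_identity(const char *context, char *out, size_t outlen)
{
    const char *colon;
    size_t len;

    if (context == NULL || out == NULL || outlen == 0)
        return -1;
    colon = strchr(context, ':');
    if (colon == NULL || colon == context)
        return -1;              /* no separator, or empty identity */
    len = (size_t)(colon - context);
    if (len >= outlen)
        return -1;              /* would truncate: report as malformed */
    memcpy(out, context, len);
    out[len] = '\0';
    return 0;
}

/* Model of the shortcut: returns 1 when the SELinux passwd:passwd check
 * would be skipped, 0 when it would still run. Any parsing problem
 * fails closed, i.e. the check runs. */
int legacy_shortcut_skips_check(uid_t caller_uid, uid_t target_uid,
                                const char *target_user,
                                const char *prev_context)
{
    char identity[256];

    if (caller_uid != 0 || target_uid == caller_uid || target_user == NULL)
        return 0;               /* not "root changing another user" */
    if (context_identity(prev_context, identity, sizeof identity) != 0)
        return 0;
    return strcmp(identity, target_user) == 0;
}

int main(void)
{
    /* Constructed sample contexts, not taken from a real system. */
    const char *ctx[] = { "alice:staff_r:staff_t:s0",
                          "unconfined_u:unconfined_r:unconfined_t:s0" };
    for (size_t i = 0; i < 2; i++)
        printf("%s -> skip=%d\n", ctx[i],
               legacy_shortcut_skips_check(0, 1000, "alice", ctx[i]));
    return 0;
}
```

With policy identities such as `unconfined_u` or `staff_u`, the comparison never matches an account name, so the check runs anyway.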



