trunk: Allow unix_update to change the security attributes associate with files so

that it can properly create the shadow file. Also allow it to read from
urandom so that it can add salt to the password hash.

Changelog

@@ -1,3 +1,4 @@
+- Crack db access for su to handle password expiration, from Brandon Whalen.
 - Misc fixes for unix_update from Brandon Whalen.
 - Add x_device permissions for XI2 functions, from Eamon Walsh.
 - MLS constraints for the x_selection class, from Eamon Walsh.

policy/modules/admin/su.if

@@ -126,6 +126,11 @@ template(`su_restricted_domain_template', `
 		kerberos_use($1_su_t)
 	')
 
+	optional_policy(`
+		# used when the password has expired
+		usermanage_read_crack_db($1_su_t)
+	')
+
 	ifdef(`TODO',`
 	# Caused by su - init scripts
 	dontaudit $1_su_t initrc_devpts_t:chr_file { getattr ioctl };
@@ -292,6 +297,11 @@ template(`su_role_template',`
 		kerberos_use($1_su_t)
 	')
 
+	optional_policy(`
+		# used when the password has expired
+		usermanage_read_crack_db($1_su_t)
+	')
+
 	# Modify .Xauthority file (via xauth program).
 	optional_policy(`
 		xserver_user_home_dir_filetrans_user_xauth($1_su_t)

policy/modules/admin/su.te

@@ -1,5 +1,5 @@
 
-policy_module(su, 1.9.1)
+policy_module(su, 1.9.2)
 
 ########################################
 #