10feb47e55
Allow newrole to search the /run/faillock directory, otherwise the
faillock mechanism will not work for neworle.
Before the patch (pam faillock deny=3):
root@intel-x86-64:~# newrole -r sysadm_r
Password:
newrole: incorrect password for root
root@intel-x86-64:~# newrole -r sysadm_r
Password:
newrole: incorrect password for root
root@intel-x86-64:~# newrole -r sysadm_r
Password:
newrole: incorrect password for root
root@intel-x86-64:~# newrole -r sysadm_r
Password:
newrole: incorrect password for root
After the patch (pam faillock deny=3):
root@intel-x86-64:~# newrole -r sysadm_r
Password:
newrole: incorrect password for root
root@intel-x86-64:~# newrole -r sysadm_r
Password:
newrole: incorrect password for root
root@intel-x86-64:~# newrole -r sysadm_r
Password:
newrole: incorrect password for root
root@intel-x86-64:~# newrole -r sysadm_r
The account is locked due to 3 failed logins.
(1 minute left to unlock)
Password:
Fixes:
avc: denied { search } for pid=508 comm="newrole" name="faillock"
dev="tmpfs" ino=582 scontext=root:sysadm_r:newrole_t:s0-s15:c0.c1023
tcontext=system_u:object_r:faillog_t:s0 tclass=dir permissive=0
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
|
||
|---|---|---|
| .. | ||
| flask | ||
| modules | ||
| support | ||
| constraints | ||
| context_defaults | ||
| global_booleans | ||
| global_tunables | ||
| mcs | ||
| mls | ||
| policy_capabilities | ||
| users | ||