From c9817d2b4756551b083ab95e13542ece198ce79a Mon Sep 17 00:00:00 2001
From: Patrick Uiterwijk
Date: Tue, 12 Dec 2017 15:42:02 +0000
Subject: [PATCH] Add selinux to allow map for pamdatabase from unix_chkpwd

Signed-off-by: Patrick Uiterwijk
---
 roles/base/files/selinux/mapchkpwd.pp | Bin 0 -> 930 bytes
 roles/base/files/selinux/mapchkpwd.te | 11 +++++++++++
 roles/base/tasks/main.yml | 17 +++++++++++++++++
 3 files changed, 28 insertions(+)
 create mode 100644 roles/base/files/selinux/mapchkpwd.pp
 create mode 100644 roles/base/files/selinux/mapchkpwd.te

diff --git a/roles/base/files/selinux/mapchkpwd.pp b/roles/base/files/selinux/mapchkpwd.pp
new file mode 100644
index 0000000000000000000000000000000000000000..09d3ad943264206b4a909be67d46ef01007eb3da
GIT binary patch
literal 930
zcmb_aNeaS15G
zW$NXE>a_(~lSIxit{{rWw
Zd?{7ltx+q|r`4A9CQY?#q#^77hBr!oF$w?x

literal 0
HcmV?d00001

diff --git a/roles/base/files/selinux/mapchkpwd.te b/roles/base/files/selinux/mapchkpwd.te
new file mode 100644
index 0000000000..c53be11145
--- /dev/null
+++ b/roles/base/files/selinux/mapchkpwd.te
@@ -0,0 +1,11 @@
+
+module mapchkpwd 1.0;
+
+require {
+ type chkpwd_t;
+ type shadow_t;
+ class file map;
+}
+
+#============= chkpwd_t ==============
+allow chkpwd_t shadow_t:file map;

diff --git a/roles/base/tasks/main.yml b/roles/base/tasks/main.yml
index 45f80a8091..c950be9d61 100644
--- a/roles/base/tasks/main.yml
+++ b/roles/base/tasks/main.yml
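Review bot: The policy source carries no comment saying which denial it exists to silence, only the `#============= chkpwd_t ==============` marker, so a later maintainer cannot tell whether the rule is still needed once the distribution's own policy grants the same access; add a header such as `# unix_chkpwd (chkpwd_t) needs the map permission on shadow_t files; loaded only on distribution major version >= 27, see roles/base/tasks/main.yml`. The rule itself is as narrow as it can be — one source domain, one target type, one permission — which is the right shape for a local exception. The compiled mapchkpwd.pp is committed beside this source as an opaque binary, so nothing on the page shows it was built from this exact .te; record the build command in that header (a `checkmodule -M -m` followed by `semodule_package` is the standard route), or better, build the package on the host from the .te so the text that was reviewed is what gets loaded.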
@@ -334,6 +334,23 @@
   - config
   - rsyslog-audit
+# Custom selinux policy to allow unix_chkpwd to map PAM database
+- name: copy over our custom selinux module
+  copy: src=selinux/mapchkpwd.pp dest=/usr/local/share/mapchkpwd.pp
+  register: selinux_module
+  when: ansible_distribution_major_version|int >= 27
+  tags:
+  - config
+  - selinux
+
+- name: install our custom selinux module
+  command: semodule -i /usr/local/share/mapchkpwd.pp
+  when: selinux_module|changed
+  when: ansible_distribution_major_version|int >= 27
+  tags:
+  - selinux
+  - config
+
 - name: Setup postfix
   import_tasks: postfix.yml
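Review bot: The install task has two `when:` keys (`when: selinux_module|changed` and `when: ansible_distribution_major_version|int >= 27`), and a YAML mapping cannot carry the same key twice, so only one survives loading — with the PyYAML-based loader the last one wins, which silently drops the `selinux_module|changed` guard and reruns `semodule -i` on every play, and newer Ansible releases refuse duplicate keys outright. Fold both into a single list-form condition: `when:` / `  - selinux_module|changed` / `  - ansible_distribution_major_version|int >= 27`. The copy task registers `selinux_module` even when it is skipped on older releases, so the combined condition should evaluate cleanly there as well.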