How should I allow saslauthd access to shadow?

Charles Bradshaw brad at gx110.bradcan.homelinux.com
Thu Jan 3 23:17:17 UTC 2013


Hi Daniel, thanks for the quick reply.

Using SELinux Administration under Boolean reveals:
Active Module Description
       sasl   Allow sasl to read shadow
I check Active for the above, restart saslauthd, but NO change: 
# testsaslauthd -u foo -p foospw
0: NO "authentication failed"

Your suggestion:
# sesearch -A -C | grep saslauthd_read
ET allow saslauthd_t shadow_t : file { ioctl read getattr lock open } ; [ allow_saslauthd_read_shadow ]
ET allow saslauthd_t etc_t : dir { ioctl read getattr lock search open } ; [ allow_saslauthd_read_shadow ]

My problem is essentially that I don't understand SELinux Administration GUI
or the output from sesearch!

Why is the boolean not called allow_saslauthd_read_shadow in the GUI?
Where is the doc for the meaning of output from sesearch?

On the other hand installing:
module saslpol 1.1;

require {
	type saslauthd_t, shadow_t;
	class capability { sys_nice dac_read_search dac_override };
	class process setsched;
	class file { read getattr open };
}

#============= saslauthd_t ==============
allow saslauthd_t self:capability { sys_nice dac_override dac_read_search };
allow saslauthd_t self:process setsched;
allow saslauthd_t shadow_t:file { read getattr open };

WORKS (with the aforementioned sasl boolean unchecked).

BUT is this SAFE?
and are these the minimum necessary access permissions?

I've added the last line in saslpol.te from examining audit.log and a second
run of the audit2allow recommendation!
I got NO alerts in either mode using the version having no last line! Even
after SELinux Administration GUI 'Enabled Audit' for additional audit rules
that are normally not reported in the log files.

Charles Bradshaw

###################################
On: Thu, 03 Jan 2013 10:59:16 -0500
Daniel J Walsh wrote:

>snippet:
>Have you tried the  saslauthd_read_shadow  boolean?


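An added example, not from the thread or from any SELinux tool: it parses the two rule sets quoted above (the sesearch -C output for the boolean and the audit2allow-generated saslpol.te) and lists every permission the custom module grants that the boolean does not already cover. The samples are constructed from the rules quoted in the mail, with the wrapped sesearch lines rejoined.

```python
import re

# Constructed from the rules quoted in the thread; each sesearch rule on one line.
BOOLEAN_RULES = """\
ET allow saslauthd_t shadow_t : file { ioctl read getattr lock open } ; [ allow_saslauthd_read_shadow ]
ET allow saslauthd_t etc_t : dir { ioctl read getattr lock search open } ; [ allow_saslauthd_read_shadow ]
"""

# The allow rules from the saslpol.te module in the thread.
CUSTOM_MODULE = """\
allow saslauthd_t self:capability { sys_nice dac_override dac_read_search };
allow saslauthd_t self:process setsched;
allow saslauthd_t shadow_t:file { read getattr open };
"""

# Matches both the .te spelling (shadow_t:file) and the sesearch spelling
# (shadow_t : file); permissions are either a braced set or a single word.
RULE_RE = re.compile(r"allow\s+(\S+?)\s+(\S+?)\s*:\s*(\S+)\s+(\{[^}]*\}|\S+)\s*;")


def parse_allow_rules(text):
    """Map (source, target, class) -> set of permissions for every allow rule."""
    rules = {}
    for src, tgt, cls, perms in RULE_RE.findall(text):
        rules.setdefault((src, tgt, cls), set()).update(perms.strip("{} ").split())
    return rules


def extra_permissions(module_text, boolean_text):
    """Permissions granted by the custom module but not by the boolean's rules.

    Returns sorted (source, target, class, permission) tuples; an empty list
    means the module adds nothing beyond what flipping the boolean allows.
    """
    granted = parse_allow_rules(boolean_text)
    extra = []
    for key, perms in parse_allow_rules(module_text).items():
        for perm in sorted(perms - granted.get(key, set())):
            extra.append(key + (perm,))
    return sorted(extra)


if __name__ == "__main__":
    # For the thread's rules this reports the capability and setsched grants;
    # the shadow_t:file permissions are already covered by the boolean.
    for src, tgt, cls, perm in extra_permissions(CUSTOM_MODULE, BOOLEAN_RULES):
        print(f"{src} {tgt}:{cls} {perm}")
```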