[selinux-policy: 2128/3172] trunk: Misc fixes for unix_update from Brandon Whalen.

[Daniel J Walsh]

commit df28a0c44482c5654973504a3ce48f9912be4827
Author: Chris PeBenito <cpebenito at tresys.com>
Date:   Thu Jun 18 13:36:40 2009 +0000

    trunk: Misc fixes for unix_update from Brandon Whalen.

 Changelog                          |    1 +
 policy/modules/system/authlogin.te |    6 +++++-
 2 files changed, 6 insertions(+), 1 deletions(-)
---
diff --git a/Changelog b/Changelog
index 4413bd1..440eb51 100644
--- a/Changelog
+++ b/Changelog
@@ -1,3 +1,4 @@
+- Misc fixes for unix_update from Brandon Whalen.
 - Add x_device permissions for XI2 functions, from Eamon Walsh.
 - MLS constraints for the x_selection class, from Eamon Walsh.
 - Postgresql updates from KaiGai Kohei.
diff --git a/policy/modules/system/authlogin.te b/policy/modules/system/authlogin.te
index 2f71040..7542302 100644
--- a/policy/modules/system/authlogin.te
+++ b/policy/modules/system/authlogin.te
@@ -1,5 +1,5 @@
 
-policy_module(authlogin, 2.0.1)
+policy_module(authlogin, 2.0.2)
 
 ########################################
 #
@@ -60,6 +60,7 @@ type updpwd_t;
 type updpwd_exec_t;
 domain_type(updpwd_t)
 domain_entry_file(updpwd_t,updpwd_exec_t)
+domain_obj_id_change_exemption(updpwd_t)
 role system_r types updpwd_t;
 
 type utempter_t;
@@ -309,6 +310,7 @@ optional_policy(`
 # updpwd local policy
 #
 
+allow updpwd_t self:capability { chown dac_override };
 allow updpwd_t self:process setfscreate;
 allow updpwd_t self:fifo_file rw_fifo_file_perms;
 allow updpwd_t self:unix_stream_socket create_stream_socket_perms;
@@ -316,6 +318,8 @@ allow updpwd_t self:unix_dgram_socket create_socket_perms;
 
 kernel_read_system_state(updpwd_t)
 
+dev_read_urand(updpwd_t)
+
 files_manage_etc_files(updpwd_t)
 
 term_dontaudit_use_console(updpwd_t)