Tighten auth_rw_shadow_lock permission

aerusso · aerusso · commit d81aaced8552 · 2026-01-11T05:29:21.000-07:00
There are no directories labeled shadow_lock_t, and therefore is no
reason to grant dir:search on shadow_lock_t.

Signed-off-by: Antonio Enrico Russo &lt;aerusso@aerusso.net&gt;
diff --git a/policy/modules/system/authlogin.if b/policy/modules/system/authlogin.if
@@ -862,7 +862,7 @@ interface(`auth_rw_shadow_lock',`
 		type shadow_lock_t;
 	')
 
-	rw_files_pattern($1, shadow_lock_t, shadow_lock_t)
+	allow $1 shadow_lock_t:file rw_file_perms;
 ')
 
 ########################################
