Add set-root-password command
The `set-root-password` command sets up an alternate mount namespace with a writable `/etc` directory and then runs `passwd` in it. This allows `passwd` to create its lock files and backup files, without requiring that the real `/etc` to be mutable. After `passwd` finishes and has updated its private copy of `/etc/shadow`, the script rewrites the real one with its contents.
This commit is contained in:
@@ -45,3 +45,91 @@ interface(`aimee_os_run_system_update',`
|
||||
aimee_os_system_update_domtrans($1)
|
||||
role $2 types aimee_sysupdate_t;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Execute set-root-password in the
|
||||
## aimee_set_root_password_t domain.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed to transition.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`aimee_os_set_root_password_domtrans',`
|
||||
gen_require(`
|
||||
type aimee_set_root_password_t, aimee_set_root_password_exec_t;
|
||||
')
|
||||
|
||||
domtrans_pattern($1, aimee_set_root_password_exec_t, aimee_set_root_password_t)
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Execute set-root-password in the
|
||||
## aimee_set_root_password_t domain, and
|
||||
## allow the specified role the
|
||||
## aimee_set_root_password_t domain.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed to transition.
|
||||
## </summary>
|
||||
## </param>
|
||||
## <param name="role">
|
||||
## <summary>
|
||||
## Role allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
## <rolecap/>
|
||||
#
|
||||
interface(`aimee_os_run_set_root_password',`
|
||||
gen_require(`
|
||||
type aimee_set_root_password_t;
|
||||
')
|
||||
|
||||
aimee_os_set_root_password_domtrans($1)
|
||||
role $2 types aimee_set_root_password_t;
|
||||
mount_run(aimee_set_root_password_t, $2)
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Execute set-root-password in the caller
|
||||
## domain.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`aimee_os_set_root_password_exec',`
|
||||
gen_require(`
|
||||
type aimee_set_root_password_exec_t;
|
||||
')
|
||||
|
||||
corecmd_search_bin($1)
|
||||
can_exec($1, aimee_set_root_password_exec_t)
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Create, read, write, and delete temporary
|
||||
## files used by Aimee OS set-root-password.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`aimee_os_manage_set_root_password_tmp_files',`
|
||||
gen_require(`
|
||||
type aimee_set_root_password_tmp_t;
|
||||
')
|
||||
|
||||
manage_files_pattern($1, aimee_set_root_password_tmp_t, aimee_set_root_password_tmp_t)
|
||||
read_lnk_files_pattern($1, aimee_set_root_password_tmp_t, aimee_set_root_password_tmp_t)
|
||||
')
|
||||
|
||||
Reference in New Issue
Block a user