diff --git a/policy/modules/admin/usermanage.te b/policy/modules/admin/usermanage.te
index 7436292dfb..8fc9028f5d 100644
--- a/policy/modules/admin/usermanage.te
+++ b/policy/modules/admin/usermanage.te
@@ -246,7 +246,7 @@ auth_use_nsswitch(groupadd_t)
# domtrans_chk_passwd() call.
auth_manage_shadow(groupadd_t)
auth_relabel_shadow(groupadd_t)
-auth_etc_filetrans_shadow(groupadd_t)
+auth_filetrans_shadow(groupadd_t)
seutil_read_config(groupadd_t)
seutil_read_file_contexts(groupadd_t)
@@ -346,7 +346,7 @@ auth_run_chk_passwd(passwd_t, passwd_roles)
auth_run_upd_passwd(passwd_t, passwd_roles)
auth_manage_shadow(passwd_t)
auth_relabel_shadow(passwd_t)
-auth_etc_filetrans_shadow(passwd_t)
+auth_filetrans_shadow(passwd_t)
auth_use_nsswitch(passwd_t)
# allow checking if a shell is executable
@@ -435,7 +435,7 @@ term_use_all_ptys(sysadm_passwd_t)
auth_manage_shadow(sysadm_passwd_t)
auth_relabel_shadow(sysadm_passwd_t)
-auth_etc_filetrans_shadow(sysadm_passwd_t)
+auth_filetrans_shadow(sysadm_passwd_t)
auth_use_nsswitch(sysadm_passwd_t)
# allow vipw to exec the editor
@@ -531,7 +531,7 @@ auth_use_nsswitch(useradd_t)
# domtrans_chk_passwd() call.
auth_manage_shadow(useradd_t)
auth_relabel_shadow(useradd_t)
-auth_etc_filetrans_shadow(useradd_t)
+auth_filetrans_shadow(useradd_t)
init_use_fds(useradd_t)
init_rw_utmp(useradd_t)
diff --git a/policy/modules/services/nis.te b/policy/modules/services/nis.te
index 7f920012f0..99a52bbdd6 100644
--- a/policy/modules/services/nis.te
+++ b/policy/modules/services/nis.te
@@ -199,7 +199,7 @@ selinux_get_fs_mount(yppasswdd_t)
auth_manage_shadow(yppasswdd_t)
auth_relabel_shadow(yppasswdd_t)
-auth_etc_filetrans_shadow(yppasswdd_t)
+auth_filetrans_shadow(yppasswdd_t)
logging_send_syslog_msg(yppasswdd_t)
diff --git a/policy/modules/system/authlogin.if b/policy/modules/system/authlogin.if
index 7ab456621d..12a5456ea9 100644
--- a/policy/modules/system/authlogin.if
+++ b/policy/modules/system/authlogin.if
@@ -847,6 +847,23 @@ interface(`auth_relabel_shadow',`
typeattribute $1 can_relabelto_shadow_passwords;
')
+########################################
+##
+## File transitions for shadow files.
+##
+##
+##
+## Domain with file transition.
+##
+##
+#
+interface(`auth_filetrans_shadow',`
+ auth_etc_filetrans_shadow($1, "shadow")
+ auth_etc_filetrans_shadow($1, "gshadow")
+ auth_etc_filetrans_shadow($1, "shadow-")
+ auth_etc_filetrans_shadow($1, "gshadow-")
+')
+
########################################
##
## Read/Write shadow lock files.
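Review bot: The summary for the new `auth_filetrans_shadow` interface says only "File transitions for shadow files." and does not name the files it covers, although the callers in this commit replace their per-domain `auth_etc_filetrans_shadow` calls with it and a reader of the .te files will want to know what a domain gains; I would write `## Set up named file transitions in /etc to the shadow type for shadow, gshadow, shadow- and gshadow-.` and, in the parameter description, `## Domain allowed to create these files in /etc.`. The `summary`/`param` markup that refpolicy's interface headers normally carry is not visible in this rendering; if it is genuinely absent from the source rather than stripped by the page, the header will not be picked up by the documentation tooling and should be restored to match the neighbouring interfaces.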
@@ -860,9 +877,18 @@ interface(`auth_relabel_shadow',`
interface(`auth_rw_shadow_lock',`
gen_require(`
type shadow_lock_t;
+ type shadow_t;
')
- rw_files_pattern($1, shadow_lock_t, shadow_lock_t)
+ allow $1 shadow_lock_t:file rw_file_perms;
+ ifelse(`$2',`',`
+ files_etc_filetrans($1, shadow_lock_t, file, ".pwd.lock")
+ files_etc_filetrans($1, shadow_lock_t, file, "passwd.lock")
+ files_etc_filetrans($1, shadow_lock_t, file, "group.lock")
+ ',`
+ refpolicywarn(`$0($*) second parameter is deprecated.')
+ files_etc_filetrans($1, shadow_t, file, $2)
+ ')
')
########################################
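Review bot: In the deprecated branch of `auth_rw_shadow_lock` a caller that still passes a second argument receives only the `shadow_t` transition for `$2` and none of the three `shadow_lock_t` transitions the default branch now grants, so the lock files such a domain creates in /etc would keep the directory's default label until every caller is converted. Unless the deprecated form is meant to reproduce the old behaviour exactly, I would hoist the three lock-file transitions out of the `ifelse` so both branches get them, leaving the warning and the `shadow_t` transition as the only deprecated-only part. The interface's parameter documentation lies outside this hunk; the optional, deprecated second parameter should be recorded there as well.
```m4
	allow $1 shadow_lock_t:file rw_file_perms;
	files_etc_filetrans($1, shadow_lock_t, file, ".pwd.lock")
	files_etc_filetrans($1, shadow_lock_t, file, "passwd.lock")
	files_etc_filetrans($1, shadow_lock_t, file, "group.lock")

	ifelse(`$2',`',`',`
		refpolicywarn(`$0($*) second parameter is deprecated.')
		files_etc_filetrans($1, shadow_t, file, $2)
	')
```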
diff --git a/policy/modules/system/authlogin.te b/policy/modules/system/authlogin.te
index 7587fd4b50..89fb0d421b 100644
--- a/policy/modules/system/authlogin.te
+++ b/policy/modules/system/authlogin.te
@@ -412,6 +412,7 @@ term_dontaudit_use_console(updpwd_t)
term_dontaudit_use_unallocated_ttys(updpwd_t)
auth_manage_shadow(updpwd_t)
+auth_filetrans_shadow(updpwd_t)
auth_use_nsswitch(updpwd_t)
logging_send_syslog_msg(updpwd_t)
diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
index 97bf01216c..7015d9af99 100644
--- a/policy/modules/system/systemd.te
+++ b/policy/modules/system/systemd.te
@@ -2077,7 +2077,7 @@ kernel_read_kernel_sysctls(systemd_sysusers_t)
selinux_use_status_page(systemd_sysusers_t)
auth_manage_shadow(systemd_sysusers_t)
-auth_etc_filetrans_shadow(systemd_sysusers_t)
+auth_filetrans_shadow(systemd_sysusers_t)
auth_use_nsswitch(systemd_sysusers_t)
seutil_libselinux_linked(systemd_sysusers_t)