Written by: Martin Orr Allow adduser to work when run by dpkg (as dpkg_t) adduser runs chage and chfn, which need passwd access These stay as dpkg_t - we don't want to give passwd_t passwd access userdel runs semanage, so let semanage_t use dpkg pipes
Index: policy/modules/system/selinuxutil.te
===================================================================
--- policy/modules/system/selinuxutil.te.orig
+++ policy/modules/system/selinuxutil.te
@@ -486,6 +486,10 @@
 userdom_read_user_home_content_files(semanage_t)
 userdom_read_user_tmp_files(semanage_t)
 
+optional_policy(`
+	dpkg_rw_pipes(semanage_t)
+')
+
 ifdef(`distro_debian',`
 	files_read_var_lib_files(semanage_t)
 	files_read_var_lib_symlinks(semanage_t)
Index: policy/modules/admin/dpkg.te
===================================================================
--- policy/modules/admin/dpkg.te.orig
+++ policy/modules/admin/dpkg.te
@@ -65,6 +65,7 @@
 allow dpkg_t self:sem create_sem_perms;
 allow dpkg_t self:msgq create_msgq_perms;
 allow dpkg_t self:msg { send receive };
+allow dpkg_t self:passwd { chfn rootok };
 
 allow dpkg_t dpkg_lock_t:file manage_file_perms;
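Review bot: The new optional_policy block in selinuxutil.te grants semanage_t read/write on dpkg_t pipes without a comment, and the reason (userdel run from a dpkg maintainer script invokes semanage, whose stdio are dpkg's pipes) exists only in the commit message; a line such as `# userdel run from dpkg maintainer scripts invokes semanage on dpkg's stdio pipes` above the block would keep the rule from reading as stray access in a later policy audit. It is also worth confirming from the recorded denials that both directions are required: if semanage only writes progress and errors back to dpkg, a narrower write-only interface, where dpkg.if provides one, would match the least-privilege intent the message states for passwd_t. If semanage_t does not already inherit dpkg's descriptors through `dpkg_use_fds`, the pipe rule alone may not clear the denials, so check whether that is granted elsewhere. The distro_debian ifdef block that follows the insertion continues outside the hunk, and the dpkg.te hunk is cut off before its last context line.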