The built-in ACL prevents the gradm binary from loading dynamic
libraries from the Nix store. Thus, once the RBAC system is activated,
the gradm binary cannot be used.
Fix by patching in rules to allow references to the Nix store where
appropriate.
This is necessary for gradm's learning mode to work, as otherwise the
/nix/store directory is marked hidden, which causes the kernel to reject
the linker loading ld-linux.so
Signed-off-by: Austin Seipp <aseipp@pobox.com>
We alredy rewrote /sbin/gradm, which technically matches
/sbin/gradm_pam, so this ends up working exactly as we want. Otherwise
we rewrite twice and gradm can't execute the PAM module with '-p'
Signed-off-by: Austin Seipp <aseipp@pobox.com>