On Tue, 2008-06-17 at 20:36 +0200, Göran Uddeborg wrote:
> Stephen Smalley writes:
> > role unconfined_r types updpwd_exec_t;
>
> Aha, now I get it! It's the role-type combination that is not
> allowed, and thus "invalid". Thanks!
>
> A little detail, though. It's the type updpwd_t, not updpwd_exec_t
> that should be allowed, isn't it? Unless I'm mistaken, it's the file
> that has the *_exec_t type, but the resulting process domain is *_t.
>
> I did create my module following your pattern, but using updpwd_t, and
> the crontab command works again. So it seems it was the right thing
> to do. Or have I done something I shouldn't do after all?

Oops, my mistake - yes, you wanted the domain type, not the executable
type there. audit2allow is actually supposed to handle those errors
too, but it seems to be broken at the moment for them.

--
Stephen Smalley
National Security Agency

--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
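An added example, not part of the original thread and not audit2allow's own code: a small Python script that reads the kernel's "invalid context" audit record and emits the role-type rule discussed above, taking the type from the rejected process context (the domain) rather than from the executable's file context. The audit line is constructed for illustration and the module name `localcron` is hypothetical.

```python
import re

# Kernel record logged when a computed process context pairs a role with a
# type that the role is not authorized for.
INVALID_CTX = re.compile(
    r"type=SELINUX_ERR .*?security_compute_sid:\s+invalid context\s+(?P<ctx>\S+)"
    r"\s+for\s+scontext=\S+\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)

# Constructed sample input: one unrelated AVC denial, one invalid-context error.
SAMPLE_LOG = [
    'type=AVC msg=audit(1213727700.001:44): avc:  denied  { read } for pid=1 '
    'comm="x" scontext=system_u:system_r:httpd_t:s0 '
    'tcontext=system_u:object_r:shadow_t:s0 tclass=file',
    'type=SELINUX_ERR msg=audit(1213727760.123:45): security_compute_sid:  '
    'invalid context unconfined_u:unconfined_r:updpwd_t:s0 for '
    'scontext=unconfined_u:unconfined_r:unconfined_t:s0 '
    'tcontext=system_u:object_r:updpwd_exec_t:s0 tclass=process',
]

def invalid_pairs(lines):
    """Return unique (role, domain_type) pairs from invalid-context records."""
    pairs = []
    for line in lines:
        m = INVALID_CTX.search(line)
        if not m or m.group("tclass") != "process":
            continue
        # user:role:type[:mls]; the MLS part may itself contain colons.
        _user, role, domain = m.group("ctx").split(":")[:3]
        if (role, domain) not in pairs:
            pairs.append((role, domain))
    return pairs

def module_source(name, pairs):
    """Render a loadable policy module authorizing each role for its domain."""
    roles = sorted({r for r, _ in pairs})
    types = sorted({t for _, t in pairs})
    out = [f"module {name} 1.0;", "", "require {"]
    out += [f"\trole {r};" for r in roles]
    out += [f"\ttype {t};" for t in types]
    out += ["}", ""]
    out += [f"role {r} types {t};" for r, t in pairs]
    return "\n".join(out) + "\n"

if __name__ == "__main__":
    print(module_source("localcron", invalid_pairs(SAMPLE_LOG)))
```
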