Thank you.
I updated my tool's policy including 2 interfaces you guys introduced.
Still I can't add user from my tool and strangely, no AVC messages now
even when I set SELinux permissive.
Of course when I set permissive, I can add user.
But, I don't have any denied logs now...

No way out?

2009/5/13 Daniel J Walsh <dwalsh@xxxxxxxxxx>:
> On 05/13/2009 07:41 AM, Shintaro Fujiwara wrote:
>>
>> Well, I've been writing a policy to add user from certain domain.
>>
>> I wrote a policy including these interfaces,
>>
>> auth_domtrans_chk_passwd(segatex_t)
>> auth_manage_shadow(segatex_t)
>> auth_rw_shadow(segatex_t)
>> files_manage_etc_files(segatex_t)
>>
>> and still I can't add user from certain domain and when I look into
>> log, I have two denied messages,
>>
>> etc_t file create
>> shadow_t file create
>>
>> So I wrote exactly same thing to allow create these but still I can't
>> add user nor delete user.
>>
>> I feel numb.
>>
>>
> You are fighting constraints.
>
> If your tool is relabeling you probably need,
> domain_subj_id_change_exemption(segatex_t)
> To allow you to change the user component.
>
> audit2allow -w (audit2why) will tell you if you are failing a constraint.
>

--
http://intrajp.no-ip.com/
Home Page

--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-selinux-list