Ok, Thanks!

In flask/security_classes I see that class passwd is commented to be # userspace.
In flask/access_vectors I see the chfn permission for class passwd.
...
So maybe next time I get a similar problem, I'll be able to solve it myself.

Is https://bugzilla.redhat.com/ the appropriate place to submit a bug report for chfn?

-Brian

-----Original Message-----
From: Daniel J Walsh [mailto:dwalsh@xxxxxxxxxx]
Sent: Thursday, May 28, 2009 6:49 PM
To: Brian Ginn
Cc: 'fedora-selinux-list@xxxxxxxxxx'
Subject: Re: policy to allow myapp to exec chfn

On 05/28/2009 09:03 PM, Brian Ginn wrote:
> I have an app which runs from xinetd in the myapp_t domain:
>
> system_u:system_r:myapp_t
>
> I am attempting to get myapp to exec the chfn program
> however it reports:
>
> chfn: system_u:system_r:myapp_t:SystemLow-SystemHigh is not authorized to change the finger info of test5
>
This means the transition did not happen.
>
> I have tried these macros from the reference policy:
>
> usermanage_run_chfn(myapp_t,system_r,devpts_t )
>
> type myapp_devpts_t;
> type myapp_tty_device_t;
> userdom_change_password_template(myapp)
> usermanage_run_chfn(myapp_t,system_r,{ myapp_devpts_t myapp_tty_device_t })
>
> but things still don't work.
>
> SELinux is not reporting denials in audit.log, presumably because
> chfn calls security_compute_av() and reports the "denial" itself.
>
> Is there policy I can write that will allow myapp to exec chfn?
>
> Thanks,
> Brian
>
> ------------------------------------------------------------------------
>
> --
> fedora-selinux-list mailing list
> fedora-selinux-list@xxxxxxxxxx
> https://www.redhat.com/mailman/listinfo/fedora-selinux-list

If myapp_t needs to have the ability to change the passwd of another user:

allow myapp_t self:passwd chfn;

chfn and others should report this error as an AVC rather than just an error message, so the tools would be able to generate appropriate policy.

Report this as a bug and cc me on the bug report. passwd, chfn, chsh are all accesses required for root programs to change the passwd, finger info or shell of other UIDs.
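The following is an added worked example, not code from the thread or from the reference policy: a small shell script that writes a local policy module implementing the rule from Dan's reply (the self:passwd chfn allow) alongside the usermanage_run_chfn() transition Brian was already using, builds it through the refpolicy devel Makefile, loads it, and checks with sesearch that the rule actually landed. The module name myapp_chfn is hypothetical; it assumes myapp_t, system_r and devpts_t exist in the loaded policy and that selinux-policy-devel (which provides /usr/share/selinux/devel/Makefile) is installed. The three-argument usermanage_run_chfn() form follows the 2009-era interface quoted in the thread; the argument list differs in newer refpolicy releases, so check the local interface file before building.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread): local SELinux policy
# module letting myapp_t invoke chfn on other users' finger information.
# Hypothetical module name: myapp_chfn.

# write_policy DIR: emit myapp_chfn.te into DIR and print its path.
write_policy() {
    dir=${1:-.}
    te="$dir/myapp_chfn.te"
    cat > "$te" <<'EOF'
policy_module(myapp_chfn, 1.0)

require {
    type myapp_t;
    type devpts_t;
    role system_r;
}

# "passwd" is a userspace object class (flask/security_classes marks it
# "# userspace"): chfn asks the kernel for the decision itself and prints
# its own error instead of an AVC, so audit2allow has nothing to work from.
# This is the rule suggested in the thread; it covers chfn running in
# myapp_t, i.e. when no domain transition took place.
allow myapp_t self:passwd chfn;

# Domain transition myapp_t -> chfn_t, with the terminal type chfn may use.
# Argument count follows the interface as quoted in the thread (2009-era
# refpolicy); newer releases take fewer arguments.
usermanage_run_chfn(myapp_t, system_r, devpts_t)
EOF
    printf '%s\n' "$te"
}

# build_and_load DIR: compile the .te with the refpolicy build system
# (expands policy_module() and the usermanage interface) and insert the
# resulting .pp. Needs root on an SELinux-enabled system.
build_and_load() {
    dir=${1:-.}
    ( cd "$dir" && make -f /usr/share/selinux/devel/Makefile myapp_chfn.pp ) || return 1
    semodule -i "$dir/myapp_chfn.pp" || return 1
}

# verify: confirm the allow rule is present in the loaded policy before
# retesting chfn. Tolerates both setools 3 and setools 4 output spacing.
verify() {
    sesearch -A -s myapp_t -c passwd -p chfn \
        | grep -q 'allow myapp_t myapp_t *: *passwd'
}
```

Typical use is `d=$(mktemp -d); write_policy "$d"; build_and_load "$d" && verify && echo ok`. Because the check happens in userspace, a failed verify() means chfn will keep printing its own "is not authorized" message with nothing in audit.log, which is exactly why the thread recommends filing a bug so chfn reports the decision as an AVC.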