Hello All,

I've been beating my head into a wall on this issue and was hoping someone else might have a clue. I have a new domain, call it "mytool_t", that needs to be able to change root's password. Problem is I just can't seem to find the right rules/macros for the job.

The source context will be root:system_r:mytool_t. It will be running the passwd command and transitioning to root:system_r:passwd_t. That is, if I can get it past the "only root user is allowed to change root's password" restriction.

Here's the command line error:

passwd: root:system_r:mytool_t:s0-s0:c0.c1023 is not authorized to change the password of root.

UID, gid, groups, etc. on the DAC side of things are 0. Permissive mode reports no SELinux errors and the password change works (I'm assuming that passwd is detecting permissive mode). But enforcing stops it cold.

Here's an example of the relevant policy I've used to try and get this to work:

# For access to passwd program
type_transition mytool_t passwd_exec_t:process passwd_t;
domain_auto_trans(mytool_t,passwd_exec_t,passwd_t);
usermanage_run_admin_passwd(mytool_t,system_r)
allow mytool_t passwd_exec_t:file { read getattr open execute };

Any thanks is appreciated.

David