Re: Allowing not sysadm_t access to change root password

On Mon, 2011-10-17 at 16:55 -0400, David A. Cafaro wrote:
> Hello All,
> 
> I've been beating my head into a wall on this issue and was hoping
> someone else might have a clue.
> 
> I have a new domain call it "mytool_t" that needs to be able to change
> root's password.  Problem is I just can't seem to find the right
> rules/macros for the job.
> 
> The source context will be root:system_r:mytoolt_t
> 
> It will be running the passwd command and transitioning to
> root:system_r:passwd_t.  That is if I can get it past the only root user
> is allowed to change root's password.  Here's the command line error:
> 
> passwd: root:system_r:mytool_t:s0-s0:c0.c1023 is not authorized to
> change the password of root.
> 
> UID, gid, groups, etc in the DAC side of things are 0.
> 
> Permissive mode reports no selinux errors and the password change works
> (I'm assuming that passwd is detecting permissive mode).
> 
> But enforcing stops it cold.
> 
> Here's some example of the relevant policy I've used to try and get this
> to work:
> 
> # For access to passwd program
> type_transition mytool_t passwd_exec_t:process passwd_t;
> domain_auto_trans(mytool_t,passwd_exec_t,passwd_t);
> usermanage_run_admin_passwd(mytool_t,system_r)
> allow mytool_t passwd_exec_t:file { read getattr open execute };

You want:
allow mytool_t self:passwd passwd;

passwd applies SELinux permission checks of its own.

Lack of AVC messages on such denials has been noted previously, but not
fixed:
https://bugzilla.redhat.com/show_bug.cgi?id=518268

-- 
Stephen Smalley
National Security Agency

--
selinux mailing list
selinux@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/selinux
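As an added illustration that is not part of the thread and not code from either poster: a minimal loadable module carrying only the rule Stephen names, written in the checkmodule/semodule style used on Fedora. The module name mytool_passwd is an assumption; the type mytool_t comes from David's message, and his existing domain definition and passwd_t transition are assumed to be loaded already.

```selinux
# mytool_passwd.te (constructed example): grant mytool_t the userspace
# permission that passwd itself checks before changing another user's password.
module mytool_passwd 1.0;

require {
    type mytool_t;          # the calling domain from the original message
    class passwd passwd;    # userspace class checked by passwd, not by the kernel
}

# After the transition to passwd_t, passwd asks libselinux whether the context it
# was invoked from (here mytool_t) holds passwd:passwd on itself. Without this rule
# the check fails in enforcing mode, and the denial produces no AVC message.
allow mytool_t self:passwd passwd;

# Build and load (assumed Fedora toolchain, run as root):
#   checkmodule -M -m -o mytool_passwd.mod mytool_passwd.te
#   semodule_package -o mytool_passwd.pp -m mytool_passwd.mod
#   semodule -i mytool_passwd.pp
# Confirm the rule is present in the loaded policy:
#   sesearch -A -s mytool_t -t mytool_t -c passwd -p passwd
```

Because the check is made by passwd in userspace rather than by the kernel, audit2allow run over audit.log will not suggest this rule; the sesearch query above is the way to confirm it is loaded.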