Using the RHEL 5.3 strict policy, I am trying to allow a custom SELinux user permission to use the passwd and chage commands to get the status of a local user.
With SELinux in permissive it works as expected; with SELinux in enforcing, all I get are cryptic error messages. I installed the enableaudit.pp base policy module; still no denials.
Does anyone know what permissions I need to add or what I could be doing wrong? Is this even possible?
Thank you,
Larry
[secadm@newhost ~]$ sestatus
SELinux status: enabled
SELinuxfs mount: /selinux
Current mode: enforcing
Mode from config file: permissive
Policy version: 21
Policy from config file: strict
[secadm@newhost ~]$ sudo chage -l user
chage: Permission denied.
[secadm@newhost ~]$ sudo /usr/bin/passwd -S user
Only root can do that.
[secadm@newhost ~]$ sestatus
SELinux status: enabled
SELinuxfs mount: /selinux
Current mode: permissive
Mode from config file: permissive
Policy version: 21
Policy from config file: strict
[secadm@newhost ~]$ sudo chage -l user
Last password change : May 14, 2009
Password expires : never
Password inactive : never
Account expires : never
Minimum number of days between password change : 0
Maximum number of days between password change : 99999
Number of days of warning before password expires : 7
[secadm@newhost ~]$ sudo /usr/bin/passwd -S user
user PS 2009-05-13 0 99999 7 -1 (Password set, unknown crypt variant.)
[secadm@newhost ~]$