On Mon, 2009-08-17 at 08:42 -0400, Christopher J. PeBenito wrote:
> On Mon, 2009-08-17 at 08:29 -0400, Stephen Smalley wrote:
> > On Sun, 2009-08-16 at 11:53 -0700, Larry Ross wrote:
> > > Using the RHEL5.3 strict policy I am trying to allow a custom selinux
> > > user permission to use the passwd and chage commands to get the status
> > > of a local user.
> > >
> > > With selinux in permissive it works as expected, with selinux in
> > > enforcing, all I get are cryptic error messages. I installed the
> > > enableaudit.pp base policy module, still no denials.
> > >
> > > Does anyone know what permissions I need to add or what I could
> > > be doing wrong? Is this even possible?
> >
> > Did you allow the :passwd permission to the custom selinux user's
> > domain?
> >
> > allow <userdomain> self:passwd { passwd };
>
> Perhaps a denial message should be emitted from
> selinux_check_passwd_access() so people know when this perm check is
> denied.
Ideally we'd convert the callers of this function and all direct callers
of security_compute_av() to using the userspace AVC. The userspace AVC
just didn't exist when passwd and friends (and crond) were originally
instrumented for SELinux.
--
Stephen Smalley
National Security Agency
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@xxxxxxxxxxxxx with
the words "unsubscribe selinux" without quotes as the message.
