On Mon, Aug 17, 2009 at 7:57 AM, Stephen Smalley <sds@xxxxxxxxxxxxx> wrote:
On Mon, 2009-08-17 at 07:47 -0700, Larry Ross wrote:
> On Mon, Aug 17, 2009 at 5:29 AM, Stephen Smalley <sds@xxxxxxxxxxxxx> wrote:
> On Sun, 2009-08-16 at 11:53 -0700, Larry Ross wrote:
> > Using the RHEL5.3 strict policy I am trying to allow a custom selinux
> > user permission to use the passwd and chage commands to get the status
> > of a local user.
> >
> > With selinux in permissive it works as expected, with selinux in
> > enforcing, all I get are cryptic error messages. I installed the
> > enableaudit.pp base policy module, still no denials.
> >
> > Does anyone know what permissions I need to add or what I could
> > be doing wrong? Is this even possible?
>
> Stephen,
> Thank you for your response.
>
> Did you allow the :passwd permission to the custom selinux user's
> domain?
>
> allow <userdomain> self:passwd { passwd };
>
> I would have if I had known about it, is this documented somewhere?
>
> That worked for "passwd -S", is there something similar to allow a
> user to use the chage command?

Looks like that is using rootok, although it ought to use a permission
of its own rather than overlapping with pam_rootok.

So:

allow <userdomain> self:passwd { passwd rootok };

These programs ought to be converted to using the userspace AVC so that
they emit proper avc messages on denials.

I will agree with that. Thank you for your help.

-- Larry

--
Stephen Smalley
National Security Agency
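The allow rule above has to be packaged as a loadable module before semodule will accept it. The script below is an added example, not part of the thread and not Stephen's or Larry's code; it writes the rule in raw checkmodule syntax (no refpolicy macros), builds it, and loads it when the policy tools are present. The custom user's domain is not named in the thread, so USERDOMAIN is an assumption with staff_t as a stand-in default; the module name local_passwd_status is likewise made up.

```shell
#!/bin/sh
# Added example: package the self:passwd { passwd rootok } rule from the
# thread into a loadable SELinux policy module.
# USERDOMAIN is an assumption; set it to the custom SELinux user's domain
# type. staff_t is only a stand-in default.
USERDOMAIN="${USERDOMAIN:-staff_t}"
MODNAME="local_passwd_status"   # made-up module name

# Write the type-enforcement source into the given directory and print its
# path. The require block declares the domain type and the passwd object
# class with both permissions so checkmodule can resolve them against the
# base policy; without it the build fails with an undeclared-identifier error.
write_policy_module() {
    dir="$1"
    cat > "$dir/$MODNAME.te" <<EOF
module $MODNAME 1.0;

require {
    type $USERDOMAIN;
    class passwd { passwd rootok };
}

# passwd covers "passwd -S"; rootok is what chage checks (per the thread).
allow $USERDOMAIN self:passwd { passwd rootok };
EOF
    printf '%s\n' "$dir/$MODNAME.te"
}

# Compile and install: checkmodule -M -m builds a non-base (MLS-aware)
# module, semodule_package wraps it as a .pp, semodule -i loads it.
build_and_load() {
    te="$1"
    dir=$(dirname "$te")
    checkmodule -M -m -o "$dir/$MODNAME.mod" "$te" &&
    semodule_package -o "$dir/$MODNAME.pp" -m "$dir/$MODNAME.mod" &&
    semodule -i "$dir/$MODNAME.pp"
}

# Returns 0 when the generated source grants both permissions to the domain.
grants_both_perms() {
    grep -q "^allow $USERDOMAIN self:passwd { passwd rootok };" "$1"
}

main() {
    tmp=$(mktemp -d)
    te=$(write_policy_module "$tmp")
    grants_both_perms "$te" || { echo "module source malformed" >&2; exit 1; }
    if command -v checkmodule >/dev/null 2>&1 && command -v semodule >/dev/null 2>&1; then
        build_and_load "$te" || echo "build/load failed (semodule -i needs root)" >&2
    else
        echo "SELinux policy tools not found; module source left in $te" >&2
    fi
}

main "$@"
```

Because, as the thread notes, passwd and chage did not at the time report these checks through the AVC, a denial leaves no avc message to search for; confirming the loaded rule with sesearch from setools, or retrying `passwd -S` and `chage -l` as the custom user, is the practical check.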