On Mon, Aug 17, 2009 at 7:47 AM, Larry Ross <selinux.larry@xxxxxxxxx> wrote:
On Mon, Aug 17, 2009 at 5:29 AM, Stephen Smalley <sds@xxxxxxxxxxxxx> wrote:
On Sun, 2009-08-16 at 11:53 -0700, Larry Ross wrote:
> Using the RHEL5.3 strict policy I am trying to allow a custom selinux
> user permission to use the passwd and chage commands to get the status
> of a local user.
>
> With selinux in permissive it works as expected, with selinux in
> enforcing, all I get are cryptic error messages. I installed the
> enableaudit.pp base policy module, still no denials.
>
> Does anyone know what permissions I need to add or what I could
> be doing wrong? Is this even possible?

Stephen,

Thank you for your response.

Did you allow the :passwd permission to the custom selinux user's
domain?
allow <userdomain> self:passwd { passwd };

I would have if I had known about it. Is this documented somewhere?

That worked for "passwd -S". Is there something similar to allow a user to use the chage command?

Stephen,
Sorry for the off list reply. I think I found it: "rootok". It works, but I'm not sure what it means. Could you explain what the rootok permission means? Is it intended for this use?
Thank you,
Larry
Thank you,
Larry

--
Stephen Smalley
National Security Agency
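As an added example that is not part of the thread, here is a loadable policy module that grants the two passwd-class permissions discussed above to a custom user domain; the domain name myuser_t is an assumption, substitute your own.

```selinux
# Added example, not from the thread.
# ASSUMPTION: the custom user domain is named myuser_t.
policy_module(myuser_passwd, 1.0)

require {
    type myuser_t;
    class passwd { passwd rootok };
}

# Needed for "passwd -S" (the rule from Stephen's reply, with the domain filled in).
allow myuser_t self:passwd passwd;

# What Larry found makes chage work. rootok is the passwd-class permission that
# pam_rootok.so checks when SELinux is enabled, so any PAM service whose stack
# contains pam_rootok.so (chage among them) needs it from the calling domain.
allow myuser_t self:passwd rootok;

# Build and load with the refpolicy development Makefile (selinux-policy-devel):
#   make -f /usr/share/selinux/devel/Makefile myuser_passwd.pp
#   semodule -i myuser_passwd.pp
# Verify the rules are present (useful when no AVC denial is logged):
#   sesearch -A -s myuser_t -t myuser_t -c passwd
```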