Re: checking user status

On Mon, Aug 17, 2009 at 7:55 AM, Larry Ross <selinux.larry@xxxxxxxxx> wrote:
On Mon, Aug 17, 2009 at 7:57 AM, Stephen Smalley <sds@xxxxxxxxxxxxx> wrote:
On Mon, 2009-08-17 at 07:47 -0700, Larry Ross wrote:
> On Mon, Aug 17, 2009 at 5:29 AM, Stephen Smalley <sds@xxxxxxxxxxxxx>
> wrote:
>         On Sun, 2009-08-16 at 11:53 -0700, Larry Ross wrote:
>         > Using the RHEL5.3 strict policy I am trying to allow a
>         custom selinux
>         > user permission to use the passwd and chage commands to get
>         the status
>         > of a local user.
>         >
>         > With selinux in permissive it works as expected, with
>         selinux in
>         > enforcing, all I get are cryptic error messages.  I
>         installed the
>         > enableaudit.pp base policy module, still no denials.
>         >
>         > Does anyone know what permissions I need to add or what I
>         could
>         > be doing wrong?  Is this even possible?
>
> Stephen,
> Thank you for your response.
>
>
>         Did you allow the :passwd permission to the custom selinux
>         user's
>         domain?
>
>         allow <userdomain> self:passwd { passwd };
>
> I would have if I had known about it; is this documented somewhere?
>
> That worked for "passwd -S", is there something similar to allow a
> user to use the chage command?

Looks like that is using rootok, although it ought to use a permission
of its own rather than overlapping with pam_rootok.

So:
       allow <userdomain> self:passwd { passwd rootok };
 
Similar issue.  I have created a new user and used chage to expire their password so they are required to create a new one on their first login.
 
Logging in to the Gnome Greeter, with SELinux permissive, there is no issue, with SELinux enforcing (still the strict policy, a custom user), I get a message that says "The change of the authentication token failed.  Please try again later or contact the system administrator."
 
No SELinux denials.
 
Two questions:
1. Anyone know what permission or permissions are required so this works and which domain or domains need it?
2. Anyone have any direction on how I can answer these questions for myself?
 
  Thank you,
  Larry

These programs ought to be converted to using the userspace AVC so that
they emit proper avc messages on denials.
 
I will agree with that.  Thank you for your help.
 
  -- Larry
--
Stephen Smalley
National Security Agency
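The rule Stephen gives above is a bare allow statement; to actually apply it on a RHEL5 strict policy box it has to be wrapped in a loadable module and, because passwd/chage emit no AVC message when denied, it is worth confirming with sesearch that the rule really landed. The script below is an added example and not code from the thread; `myuser_t` is a hypothetical domain name standing in for the custom user's domain (take the real one from `id -Z` of the affected user), and it assumes checkmodule/semodule_package from the policy toolchain and sesearch from setools are installed.

```shell
#!/bin/sh
# Added example, not from the thread. Builds a loadable policy module that
# grants the :passwd permissions named in the thread to a custom user domain.
# The domain name passed in is an assumption; on strict policy it is normally
# <user>_t for the custom SELinux user (see `id -Z`).

# Emit the .te source: `passwd` covers "passwd -S", `rootok` covers chage,
# which the thread notes is checked through pam_rootok's permission.
gen_passwd_module() {
    domain="$1"
    cat <<EOF
module custom_passwd_access 1.0;

require {
    type ${domain};
    class passwd { passwd rootok };
}

# passwd -S needs :passwd passwd; chage currently goes through rootok.
allow ${domain} self:passwd { passwd rootok };
EOF
}

# Compile and package the module with the standard toolchain.
# Returns 0 on success, 1 on a build error, 2 if the tools are not present.
build_passwd_module() {
    domain="$1"
    workdir="${2:-.}"
    command -v checkmodule >/dev/null 2>&1 || return 2
    command -v semodule_package >/dev/null 2>&1 || return 2
    gen_passwd_module "$domain" > "$workdir/custom_passwd_access.te"
    checkmodule -M -m -o "$workdir/custom_passwd_access.mod" \
        "$workdir/custom_passwd_access.te" || return 1
    semodule_package -o "$workdir/custom_passwd_access.pp" \
        -m "$workdir/custom_passwd_access.mod" || return 1
    printf 'Built %s/custom_passwd_access.pp; load it with: semodule -i %s/custom_passwd_access.pp\n' \
        "$workdir" "$workdir"
}

# Verify the rule in the loaded policy. These programs print only a generic
# error on denial, so query the policy instead of waiting for an AVC message.
check_passwd_access() {
    domain="$1"
    command -v sesearch >/dev/null 2>&1 || return 2
    sesearch -A -s "$domain" -t "$domain" -c passwd -p rootok
}

if [ -n "${1:-}" ]; then
    gen_passwd_module "$1"
fi
```

Run it with the domain name as the first argument to print the .te source, or call `build_passwd_module <domain> <dir>` and `check_passwd_access <domain>` from a shell that has sourced it.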