On 05/13/2009 07:41 AM, Shintaro Fujiwara wrote:
Well, I've been writing a policy to add user from certain
domain.
I wrote a policy including these interfaces,
auth_domtrans_chk_passwd(segatex_t)
auth_manage_shadow(segatex_t)
auth_rw_shadow(segatex_t)
files_manage_etc_files(segatex_t)
and still I can't add user from certain domain and when I look into
log, I have two denied messages,
etc_t file create
shadow_t file create
So I wrote exactly same thing to allow create these but sill I can't
add user nor delete user.
I feel numb.
You are fighting constraints.
If your tool is relabeling you probably need,
domain_subj_id_change_exemption(segatex_t)
To allow you to change the user component.
audit2allow -w (audit2why) will tell you if you are failing a constraint.