On Tue, 2008-06-17 at 20:36 +0200, Göran Uddeborg wrote:
Stephen Smalley writes:
> role unconfined_r types updpwd_exec_t;
Aha, now I get it! It's the role-type combination that is not
allowed, and thus "invalid". Thanks!
A little detail, though. It's the type updpwd_t, not updpwd_exec_t
that should be allowed, isn't it? Unless I'm mistaken, it's the file
that has the *_exec_t type, but the resulting process domain is *_t.
I did create my module following your pattern, but using updpwd_t, and
the crontab command works again. So it seems it was the right thing
to do. Or have I done something I shouldn't do after all?
Oops, my mistake - yes, you wanted the domain type, not the executable
type there.
audit2allow is actually supposed to handle those errors too, but it
seems to be broken at the moment for them.
--
Stephen Smalley
National Security Agency