8:03 p.m.
I have an app which runs from xinetd in the myapp_t domain:
system_u:system_r:myapp_t
I am attempting to get myapp to exec the chfn program
however it reports:
chfn: system_u:system_r:myapp_t:SystemLow-SystemHigh is not authorized to change the
finger info of test5
I have tried these macros from the reference policy:
usermanage_run_chfn(myapp_t,system_r,devpts_t )
type myapp_devpts_t;
type myapp_tty_device_t;
userdom_change_password_template(myapp)
usermanage_run_chfn(myapp_t,system_r,{ myapp_devpts_t myapp_tty_device_t })
but things still don't work.
SELinux is not reporting denials in audit.log, presumably because
chfn calls security_compute_av() and reports the "denial" itself.
Is there policy I can write that will allow myapp to exec chfn?
Thanks,
Brian
8:48 p.m.
On 05/28/2009 09:03 PM, Brian Ginn wrote:
I have an app which runs from xinetd in the myapp_t domain:
system_u:system_r:myapp_t
I am attempting to get myapp to exec the chfn program
however it reports:
chfn: system_u:system_r:myapp_t:SystemLow-SystemHigh is not authorized to change the
finger info of test5
This means the transition did not happen.
I have tried these macros from the reference policy:
usermanage_run_chfn(myapp_t,system_r,devpts_t )
type myapp_devpts_t;
type myapp_tty_device_t;
userdom_change_password_template(myapp)
usermanage_run_chfn(myapp_t,system_r,{ myapp_devpts_t myapp_tty_device_t })
but things still don't work.
SELinux is not reporting denials in audit.log, presumably because
chfn calls security_compute_av() and reports the "denial" itself.
Is there policy I can write that will allow myapp to exec chfn?
Thanks,
Brian
------------------------------------------------------------------------
--
fedora-selinux-list mailing list
fedora-selinux-list(a)redhat.com
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
If myapp_t needs to
have the ability to change a passwd of another user.
allow myapp_t self:passwd chfn;
chfn and others should report this error as an AVC rater then just an
error message so the tools would be able to generate appropriate policy.
Report this as a bug and cc me on the bug report.
passwd, chfn, chsh are all accesses required for root programs to
change the passwd, finger info or shell of oher UIDS.
8:10 p.m.
Ok, Thanks!
In flask/security_classes I see that class passwd is commented to be # userspace.
In flask/access_vectors I see the chfn permission for class passwd.
... So maybe next time I get a similar problem, I'll be able to solve it myself.
Is https://bugzilla.redhat.com/ the appropriate place to submit a bug report for chfn ?
-Brian
-----Original Message-----
From: Daniel J Walsh [mailto:dwalsh@redhat.com]
Sent: Thursday, May 28, 2009 6:49 PM
To: Brian Ginn
Cc: 'fedora-selinux-list(a)redhat.com'
Subject: Re: policy to allow myapp to exec chfn
On 05/28/2009 09:03 PM, Brian Ginn wrote:
I have an app which runs from xinetd in the myapp_t domain:
system_u:system_r:myapp_t
I am attempting to get myapp to exec the chfn program
however it reports:
chfn: system_u:system_r:myapp_t:SystemLow-SystemHigh is not authorized to change the
finger info of test5
This means the transition did not happen.
I have tried these macros from the reference policy:
usermanage_run_chfn(myapp_t,system_r,devpts_t )
type myapp_devpts_t;
type myapp_tty_device_t;
userdom_change_password_template(myapp)
usermanage_run_chfn(myapp_t,system_r,{ myapp_devpts_t myapp_tty_device_t })
but things still don't work.
SELinux is not reporting denials in audit.log, presumably because
chfn calls security_compute_av() and reports the "denial" itself.
Is there policy I can write that will allow myapp to exec chfn?
Thanks,
Brian
------------------------------------------------------------------------
--
fedora-selinux-list mailing list
fedora-selinux-list(a)redhat.com
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
If myapp_t needs to
have the ability to change a passwd of another user.
allow myapp_t self:passwd chfn;
chfn and others should report this error as an AVC rater then just an
error message so the tools would be able to generate appropriate policy.
Report this as a bug and cc me on the bug report.
passwd, chfn, chsh are all accesses required for root programs to
change the passwd, finger info or shell of oher UIDS.
7:59 a.m.
On 05/29/2009 09:10 PM, Brian Ginn wrote:
Ok, Thanks!
In flask/security_classes I see that class passwd is commented to be # userspace.
In flask/access_vectors I see the chfn permission for class passwd.
... So maybe next time I get a similar problem, I'll be able to solve it myself.
Is https://bugzilla.redhat.com/ the appropriate place to submit a bug report for chfn ?
Yes
-Brian
5440
days inactive
5443
days old
selinux@lists.fedoraproject.org
3 comments
2 participants
participants (2)
-
Brian Ginn -
Daniel J Walsh