[selinux] Allowing not sysadm_t access to change root password
David A. Cafaro
dac at cafaro.net
Tue Oct 18 00:26:07 UTC 2011
On Oct 17, 2011, at 5:16 PM, Robin Lee Powell wrote:
> On Mon, Oct 17, 2011 at 04:55:50PM -0400, David A. Cafaro wrote:
>>
>> Permissive mode reports no selinux errors and the password change
>> works (I'm assuming that passwd is detecting permissive mode).
>
> Make sure you have "semanage dontaudit off".
Yeah, was trying semanage -DB, but I didn't catch the passwd perms in it, may have gotten lost in the storm.
>
> Also look for things besides AVCs; if you're grepping the audit log,
> include SELINUX in what you check for.
Thanks, I usually give both a check for "AVC" and "invalid" to try and find items. I'll also give audit2allow/why a chance to gather up what's been going on as well.
Cheers,
David
More information about the selinux
mailing list