What to do about "invalid context"
Stephen Smalley
sds at tycho.nsa.gov
Tue Jun 17 18:44:39 UTC 2008
On Tue, 2008-06-17 at 20:36 +0200, Göran Uddeborg wrote:
> Stephen Smalley writes:
> > role unconfined_r types updpwd_exec_t;
>
> Aha, now I get it! It's the role-type combination that is not
> allowed, and thus "invalid". Thanks!
>
> A little detail, though. It's the type updpwd_t, not updpwd_exec_t
> that should be allowed, isn't it? Unless I'm mistaken, it's the file
> that has the *_exec_t type, but the resulting process domain is *_t.
>
> I did create my module following your pattern, but using updpwd_t, and
> the crontab command works again. So it seems it was the right thing
> to do. Or have I done something I shouldn't do after all?
Oops, my mistake - yes, you wanted the domain type, not the executable
type there.
audit2allow is actually supposed to handle those errors too, but it
seems to be broken at the moment for them.
--
Stephen Smalley
National Security Agency
More information about the fedora-selinux-list
mailing list