How can I create shadow_t file ?

Shintaro Fujiwara shintaro.fujiwara at gmail.com
Wed May 13 14:01:00 UTC 2009


Thank you.

I updated my tool's policy including 2 interfaces you guys introduced.

Still I can't add user from my tool and strangely, no AVC messages now
even when I set SELinux permissive.
Of course when I set permissive, I can add user.
But, I don't have any denied logs now...

No way out ?



2009/5/13 Daniel J Walsh <dwalsh at redhat.com>:
> On 05/13/2009 07:41 AM, Shintaro Fujiwara wrote:
>>
>> Well, I've been writing a policy to add user from certain domain.
>>
>> I wrote a policy including these interfaces,
>>
>> auth_domtrans_chk_passwd(segatex_t)
>> auth_manage_shadow(segatex_t)
>> auth_rw_shadow(segatex_t)
>> files_manage_etc_files(segatex_t)
>>
>> and still I can't add user from certain domain and when I look into
>> log, I have two denied messages,
>>
>> etc_t file create
>> shadow_t file create
>>
>> So I wrote exactly the same thing to allow create these but still I can't
>> add user nor delete user.
>>
>> I feel numb.
>>
>>
> You are fighting constraints.
>
> If your tool is relabeling you probably need,
> domain_subj_id_change_exemption(segatex_t)
> To allow you to change the user component.
>
> audit2allow -w (audit2why) will tell you if you are failing a constraint.
>



-- 
http://intrajp.no-ip.com/ Home Page
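
An added example, not part of the original thread: a triage sketch that flags AVC denials where a create or relabel crosses SELinux users, which are the ones worth confirming with audit2allow -w. It assumes the reference-policy identity constraint is loaded. The log records, pids and the comm value are constructed.

```python
import re

# Assumption (not stated in the thread): the loaded policy has the reference-policy
# identity constraint, under which create/relabel on file-like objects needs the
# source and target SELinux users to match unless the domain is exempted.
IDENTITY_PERMS = {"create", "relabelfrom", "relabelto"}
FILE_CLASSES = {"file", "dir", "lnk_file", "chr_file", "blk_file", "sock_file", "fifo_file"}

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}.*?"
    r"scontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\S+)"
)

# Constructed sample records (pids, timestamps and comm are made up).
SAMPLE_LOG = """\
type=AVC msg=audit(1242223260.101:55): avc:  denied  { create } for  pid=4242 comm="segatex" name="shadow+" scontext=unconfined_u:unconfined_r:segatex_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file
type=AVC msg=audit(1242223260.102:56): avc:  denied  { write } for  pid=4242 comm="segatex" name="passwd" scontext=unconfined_u:unconfined_r:segatex_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file
type=SYSCALL msg=audit(1242223260.102:56): arch=40000003 syscall=5 success=no exit=-13
"""

def triage(line):
    """Return a summary dict for an AVC denial, or None for any other record."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    perms = set(m.group("perms").split())
    scon, tcon = m.group("scon").split(":"), m.group("tcon").split(":")
    identity_change = bool(
        m.group("tclass") in FILE_CLASSES
        and perms & IDENTITY_PERMS
        and scon[0] != tcon[0]  # SELinux user component differs
    )
    return {
        "source_type": scon[2],
        "target_type": tcon[2],
        "perms": sorted(perms),
        "identity_change": identity_change,
    }

def constraint_suspects(log_text):
    """AVC denials where a type-enforcement allow rule alone may not be enough."""
    hits = [triage(line) for line in log_text.splitlines()]
    return [h for h in hits if h and h["identity_change"]]

if __name__ == "__main__":
    for hit in constraint_suspects(SAMPLE_LOG):
        print("check with audit2allow -w:", hit)
```

A flagged record is only a hint; audit2allow -w on the same records gives the policy's own verdict.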



