policy to allow myapp to exec chfn
Brian Ginn
BGinn at symark.com
Sat May 30 01:10:29 UTC 2009
Ok, Thanks!
In flask/security_classes I see that class passwd is commented to be # userspace.
In flask/access_vectors I see the chfn permission for class passwd.
... So maybe next time I get a similar problem, I'll be able to solve it myself.
Is https://bugzilla.redhat.com/ the appropriate place to submit a bug report for chfn?
-Brian
-----Original Message-----
From: Daniel J Walsh [mailto:dwalsh at redhat.com]
Sent: Thursday, May 28, 2009 6:49 PM
To: Brian Ginn
Cc: 'fedora-selinux-list at redhat.com'
Subject: Re: policy to allow myapp to exec chfn
On 05/28/2009 09:03 PM, Brian Ginn wrote:
> I have an app which runs from xinetd in the myapp_t domain:
> system_u:system_r:myapp_t
>
> I am attempting to get myapp to exec the chfn program
> however it reports:
> chfn: system_u:system_r:myapp_t:SystemLow-SystemHigh is not authorized to change the finger info of test5
>
This means the transition did not happen.
>
> I have tried these macros from the reference policy:
> usermanage_run_chfn(myapp_t,system_r,devpts_t )
> type myapp_devpts_t;
> type myapp_tty_device_t;
> userdom_change_password_template(myapp)
> usermanage_run_chfn(myapp_t,system_r,{ myapp_devpts_t myapp_tty_device_t })
>
> but things still don't work.
>
> SELinux is not reporting denials in audit.log, presumably because
> chfn calls security_compute_av() and reports the "denial" itself.
>
> Is there policy I can write that will allow myapp to exec chfn?
>
> Thanks,
> Brian
If myapp_t needs to have the ability to change a passwd of another user:
allow myapp_t self:passwd chfn;
chfn and others should report this error as an AVC rather than just an
error message so the tools would be able to generate appropriate policy.
Report this as a bug and cc me on the bug report.
passwd, chfn, chsh are all accesses required for root programs to
change the passwd, finger info or shell of other UIDs.
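
Added example, not part of the thread and not code from chfn or the reference policy: because chfn reports the passwd:chfn denial as plain text instead of an AVC, audit2allow has nothing to work from, so this helper derives the rule given above from chfn's own message. The function names and the sample lines are constructed, and it assumes the message format is exactly the one quoted in the thread.

```shell
#!/bin/sh
# Added example (not from the thread). chfn performs the passwd:chfn check in
# userspace and prints its own error, so audit.log holds no AVC to feed to
# audit2allow. This helper reads that error text and prints the matching rule.
# Assumption: the message format is exactly the one quoted in the thread.

chfn_denial_to_rule() {
    # Keep only the security context from matching lines:
    #   chfn: <user>:<role>:<type>[:<mls range>] is not authorized to change the finger info of <name>
    sed -n 's/^chfn: \([^ ]*\) is not authorized to change the finger info of .*$/\1/p' |
    while IFS=: read -r se_user se_role se_type se_range; do
        # Require a full user:role:type context.
        [ -n "$se_type" ] || continue
        # Accept only identifier characters so stray text never lands in policy.
        case $se_type in
            *[!A-Za-z0-9_]*) continue ;;
        esac
        # The rule in the thread targets "self", so only the caller's type is needed.
        printf 'allow %s self:passwd chfn;\n' "$se_type"
    done | sort -u
}

# Constructed sample input: the message from the thread, the same domain
# without an MLS range, a malformed context, and an unrelated line.
sample_log() {
    cat <<'EOF'
chfn: system_u:system_r:myapp_t:SystemLow-SystemHigh is not authorized to change the finger info of test5
chfn: system_u:system_r:myapp_t is not authorized to change the finger info of test6
chfn: bogus is not authorized to change the finger info of test7
xinetd[1234]: START: myapp pid=4321
EOF
}

sample_log | chfn_denial_to_rule
```

Review each emitted rule before loading it: it grants the named domain the ability to change finger information for other users.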