policy to allow myapp to exec chfn

Brian Ginn BGinn at symark.com
Sat May 30 01:10:29 UTC 2009


Ok, Thanks!
In flask/security_classes I see that class passwd is commented to be # userspace.
In flask/access_vectors I see the chfn permission for class passwd.
... So maybe next time I get a similar problem, I'll be able to solve it myself.

Is https://bugzilla.redhat.com/ the appropriate place to submit a bug report for chfn?



-Brian



-----Original Message-----
From: Daniel J Walsh [mailto:dwalsh at redhat.com] 
Sent: Thursday, May 28, 2009 6:49 PM
To: Brian Ginn
Cc: 'fedora-selinux-list at redhat.com'
Subject: Re: policy to allow myapp to exec chfn

On 05/28/2009 09:03 PM, Brian Ginn wrote:
> I have an app which runs from xinetd in the myapp_t domain:
>
>          system_u:system_r:myapp_t
>
>
>
> I am attempting to get myapp to exec the chfn program
>
> however it reports:
>
> chfn: system_u:system_r:myapp_t:SystemLow-SystemHigh is not authorized to change the finger info of test5
>

This means the transition did not happen.
>
>
> I have tried these macros from the reference policy:
>
> usermanage_run_chfn(myapp_t,system_r,devpts_t )
>
> type myapp_devpts_t;
>
> type myapp_tty_device_t;
>
> userdom_change_password_template(myapp)
>
> usermanage_run_chfn(myapp_t,system_r,{ myapp_devpts_t myapp_tty_device_t })
>
>
>
> but things still don't work.
>
>
>
> SELinux is not reporting denials in audit.log, presumably because
>
> chfn calls security_compute_av() and reports the "denial" itself.
>
>

>
>
>
> Is there policy I can write that will allow myapp to exec chfn?
>
>
>
>
>
> Thanks,
> Brian
>
>
>
If myapp_t needs to have the ability to change a passwd of another user:

allow myapp_t self:passwd chfn;

chfn and others should report this error as an AVC rather than just an 
error message so the tools would be able to generate appropriate policy.

Report this as a bug and cc me on the bug report.

passwd, chfn, chsh are all accesses required for root programs to 
change the passwd, finger info or shell of other UIDs.
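
Added example, not part of the thread or of the reference policy: a small Python parser for the two files Brian mentions, which lists the object classes marked `# userspace` in flask/security_classes together with their permissions from flask/access_vectors (the checks that a program such as chfn makes itself). The file excerpts are constructed and shortened, and the function names are hypothetical.

```python
import re

# Constructed, shortened excerpts in the layout of the reference policy's
# flask/security_classes and flask/access_vectors files.
SECURITY_CLASSES = """\
class process
class dir
class passwd            # userspace
"""
ACCESS_VECTORS = """\
common file
{
    read
    write
}
class dir
inherits file
{
    search
}
class passwd
{
    passwd  # change another user passwd
    chfn    # change another user finger info
    chsh    # change another user shell
}
"""

def userspace_classes(text):
    """Classes whose declaration carries the '# userspace' comment."""
    return re.findall(r"^class[ \t]+(\w+)[ \t]*#[ \t]*userspace\b", text, re.M)

def class_permissions(text):
    """Map each class to its permissions, expanding 'inherits <common>'."""
    text = re.sub(r"#.*", "", text)  # comments never carry permissions
    decl = re.compile(
        r"\b(common|class)\s+(\w+)(?:\s+inherits\s+(\w+))?\s*(?:\{([^}]*)\})?")
    commons, classes = {}, {}
    for kind, name, parent, body in decl.findall(text):
        perms = body.split()
        if kind == "common":
            commons[name] = perms
        else:
            classes[name] = commons.get(parent, []) + perms
    return classes

def userspace_checks(security_classes, access_vectors):
    """Permissions that are checked by userspace programs, per class."""
    perms = class_permissions(access_vectors)
    return {c: perms.get(c, []) for c in userspace_classes(security_classes)}
```

Calling `userspace_checks()` on the contents of the real files from a policy source tree gives the class and permission names to use in a rule of the form `allow myapp_t self:passwd chfn;`.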



