I have an app which runs from xinetd in the myapp_t domain:
system_u:system_r:myapp_t
I am attempting to get myapp to exec the chfn program
however it reports:
chfn: system_u:system_r:myapp_t:SystemLow-SystemHigh is not authorized to change the finger info of test5
I have tried these macros from the reference policy:
usermanage_run_chfn(myapp_t,system_r,devpts_t)
type myapp_devpts_t;
type myapp_tty_device_t;
userdom_change_password_template(myapp)
usermanage_run_chfn(myapp_t,system_r,{ myapp_devpts_t myapp_tty_device_t })
but things still don't work.
SELinux is not reporting denials in audit.log, presumably because
chfn calls security_compute_av() and reports the "denial" itself.
Is there policy I can write that will allow myapp to exec chfn?
Thanks, Brian
On 05/28/2009 09:03 PM, Brian Ginn wrote:
I have an app which runs from xinetd in the myapp_t domain:
system_u:system_r:myapp_t
I am attempting to get myapp to exec the chfn program
however it reports:
chfn: system_u:system_r:myapp_t:SystemLow-SystemHigh is not authorized to change the finger info of test5
This means the transition did not happen.
I have tried these macros from the reference policy:
usermanage_run_chfn(myapp_t,system_r,devpts_t)
type myapp_devpts_t;
type myapp_tty_device_t;
userdom_change_password_template(myapp)
usermanage_run_chfn(myapp_t,system_r,{ myapp_devpts_t myapp_tty_device_t })
but things still don't work.
SELinux is not reporting denials in audit.log, presumably because
chfn calls security_compute_av() and reports the "denial" itself.
Is there policy I can write that will allow myapp to exec chfn?
Thanks, Brian
-- fedora-selinux-list mailing list fedora-selinux-list@redhat.com https://www.redhat.com/mailman/listinfo/fedora-selinux-list
If myapp_t needs to have the ability to change a passwd of another user:
allow myapp_t self:passwd chfn;
chfn and others should report this error as an AVC rather than just an error message so the tools would be able to generate appropriate policy.
Report this as a bug and cc me on the bug report.
passwd, chfn, chsh are all accesses required for root programs to change the passwd, finger info or shell of other UIDs.
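The rule above, packaged the way a practitioner would actually load and check it, as an added example (this is not code from the thread or from refpolicy). It assumes the domain myapp_t already exists in the loaded policy, that the policy defines the userspace class passwd with the chfn/chsh/passwd permissions seen in flask/access_vectors, and that checkmodule, semodule_package, semodule and sesearch are on PATH. The USER_AVC line is constructed to show the form of denial Dan is asking chfn to log; it is not real audit output.

```shell
#!/bin/sh
# Added example for this thread, not code from the list posts or from
# refpolicy. Assumptions: the domain myapp_t already exists in the loaded
# policy; the policy defines the userspace class "passwd" with permissions
# such as chfn/chsh/passwd (refpolicy flask/access_vectors); checkmodule,
# semodule_package, semodule and sesearch are on PATH and you are root
# when installing.

# Emit a loadable-module source (checkmodule syntax) granting <domain> the
# listed "passwd" class permissions. The passwd class is enforced by
# chfn/chsh/passwd themselves, not by the kernel, and the object they check
# is their own process context, which is why the target is "self".
# Usage: gen_passwd_te myapp_t chfn chsh > myapp_passwd.te
gen_passwd_te() {
    dom=$1; shift
    perms="$*"
    cat <<EOF
module ${dom%_t}_passwd 1.0;

require {
    type $dom;
    class passwd { $perms };
}

allow $dom self:passwd { $perms };
EOF
}

# Build and load the module produced above (write NAME.te with gen_passwd_te first).
install_policy_module() {
    name=$1
    checkmodule -M -m -o "$name.mod" "$name.te" &&
        semodule_package -o "$name.pp" -m "$name.mod" &&
        semodule -i "$name.pp"
}

# Two checks worth running before and after loading. Empty output from the
# first means the loaded policy has no allow rule for <domain> on class
# passwd; the second lists the domain transitions <domain> is allowed, so
# you can see whether exec of chfn is expected to leave the domain at all.
verify_passwd_rule() { sesearch -A -s "$1" -t "$1" -c passwd -p "$2"; }
list_transitions()   { sesearch -T -s "$1" -c process; }

# What the denial would look like if chfn logged it as an AVC rather than
# only printing an error. Constructed for this example; not real audit output.
SAMPLE_USER_AVC="type=USER_AVC msg=audit(1243555555.123:99): pid=2468 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:myapp_t:s0-s0:c0.c1023 msg='avc:  denied  { chfn } for scontext=system_u:system_r:myapp_t:s0-s0:c0.c1023 tcontext=system_u:system_r:myapp_t:s0-s0:c0.c1023 tclass=passwd exe=\"/usr/bin/chfn\" sauid=0 hostname=? addr=? terminal=?'"

# Derive the allow rule an AVC line implies (the step audit2allow performs):
# pull source type, target type, class and permissions out of the message
# and collapse an identical source/target into "self".
avc_to_allow() {
    printf '%s\n' "$1" | sed -n \
        -e 's/.*denied *{ *\([^}]*\)} *for .*scontext=[^:]*:[^:]*:\([^: ]*\).*tcontext=[^:]*:[^:]*:\([^: ]*\).*tclass=\([^ ]*\).*/\2 \3 \4 \1/p' |
    while read stype ttype tclass perms; do
        [ "$stype" = "$ttype" ] && ttype=self
        printf 'allow %s %s:%s { %s };\n' "$stype" "$ttype" "$tclass" "$perms"
    done
}

# Example run (no root needed for these two):
#   avc_to_allow "$SAMPLE_USER_AVC"   -> allow myapp_t self:passwd { chfn };
#   gen_passwd_te myapp_t chfn > myapp_passwd.te
```

Note the difference between the two routes in the thread: with a working usermanage_run_chfn transition, chfn runs as chfn_t and chfn_t's own rules in refpolicy cover the passwd class check, so myapp_t needs nothing on class passwd. The direct allow rule instead keeps chfn running in myapp_t, which is exactly what the error message shows was happening. Run list_transitions myapp_t to see which of the two situations you are in before deciding which rule to add.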
Ok, Thanks! In flask/security_classes I see that class passwd is commented to be # userspace. In flask/access_vectors I see the chfn permission for class passwd. ... So maybe next time I get a similar problem, I'll be able to solve it myself.
Is https://bugzilla.redhat.com/ the appropriate place to submit a bug report for chfn ?
-Brian
-----Original Message-----
From: Daniel J Walsh [mailto:dwalsh@redhat.com]
Sent: Thursday, May 28, 2009 6:49 PM
To: Brian Ginn
Cc: 'fedora-selinux-list@redhat.com'
Subject: Re: policy to allow myapp to exec chfn
On 05/29/2009 09:10 PM, Brian Ginn wrote:
Ok, Thanks! In flask/security_classes I see that class passwd is commented to be # userspace. In flask/access_vectors I see the chfn permission for class passwd. ... So maybe next time I get a similar problem, I'll be able to solve it myself.
Is https://bugzilla.redhat.com/ the appropriate place to submit a bug report for chfn ?
Yes