fedora-selinux May 2009 archive
fedora-selinux: policy to allow myapp to exec chfn

From: Brian Ginn <BGinn_at_nospam>
Date: Fri May 29 2009 - 01:03:32 GMT
To: "'fedora-selinux-list@redhat.com'" <fedora-selinux-list@redhat.com>


I have an app which runs from xinetd in the myapp_t domain:

        system_u:system_r:myapp_t

I am attempting to get myapp to exec the chfn program, however it reports:

        chfn: system_u:system_r:myapp_t:SystemLow-SystemHigh is not authorized to change the finger info of test5

I have tried these macros from the reference policy:

        usermanage_run_chfn(myapp_t,system_r,devpts_t )
        type myapp_devpts_t;
        type myapp_tty_device_t;
        userdom_change_password_template(myapp)
        usermanage_run_chfn(myapp_t,system_r,{ myapp_devpts_t myapp_tty_device_t })

but things still don't work.

SELinux is not reporting denials in audit.log, presumably because chfn calls security_compute_av() and reports the "denial" itself.

Is there policy I can write that will allow myapp to exec chfn?

Thanks,
Brian
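
The userspace check described in the message above, modelled as an added example (not code from the original post, from chfn, or from libselinux): a program that asks the policy for an access vector and enforces the answer itself leaves nothing for the kernel to log, and rules covering exec and domain transition do not answer a query on a different object class. The sample rules, the `passwd` class with its `chfn` permission, and the use of the caller's own context as both source and target are assumptions made for illustration.

```python
import re

# Constructed policy fragment (not from the post). The passwd/chfn class and
# permission are assumed to be what the userspace check asks about.
SAMPLE_POLICY = """
allow myapp_t chfn_exec_t:file { read getattr execute };
allow myapp_t chfn_t:process transition;
allow sysadm_t self:passwd { passwd chfn chsh };
"""

# allow <source> <target>:<class> <perms>;  each field is a name or a { set }
RULE = re.compile(r"allow\s+(\{[^}]*\}|\S+)\s+(\{[^}]*\}|\S+?)\s*:\s*"
                  r"(\{[^}]*\}|\S+)\s+(\{[^}]*\}|[^;\s]+)\s*;")

def _names(token):
    return token.strip("{} ").split()

def parse_allow_rules(text):
    """Return {(source_type, target_type, class): perms}, expanding 'self'."""
    table = {}
    for src, tgt, cls, perms in RULE.findall(text):
        for s in _names(src):
            for t in _names(tgt):
                target = s if t == "self" else t
                for c in _names(cls):
                    table.setdefault((s, target, c), set()).update(_names(perms))
    return table

def context_type(context):
    """The type is the third field of user:role:type[:mls-range]."""
    return context.split(":")[2]

def compute_av(table, scon, tcon, tclass):
    """Model of the answer a security_compute_av() caller receives."""
    return table.get((context_type(scon), context_type(tcon), tclass), set())

def userspace_check(table, caller_context, tclass, perm):
    """The program compares the answer itself; the kernel denies nothing."""
    return perm in compute_av(table, caller_context, caller_context, tclass)

if __name__ == "__main__":
    caller = "system_u:system_r:myapp_t:SystemLow-SystemHigh"
    rules = parse_allow_rules(SAMPLE_POLICY)
    print("exec rules only:", userspace_check(rules, caller, "passwd", "chfn"))
    rules = parse_allow_rules(SAMPLE_POLICY + "allow myapp_t self:passwd chfn;")
    print("with class rule:", userspace_check(rules, caller, "passwd", "chfn"))
```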
