selinux August 2009 archive

checking user status

From: Larry Ross <selinux.larry_at_nospam>
Date: Sun Aug 16 2009 - 18:53:48 GMT
To: selinux@tycho.nsa.gov


Using the RHEL5.3 strict policy, I am trying to allow a custom SELinux user permission to use the passwd and chage commands to get the status of a local user.

With SELinux in permissive it works as expected; with SELinux in enforcing, all I get are cryptic error messages. I installed the enableaudit.pp base policy module, still no denials.

Does anyone know what permissions I need to add or what I could be doing wrong? Is this even possible?

  Thank you,
  Larry

[secadm@newhost ~]$ sestatus
SELinux status: enabled
SELinuxfs mount: /selinux
Current mode: enforcing
Mode from config file: permissive
Policy version: 21
Policy from config file: strict

[secadm@newhost ~]$ sudo chage -l user

chage: Permission denied.
[secadm@newhost ~]$ sudo /usr/bin/passwd -S user
Only root can do that.

[secadm@newhost ~]$ sestatus
SELinux status: enabled
SELinuxfs mount: /selinux
Current mode: permissive
Mode from config file: permissive
Policy version: 21
Policy from config file: strict
[secadm@newhost ~]$ sudo chage -l user
Last password change : May 14, 2009
Password expires : never
Password inactive : never
Account expires : never
Minimum number of days between password change : 0
Maximum number of days between password change : 99999
Number of days of warning before password expires : 7

[secadm@newhost ~]$ sudo /usr/bin/passwd -S user
user PS 2009-05-13 0 99999 7 -1 (Password set, unknown crypt variant.)
[secadm@newhost ~]$