Re: checking user status

On Mon, 2009-08-17 at 08:42 -0400, Christopher J. PeBenito wrote:
> On Mon, 2009-08-17 at 08:29 -0400, Stephen Smalley wrote:
> > On Sun, 2009-08-16 at 11:53 -0700, Larry Ross wrote:
> > > Using the RHEL5.3 strict policy I am trying to allow a custom selinux
> > > user permission to use the passwd and chage commands to get the status
> > > of a local user.
> > >
> > > With selinux in permissive it works as expected, with selinux in
> > > enforcing, all I get are cryptic error messages. I installed the
> > > enableaudit.pp base policy module, still no denials.
> > >
> > > Does anyone know what permissions I need to add or what I could
> > > be doing wrong? Is this even possible?
> >
> > Did you allow the :passwd permission to the custom selinux user's
> > domain?
> >
> > allow <userdomain> self:passwd { passwd };
>
> Perhaps a denial message should be emitted from
> selinux_check_passwd_access() so people know when this perm check is
> denied.

Ideally we'd convert the callers of this function and all direct callers of security_compute_av() to using the userspace AVC. The userspace AVC just didn't exist when passwd and friends (and crond) were originally instrumented for SELinux. -- Stephen Smalley National Security Agency -- This message was distributed to subscribers of the selinux mailing list. If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with the words "unsubscribe selinux" without quotes as the message.

• This message: [ Message body ]
• Next message: Larry Ross: "Re: checking user status"
• Previous message: Christopher J. PeBenito: "Re: checking user status"
• In reply to: Christopher J. PeBenito: "Re: checking user status"
• Next in thread: Daniel J Walsh: "Re: checking user status"

• Contemporary messages sorted: [ By Date ] [ By Thread ] [ By Subject ] [ By Author ]