[Date Prev][Date Next] [Thread Prev][Thread Next] [Thread Index] [Date Index] [Author Index]

Re: What to do about "invalid context"

From: Stephen Smalley <sds tycho nsa gov>
To: Göran Uddeborg <goeran uddeborg se>
Cc: fedora-selinux-list redhat com
Subject: Re: What to do about "invalid context"
Date: Tue, 17 Jun 2008 14:44:39 -0400

On Tue, 2008-06-17 at 20:36 +0200, Göran Uddeborg wrote:
> Stephen Smalley writes:
> > role unconfined_r types updpwd_exec_t;
> 
> Aha, now I get it!  It's the role-type combination that is not
> allowed, and thus "invalid".  Thanks!
> 
> A little detail, though.  It's the type updpwd_t, not updpwd_exec_t
> that should be allowed, isn't it?  Unless I'm mistaken, it's the file
> that has the *_exec_t type, but the resulting process domain is *_t.
> 
> I did create my module following your pattern, but using updpwd_t, and
> the crontab command works again.  So it seems it was the right thing
> to do.  Or have I done something I shouldn't do after all?

Oops, my mistake - yes, you wanted the domain type, not the executable
type there.

audit2allow is actually supposed to handle those errors too, but it
seems to be broken at the moment for them.

-- 
Stephen Smalley
National Security Agency

References:
- What to do about "invalid context"
  - From: Göran Uddeborg
- Re: What to do about "invalid context"
  - From: Stephen Smalley
- Re: What to do about "invalid context"
  - From: Göran Uddeborg

[Date Prev][Date Next] [Thread Prev][Thread Next] [Thread Index] [Date Index] [Author Index]