On 05/13/2009 07:41 AM, Shintaro Fujiwara wrote:
Well, I've been writing a policy to add user from certain domain. I wrote a policy including these interfaces, auth_domtrans_chk_passwd(segatex_t) auth_manage_shadow(segatex_t) auth_rw_shadow(segatex_t) files_manage_etc_files(segatex_t) and still I can't add user from certain domain and when I look into log, I have two denied messages, etc_t file create shadow_t file create So I wrote exactly same thing to allow create these but sill I can't add user nor delete user. I feel numb.
You are fighting constraints. If your tool is relabeling you probably need, domain_subj_id_change_exemption(segatex_t) To allow you to change the user component. audit2allow -w (audit2why) will tell you if you are failing a constraint.