[Date Prev][Date Next] [Thread Prev][Thread Next] [Thread Index] [Date Index] [Author Index]

RE: policy to allow myapp to exec chfn

From: Brian Ginn <BGinn symark com>
To: "'fedora-selinux-list redhat com'" <fedora-selinux-list redhat com>
Subject: RE: policy to allow myapp to exec chfn
Date: Fri, 29 May 2009 18:10:29 -0700

Ok, Thanks!
In flask/security_classes I see that class passwd is commented to be # userspace.
In flask/access_vectors I see the chfn permission for class passwd.
... So maybe next time I get a similar problem, I'll be able to solve it myself.

Is https://bugzilla.redhat.com/ the appropriate place to submit a bug report for chfn ?



-Brian



-----Original Message-----
From: Daniel J Walsh [mailto:dwalsh redhat com] 
Sent: Thursday, May 28, 2009 6:49 PM
To: Brian Ginn
Cc: 'fedora-selinux-list redhat com'
Subject: Re: policy to allow myapp to exec chfn

On 05/28/2009 09:03 PM, Brian Ginn wrote:
> I have an app which runs from xinetd in the myapp_t domain:
>
>          system_u:system_r:myapp_t
>
>
>
> I am attempting to get myapp to exec the chfn program
>
> however it reports:
>
> chfn: system_u:system_r:myapp_t:SystemLow-SystemHigh is not authorized to change the finger info of test5
>

This means the transition did not happen.
>
>
> I have tried these macros from the reference policy:
>
> usermanage_run_chfn(myapp_t,system_r,devpts_t )
>
> type myapp_devpts_t;
>
> type myapp_tty_device_t;
>
> userdom_change_password_template(myapp)
>
> usermanage_run_chfn(myapp_t,system_r,{ myapp_devpts_t myapp_tty_device_t })
>
>
>
> but things still don't work.
>
>
>
> SELinux is not reporting denials in audit.log, presumably because
>
> chfn calls security_compute_av() and reports the "denial" itself.
>
>

>
>
>
> Is there policy I can write that will allow myapp to exec chfn?
>
>
>
>
>
> Thanks,
> Brian
>
>
>
> ------------------------------------------------------------------------
>
> --
> fedora-selinux-list mailing list
> fedora-selinux-list redhat com
> https://www.redhat.com/mailman/listinfo/fedora-selinux-list
If myapp_t needs to have the ability to change a passwd of another user.

allow myapp_t self:passwd chfn;

chfn and others should report this error as an AVC rater then just an 
error message so the tools would be able to generate appropriate policy.

Report this as a bug and cc me on the bug report.

passwd, chfn, chsh  are all accesses required for root programs to 
change the passwd, finger info or shell of oher UIDS.

References:
- policy to allow myapp to exec chfn
  - From: Brian Ginn
- Re: policy to allow myapp to exec chfn
  - From: Daniel J Walsh

[Date Prev][Date Next] [Thread Prev][Thread Next] [Thread Index] [Date Index] [Author Index]