How can I create shadow_t file ?

Daniel J Walsh dwalsh at redhat.com
Wed May 13 13:33:35 UTC 2009


On 05/13/2009 07:41 AM, Shintaro Fujiwara wrote:
> Well, I've been writing a policy to add a user from a certain domain.
>
> I wrote a policy including these interfaces,
>
> auth_domtrans_chk_passwd(segatex_t)
> auth_manage_shadow(segatex_t)
> auth_rw_shadow(segatex_t)
> files_manage_etc_files(segatex_t)
>
> and still I can't add a user from a certain domain, and when I look into
> the log, I have two denied messages,
>
> etc_t file create
> shadow_t file create
>
> So I wrote exactly the same thing to allow creating these, but still I can't
> add a user nor delete a user.
>
> I feel numb.
>
>
You are fighting constraints.

If your tool is relabeling, you probably need
domain_subj_id_change_exemption(segatex_t)
to allow you to change the user component.

audit2allow -w (audit2why) will tell you if you are failing a constraint.
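
A triage sketch for the situation in this thread, added here as an example and not part of the original messages: it reads AVC denials and flags the ones where another allow rule is unlikely to help, because the source and target contexts differ in the SELinux user component on a create or relabel. The log lines are constructed, and the constraint it models (same user required for create, relabelfrom and relabelto on file classes) is an assumption based on the reference policy.

```python
import re

# Constructed sample AVC denials (not taken from the original thread).
SAMPLE_LOG = """\
type=AVC msg=audit(1242221615.101:456): avc:  denied  { create } for  pid=2345 comm="useradd" name="shadow+" scontext=user_u:system_r:segatex_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file
type=AVC msg=audit(1242221615.102:457): avc:  denied  { create } for  pid=2345 comm="useradd" name="passwd+" scontext=user_u:system_r:segatex_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file
type=AVC msg=audit(1242221620.300:460): avc:  denied  { read } for  pid=2350 comm="segatex" name="shadow" scontext=user_u:system_r:segatex_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file
type=AVC msg=audit(1242221630.000:470): avc:  denied  { create } for  pid=2360 comm="segatex" name="tmpfile" scontext=user_u:system_r:segatex_t:s0-s0:c0.c1023 tcontext=user_u:object_r:etc_t:s0 tclass=file
"""

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{(?P<perms>[^}]*)\}.*?"
    r"scontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\S+)"
)

# Assumption: reference-policy-style constraint, i.e. these permissions on
# file classes require the same SELinux user in source and target contexts.
IDENTITY_PERMS = {"create", "relabelfrom", "relabelto"}
FILE_CLASSES = {"file", "dir", "lnk_file", "chr_file", "blk_file",
                "sock_file", "fifo_file"}


def triage(log_text):
    """Return (source_type, target_type, tclass, perm, verdict) per denial."""
    findings = []
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if m is None:
            continue  # not an AVC denial
        # Only the first three fields are split off: MLS ranges contain ':'.
        s_user, _, s_type = m["scon"].split(":")[:3]
        t_user, _, t_type = m["tcon"].split(":")[:3]
        for perm in m["perms"].split():
            identity_change = (perm in IDENTITY_PERMS
                               and m["tclass"] in FILE_CLASSES
                               and s_user != t_user)
            verdict = "constraint-suspect" if identity_change else "allow-rule"
            findings.append((s_type, t_type, m["tclass"], perm, verdict))
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(*finding, sep="\t")
```

The verdicts are a heuristic for sorting a log; running audit2allow -w on the real denials gives the authoritative answer.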



