From: sven.vermeulen@siphos.be (Sven Vermeulen)
Date: Thu, 9 Aug 2012 20:38:51 +0200
Subject: [refpolicy] How to give _admin rights?
Message-ID: <20120809183851.GA2643@siphos.be>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

Hi guys,

Currently all administration I do is handled through the sysadm_r:sysadm_t
context. As a result, I never needed to explicitly grant an admin interface
(like nscd_admin) to a specific role.

I'm now trying to allow a role (be it user_r, staff_r or a newly created
role) to (re)start the NSCD init script (which is labeled
nscd_initrc_exec_t), so I thought it would be sufficient to just add in:

    nscd_admin(staff_t, staff_r)

However, a user (SELinux user staff_u) doesn't seem to be able to really use
it properly, unless I also give that user the root password (which I don't)
for the run_init command...

I've tried:

    ~$ /etc/init.d/nscd status
    -bash: /etc/init.d/nscd: /sbin/runscript: bad interpreter: Permission denied

which is because of:

    security_compute_sid: invalid context staff_u:system_r:initrc_t for scontext=staff_u:staff_r:staff_t tcontext=system_u:object_r:nscd_initrc_exec_t tclass=process

I've tried:

    ~$ /usr/sbin/run_init /etc/init.d/nscd status
    Authenticating oper.
    Password:
    Could not set exec context to system_u:system_r:initrc_t

which is because of:

    avc: denied { setexec } for pid=18505 comm="run_init" scontext=staff_u:staff_r:staff_t tcontext=staff_u:staff_r:staff_t tclass=process

I've tried:

    ~$ sudo /usr/sbin/run_init /etc/init.d/nscd status

but then, after authenticating, run_init asks for the root password, which I
don't want to grant.

I've tried:

    ~$ sudo /etc/init.d/nscd status
    sudo: unable to execute /etc/init.d/nscd: Permission denied

For this I don't know what is causing this - I only see the standard denials
(rlimitinh, noatsecure, ...) and a getattr on a tty device.

Is it "normal" that I would need to allow setexec for the user domain?

What is the correct way to, once a role/user is defined, grant him the
_admin interface and have him start/stop the init scripts?

Wkr,
	Sven Vermeulen