From e7844e723e353c07cceb15ac342e5b113814720c Mon Sep 17 00:00:00 2001
From: John Johansen
Date: Tue, 30 May 2023 15:04:48 -0700
Subject: [PATCH] parser: Remove check for root to run parser
The check isn't correct, it should be checking for capability MAC_ADMIN, but in the future that won't be correct either. Instead rely on the kernel to check permission to load policy, which it alread does as it is possible to by-pass the parser to load policy. Also improve the error message when the kernel does deny loading policy due to failed permission checks.
Signed-off-by: John Johansen
---
 parser/parser_interface.c | 10 ++++++----
 parser/parser_main.c | 6 ------
 2 files changed, 6 insertions(+), 10 deletions(-)
diff --git a/parser/parser_interface.c b/parser/parser_interface.c
index c98a1fa29..85859e2bb 100644
--- a/parser/parser_interface.c
+++ b/parser/parser_interface.c
@@ -51,9 +51,6 @@ static void print_error(int error)
 case -ESPIPE:
 PERROR(_("Bad write position\n"));
 break;
- case -EPERM:
- PERROR(_("Permission denied\n"));
- break;
 case -ENOMEM:
 PERROR(_("Out of memory\n"));
 break;
@@ -75,8 +72,13 @@ static void print_error(int error)
 case -ENOENT:
 PERROR(_("Profile doesn't exist\n"));
 break;
+ case -EPERM:
+ PERROR(_("%s: Permission denied. You need policy admin privileges to manage profiles.\n\n"),
+ progname);
+ break;
 case -EACCES:
- PERROR(_("Permission denied; attempted to load a profile while confined?\n"));
+ PERROR(_("%s: Access denied. You need policy admin privileges to manage profiles.\n\n"),
+ progname);
 break;
 default:
 PERROR(_("Unknown error (%d): %s\n"), -error, strerror(-error));
diff --git a/parser/parser_main.c b/parser/parser_main.c
index b1731bed8..7903ffdad 100644
--- a/parser/parser_main.c
+++ b/parser/parser_main.c
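Review bot: The new `-EACCES` message in the `@@ -75,8 +72,13 @@` hunk drops the hint the removed line carried — that EACCES is what the parser sees when it is itself confined — so EACCES and EPERM now both send the operator after missing policy-admin privileges, which is the wrong fix for a confined parser. Keep the distinction, e.g. `PERROR(_("%s: Access denied. You need policy admin privileges to manage profiles, or the parser may be confined.\n\n"), progname);`, plus a comment above `case -EACCES:` such as `/* EACCES: the kernel's policy denied the write (e.g. a confined parser); EPERM: missing capability */` — hedged, since the kernel's exact error split is not visible here. Both new messages also end in `\n\n` where every other case in print_error uses a single `\n`; the extra blank line looks carried over from the parser_main.c wording and could be dropped for consistency. `progname` is presumably a shared global, since parser_main.c already uses it; confirm it is declared in a header that parser_interface.c includes. The first hunk only moves the EPERM case into this one, and print_error's switch starts and ends outside both hunks.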
@@ -855,12 +855,6 @@ int have_enough_privilege(void)
 uid = getuid();
 euid = geteuid();
- if (uid != 0 && euid != 0) {
- PERROR(_("%s: Sorry. You need root privileges to run this program.\n\n"),
- progname);
- return EPERM;
- }
-
 if (uid != 0 && euid == 0) {
 PERROR(_("%s: Warning! You've set this program setuid root.\n"
 "Anybody who can run this program can update "