mirror of https://gitlab.com/apparmor/apparmor synced 2025-08-31 14:25:52 +00:00

parser: Remove check for root to run parser

The check isn't correct, it should be checking for capability
MAC_ADMIN, but in the future that won't be correct either. Instead
rely on the kernel to check permission to load policy, which it already
does, as it is possible to bypass the parser to load policy.

Also improve the error message when the kernel does deny
loading policy due to failed permission checks.

Signed-off-by: John Johansen <john.johansen@canonical.com>
John Johansen
2023-05-30 15:04:48 -07:00
parent 8d6358fa6d
commit e7844e723e
2 changed files with 6 additions and 10 deletions


@@ -51,9 +51,6 @@ static void print_error(int error)
case -ESPIPE:
PERROR(_("Bad write position\n"));
break;
case -EPERM:
PERROR(_("Permission denied\n"));
break;
case -ENOMEM:
PERROR(_("Out of memory\n"));
break;
@@ -75,8 +72,13 @@ static void print_error(int error)
case -ENOENT:
PERROR(_("Profile doesn't exist\n"));
break;
case -EPERM:
PERROR(_("%s: Permission denied. You need policy admin privileges to manage profiles.\n\n"),
progname);
break;
case -EACCES:
PERROR(_("Permission denied; attempted to load a profile while confined?\n"));
PERROR(_("%s: Access denied. You need policy admin privileges to manage profiles.\n\n"),
progname);
break;
default:
PERROR(_("Unknown error (%d): %s\n"), -error, strerror(-error));
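Review bot: The new -EACCES message in the second hunk drops the old hint that the parser may itself be confined, and it now differs from the -EPERM message only in its first two words. Since the commit description says the parser's own root check is removed in favour of the kernel's permission check, these two messages become the main feedback for a refused load, so a user denied because of confinement rather than missing privilege is pointed at the wrong cause. If the kernel still returns EACCES for the confined case (not visible from this hunk), keep the distinction, e.g. `PERROR(_("%s: Access denied. You need policy admin privileges to manage profiles; is the parser itself confined?\n\n"), progname);`. print_error's body starts and ends outside the hunks shown.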