question why newrole gives error

Daniel J Walsh dwalsh at redhat.com
Thu May 9 12:32:12 UTC 2013


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 05/08/2013 07:37 PM, Dominick Grift wrote:
> On Wed, 2013-05-08 at 17:00 -0400, Daniel J Walsh wrote:
>> On 05/08/2013 04:18 PM, John Emrich wrote:
>>> Thanks Dan,
>>> 
>>> I tried that with no success. The updated newrole file is:
>>> 
>>> [root at localhost pam.d]# cat /etc/pam.d/newrole
>>> #%PAM-1.0
>>> auth       sufficient   pam_rootok.so
>>> auth       include      system-auth
>>> account    include      system-auth
>>> password   include      system-auth
>>> session    required     pam_namespace.so unmnt_remnt no_unmount_on_close
>>> 
>>> If I reboot the computer and try again with change. I also used sudo
>>> this time to change to root.
>>> 
>>> [root at localhost pam.d]# newrole -r system_r -t unconfined_t
>>> newrole: incorrect password for xyzuser
>>> Error sending audit message.
>>> [root at localhost pam.d]#
>>> 
>>> If I check the audit log file:
>>> 
>>> [root at localhost pam.d]# audit2allow -a -w 2>&1 | grep unix_chkpwd
>>> type=AVC msg=audit(1368042244.285:341): avc:  denied  { noatsecure } for pid=1458 comm="unix_chkpwd" scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:system_r:chkpwd_t:s0-s0:c0.c1023 tclass=process
>>> type=AVC msg=audit(1368042244.285:341): avc:  denied  { siginh } for pid=1458 comm="unix_chkpwd" scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:system_r:chkpwd_t:s0-s0:c0.c1023 tclass=process
>>> type=AVC msg=audit(1368042244.285:341): avc:  denied  { rlimitinh } for pid=1458 comm="unix_chkpwd" scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:system_r:chkpwd_t:s0-s0:c0.c1023 tclass=process
>>> 
>>> Suggestions?
>>> 
>>> Thank You John Emrich 847-312-1244 (cell)
>>> 
>>> *From:* Daniel J Walsh <dwalsh at redhat.com>
>>> *To:* John Emrich <john.emrich at sbcglobal.net>
>>> *Cc:* "selinux at lists.fedoraproject.org" <selinux at lists.fedoraproject.org>
>>> *Sent:* Wednesday, May 8, 2013 10:38 AM
>>> *Subject:* Re: question why newrole gives error
>>> 
>>> On 05/08/2013 11:23 AM, John Emrich wrote:
>>>> Hello,
>>> 
>>>> Running Fedora-18. When executing the newrole command I consistently
>>>> get the same error message "incorrect password for xyzuser". I have
>>>> su'd to root. Everything appears valid. Below is a snippet from a
>>>> terminal session that demonstrates the error message. I receive the
>>>> same error regardless whether I am in enforcement mode or not. Any
>>>> suggestions as to the cause?
>>> 
>>> 
>>>> [root at localhost xyzuser]# newrole -r system_r -t sysadm_t
>>>> Password:
>>>> newrole: incorrect password for xyzuser
>>>> Error sending audit message.
>>>> [root at localhost xyzuser]# semanage user -l
>>>> 
>>>>                 Labeling   MLS/       MLS/
>>>> SELinux User    Prefix     MCS Level  MCS Range        SELinux Roles
>>>> 
>>>> ... deleted lines ...
>>>> root            user       s0         s0-s0:c0.c1023   staff_r sysadm_r system_r unconfined_r
>>>> staff_u         user       s0         s0-s0:c0.c1023   staff_r sysadm_r system_r unconfined_r
>>>> sysadm_u        user       s0         s0-s0:c0.c1023   sysadm_r
>>>> system_u        user       s0         s0-s0:c0.c1023   system_r unconfined_r
>>>> unconfined_u    user       s0         s0-s0:c0.c1023   system_r unconfined_r
>>>> ... deleted lines ...
>>>> [root at localhost xyzuser]# id -Z
>>>> unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
>>> 
>>> 
>>> 
>>>> Thank You John Emrich
>>> 
>>> 
>>> 
>>>> -- selinux mailing list selinux at lists.fedoraproject.org
>>>> https://admin.fedoraproject.org/mailman/listinfo/selinux
>>> 
>>> I think we had a capability bug.  Just add pam_rootok to 
>>> /etc/pam.d/newrole and it should work better for you.
>>> 
>>> I prefer to use sudo for transitioning my user role.
>>> 
>>> 
>> 
>> First open a bugzilla on newrole not working, rather than doing this on
>> a mailing list.
>> 
>> So you start out as unconfined_u:unconfined_r:unconfined_t:s0 and you
>> are trying to newrole to unconfined_u:system_r:unconfined_t:s0
>> 
>> Why are you trying to do that?
> 
> I might be wrong, but I do not think that this is the point here.
> 
> Even if you have access to a role and it makes sense, it still is not able
> to authenticate in my experience.
> 
Well it looks like it is working in F19.

# id -Z
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
# newrole -r system_r -t unconfined_t
Password:
# id -Z
unconfined_u:system_r:unconfined_t:s0-s0:c0.c1023

We probably fixed it and need to backport to Fedora 18.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.13 (GNU/Linux)
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

iEYEARECAAYFAlGLl0wACgkQrlYvE4MpobOKKACfXN6SEowqwci4+T6lb/Yr4Hh6
XN0AnRFzM1DXtZjb6vkuAFFjvIQGzQMg
=H0Zs
-----END PGP SIGNATURE-----
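The AVC records John quoted (xdm_t reaching chkpwd_t with noatsecure, siginh and rlimitinh denied) are the kind of thing worth triaging mechanically before filing the bugzilla Dan asks for. The following is an added example, not code from this thread or from newrole, audit2allow or any Fedora tool: it parses raw `type=AVC` audit lines, skips non-AVC records, and groups denied permissions by source type, target type and object class, which is the same grouping audit2allow performs before it proposes rules. The sample log is constructed here from the three records on the page plus one SYSCALL record and one unrelated file denial made up for illustration; the function names and the `passwd_file_t` example record are assumptions of this example.

```python
"""Parse SELinux AVC records and group denials by source/target type and class.

Added example for this thread; not code from the list or from newrole.
"""
import re
from collections import defaultdict

# Constructed sample input: the three unix_chkpwd records quoted in the thread,
# a SYSCALL record (constructed) that the parser must skip, and one extra file
# denial (constructed) so the grouping shows more than one bucket.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1368042244.285:341): avc: denied  { noatsecure } for pid=1458 comm="unix_chkpwd" scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:system_r:chkpwd_t:s0-s0:c0.c1023 tclass=process
type=AVC msg=audit(1368042244.285:341): avc:  denied  { siginh } for pid=1458 comm="unix_chkpwd" scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:system_r:chkpwd_t:s0-s0:c0.c1023 tclass=process
type=AVC msg=audit(1368042244.285:341): avc:  denied  { rlimitinh } for pid=1458 comm="unix_chkpwd" scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:system_r:chkpwd_t:s0-s0:c0.c1023 tclass=process
type=SYSCALL msg=audit(1368042244.285:341): arch=c000003e syscall=59 success=yes exit=0
type=AVC msg=audit(1368042300.000:350): avc:  denied  { getattr } for pid=1500 comm="example" path="/etc/passwd" dev="dm-0" ino=12345 scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=system_u:object_r:passwd_file_t:s0 tclass=file
"""

# Header of an AVC record; tolerates the single/double spacing seen in real logs.
AVC_RE = re.compile(
    r'^type=AVC\s+msg=audit\((?P<ts>[0-9.]+):(?P<serial>\d+)\):\s+avc:\s+'
    r'(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)$'
)
# key=value pairs after "for"; values may be quoted (comm="unix_chkpwd") or bare.
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def context_type(ctx):
    """Return the type field (third component) of an SELinux context string."""
    parts = ctx.split(':')
    if len(parts) < 3:
        raise ValueError(f"not a full SELinux context: {ctx!r}")
    return parts[2]


def parse_avc(line):
    """Parse one audit line; return a dict for AVC records, None for anything else."""
    m = AVC_RE.match(line.strip())
    if not m:
        return None
    rec = {
        'ts': float(m.group('ts')),
        'serial': int(m.group('serial')),
        'result': m.group('result'),
        'perms': m.group('perms').split(),
    }
    for key, val in FIELD_RE.findall(m.group('fields')):
        rec[key] = val.strip('"')
    for required in ('scontext', 'tcontext', 'tclass'):
        if required not in rec:
            return None  # truncated record: cannot attribute the access
    rec['stype'] = context_type(rec['scontext'])
    rec['ttype'] = context_type(rec['tcontext'])
    return rec


def summarize_denials(log_text):
    """Group denied permissions by (source type, target type, object class)."""
    buckets = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec and rec['result'] == 'denied':
            buckets[(rec['stype'], rec['ttype'], rec['tclass'])].update(rec['perms'])
    return {key: sorted(perms) for key, perms in buckets.items()}


def denials_involving(log_text, type_name):
    """Return denied AVC records whose source or target type is type_name."""
    return [rec for rec in map(parse_avc, log_text.splitlines())
            if rec and rec['result'] == 'denied'
            and type_name in (rec['stype'], rec['ttype'])]


def format_summary(summary):
    """Render one report line per bucket: source -> target:class { perms }."""
    return [f"{s} -> {t}:{cls} {{ {' '.join(perms)} }}"
            for (s, t, cls), perms in sorted(summary.items())]


if __name__ == '__main__':
    for report_line in format_summary(summarize_denials(SAMPLE_AUDIT_LOG)):
        print(report_line)
    # Which domains tried to reach the password-checker domain from the thread?
    for rec in denials_involving(SAMPLE_AUDIT_LOG, 'chkpwd_t'):
        print(f"pid={rec['pid']} comm={rec['comm']} "
              f"{rec['stype']} -> {rec['ttype']} denied {rec['perms']}")
```

Run against the page's records the report collapses the three denials into a single `xdm_t -> chkpwd_t:process { noatsecure rlimitinh siginh }` line, which is the unit a bug report or a policy review wants; feeding it `ausearch -m avc` output for a whole boot works the same way, since the parser ignores every non-AVC record.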

