On (29/10/13 10:08), Jakub Hrozek wrote:
> The Kerberos provider didn't handle ERR_CHPASS_FAILED at all, which
> resulted in the default return code (System Error) being returned if
> the password change failed for pretty much any reason, including
> password too recent etc.
I found a selinux problem while I was testing this patch.
[check_if_uid_is_active] (0x0020): systemd-login gave error 13: Permission denied
Raw Audit Messages
type=AVC msg=audit(1383053470.652:1689): avc: denied { search } for pid=17295 comm="sssd_be" name="users" dev="tmpfs" ino=12761 scontext=system_u:system_r:sssd_t:s0 tcontext=system_u:object_r:systemd_logind_var_run_t:s0 tclass=dir
type=SYSCALL msg=audit(1383053470.652:1689): arch=x86_64 syscall=open success=no exit=EACCES a0=7f66773043b0 a1=80000 a2=1b6 a3=0 items=0 ppid=17294 pid=17295 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=(none) comm=sssd_be exe=/usr/libexec/sssd/sssd_be subj=system_u:system_r:sssd_t:s0 key=(null)
We use the systemd function sd_uid_get_sessions(uid, 0, NULL) from the header file
systemd/sd-login.h, and sssd_be cannot access the directory /run/systemd/users/.
But we did not directly search this directory.
Is it a bug in systemd or in selinux-policy?
LS
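As an added example (not code from this thread, nor from sssd or systemd): a small parser for the two audit records quoted above. It groups records by audit event id so the SYSCALL line's exe and exit code sit next to the AVC line, pulls the source and target SELinux types out of the contexts, and renders the denial in the allow-rule shape audit2allow would print, which is the (sssd_t, systemd_logind_var_run_t, dir, search) tuple a selinux-policy bug report needs. The sample input is constructed from the records in the mail.

```python
import re
from collections import defaultdict

# Constructed sample: the two audit records quoted in the thread, reflowed one record per line.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1383053470.652:1689): avc: denied { search } for pid=17295 comm="sssd_be" name="users" dev="tmpfs" ino=12761 scontext=system_u:system_r:sssd_t:s0 tcontext=system_u:object_r:systemd_logind_var_run_t:s0 tclass=dir
type=SYSCALL msg=audit(1383053470.652:1689): arch=x86_64 syscall=open success=no exit=EACCES a0=7f66773043b0 a1=80000 a2=1b6 a3=0 items=0 ppid=17294 pid=17295 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=(none) comm=sssd_be exe=/usr/libexec/sssd/sssd_be subj=system_u:system_r:sssd_t:s0 key=(null)
"""

RECORD_RE = re.compile(r'^type=(?P<type>\w+) msg=audit\((?P<event>[\d.]+:\d+)\): (?P<body>.*)$')
AVC_RE = re.compile(r'avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<rest>.*)')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_records(text):
    """Group records by audit event id so the AVC and SYSCALL lines of one event stay together."""
    events = defaultdict(dict)
    for line in text.splitlines():
        m = RECORD_RE.match(line.strip())
        if m:
            events[m['event']][m['type']] = m['body']
    return events

def summarize_denials(text):
    """One dict per AVC denial, joined with exe/errno from the SYSCALL record of the same event."""
    out = []
    for recs in parse_records(text).values():
        m = AVC_RE.match(recs.get('AVC', ''))
        if not m or m['result'] != 'denied':
            continue
        avc = dict(KV_RE.findall(m['rest']))
        sc = dict(KV_RE.findall(recs.get('SYSCALL', '')))
        out.append({
            # A context is user:role:type:level; the type (index 2) is what policy rules name.
            'source_type': avc['scontext'].split(':')[2],
            'target_type': avc['tcontext'].split(':')[2],
            'tclass': avc['tclass'],
            'perms': m['perms'].split(),
            'exe': sc.get('exe'),
            'errno': sc.get('exit'),
        })
    return out

def allow_rule(d):
    """Render the denial in the allow-rule shape a policy maintainer evaluates (as audit2allow would)."""
    return f"allow {d['source_type']} {d['target_type']}:{d['tclass']} {{ {' '.join(d['perms'])} }};"

if __name__ == '__main__':
    for d in summarize_denials(SAMPLE_AUDIT):
        print(f"{d['exe']} got {d['errno']}: {allow_rule(d)}")
```

Run against a real log, `ausearch -m AVC,SYSCALL` output can be fed in unchanged, since it uses the same record format; the rendered rule is the evidence to attach, not something to load into policy as-is.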