question why newrole gives error

Daniel J Walsh dwalsh at redhat.com
Wed May 8 21:00:49 UTC 2013


On 05/08/2013 04:18 PM, John Emrich wrote:
> Thanks Dan,
> 
> I tried that with no success. The updated newrole file is:
> 
> [root@localhost pam.d]# cat /etc/pam.d/newrole
> #%PAM-1.0
> auth       sufficient   pam_rootok.so
> auth       include      system-auth
> account    include      system-auth
> password   include      system-auth
> session    required     pam_namespace.so unmnt_remnt no_unmount_on_close
> 
> If I reboot the computer and try again with change. I also used sudo this
> time to change to root.
> 
> [root@localhost pam.d]# newrole -r system_r -t unconfined_t
> newrole: incorrect password for xyzuser
> Error sending audit message.
> [root@localhost pam.d]#
> 
> If I check the audit log file:
> 
> [root@localhost pam.d]# audit2allow -a -w 2>&1 | grep unix_chkpwd
> type=AVC msg=audit(1368042244.285:341): avc:  denied  { noatsecure } for  pid=1458 comm="unix_chkpwd" scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:system_r:chkpwd_t:s0-s0:c0.c1023 tclass=process
> type=AVC msg=audit(1368042244.285:341): avc:  denied  { siginh } for  pid=1458 comm="unix_chkpwd" scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:system_r:chkpwd_t:s0-s0:c0.c1023 tclass=process
> type=AVC msg=audit(1368042244.285:341): avc:  denied  { rlimitinh } for  pid=1458 comm="unix_chkpwd" scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:system_r:chkpwd_t:s0-s0:c0.c1023 tclass=process
> 
> Suggestions?
> 
> Thank You John Emrich 847-312-1244 (cell)
> --------------------------------------------------------------------------------
> 
> From: Daniel J Walsh <dwalsh at redhat.com>
> To: John Emrich <john.emrich at sbcglobal.net>
> Cc: "selinux at lists.fedoraproject.org" <selinux at lists.fedoraproject.org>
> Sent: Wednesday, May 8, 2013 10:38 AM
> Subject: Re: question why newrole gives error
> 
> On 05/08/2013 11:23 AM, John Emrich wrote:
>> Hello,
> 
>> Running Fedora-18. When executing the newrole command I consistently get 
>> the same error message "incorrect password for xyzuser". I have su'd to 
>> root. Everything appears valid. Below is a snippet from a terminal
>> session that demonstrates the error message. I receive the same error
>> regardless whether I am in enforcement mode or not. Any suggestions as to
>> the cause?
> 
> 
>> [root@localhost xyzuser]# newrole -r system_r -t sysadm_t
>> Password:
>> newrole: incorrect password for xyzuser
>> Error sending audit message.
>> [root@localhost xyzuser]# semanage user -l
>>
>>                 Labeling   MLS/        MLS/
>> SELinux User    Prefix     MCS Level   MCS Range          SELinux Roles
>>
>> ... deleted lines ...
>> root            user       s0          s0-s0:c0.c1023     staff_r sysadm_r system_r unconfined_r
>> staff_u         user       s0          s0-s0:c0.c1023     staff_r sysadm_r system_r unconfined_r
>> sysadm_u        user       s0          s0-s0:c0.c1023     sysadm_r
>> system_u        user       s0          s0-s0:c0.c1023     system_r unconfined_r
>> unconfined_u    user       s0          s0-s0:c0.c1023     system_r unconfined_r
>> ... deleted lines ...
>> [root@localhost xyzuser]# id -Z
>> unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
> 
>> Thank You John Emrich
> 
>> -- 
>> selinux mailing list
>> selinux at lists.fedoraproject.org
>> https://admin.fedoraproject.org/mailman/listinfo/selinux
> 
> I think we had a capability bug.  Just add pam_rootok to
> /etc/pam.d/newrole and it should work better for you.
> 
> I prefer to use sudo for transitioning my user role.
> 

First open a bugzilla on newrole not working, rather than doing this on a
mailing list.

So you start out as unconfined_u:unconfined_r:unconfined_t:s0 and you are
trying to newrole to unconfined_u:system_r:unconfined_t:s0

Why are you trying to do that?
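The AVC records quoted in the thread can be triaged mechanically instead of eyeballing them through audit2allow. What follows is an added example, not code from the thread or from the SELinux or newrole projects: it parses raw audit records in the format shown above (the same format that /var/log/audit/audit.log and `ausearch -m AVC --raw` produce), groups the denied permissions by source type, target type and object class, and flags groups that consist only of noatsecure, siginh and rlimitinh. Those three are the process-class permissions the kernel checks when a domain transition happens on exec; denying them does not stop the exec, it only makes the new domain start with flushed signal state, reset rlimits and AT_SECURE set, which is why such a group on its own rarely explains a hard failure like the password error in the thread. The sample input is constructed from the three lines John posted; the function and variable names are the example's own.

```python
import re
from collections import defaultdict

# Constructed sample: the three AVC records quoted in the thread, one per line.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1368042244.285:341): avc:  denied  { noatsecure } for  pid=1458 comm="unix_chkpwd" scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:system_r:chkpwd_t:s0-s0:c0.c1023 tclass=process
type=AVC msg=audit(1368042244.285:341): avc:  denied  { siginh } for  pid=1458 comm="unix_chkpwd" scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:system_r:chkpwd_t:s0-s0:c0.c1023 tclass=process
type=AVC msg=audit(1368042244.285:341): avc:  denied  { rlimitinh } for  pid=1458 comm="unix_chkpwd" scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:system_r:chkpwd_t:s0-s0:c0.c1023 tclass=process
"""

# Shape of a raw AVC record: fixed prefix, decision, brace-delimited permission
# list, then free-form key=value fields (values may be quoted).
AVC_RE = re.compile(
    r'type=AVC msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): avc:\s+'
    r'(?P<decision>denied|granted)\s+\{ (?P<perms>[^}]*) \} for\s+'
    r'(?P<fields>.*)$'
)
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Process permissions checked at a domain transition on exec. Denial of these
# does not fail the exec; the kernel falls back to the safe default for each.
TRANSITION_INHERIT_PERMS = {'noatsecure', 'siginh', 'rlimitinh'}


def parse_avc(line):
    """Parse one raw AVC record into a dict, or return None if it is not one."""
    m = AVC_RE.match(line.strip())
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group('fields'))}
    rec = {
        'ts': m.group('ts'),
        'serial': int(m.group('serial')),
        'decision': m.group('decision'),
        'perms': set(m.group('perms').split()),
    }
    rec.update(fields)
    return rec


def split_context(ctx):
    """Split user:role:type[:range]; the MLS/MCS range itself contains ':'."""
    parts = ctx.split(':', 3)
    return {
        'user': parts[0],
        'role': parts[1],
        'type': parts[2],
        'range': parts[3] if len(parts) > 3 else '',
    }


def summarize(text):
    """Group denied permissions by (source type, target type, tclass)."""
    groups = defaultdict(lambda: {'perms': set(), 'comms': set(), 'pids': set()})
    for line in text.splitlines():
        rec = parse_avc(line)
        if rec is None or rec['decision'] != 'denied':
            continue
        key = (
            split_context(rec['scontext'])['type'],
            split_context(rec['tcontext'])['type'],
            rec['tclass'],
        )
        g = groups[key]
        g['perms'] |= rec['perms']
        g['comms'].add(rec.get('comm', '?'))
        g['pids'].add(rec.get('pid', '?'))
    return dict(groups)


def is_transition_inherit_only(perms):
    """True when every denied permission is one of the exec-inheritance trio."""
    return bool(perms) and perms <= TRANSITION_INHERIT_PERMS


def report(text):
    """One human-readable line per (source, target, class) group."""
    out = []
    for (stype, ttype, tclass), g in sorted(summarize(text).items()):
        kind = ('exec-inheritance perms only, exec still proceeds'
                if is_transition_inherit_only(g['perms']) else 'other perms')
        out.append(
            f"{stype} -> {ttype} ({tclass}): {' '.join(sorted(g['perms']))} "
            f"[{kind}] comm={','.join(sorted(g['comms']))} "
            f"pid={','.join(sorted(g['pids']))}"
        )
    return out


if __name__ == '__main__':
    for line in report(SAMPLE_AUDIT):
        print(line)
```

Run against the sample it prints a single line for the xdm_t -> chkpwd_t process transition carrying all three inheritance permissions. On a live system, feed it `ausearch -m AVC --raw -ts recent` instead of the constructed sample; anything in the "other perms" bucket is what actually needs a policy decision.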

