question why newrole gives error

Dominick Grift dominick.grift at gmail.com
Wed May 8 23:37:38 UTC 2013 

On Wed, 2013-05-08 at 17:00 -0400, Daniel J Walsh wrote:
> On 05/08/2013 04:18 PM, John Emrich wrote:
> > Thanks Dan,
> > 
> > I tried that with no success. The updated newrole file is:
> > 
> > [root at localhost pam.d]# cat /etc/pam.d/newrole #%PAM-1.0 auth
> > sufficientpam_rootok.so auth       includesystem-auth account
> > includesystem-auth password   includesystem-auth session
> > requiredpam_namespace.so unmnt_remnt no_unmount_on_close
> > 
> > If I reboot the computer and try again with change. I also used sudo this
> > time to change to root. [root at localhost pam.d]# newrole -r system_r -t
> > unconfined_t newrole: incorrect password for xyzuser Error sending audit
> > message. [root at localhost pam.d]#
> > 
> > If I check the audit log file [root at localhost pam.d]# audit2allow -a -w
> > 2>&1 | grep unix_chkpwd type=AVC msg=audit(1368042244.285:341): avc:
> > denied  { noatsecure } for pid=1458 comm="unix_chkpwd"
> > scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 
> > tcontext=system_u:system_r:chkpwd_t:s0-s0:c0.c1023 tclass=process type=AVC
> > msg=audit(1368042244.285:341): avc:  denied  { siginh } for  pid=1458 
> > comm="unix_chkpwd" scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 
> > tcontext=system_u:system_r:chkpwd_t:s0-s0:c0.c1023 tclass=process type=AVC
> > msg=audit(1368042244.285:341): avc:  denied  { rlimitinh } for pid=1458
> > comm="unix_chkpwd" scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 
> > tcontext=system_u:system_r:chkpwd_t:s0-s0:c0.c1023 tclass=process
> > 
> > Suggestions?
> > 
> > Thank You John Emrich 847-312-1244 (cell) 
> > --------------------------------------------------------------------------------
> >
> > 
> *From:* Daniel J Walsh <dwalsh at redhat.com>
> > *To:* John Emrich <john.emrich at sbcglobal.net> *Cc:*
> > "selinux at lists.fedoraproject.org" <selinux at lists.fedoraproject.org> *Sent:*
> > Wednesday, May 8, 2013 10:38 AM *Subject:* Re: question why newrole gives
> > error
> > 
> > On 05/08/2013 11:23 AM, John Emrich wrote:
> >> Hello,
> > 
> >> Running Fedora-18. When executing the newrole command I consistently get 
> >> the same error message "incorrect password for xyzuser". I have su'd to 
> >> root. Everything appears valid. Below is a snippet from a terminal
> >> session that demonstrates the error message. I receive the same error
> >> regardless whether I am in enforcement mode or not. Any suggestions as to
> >> the cause?
> > 
> > 
> >> [root at localhost xyzuser]# newrole -r system_r -t sysadm_t Password: 
> >> newrole: incorrect password for xyzuser Error sending audit message. 
> >> [root at localhost xyzuser]# semanage user -l
> > 
> >> Labeling  MLS/      MLS/ SELinux User    Prefix    MCS Level  MCS Range 
> >> SELinux Roles
> > 
> >> ... deleted lines ... root            user      s0        s0-s0:c0.c1023 
> >> staff_r sysadm_r system_r unconfined_r staff_u        user      s0 
> >> s0-s0:c0.c1023                staff_r sysadm_r system_r unconfined_r 
> >> sysadm_u        user      s0        s0-s0:c0.c1023 sysadm_r system_u
> >> user      s0        s0-s0:c0.c1023 system_r unconfined_r unconfined_u
> >> user      s0        s0-s0:c0.c1023 system_r unconfined_r ... deleted
> >> lines ... [root at localhost xyzuser]# id -Z
> >> unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
> > 
> > 
> > 
> >> Thank You John Emrich
> > 
> > 
> > 
> >> -- selinux mailing list selinux at lists.fedoraproject.org
> > <mailto:selinux at lists.fedoraproject.org>
> >> https://admin.fedoraproject.org/mailman/listinfo/selinux
> > 
> > I think we had a capability bug.  Just add pam_rootok to
> > /etc/pam.d/newrole and it should work better for you.
> > 
> > I prefer to use sudo for transitioning my user role.
> > 
> > 
> > 
> > 
> > 
> > -- selinux mailing list selinux at lists.fedoraproject.org 
> > https://admin.fedoraproject.org/mailman/listinfo/selinux
> > 
> 
> First open a bugzilla on newrole not working, rather then doing this on a
> mailing list.
> 
> So you start out as unconfined_u:unconfined_r:unconfined_t:s0 and you are
> trying to newrole to unconfined_u:system_r:unconfined_t:s0
> 
> Why are you trying to do that?

I might be wrong, but i do not think that this is the point here

Even if you have access to a role and it makes sense. It still is not
able to authenticate in my experience.

> --
> selinux mailing list
> selinux at lists.fedoraproject.org
> https://admin.fedoraproject.org/mailman/listinfo/selinux

More information about the selinux mailing list