Bug 119113

Summary: chsh setpwnam: Permission denied
Product: [Fedora] Fedora
Reporter: Charles R. Anderson <cra>
Component: policy
Assignee: Daniel Walsh <dwalsh>
Status: CLOSED RAWHIDE
Severity: medium
Priority: medium
Version: rawhide
CC: pgraner
Hardware: All
OS: Linux
Doc Type: Bug Fix
Last Closed: 2004-05-10 15:01:57 UTC

Description Charles R. Anderson 2004-03-25 06:02:06 UTC
Description of problem:

chsh fails (as regular user or as root) due to SELinux policy.  

Version-Release number of selected component (if applicable):

policy-1.9-11
util-linux-2.12-14

How reproducible:
100%

Steps to Reproduce:
1. Log in as user, or as root
2. chsh username
3. Try changing shell to e.g. /bin/tcsh
  
Actual results:

[root@q root]# chsh cra
Changing shell for cra.
New shell [/bin/bash]: /bin/tcsh
setpwnam: Permission denied
Shell *NOT* changed.  Try again later.
[root@q root]# 

Expected results:

Shell should be changed.

Additional info:

Fresh install of FC 1.91 200403230535.  AVC messages:

audit(1080193991.075:0): avc:  denied  { setrlimit } for  pid=30420 exe=/usr/bin/chsh scontext=user_u:user_r:chfn_t tcontext=user_u:user_r:chfn_t tclass=process
audit(1080193991.075:0): avc:  denied  { create } for  pid=30420 exe=/usr/bin/chsh name=ptmptmp scontext=user_u:user_r:chfn_t tcontext=system_u:object_r:etc_t tclass=file
audit(1080194006.776:0): avc:  denied  { setrlimit } for  pid=30425 exe=/usr/bin/chsh scontext=root:sysadm_r:chfn_t tcontext=root:sysadm_r:chfn_t tclass=process
audit(1080194006.776:0): avc:  denied  { create } for  pid=30425 exe=/usr/bin/chsh name=ptmptmp scontext=root:sysadm_r:chfn_t tcontext=system_u:object_r:etc_t tclass=file
audit(1080194129.536:0): avc:  denied  { setrlimit } for  pid=30456 exe=/usr/bin/chsh scontext=root:sysadm_r:chfn_t tcontext=root:sysadm_r:chfn_t tclass=process
audit(1080194129.537:0): avc:  denied  { create } for  pid=30456 exe=/usr/bin/chsh name=ptmptmp scontext=root:sysadm_r:chfn_t tcontext=system_u:object_r:etc_t tclass=file
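
The AVC messages above, grouped by type (an added example, not part of the original report and not code from any SELinux tool): records are re-joined where they wrap across lines, then summarized by source type, target type and class, which shows that the user_u and root runs hit the same two denials in chfn_t. SAMPLE holds the first three records from the report; the function names are this example's own.

```python
import re
from collections import defaultdict

# First three AVC records from the report above, wrapped across lines.
SAMPLE = """\
audit(1080193991.075:0): avc:  denied  { setrlimit } for  pid=30420
exe=/usr/bin/chsh scontext=user_u:user_r:chfn_t
tcontext=user_u:user_r:chfn_t tclass=process
audit(1080193991.075:0): avc:  denied  { create } for  pid=30420
exe=/usr/bin/chsh name=ptmptmp scontext=user_u:user_r:chfn_t
tcontext=system_u:object_r:etc_t tclass=file
audit(1080194006.776:0): avc:  denied  { setrlimit } for  pid=30425
exe=/usr/bin/chsh scontext=root:sysadm_r:chfn_t
tcontext=root:sysadm_r:chfn_t tclass=process
"""
AVC_RE = re.compile(r"avc:\s+denied\s+\{([^}]*)\}\s+for\s+(.*)")

def join_records(text):
    """Re-join wrapped records: a new record starts at 'audit('."""
    records = []
    for line in (raw.strip() for raw in text.splitlines()):
        if line.startswith("audit(") or (line and not records):
            records.append(line)
        elif line:
            records[-1] += " " + line  # continuation of the previous record
    return records

def parse_denial(record):
    """Return (permissions, key=value fields) for a denial, else None."""
    m = AVC_RE.search(record)
    if not m:
        return None
    fields = dict(kv.split("=", 1) for kv in m.group(2).split() if "=" in kv)
    return m.group(1).split(), fields

def summarize(text):
    """Map (source type, target type, class) -> sorted denied permissions."""
    summary = defaultdict(set)
    for parsed in map(parse_denial, join_records(text)):
        if parsed is None:
            continue
        perms, f = parsed
        try:  # the type is the third field of user:role:type
            key = (f["scontext"].split(":")[2], f["tcontext"].split(":")[2], f["tclass"])
        except (KeyError, IndexError):
            continue  # malformed record: skip rather than guess
        summary[key].update(perms)
    return {k: sorted(v) for k, v in summary.items()}

if __name__ == "__main__":
    for (src, tgt, cls), perms in summarize(SAMPLE).items():
        print(f"{src} -> {tgt}:{cls} denied {{ {' '.join(perms)} }}")
```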

Comment 1 Daniel Walsh 2004-03-25 13:11:57 UTC
Could you try this with a later policy, policy-1.9-15?  The create
should not fail, and I would like to know if it fails.

Dan