Bug 208838

Summary: Not logging newrole errors as USER_ROLE_CHANGE
Product: Red Hat Enterprise Linux 5
Component: policycoreutils
Version: 5.0
Hardware: All
OS: Linux
Status: CLOSED CURRENTRELEASE
Severity: medium
Priority: medium
Reporter: Bastien Nocera <bnocera>
Assignee: Daniel Walsh <dwalsh>
QA Contact: Ben Levenson <benl>
CC: dwalsh, pgraner, sgrubb
Fixed In Version: beta2
Doc Type: Bug Fix
Last Closed: 2006-12-23 00:58:20 UTC
Attachments: patch fixing problems described herein (flags: none)

Description Bastien Nocera 2006-10-02 11:00:53 UTC
policycoreutils-1.30.17-7

As a test user:
$ newrole -r system_r
Authenticating root.
Password:
newrole: incorrect password for root

In audit.log:
type=USER_AUTH msg=audit(1159034947.964:259): user pid=13388 uid=500 auid=0
subj=root:system_r:unconfined_t:s0-s0:c0.c255 msg='PAM: authentication acct=root
: exe="/usr/bin/newrole" (hostname=?, addr=?, terminal=pts/1 res=failed)'

This should be USER_ROLE_CHANGE, rather than USER_AUTH

Comment 1 Daniel Walsh 2006-10-05 13:43:37 UTC
I don't agree, since you are failing on the login versus failing on the changing
of the role.

Steve, what do you think?

Comment 2 Steve Grubb 2006-10-05 14:00:15 UTC
All use of authentication mechanism must be audited. The event above is
correctly attributing a failed use of that facility. This does not preclude
another event being generated by newrole that says USER_ROLE_CHANGE failed. As a
matter of fact, I think Mike was working on a patch that does just this.

Comment 3 Steve Grubb 2006-10-19 18:41:12 UTC
Created attachment 138894
patch fixing problems described herein

This patch adds an audit message when the password is incorrect. Please apply.

Comment 5 RHEL Program Management 2006-10-19 20:02:18 UTC
This request was evaluated by Red Hat Product Management for inclusion in a Red
Hat Enterprise Linux release.  Product Management has requested further review
of this request by Red Hat Engineering.  This request is not yet committed for
inclusion in release.

Comment 7 Daniel Walsh 2006-10-20 13:54:26 UTC
Fixed in policycoreutils-1.32-1

Comment 9 Jay Turner 2006-11-22 17:43:24 UTC
With policycoreutils-1.33.1-7.el5 I'm not seeing a change:

type=USER_AUTH msg=audit(1164217171.511:362): user pid=4619 uid=0 auid=0
subj=root:system_r:unconfined_t:s0-s0:c0.c1023 msg='PAM: authentication
acct=root : exe="/usr/bin/newrole" (hostname=?, addr=?, terminal=pts/0 res=failed)'
type=USER_ACCT msg=audit(1164217201.031:363): user pid=4622 uid=0
auid=4294967295 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='PAM:
accounting acct=root : exe="/usr/sbin/crond" (hostname=?, addr=?, terminal=cron
res=success)'


Comment 10 Daniel Walsh 2006-11-28 15:41:32 UTC
Fixed in policycoreutils-1.33.5-1

Comment 11 RHEL Program Management 2006-12-23 00:58:20 UTC
A package has been built which should help the problem described in 
this bug report. This report is therefore being closed with a resolution 
of CURRENTRELEASE. You may reopen this bug report if the solution does 
not work for you.
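
A check for the behaviour discussed in this report, as an added example that is not part of the bug thread or of policycoreutils: it scans audit.log text for failed USER_AUTH records from /usr/bin/newrole and reports those with no USER_ROLE_CHANGE record from the same pid shortly afterwards. The function names, the 5-second window and the USER_ROLE_CHANGE sample record are assumptions made for illustration.

```python
import re

# The two USER_AUTH records and the crond record are the ones quoted in this
# bug, re-joined onto one line each. The USER_ROLE_CHANGE record is constructed:
# its serial and msg text are assumptions, not output from a fixed package.
SAMPLE_LOG = """\
type=USER_AUTH msg=audit(1159034947.964:259): user pid=13388 uid=500 auid=0 subj=root:system_r:unconfined_t:s0-s0:c0.c255 msg='PAM: authentication acct=root : exe="/usr/bin/newrole" (hostname=?, addr=?, terminal=pts/1 res=failed)'
type=USER_AUTH msg=audit(1164217171.511:362): user pid=4619 uid=0 auid=0 subj=root:system_r:unconfined_t:s0-s0:c0.c1023 msg='PAM: authentication acct=root : exe="/usr/bin/newrole" (hostname=?, addr=?, terminal=pts/0 res=failed)'
type=USER_ROLE_CHANGE msg=audit(1164217171.515:9001): user pid=4619 uid=0 auid=0 subj=root:system_r:unconfined_t:s0-s0:c0.c1023 msg='newrole: constructed failure record: exe="/usr/bin/newrole" (hostname=?, addr=?, terminal=pts/0 res=failed)'
type=USER_ACCT msg=audit(1164217201.031:363): user pid=4622 uid=0 auid=4294967295 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='PAM: accounting acct=root : exe="/usr/sbin/crond" (hostname=?, addr=?, terminal=cron res=success)'
"""

# Matches the user-space record layout shown in the bug: type, audit(ts:serial),
# pid, then exe= and res= inside the quoted msg field.
RECORD = re.compile(
    r"type=(?P<type>\S+) msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): "
    r"user pid=(?P<pid>\d+) .*?exe=\"(?P<exe>[^\"]+)\".*?res=(?P<res>\w+)\)'"
)

def parse(log_text):
    """Yield (type, timestamp, serial, pid, exe, res) for each user-space record."""
    for m in RECORD.finditer(log_text):
        yield (m["type"], float(m["ts"]), int(m["serial"]),
               int(m["pid"]), m["exe"], m["res"])

def unpaired_newrole_auth_failures(log_text, window=5.0):
    """Failed newrole USER_AUTH records with no USER_ROLE_CHANGE record from
    the same pid within `window` seconds (pids are recycled, so bound by time)."""
    newrole = [r for r in parse(log_text) if r[4] == "/usr/bin/newrole"]
    role_changes = [(ts, pid) for typ, ts, _, pid, _, _ in newrole
                    if typ == "USER_ROLE_CHANGE"]
    unpaired = []
    for typ, ts, serial, pid, _, res in newrole:
        if typ != "USER_AUTH" or res != "failed":
            continue
        if not any(p == pid and 0 <= t - ts <= window for t, p in role_changes):
            unpaired.append((serial, pid))
    return unpaired

if __name__ == "__main__":
    for serial, pid in unpaired_newrole_auth_failures(SAMPLE_LOG):
        print(f"audit serial {serial}: newrole pid {pid} failed auth, no USER_ROLE_CHANGE")
```

On the sample, only the record from the original description (serial 259) is reported, because the second failure is followed by the constructed USER_ROLE_CHANGE record.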