Bug 662938
| Field | Value |
|---|---|
| Summary | SELinux is preventing /usr/bin/newrole "setpcap" access. |
| Product | Fedora |
| Reporter | Stefan Schulze Frielinghaus <fedoraproject> |
| Component | policycoreutils |
| Assignee | Daniel Walsh <dwalsh> |
| Status | CLOSED CURRENTRELEASE |
| QA Contact | Fedora Extras Quality Assurance <extras-qa> |
| Severity | medium |
| Priority | medium |
| Version | 14 |
| CC | dwalsh, mgrepl, roysjosh, sgrubb |
| Keywords | Reopened |
| Hardware | x86_64 |
| OS | Linux |
| Whiteboard | setroubleshoot_trace_hash:72e30741b7cde9717fbf3630f250b53b89e7a8cb700fa2e1a28a18a674a81c46 |
| Fixed In Version | policycoreutils-2.0.85-19.fc14 |
| Doc Type | Bug Fix |
| Last Closed | 2012-07-27 13:21:51 UTC |
Description
Stefan Schulze Frielinghaus
2010-12-14 08:51:45 UTC
After some more investigation I found out that a newrole does not work anymore since an upgrade of policycoreutils. Either one would need to add some SELinux rules or change the behaviour of policycoreutils back. It worked fine with policycoreutils version 2.0.83-33.2 but not with 2.0.83-33.4 anymore. Btw. the command I was issuing was:

    newrole -r unconfined_r

Miroslav, newrole needs this access in order to drop capabilities. Stefan, you can allow it for now using

    # grep newrole /var/log/audit/audit.log | audit2allow -M mypol
    # semodule -i mypol.pp

Miroslav, this does not work. The only AVC message I get is the one from above. If I create a module and load it, I still cannot change my role:

    % newrole -r unconfined_r
    Password:
    newrole: incorrect password for stefan
    Error sending audit message.

The log files of auditd are empty (yes, auditd is running ;-)); also dmesg does not show anything.

What does id -Z show?

    id -Z
    ls -l /usr/bin/newrole
    getfcap /usr/bin/newrole

Interesting, even if SELinux is in permissive mode, I cannot change my role:

    $ sestatus
    SELinux status:                 enabled
    SELinuxfs mount:                /selinux
    Current mode:                   permissive
    Mode from config file:          enforcing
    Policy version:                 24
    Policy from config file:        targeted
    $ id -Z
    staff_u:staff_r:staff_t:s0
    $ ls -l /usr/bin/newrole
    -rwsr-xr-x. 1 root root 27376 7. Dez 15:32 /usr/bin/newrole
    $ getcap -v /usr/bin/newrole
    /usr/bin/newrole

Today I tried the new versions (2.0.83-33.6 and 2.0.83-33.10) but both aren't working. I still get an error when I try to change my role (even in permissive mode). Therefore, I have to downgrade to version 2.0.83-33.2. Is there something I can do to help debugging?

Miroslav, can you back port the fixes from Rawhide for selinuxutil.te?

Fixed in selinux-policy-3.9.7-23.fc14

selinux-policy-3.9.7-25.fc14 has been submitted as an update for Fedora 14. https://admin.fedoraproject.org/updates/selinux-policy-3.9.7-25.fc14

selinux-policy-3.9.7-25.fc14 has been pushed to the Fedora 14 testing repository. If problems still persist, please make note of it in this bug report. If you want to test the update, you can install it with su -c 'yum --enablerepo=updates-testing update selinux-policy'. You can provide feedback for this update here: https://admin.fedoraproject.org/updates/selinux-policy-3.9.7-25.fc14

I guess we are speaking beside each other. Again, I also have this problem in permissive mode. So this can't be a problem just because some policy entries are missing (but to make sure I also tested the new one and it still fails). The problem is with the package _policycoreutils_. Version 2.0.83-33.2 runs fine but version 2.0.83-33.4 not anymore. Or does the package selinux-policy provide anything else than just the basic policy? Did I miss something?

Nope, us just being dopes. I am looking into it.

selinux-policy-3.9.7-25.fc14 has been pushed to the Fedora 14 stable repository. If problems still persist, please make note of it in this bug report.

It's working in F15.

Fixed in policycoreutils-2.0.83-33.13.fc14

policycoreutils-2.0.85-19.fc14 has been submitted as an update for Fedora 14. https://admin.fedoraproject.org/updates/policycoreutils-2.0.85-19.fc14

While using version 2.0.85-19 a newrole has no effect on my system:

    $ newrole -r unconfined_r
    Password:
    $ id
    uid=500(stefan) gid=500(stefan) groups=500(stefan),18(dialout),489(mock) context=staff_u:staff_r:staff_t:s0

The role was not changed. Maybe the following might help debugging:

    $ newrole -r unconfined_r
    Password:
    $ echo $?
    255

No error message, just a non-zero return value ... Again, I still have to downgrade to version 2.0.83-33.2 to have a working F14 :/

Strange, I had this happen once, then I built a debug version and installed it, and newrole then worked. Now if I remove it and reinstall the 2.0.85-19 version it works, every time. Could you try to upgrade again and see if it works?

I removed and installed policycoreutils (version 2.0.85-19) several times without luck. As soon as I install version 2.0.83-33.2 it works fine. I also gave it a shot and installed the debuginfo packages, but without any luck. Any other ideas?

Nope, can you download the source and install it directly to see if it works that way? I think it is definitely failing when it drops caps, since everywhere else it should print something.

I did a test with a more or less fresh installation of F14, added a new user (useradd test, passwd test and semanage login -a -s staff_u test). Afterwards I tried to newrole but again I get a return value 255. Also installing directly from source did not help. Btw. all tests so far have been done in permissive mode.

Can you comment out the drop_capabilities call to see if this is what is crashing?

If drop_capabilities is commented out, then newrole works. Narrowing it a bit down: the problem seems to be with capng_lock; if only this call is commented out it works, too:

    // if (capng_lock() < 0)
    //     return -1;

But I can't see a problem here. The usage should be fine in this context. Latest libcap-ng is installed: 0.6.5-1.fc14

Steve, any ideas?

policycoreutils-2.0.85-19.fc14 has been pushed to the Fedora 14 stable repository. If problems still persist, please make note of it in this bug report.

Problem still persists, even with policycoreutils-2.0.85-28.fc14

Since this version of Fedora is no longer supported I am closing this bug. If you are still seeing this bug in a current version of Fedora, please reopen the bugzilla with the appropriate version number.
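The thread bisects the silent exit status 255 down to capng_lock(), which the libcap-ng manual says must be called while holding CAP_SETPCAP (the same capability the AVC in the summary names). The following diagnostic is an added example, not code from newrole or libcap-ng: it checks the effective capability set in /proc/self/status before applying a securebits lock and prints errno on failure instead of a bare -1. It assumes capng_lock() sets the NOROOT and NO_SETUID_FIXUP securebits together with their LOCKED variants.

```c
/* Added diagnostic, not newrole or libcap-ng code: apply the securebits lock
 * capng_lock() is assumed to set (NOROOT, NO_SETUID_FIXUP, both LOCKED), but
 * first check the effective set for CAP_SETPCAP and report errno on failure. */
#define _GNU_SOURCE
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/prctl.h>

#define CAP_SETPCAP_BIT 8  /* CAP_SETPCAP in <linux/capability.h> */
/* securebits 0-3 (<linux/securebits.h>): NOROOT, NOROOT_LOCKED, NO_SETUID_FIXUP, NO_SETUID_FIXUP_LOCKED */
#define LOCK_BITS ((1UL << 0) | (1UL << 1) | (1UL << 2) | (1UL << 3))

/* Parse a "CapEff:\t0000003fffffffff" line from /proc/self/status.
 * Returns 1 if bit `cap` is set, 0 if clear, -1 if the line is malformed. */
int cap_in_effective_line(const char *line, int cap)
{
    const char *p = strchr(line, ':');
    if (!p || cap < 0 || cap > 63) return -1;
    for (p++; *p == ' ' || *p == '\t'; p++) {}   /* skip the field separator */
    char *end;
    unsigned long long mask = strtoull(p, &end, 16);
    return end == p ? -1 : (int)((mask >> cap) & 1ULL);
}

/* Is CAP_SETPCAP in this process's effective set? 1/0, or -1 if unreadable. */
int have_setpcap(void)
{
    char line[256];
    int rc = -1;
    FILE *f = fopen("/proc/self/status", "r");
    if (!f) return -1;
    while (rc < 0 && fgets(line, sizeof line, f))
        if (strncmp(line, "CapEff:", 7) == 0)
            rc = cap_in_effective_line(line, CAP_SETPCAP_BIT);
    fclose(f);
    return rc;
}

/* Apply the lock: 0 on success, -1 plus a message on failure (newrole's
 * drop_capabilities() returns only -1, which main() turns into exit 255). */
int lock_securebits_verbose(void)
{
    if (have_setpcap() == 0)
        fprintf(stderr, "CAP_SETPCAP not in effective set; PR_SET_SECUREBITS needs it\n");
    if (prctl(PR_SET_SECUREBITS, LOCK_BITS, 0, 0, 0) < 0) {
        fprintf(stderr, "prctl(PR_SET_SECUREBITS): %s\n", strerror(errno));
        return -1;
    }
    return 0;
}

int main(void) { return lock_securebits_verbose() == 0 ? 0 : 1; }
```

An EPERM from the prctl while CAP_SETPCAP is present in the effective set is what an SELinux capability setpcap denial looks like in enforcing mode; in permissive mode, as in this report, the denial is only logged, so a failure there points at something other than policy.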