Bug 746644

Summary: "chsh -s /bin/dash root" fail with "chsh: setpwnam failed: Permission denied"
Product: [Fedora] Fedora
Component: selinux-policy
Version: rawhide
Status: CLOSED RAWHIDE
Severity: unspecified
Priority: unspecified
Hardware: Unspecified
OS: Unspecified
Reporter: Jim Meyering <meyering>
Assignee: Miroslav Grepl <mgrepl>
QA Contact: Fedora Extras Quality Assurance <extras-qa>
CC: awilliam, dominick.grift, dwalsh, jakub, mgrepl, schwab
Doc Type: Bug Fix
Last Closed: 2011-10-17 19:51:56 UTC

Description Jim Meyering 2011-10-17 11:25:20 UTC
Description of problem: chsh -s ___ root always fails


Version-Release number of selected component (if applicable):
glibc-2.14.90-12.x86_64

How reproducible: every time


Steps to Reproduce: (first ensure you have installed dash)
1. chsh -s /bin/dash root
  
Actual results:
chsh: setpwnam failed: Permission denied
Shell *NOT* changed.  Try again later.

Expected results:
No failure and exit status = 0



Comment 1 Adam Williamson 2011-10-17 16:17:28 UTC
Is this another result of the groups problem with -12? Test with -12.999, thanks!

Comment 2 Jim Meyering 2011-10-17 17:14:31 UTC
Adam,

No, this is different.
I confirmed that this bug persists when I install -12.999 on rawhide (both before and after reboot), but not on F16.

It is due to SELinux policy, so I've adjusted the component.

-=--------------------------------
SELinux is preventing /usr/bin/chsh from create access on the file ptmptmp.

*****  Plugin catchall_labels (83.8 confidence) suggests  ********************

If you want to allow chsh to have create access on the ptmptmp file
Then you need to change the label on ptmptmp
Do
# semanage fcontext -a -t FILE_TYPE 'ptmptmp'
where FILE_TYPE is one of the following: passwd_file_t, pcscd_var_run_t, krb5_host_rcache_t. 
Then execute: 
restorecon -v 'ptmptmp'

Comment 3 Daniel Walsh 2011-10-17 18:22:07 UTC
Jim, I cannot get this to happen on my box. The chsh is completing correctly. What is ptmptmp? Is this a file in /etc?

Comment 4 Jim Meyering 2011-10-17 19:21:26 UTC
Hi Dan,

I built a new rawhide VM yesterday, starting from F16-beta and upgrading from there.  Thus maybe I have a slightly newer version of glibc?  I was using both -12, and later, -12.999 from koji.

Yes, chsh works by writing a temporary file, /etc/ptmptmp, and then replacing /etc/passwd atomically.

Comment 5 Daniel Walsh 2011-10-17 19:51:56 UTC
Fixed in selinux-policy-3.10.0-40.2.fc17.noarch
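
The update pattern described in comment 4, as an added example that is not part of the bug report and is not util-linux's code: create a temporary file beside the target, then rename() it into place, which is why the policy must allow chsh to create a new file in that directory. Only the name ptmptmp comes from the report; replace_atomically, demo and the scratch directory under /tmp are assumptions for illustration.

```c
#define _POSIX_C_SOURCE 200809L
/* Added example, not util-linux code: write a temp file, then rename it into place. */
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Write data to tmp, then rename tmp over dst. Returns 0, or -1 with errno set. */
int replace_atomically(const char *tmp, const char *dst, const char *data)
{
    /* Creating a new file is the "create" access the policy denied; a denial
       here comes back as EACCES ("Permission denied"). O_EXCL rejects a stale temp. */
    int fd = open(tmp, O_WRONLY | O_CREAT | O_EXCL, 0644);
    if (fd < 0)
        return -1;
    size_t len = strlen(data);
    int ok = write(fd, data, len) == (ssize_t)len && fsync(fd) == 0;
    ok = close(fd) == 0 && ok;
    /* rename() is atomic: readers see the old file or the new one, never a partial write. */
    if (ok && rename(tmp, dst) == 0)
        return 0;
    int saved = errno ? errno : EIO;
    unlink(tmp);                      /* do not leave a half-written temp file */
    errno = saved;
    return -1;
}

/* Runs the update in a scratch directory (constructed data, never /etc).
   stale != 0 pre-creates ptmptmp. Returns 0 on success, else the errno value. */
int demo(int stale)
{
    char dir[] = "/tmp/chsh-demo-XXXXXX", tmp[64], dst[64];
    if (!mkdtemp(dir))
        return errno;
    snprintf(tmp, sizeof tmp, "%s/ptmptmp", dir);
    snprintf(dst, sizeof dst, "%s/passwd", dir);
    if (stale)
        close(open(tmp, O_WRONLY | O_CREAT, 0600));
    int err = replace_atomically(tmp, dst, "root:x:0:0:root:/root:/bin/dash\n") ? errno : 0;
    unlink(tmp); unlink(dst); rmdir(dir);   /* remove the scratch directory */
    return err;
}

int main(void)
{
    printf("clean run: %d, stale temp file: %d\n", demo(0), demo(1));
    return 0;
}
```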