Bug 119113 - chsh setpwnam: Permission denied
Status: CLOSED RAWHIDE
Alias: None
Product: Fedora
Classification: Fedora
Component: policy
Version: rawhide
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Daniel Walsh
Reported: 2004-03-25 06:02 UTC by Charles R. Anderson
Modified: 2007-11-30 22:10 UTC (History)

Doc Type: Bug Fix
Last Closed: 2004-05-10 15:01:57 UTC
Type: ---

Description Charles R. Anderson 2004-03-25 06:02:06 UTC
Description of problem:

chsh fails (as regular user or as root) due to SELinux policy.  

Version-Release number of selected component (if applicable):

policy-1.9-11
util-linux-2.12-14

How reproducible:
100%

Steps to Reproduce:
1. Log in as user, or as root
2. chsh username
3. Try changing shell to e.g. /bin/tcsh
  
Actual results:

[root@q root]# chsh cra
Changing shell for cra.
New shell [/bin/bash]: /bin/tcsh
setpwnam: Permission denied
Shell *NOT* changed.  Try again later.
[root@q root]# 

Expected results:

shell should be changed.

Additional info:

Fresh install of FC 1.91 200403230535.  AVC messages:

audit(1080193991.075:0): avc:  denied  { setrlimit } for  pid=30420
exe=/usr/bin/chsh scontext=user_u:user_r:chfn_t
tcontext=user_u:user_r:chfn_t tclass=process
audit(1080193991.075:0): avc:  denied  { create } for  pid=30420
exe=/usr/bin/chsh name=ptmptmp scontext=user_u:user_r:chfn_t
tcontext=system_u:object_r:etc_t tclass=file
audit(1080194006.776:0): avc:  denied  { setrlimit } for  pid=30425
exe=/usr/bin/chsh scontext=root:sysadm_r:chfn_t
tcontext=root:sysadm_r:chfn_t tclass=process
audit(1080194006.776:0): avc:  denied  { create } for  pid=30425
exe=/usr/bin/chsh name=ptmptmp scontext=root:sysadm_r:chfn_t
tcontext=system_u:object_r:etc_t tclass=file
audit(1080194129.536:0): avc:  denied  { setrlimit } for  pid=30456
exe=/usr/bin/chsh scontext=root:sysadm_r:chfn_t
tcontext=root:sysadm_r:chfn_t tclass=process
audit(1080194129.537:0): avc:  denied  { create } for  pid=30456
exe=/usr/bin/chsh name=ptmptmp scontext=root:sysadm_r:chfn_t
tcontext=system_u:object_r:etc_t tclass=file
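
Added example, not part of the original report or of any Fedora tool: a small Python parser that rejoins the wrapped AVC records quoted above and counts denials by source type, target type, class and permission. The names parse_avc and summarize are hypothetical; SAMPLE holds the first four records from the report.

```python
import re
from collections import Counter

# Records copied from the report above, wrapped as they appear there.
SAMPLE = """\
audit(1080193991.075:0): avc:  denied  { setrlimit } for  pid=30420
exe=/usr/bin/chsh scontext=user_u:user_r:chfn_t
tcontext=user_u:user_r:chfn_t tclass=process
audit(1080193991.075:0): avc:  denied  { create } for  pid=30420
exe=/usr/bin/chsh name=ptmptmp scontext=user_u:user_r:chfn_t
tcontext=system_u:object_r:etc_t tclass=file
audit(1080194006.776:0): avc:  denied  { setrlimit } for  pid=30425
exe=/usr/bin/chsh scontext=root:sysadm_r:chfn_t
tcontext=root:sysadm_r:chfn_t tclass=process
audit(1080194006.776:0): avc:  denied  { create } for  pid=30425
exe=/usr/bin/chsh name=ptmptmp scontext=root:sysadm_r:chfn_t
tcontext=system_u:object_r:etc_t tclass=file
"""

RECORD_START = re.compile(r"^audit\(", re.M)
PERMS = re.compile(r"avc:\s+denied\s+\{([^}]*)\}")
FIELD = re.compile(r"(\w+)=(\S+)")

def parse_avc(text):
    """Yield one dict per AVC denial, rejoining wrapped lines first."""
    starts = [m.start() for m in RECORD_START.finditer(text)]
    for begin, end in zip(starts, starts[1:] + [len(text)]):
        record = " ".join(text[begin:end].split())
        perms = PERMS.search(record)
        fields = dict(FIELD.findall(record))
        if not perms or not {"scontext", "tcontext", "tclass"} <= fields.keys():
            continue  # not a denial, or a truncated record: skip, do not guess
        fields["perms"] = perms.group(1).split()
        yield fields

def summarize(text):
    """Count denials by (source type, target type, class, permission)."""
    counts = Counter()
    for rec in parse_avc(text):
        stype = rec["scontext"].split(":")[2]  # user:role:type
        ttype = rec["tcontext"].split(":")[2]
        for perm in rec["perms"]:
            counts[(stype, ttype, rec["tclass"], perm)] += 1
    return counts

if __name__ == "__main__":
    for (stype, ttype, tclass, perm), n in sorted(summarize(SAMPLE).items()):
        print(f"{n}x {stype} -> {ttype} : {tclass} {{ {perm} }}")
```

On these records the output collapses to two distinct denials, both with source type chfn_t, whether the caller ran as user_u:user_r or root:sysadm_r.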

Comment 1 Daniel Walsh 2004-03-25 13:11:57 UTC
Could you try this with a later policy, policy-1.9-15? The create
should not fail, and I would like to know if it fails.

Dan

