Bug 119113 - chsh setpwnam: Permission denied
Status: CLOSED RAWHIDE
Product: Fedora
Classification: Fedora
Component: policy
Version: rawhide
Hardware: All Linux
Priority: medium
Severity: medium
Assigned To: Daniel Walsh
Reported: 2004-03-25 01:02 EST by Charles R. Anderson
Modified: 2007-11-30 17:10 EST
Doc Type: Bug Fix
Last Closed: 2004-05-10 11:01:57 EDT
Description Charles R. Anderson 2004-03-25 01:02:06 EST
Description of problem:

chsh fails (as regular user or as root) due to SELinux policy.  

Version-Release number of selected component (if applicable):

policy-1.9-11
util-linux-2.12-14

How reproducible:
100%

Steps to Reproduce:
1. Log in as user, or as root
2. chsh username
3. Try changing shell to e.g. /bin/tcsh
  
Actual results:

[root@q root]# chsh cra
Changing shell for cra.
New shell [/bin/bash]: /bin/tcsh
setpwnam: Permission denied
Shell *NOT* changed.  Try again later.
[root@q root]# 

Expected results:

shell should be changed.

Additional info:

Fresh install of FC 1.91 200403230535.  AVC messages:

audit(1080193991.075:0): avc:  denied  { setrlimit } for  pid=30420
exe=/usr/bin/chsh scontext=user_u:user_r:chfn_t
tcontext=user_u:user_r:chfn_t tclass=process
audit(1080193991.075:0): avc:  denied  { create } for  pid=30420
exe=/usr/bin/chsh name=ptmptmp scontext=user_u:user_r:chfn_t
tcontext=system_u:object_r:etc_t tclass=file
audit(1080194006.776:0): avc:  denied  { setrlimit } for  pid=30425
exe=/usr/bin/chsh scontext=root:sysadm_r:chfn_t
tcontext=root:sysadm_r:chfn_t tclass=process
audit(1080194006.776:0): avc:  denied  { create } for  pid=30425
exe=/usr/bin/chsh name=ptmptmp scontext=root:sysadm_r:chfn_t
tcontext=system_u:object_r:etc_t tclass=file
audit(1080194129.536:0): avc:  denied  { setrlimit } for  pid=30456
exe=/usr/bin/chsh scontext=root:sysadm_r:chfn_t
tcontext=root:sysadm_r:chfn_t tclass=process
audit(1080194129.537:0): avc:  denied  { create } for  pid=30456
exe=/usr/bin/chsh name=ptmptmp scontext=root:sysadm_r:chfn_t
tcontext=system_u:object_r:etc_t tclass=file
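
As an added example (not part of the original report and not the policy package's own tooling), the Python code below parses AVC records in the format quoted above and collapses them into distinct source type, target type, class and permission tuples. It shows that the repeated denials in the report reduce to two: chfn_t setting resource limits on its own process, and chfn_t creating a file labelled etc_t. The function names are hypothetical, and the sample lines are copied from the report.

```python
import re
from collections import defaultdict

# Three of the records from the report, wrapped across lines as they appear there.
SAMPLE = """\
audit(1080193991.075:0): avc:  denied  { setrlimit } for  pid=30420
exe=/usr/bin/chsh scontext=user_u:user_r:chfn_t
tcontext=user_u:user_r:chfn_t tclass=process
audit(1080193991.075:0): avc:  denied  { create } for  pid=30420
exe=/usr/bin/chsh name=ptmptmp scontext=user_u:user_r:chfn_t
tcontext=system_u:object_r:etc_t tclass=file
audit(1080194006.776:0): avc:  denied  { create } for  pid=30425
exe=/usr/bin/chsh name=ptmptmp scontext=root:sysadm_r:chfn_t
tcontext=system_u:object_r:etc_t tclass=file
"""

# One denial: permission set in braces, then key=value fields up to the next record.
DENIAL = re.compile(r"avc:\s+denied\s+\{([^}]*)\}\s+for\s+(.*?)(?=\s+audit\(|$)")

def parse_avc(text):
    """Return one dict per denial; wrapped continuation lines are rejoined first."""
    flat = " ".join(text.split())
    records = []
    for perms, fields in DENIAL.findall(flat):
        rec = dict(kv.split("=", 1) for kv in fields.split() if "=" in kv)
        if {"scontext", "tcontext", "tclass"} <= rec.keys():  # skip truncated records
            rec["perms"] = perms.split()
            records.append(rec)
    return records

def summarize(text):
    """Collapse denials to {(source_type, target_type, class): {perms}}.

    Contexts in these records are user:role:type; rules match on the type."""
    rules = defaultdict(set)
    for rec in parse_avc(text):
        src = rec["scontext"].split(":")[2]
        tgt = rec["tcontext"].split(":")[2]
        rules[(src, tgt, rec["tclass"])].update(rec["perms"])
    return dict(rules)

def as_rules(summary):
    """Render the summary in allow-rule notation ('self' when source == target)."""
    out = []
    for (src, tgt, cls), perms in sorted(summary.items()):
        p = sorted(perms)
        perm_txt = p[0] if len(p) == 1 else "{ " + " ".join(p) + " }"
        out.append(f"allow {src} {'self' if src == tgt else tgt}:{cls} {perm_txt};")
    return out
```
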
Comment 1 Daniel Walsh 2004-03-25 08:11:57 EST
Could you try this with a later policy, policy-1.9-15? The create
should not fail, and I would like to know if it fails.

Dan
