Bug 155525 - passwd gives Authentication token manipulation error upon altering password
Status: CLOSED NOTABUG
Product: Fedora
Classification: Fedora
Component: passwd
Version: rawhide
Hardware: i386
OS: Linux
medium
high
Assignee: Tomas Mraz
QA Contact: Mike McLean
Reported: 2005-04-21 06:04 UTC by David Nielsen
Modified: 2007-11-30 22:11 UTC (History)
Doc Type: Bug Fix
Last Closed: 2005-04-22 08:45:32 UTC

Description David Nielsen 2005-04-21 06:04:07 UTC
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.7) Gecko/20050416 Epiphany/1.6.1

Description of problem:
Whenever I try to change my user's password I get the following from passwd:

Changing password for user dnielsen.
Retype new UNIX password:
passwd: Authentication token manipulation error


Version-Release number of selected component (if applicable):
passwd-0.69-2

How reproducible:
Always

Steps to Reproduce:
1. passwd

  

Actual Results:  passwd: Authentication token manipulation error

Expected Results:  correctly altered password

Additional info:

SELinux Targeted policy is enabled, and the box has been upgraded from a fresh FC4t1 install.

Comment 1 Tomas Mraz 2005-04-21 08:13:53 UTC
Have you tried relabelling the filesystem? What messages do you see in the logs?


Comment 2 David Nielsen 2005-04-21 10:00:08 UTC
Since you didn't specify which log you wanted, I guess /var/log/audit.log,
here's the tail

type=DAEMON msg=auditd(1112457720) auditd normal halt, pid=2071, uid=0
type=DAEMON msg=auditd(1112461710) auditd start, ver=0.6.9, format=raw, pid=2096, uid=0
type=KERNEL msg=audit(1112461710.629:0): audit_enabled=1 old=0
type=KERNEL msg=audit(1112461711.478:3156): item=0 name=/etc/passwd inode=1801671 dev=03:04 mode=0100644 uid=0 gid=0 rdev=00:00
type=KERNEL msg=audit(1112461711.478:3156): syscall=5 exit=-13 a0=f04c84 a1=0 a2=1b6 a3=86f7228 items=1 pid=2123 loginuid=-1 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0
type=KERNEL msg=audit(1112461711.478:3156): avc:  denied  { read } for  pid=2123 exe=/usr/sbin/rpc.idmapd name=passwd dev=hda4 ino=1801671 scontext=user_u:system_r:rpcd_t tcontext=system_u:object_r:file_t tclass=file
type=KERNEL msg=audit(1112461722.470:18629): item=0 name=/etc/passwd inode=1801671 dev=03:04 mode=0100644 uid=0 gid=0 rdev=00:00
type=KERNEL msg=audit(1112461722.470:18629): syscall=5 exit=-13 a0=974c84 a1=0 a2=1b6 a3=84d5180 items=1 pid=2245 loginuid=-1 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0
type=KERNEL msg=audit(1112461722.470:18629): avc:  denied  { read } for  pid=2245 exe=/usr/sbin/ntpd name=passwd dev=hda4 ino=1801671 scontext=user_u:system_r:ntpd_t tcontext=system_u:object_r:file_t tclass=file
type=DAEMON msg=auditd(1112463126) auditd normal halt, pid=2096, uid=0

As for relabelling, I searched Google for how to do that, and came up empty
handed since all the guides were written for FC1 and SELinux changed since then
- so I'll need some pointers.


Comment 3 Tomas Mraz 2005-04-21 10:26:00 UTC
Is this log from the time when the passwd was executed?

If so then there is nothing in the audit.log which was generated by the passwd
binary.

Could you attach the relevant portions of /var/log/messages and /var/log/secure?

Relabelling is done by restorecon. See man restorecon.


Comment 4 Tomas Mraz 2005-04-21 12:35:20 UTC
Could you also try to upgrade selinux-policy-targeted to version 1.23.12-1 and
verify that you have the latest version of pam and audit-libs?


Comment 5 David Nielsen 2005-04-22 08:36:50 UTC
Relabelling the entire shebang did the trick.

Comment 6 Tomas Mraz 2005-04-22 08:45:32 UTC
OK, fine.
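
An added example, not part of the original thread or of any Fedora tooling: a small parser for the AVC denials quoted in comment 2 that reports targets whose type is file_t (or unlabeled_t), the type given to a file that has no SELinux label, which is the state the relabel in comment 5 corrected. The function names and the sample string are constructed for illustration.

```python
import re

# Constructed sample: AVC records from comment 2, wrapped the way pasted logs often are.
SAMPLE_LOG = """\
type=KERNEL msg=audit(1112461711.478:3156): avc:  denied  { read } for  pid=2123
exe=/usr/sbin/rpc.idmapd name=passwd dev=hda4 ino=1801671
scontext=user_u:system_r:rpcd_t tcontext=system_u:object_r:file_t tclass=file
type=KERNEL msg=audit(1112461722.470:18629): avc:  denied  { read } for
pid=2245 exe=/usr/sbin/ntpd name=passwd dev=hda4 ino=1801671
scontext=user_u:system_r:ntpd_t tcontext=system_u:object_r:file_t tclass=file
type=DAEMON msg=auditd(1112463126) auditd normal halt, pid=2096, uid=0
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{[^}]*\}\s+for\s+(.*)")
# Types that mark a file as carrying no usable label (file_t in older policy).
UNLABELED_TYPES = {"file_t", "unlabeled_t"}


def rejoin(log_text):
    """Undo line wrapping: every audit record starts with 'type='."""
    records = []
    for line in log_text.splitlines():
        if line.startswith("type=") or not records:
            records.append(line.strip())
        else:
            records[-1] += " " + line.strip()
    return records


def parse_avc(record):
    """Return the key=value fields of an AVC denial, or None for other records."""
    m = AVC_RE.search(record)
    return dict(kv.split("=", 1) for kv in m.group(1).split() if "=" in kv) if m else None


def context_type(context):
    """The type is the third field of user:role:type[:level]."""
    parts = context.split(":")
    return parts[2] if len(parts) >= 3 else ""


def unlabeled_targets(log_text):
    """Map (dev, ino, name) of unlabeled targets to the domains denied access."""
    hits = {}
    for fields in filter(None, map(parse_avc, rejoin(log_text))):
        if context_type(fields.get("tcontext", "")) in UNLABELED_TYPES:
            key = (fields.get("dev"), fields.get("ino"), fields.get("name"))
            hits.setdefault(key, set()).add(context_type(fields.get("scontext", "")))
    return hits
```

Several unrelated domains being denied the same unlabeled inode points to a labelling problem rather than a policy gap, so anything this reports is a candidate for restorecon.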


