Bug 155525 - passwd gives Authentication token manipulation error upon altering password
passwd gives Authentication token manipulation error upon altering password
Status: CLOSED NOTABUG
Product: Fedora
Classification: Fedora
Component: passwd (Show other bugs)
rawhide
i386 Linux
medium Severity high
: ---
: ---
Assigned To: Tomas Mraz
Mike McLean
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2005-04-21 02:04 EDT by David Nielsen
Modified: 2007-11-30 17:11 EST (History)
0 users

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2005-04-22 04:45:32 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description David Nielsen 2005-04-21 02:04:07 EDT
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.7) Gecko/20050416 Epiphany/1.6.1

Description of problem:
Whenever I try to change my users password I get the following from passwd:

Changing password for user dnielsen.
Retype new UNIX password:
passwd: Authentication token manipulation error


Version-Release number of selected component (if applicable):
passwd-0.69-2

How reproducible:
Always

Steps to Reproduce:
1. passwd

  

Actual Results:  passwd: Authentication token manipulation error

Expected Results:  correctly altered password

Additional info:

SELinux Targeted policy is enabled, and the box has been upgrade from a fresh FC4t1 install.
Comment 1 Tomas Mraz 2005-04-21 04:13:53 EDT
Have you tried relabelling the filesystem? What messages do you see in the logs?
Comment 2 David Nielsen 2005-04-21 06:00:08 EDT
Since you didn't specify which log you wanted, I guess /var/log/audit.log,
here's the tail

type=DAEMON msg=auditd(1112457720) auditd normal halt, pid=2071, uid=0
type=DAEMON msg=auditd(1112461710) auditd start, ver=0.6.9, format=raw,
pid=2096, uid=0
type=KERNEL msg=audit(1112461710.629:0): audit_enabled=1 old=0
type=KERNEL msg=audit(1112461711.478:3156): item=0 name=/etc/passwd
inode=1801671 dev=03:04 mode=0100644 uid=0 gid=0 rdev=00:00
type=KERNEL msg=audit(1112461711.478:3156): syscall=5 exit=-13 a0=f04c84 a1=0
a2=1b6 a3=86f7228 items=1 pid=2123 loginuid=-1 uid=0 gid=0 euid=0 suid=0 fsuid=0
egid=0 sgid=0 fsgid=0
type=KERNEL msg=audit(1112461711.478:3156): avc:  denied  { read } for  pid=2123
exe=/usr/sbin/rpc.idmapd name=passwd dev=hda4 ino=1801671
scontext=user_u:system_r:rpcd_t tcontext=system_u:object_r:file_t tclass=file
type=KERNEL msg=audit(1112461722.470:18629): item=0 name=/etc/passwd
inode=1801671 dev=03:04 mode=0100644 uid=0 gid=0 rdev=00:00
type=KERNEL msg=audit(1112461722.470:18629): syscall=5 exit=-13 a0=974c84 a1=0
a2=1b6 a3=84d5180 items=1 pid=2245 loginuid=-1 uid=0 gid=0 euid=0 suid=0 fsuid=0
egid=0 sgid=0 fsgid=0
type=KERNEL msg=audit(1112461722.470:18629): avc:  denied  { read } for 
pid=2245 exe=/usr/sbin/ntpd name=passwd dev=hda4 ino=1801671
scontext=user_u:system_r:ntpd_t tcontext=system_u:object_r:file_t tclass=file
type=DAEMON msg=auditd(1112463126) auditd normal halt, pid=2096, uid=0

As for relabelling, I searched google for how to do that, and came up empty
handed since all the guides where written for FC1 and SELinux changed since then
- so I'll need some pointers.
Comment 3 Tomas Mraz 2005-04-21 06:26:00 EDT
Is this log from the time when the passwd was executed?

If so then there is nothing in the audit.log which was generated by the passwd
binary.

Could you attach a relevant portions of the /var/log/messages and /var/log/secure?

Relabelling is done by restorecon. See man restorecon.
Comment 4 Tomas Mraz 2005-04-21 08:35:20 EDT
Could you also try to upgrade selinux-policy-targeted to version 1.23.12-1 and
verify that you have the latest version of pam and audit-libs?
Comment 5 David Nielsen 2005-04-22 04:36:50 EDT
relabelling the entire shebang did the trick.
Comment 6 Tomas Mraz 2005-04-22 04:45:32 EDT
OK, fine.

Note You need to log in before you can comment on or make changes to this bug.