LTC Owner is: dmosby.com
LTC Originator is: mcthomps.com

Problem description:
With SELinux in enforcing mode and policy configured to be MLS, doing a newrole -l with a level of s3 or greater will cause an error message to be generated. I was instructed by Dan Walsh to create a bugzilla for this, and hope it is in the correct place.

Environment:
i386, FC5-Devel (rawhide)

rpm -qa | grep selinux:
libselinux-1.29.7-1.2
selinux-policy-targeted-2.2.21-8
libselinux-python-1.29.7-1.2
selinux-policy-mls-2.2.21-8
selinux-policy-2.2.21-8

rpm -qa | grep audit:
audit-libs-1.1.5-1
audit-1.1.5-1
audit-libs-python-1.1.5-1
audit-libs-devel-1.1.5-1

uname -r:
2.6.15-1.1986.2.1_FC5.lspp.10

Is this reproducible?
Yes, newrole with any level value (-l) of s3 or higher, either through a pty or tty.

Additional information:

Transaction of newrole action:
[root@dyn94141107 ~]# newrole -l s3
Authenticating root.
Password:
Error! Could not set new context for /dev/pts/1

AVC & audit messages generated by this action:
type=AVC msg=audit(1141892377.262:371): avc: denied { read write } for pid=7706 comm="unix_chkpwd" name="1" dev=devpts ino=3 scontext=root:secadm_r:system_chkpwd_t:s15:c0.c255 tcontext=root:object_r:secadm_devpts_t:s15:c0.c255 tclass=chr_file
type=SYSCALL msg=audit(1141892377.262:371): arch=40000003 syscall=11 success=yes exit=0 a0=431ab8 a1=bfdab04c a2=43f424 a3=8aa51b0 items=2 pid=7706 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="unix_chkpwd" exe="/sbin/unix_chkpwd"
type=CWD msg=audit(1141892377.262:371): cwd="/root"
type=PATH msg=audit(1141892377.262:371): item=0 name="/sbin/unix_chkpwd" flags=101 inode=6508189 dev=fd:00 mode=0104755 ouid=0 ogid=0 rdev=00:00
type=PATH msg=audit(1141892377.262:371): item=1 flags=101 inode=4774792 dev=fd:00 mode=0100755 ouid=0 ogid=0 rdev=00:00
type=USER_AUTH msg=audit(1141892377.266:372): user pid=7705 uid=0 auid=0 msg='PAM: authentication acct=root : exe="/usr/bin/newrole" (hostname=?, addr=?, terminal=pts/1 res=success)'
type=AVC msg=audit(1141892377.270:373): avc: denied { read write } for pid=7707 comm="unix_chkpwd" name="1" dev=devpts ino=3 scontext=root:secadm_r:system_chkpwd_t:s15:c0.c255 tcontext=root:object_r:secadm_devpts_t:s15:c0.c255 tclass=chr_file
type=SYSCALL msg=audit(1141892377.270:373): arch=40000003 syscall=11 success=yes exit=0 a0=431ab8 a1=bfdaab3c a2=4333e4 a3=400 items=2 pid=7707 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="unix_chkpwd" exe="/sbin/unix_chkpwd"
type=CWD msg=audit(1141892377.270:373): cwd="/root"
type=PATH msg=audit(1141892377.270:373): item=0 name="/sbin/unix_chkpwd" flags=101 inode=6508189 dev=fd:00 mode=0104755 ouid=0 ogid=0 rdev=00:00
type=PATH msg=audit(1141892377.270:373): item=1 flags=101 inode=4774792 dev=fd:00 mode=0100755 ouid=0 ogid=0 rdev=00:00
type=USER_ACCT msg=audit(1141892377.274:374): user pid=7705 uid=0 auid=0 msg='PAM: accounting acct=root : exe="/usr/bin/newrole" (hostname=?, addr=?, terminal=pts/1 res=success)'

Created mirror request (id=5638)

Red Hat Bugzilla
Submitted at the request of Dan Walsh from a note on the redhat-lspp mailing list.
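As an added example (not part of the report or of any Red Hat tool), a small Python parser that groups audit records like the ones above by event serial and joins each AVC denial with the SYSCALL record of the same event, so the denied permissions, the source/target type pair, the executable and whether the MLS labels on both sides match can be read off directly. The sample records are constructed in the shape of the ones quoted above; the te_rule field is the type-enforcement rule such a denial would translate to, shown for understanding the denial, not as a recommended fix.

```python
import re
from collections import defaultdict

# Constructed sample in the shape of the records quoted in the report: an AVC denial,
# the SYSCALL record of the same event (serial 371), and an unrelated PAM record (372).
SAMPLE_LOG = """\
type=AVC msg=audit(1141892377.262:371): avc: denied { read write } for pid=7706 comm="unix_chkpwd" name="1" dev=devpts ino=3 scontext=root:secadm_r:system_chkpwd_t:s15:c0.c255 tcontext=root:object_r:secadm_devpts_t:s15:c0.c255 tclass=chr_file
type=SYSCALL msg=audit(1141892377.262:371): arch=40000003 syscall=11 success=yes exit=0 items=2 pid=7706 auid=0 uid=0 comm="unix_chkpwd" exe="/sbin/unix_chkpwd"
type=USER_AUTH msg=audit(1141892377.266:372): user pid=7705 uid=0 auid=0 msg='PAM: authentication acct=root : exe="/usr/bin/newrole" (hostname=?, addr=?, terminal=pts/1 res=success)'
"""

RECORD_RE = re.compile(r"^type=(\w+) msg=audit\((\d+\.\d+):(\d+)\):\s*(.*)$")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
DENIED_RE = re.compile(r"avc:\s+denied\s+\{\s*([^}]*)\}")

def parse_records(text):
    """Group records by audit event serial (the number after the colon in msg=audit(...))."""
    events = defaultdict(list)
    for line in text.splitlines():
        m = RECORD_RE.match(line)
        if not m:
            continue
        rtype, _ts, serial, body = m.groups()
        fields = {k: v.strip('"') for k, v in FIELD_RE.findall(body)}
        events[int(serial)].append({"type": rtype, "fields": fields, "body": body})
    return events

def split_context(ctx):
    """'user:role:type:level' -> (user, role, type, level); level is '' on non-MLS systems."""
    parts = ctx.split(":", 3)
    return tuple(parts + [""] * (4 - len(parts)))

def summarize_denials(text):
    """One summary per AVC denial, joined with the SYSCALL record of the same event."""
    out = []
    for serial, recs in sorted(parse_records(text).items()):
        syscall = next((r for r in recs if r["type"] == "SYSCALL"), None)
        for r in recs:
            m = DENIED_RE.search(r["body"]) if r["type"] == "AVC" else None
            if not m:
                continue
            f, perms = r["fields"], sorted(m.group(1).split())
            (_, srole, stype, slevel), (_, _, ttype, tlevel) = map(split_context, (f["scontext"], f["tcontext"]))
            out.append({
                "serial": serial, "perms": perms, "tclass": f["tclass"],
                "source_role": srole, "source_type": stype, "target_type": ttype,
                "levels_match": slevel == tlevel,  # same MLS label on both sides of this denial
                "exe": syscall["fields"].get("exe") if syscall else None,
                # the type-enforcement rule a tool like audit2allow would derive from this denial
                "te_rule": f"allow {stype} {ttype}:{f['tclass']} {{ {' '.join(perms)} }};",
            })
    return out
```

Run over the report's records, both denials (serials 371 and 373) summarize to the same type pair with identical s15:c0.c255 labels on source and target, which is why levels_match is reported alongside the type information.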
Seems to be working now.