LTC Owner is: dmosby@us.ibm.com
LTC Originator is: mcthomps@us.ibm.com


Problem description:
With SELinux in enforcing mode and policy configured to be MLS, doing a newrole
-l with level of s3 or greater will cause an error message to be generated. I
was instructed by Dan Walsh to create a bugzilla for this, and hope it is in the
correct place.


Environment
i386, FC5-Devel (rawhide)

rpm -qa | grep selinux:
libselinux-1.29.7-1.2
selinux-policy-targeted-2.2.21-8
libselinux-python-1.29.7-1.2
selinux-policy-mls-2.2.21-8
selinux-policy-2.2.21-8

rpm -qa | grep audit:
audit-libs-1.1.5-1
audit-1.1.5-1
audit-libs-python-1.1.5-1
audit-libs-devel-1.1.5-1

uname -r:
2.6.15-1.1986.2.1_FC5.lspp.10


Is this reproducible?
Yes, newrole with any level value (-l) of s3 or higher. Either through a pty or tty.


Additional information:

Transaction of newrole action:
[root@dyn94141107 ~]# newrole -l s3
Authenticating root.
Password:
Error!  Could not set new context for /dev/pts/1


AVC & audit messages generated by this action:
type=AVC msg=audit(1141892377.262:371): avc:  denied  { read write } for 
pid=7706 comm="unix_chkpwd" name="1" dev=devpts ino=3
scontext=root:secadm_r:system_chkpwd_t:s15:c0.c255
tcontext=root:object_r:secadm_devpts_t:s15:c0.c255 tclass=chr_file
type=SYSCALL msg=audit(1141892377.262:371): arch=40000003 syscall=11 success=yes
exit=0 a0=431ab8 a1=bfdab04c a2=43f424 a3=8aa51b0 items=2 pid=7706 auid=0 uid=0
gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="unix_chkpwd"
exe="/sbin/unix_chkpwd"
type=CWD msg=audit(1141892377.262:371):  cwd="/root"
type=PATH msg=audit(1141892377.262:371): item=0 name="/sbin/unix_chkpwd"
flags=101  inode=6508189 dev=fd:00 mode=0104755 ouid=0 ogid=0 rdev=00:00
type=PATH msg=audit(1141892377.262:371): item=1 flags=101  inode=4774792
dev=fd:00 mode=0100755 ouid=0 ogid=0 rdev=00:00
type=USER_AUTH msg=audit(1141892377.266:372): user pid=7705 uid=0 auid=0
msg='PAM: authentication acct=root : exe="/usr/bin/newrole" (hostname=?, addr=?,
terminal=pts/1 res=success)'
type=AVC msg=audit(1141892377.270:373): avc:  denied  { read write } for 
pid=7707 comm="unix_chkpwd" name="1" dev=devpts ino=3
scontext=root:secadm_r:system_chkpwd_t:s15:c0.c255
tcontext=root:object_r:secadm_devpts_t:s15:c0.c255 tclass=chr_file
type=SYSCALL msg=audit(1141892377.270:373): arch=40000003 syscall=11 success=yes
exit=0 a0=431ab8 a1=bfdaab3c a2=4333e4 a3=400 items=2 pid=7707 auid=0 uid=0
gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="unix_chkpwd"
exe="/sbin/unix_chkpwd"
type=CWD msg=audit(1141892377.270:373):  cwd="/root"
type=PATH msg=audit(1141892377.270:373): item=0 name="/sbin/unix_chkpwd"
flags=101  inode=6508189 dev=fd:00 mode=0104755 ouid=0 ogid=0 rdev=00:00
type=PATH msg=audit(1141892377.270:373): item=1 flags=101  inode=4774792
dev=fd:00 mode=0100755 ouid=0 ogid=0 rdev=00:00
type=USER_ACCT msg=audit(1141892377.274:374): user pid=7705 uid=0 auid=0
msg='PAM: accounting acct=root : exe="/usr/bin/newrole" (hostname=?, addr=?,
terminal=pts/1 res=success)'

Created mirror request (id=5638)Red Hat Bugzilla

Submitted at the request of Dan Walsh from a note on the redhat-lspp@redhat.com
mailing list.