Bugzilla will be upgraded to version 5.0. The upgrade date is tentatively scheduled for 2 December 2018, pending final testing and feedback.
First Last Prev Next    This bug is not in your last search results.
Bug 184584 - LTC22309-MLS policy: newrole to value of s3 or higher causes error message
LTC22309-MLS policy: newrole to value of s3 or higher causes error message
Status: CLOSED RAWHIDE
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted (Show other bugs)
5
i386 Linux
medium Severity medium
: ---
: ---
Assigned To: Daniel Walsh
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2006-03-09 18:27 EST by IBM Bug Proxy
Modified: 2007-11-30 17:11 EST (History)
0 users

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2006-05-09 11:59:20 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)
Add an attachment (proposed patch, testcase, etc.)


External Trackers
Tracker ID Priority Status Summary Last Updated
IBM Linux Technology Center 22309 None None None Never

  None (edit)
Description IBM Bug Proxy 2006-03-09 18:27:37 EST 
LTC Owner is: dmosby@us.ibm.com
LTC Originator is: mcthomps@us.ibm.com


Problem description:
With SELinux in enforcing mode and policy configured to be MLS, doing a newrole
-l with level of s3 or greater will cause an error message to be generated. I
was instructed by Dan Walsh to create a bugzilla for this, and hope it is in the
correct place.


Environment
i386, FC5-Devel (rawhide)

rpm -qa | grep selinux:
libselinux-1.29.7-1.2
selinux-policy-targeted-2.2.21-8
libselinux-python-1.29.7-1.2
selinux-policy-mls-2.2.21-8
selinux-policy-2.2.21-8

rpm -qa | grep audit:
audit-libs-1.1.5-1
audit-1.1.5-1
audit-libs-python-1.1.5-1
audit-libs-devel-1.1.5-1

uname -r:
2.6.15-1.1986.2.1_FC5.lspp.10


Is this reproducible?
Yes, newrole with any level value (-l) of s3 or higher. Either through a pty or tty.


Additional information:

Transaction of newrole action:
[root@dyn94141107 ~]# newrole -l s3
Authenticating root.
Password:
Error!  Could not set new context for /dev/pts/1


AVC & audit messages generated by this action:
type=AVC msg=audit(1141892377.262:371): avc:  denied  { read write } for 
pid=7706 comm="unix_chkpwd" name="1" dev=devpts ino=3
scontext=root:secadm_r:system_chkpwd_t:s15:c0.c255
tcontext=root:object_r:secadm_devpts_t:s15:c0.c255 tclass=chr_file
type=SYSCALL msg=audit(1141892377.262:371): arch=40000003 syscall=11 success=yes
exit=0 a0=431ab8 a1=bfdab04c a2=43f424 a3=8aa51b0 items=2 pid=7706 auid=0 uid=0
gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="unix_chkpwd"
exe="/sbin/unix_chkpwd"
type=CWD msg=audit(1141892377.262:371):  cwd="/root"
type=PATH msg=audit(1141892377.262:371): item=0 name="/sbin/unix_chkpwd"
flags=101  inode=6508189 dev=fd:00 mode=0104755 ouid=0 ogid=0 rdev=00:00
type=PATH msg=audit(1141892377.262:371): item=1 flags=101  inode=4774792
dev=fd:00 mode=0100755 ouid=0 ogid=0 rdev=00:00
type=USER_AUTH msg=audit(1141892377.266:372): user pid=7705 uid=0 auid=0
msg='PAM: authentication acct=root : exe="/usr/bin/newrole" (hostname=?, addr=?,
terminal=pts/1 res=success)'
type=AVC msg=audit(1141892377.270:373): avc:  denied  { read write } for 
pid=7707 comm="unix_chkpwd" name="1" dev=devpts ino=3
scontext=root:secadm_r:system_chkpwd_t:s15:c0.c255
tcontext=root:object_r:secadm_devpts_t:s15:c0.c255 tclass=chr_file
type=SYSCALL msg=audit(1141892377.270:373): arch=40000003 syscall=11 success=yes
exit=0 a0=431ab8 a1=bfdaab3c a2=4333e4 a3=400 items=2 pid=7707 auid=0 uid=0
gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="unix_chkpwd"
exe="/sbin/unix_chkpwd"
type=CWD msg=audit(1141892377.270:373):  cwd="/root"
type=PATH msg=audit(1141892377.270:373): item=0 name="/sbin/unix_chkpwd"
flags=101  inode=6508189 dev=fd:00 mode=0104755 ouid=0 ogid=0 rdev=00:00
type=PATH msg=audit(1141892377.270:373): item=1 flags=101  inode=4774792
dev=fd:00 mode=0100755 ouid=0 ogid=0 rdev=00:00
type=USER_ACCT msg=audit(1141892377.274:374): user pid=7705 uid=0 auid=0
msg='PAM: accounting acct=root : exe="/usr/bin/newrole" (hostname=?, addr=?,
terminal=pts/1 res=success)'

Created mirror request (id=5638)Red Hat Bugzilla

Submitted at the request of Dan Walsh from a note on the redhat-lspp@redhat.com
mailing list.
Comment 2 Daniel Walsh 2006-05-09 11:59:20 EDT 
Seems to be working now.
Note You need to log in before you can comment on or make changes to this bug.
First Last Prev Next    This bug is not in your last search results.