Bug 184584 - LTC22309-MLS policy: newrole to value of s3 or higher causes error message
Status: CLOSED RAWHIDE
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted
Version: 5
Hardware: i386 Linux
Priority: medium / Severity: medium
Assigned To: Daniel Walsh
Reported: 2006-03-09 18:27 EST by IBM Bug Proxy
Modified: 2007-11-30 17:11 EST (History)
Doc Type: Bug Fix
Last Closed: 2006-05-09 11:59:20 EDT

External Trackers:
IBM Linux Technology Center 22309

Description IBM Bug Proxy 2006-03-09 18:27:37 EST
LTC Owner is: dmosby@us.ibm.com
LTC Originator is: mcthomps@us.ibm.com


Problem description:
With SELinux in enforcing mode and policy configured to be MLS, doing a newrole
-l with level of s3 or greater will cause an error message to be generated. I
was instructed by Dan Walsh to create a bugzilla for this, and hope it is in the
correct place.


Environment
i386, FC5-Devel (rawhide)

rpm -qa | grep selinux:
libselinux-1.29.7-1.2
selinux-policy-targeted-2.2.21-8
libselinux-python-1.29.7-1.2
selinux-policy-mls-2.2.21-8
selinux-policy-2.2.21-8

rpm -qa | grep audit:
audit-libs-1.1.5-1
audit-1.1.5-1
audit-libs-python-1.1.5-1
audit-libs-devel-1.1.5-1

uname -r:
2.6.15-1.1986.2.1_FC5.lspp.10


Is this reproducible?
Yes, newrole with any level value (-l) of s3 or higher. Either through a pty or tty.


Additional information:

Transaction of newrole action:
[root@dyn94141107 ~]# newrole -l s3
Authenticating root.
Password:
Error!  Could not set new context for /dev/pts/1


AVC & audit messages generated by this action:
type=AVC msg=audit(1141892377.262:371): avc:  denied  { read write } for 
pid=7706 comm="unix_chkpwd" name="1" dev=devpts ino=3
scontext=root:secadm_r:system_chkpwd_t:s15:c0.c255
tcontext=root:object_r:secadm_devpts_t:s15:c0.c255 tclass=chr_file
type=SYSCALL msg=audit(1141892377.262:371): arch=40000003 syscall=11 success=yes
exit=0 a0=431ab8 a1=bfdab04c a2=43f424 a3=8aa51b0 items=2 pid=7706 auid=0 uid=0
gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="unix_chkpwd"
exe="/sbin/unix_chkpwd"
type=CWD msg=audit(1141892377.262:371):  cwd="/root"
type=PATH msg=audit(1141892377.262:371): item=0 name="/sbin/unix_chkpwd"
flags=101  inode=6508189 dev=fd:00 mode=0104755 ouid=0 ogid=0 rdev=00:00
type=PATH msg=audit(1141892377.262:371): item=1 flags=101  inode=4774792
dev=fd:00 mode=0100755 ouid=0 ogid=0 rdev=00:00
type=USER_AUTH msg=audit(1141892377.266:372): user pid=7705 uid=0 auid=0
msg='PAM: authentication acct=root : exe="/usr/bin/newrole" (hostname=?, addr=?,
terminal=pts/1 res=success)'
type=AVC msg=audit(1141892377.270:373): avc:  denied  { read write } for 
pid=7707 comm="unix_chkpwd" name="1" dev=devpts ino=3
scontext=root:secadm_r:system_chkpwd_t:s15:c0.c255
tcontext=root:object_r:secadm_devpts_t:s15:c0.c255 tclass=chr_file
type=SYSCALL msg=audit(1141892377.270:373): arch=40000003 syscall=11 success=yes
exit=0 a0=431ab8 a1=bfdaab3c a2=4333e4 a3=400 items=2 pid=7707 auid=0 uid=0
gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="unix_chkpwd"
exe="/sbin/unix_chkpwd"
type=CWD msg=audit(1141892377.270:373):  cwd="/root"
type=PATH msg=audit(1141892377.270:373): item=0 name="/sbin/unix_chkpwd"
flags=101  inode=6508189 dev=fd:00 mode=0104755 ouid=0 ogid=0 rdev=00:00
type=PATH msg=audit(1141892377.270:373): item=1 flags=101  inode=4774792
dev=fd:00 mode=0100755 ouid=0 ogid=0 rdev=00:00
type=USER_ACCT msg=audit(1141892377.274:374): user pid=7705 uid=0 auid=0
msg='PAM: accounting acct=root : exe="/usr/bin/newrole" (hostname=?, addr=?,
terminal=pts/1 res=success)'

Created mirror request (id=5638) Red Hat Bugzilla

Submitted at the request of Dan Walsh from a note on the redhat-lspp@redhat.com
mailing list.
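Reading the AVC records above the way a policy reviewer would, as an added example that is not part of the bug report or of the SELinux tools: the parser groups audit records by their serial number, joins each AVC denial to the SYSCALL record that names the executable, splits both contexts into user:role:type:level, and flags whether the two levels differ. For the quoted records the levels are identical (s15:c0.c255 on both sides), so the denial is a type-enforcement one between system_chkpwd_t and secadm_devpts_t rather than an MLS one; `allow_rule` only shows the shape of the rule an audit2allow-style tool would derive from it. The sample log is constructed from the records quoted above, one record per line as audit.log stores them.

```python
import re
from collections import defaultdict

# Constructed sample: the bug report's records above, one per line as audit.log stores them.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1141892377.262:371): avc:  denied  { read write } for pid=7706 comm="unix_chkpwd" name="1" dev=devpts ino=3 scontext=root:secadm_r:system_chkpwd_t:s15:c0.c255 tcontext=root:object_r:secadm_devpts_t:s15:c0.c255 tclass=chr_file
type=SYSCALL msg=audit(1141892377.262:371): arch=40000003 syscall=11 success=yes exit=0 pid=7706 auid=0 uid=0 comm="unix_chkpwd" exe="/sbin/unix_chkpwd"
type=USER_AUTH msg=audit(1141892377.266:372): user pid=7705 uid=0 auid=0 msg='PAM: authentication acct=root : exe="/usr/bin/newrole" (hostname=?, addr=?, terminal=pts/1 res=success)'
"""

RECORD_RE = re.compile(r'^type=(\w+) msg=audit\(\d+\.\d+:(\d+)\):\s+(.*)$')
DENIED_RE = re.compile(r'avc:\s+denied\s+\{ ([^}]*)\} for ')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_context(ctx):
    """Split user:role:type:level; the MLS level itself contains ':' (s15:c0.c255)."""
    user, role, type_, level = ctx.split(':', 3)
    return {'user': user, 'role': role, 'type': type_, 'level': level}

def parse_avc_denials(log_text):
    """One dict per AVC denial, joined to the SYSCALL record sharing its audit serial."""
    by_serial = defaultdict(dict)  # serial -> {record type -> parsed key=value fields}
    for line in log_text.splitlines():
        m = RECORD_RE.match(line)
        if m:
            rtype, serial, body = m.groups()
            fields = {k: v.strip('"') for k, v in FIELD_RE.findall(body)}
            fields['_body'] = body
            by_serial[serial][rtype] = fields
    denials = []
    for serial, recs in by_serial.items():
        avc = recs.get('AVC')
        denied = DENIED_RE.search(avc['_body']) if avc else None
        if not denied:
            continue
        src, tgt = parse_context(avc['scontext']), parse_context(avc['tcontext'])
        denials.append({
            'serial': serial,
            'exe': recs.get('SYSCALL', {}).get('exe', avc.get('comm')),
            'perms': denied.group(1).split(),
            'tclass': avc['tclass'],
            'source': src, 'target': tgt,
            # Equal levels on both sides: a type-enforcement denial, not an MLS one.
            'mls_mismatch': src['level'] != tgt['level'],
        })
    return denials

def allow_rule(denial):
    """The TE rule an audit2allow-style tool would derive from this denial (illustration only)."""
    return f"allow {denial['source']['type']} {denial['target']['type']}:{denial['tclass']} {{ {' '.join(denial['perms'])} }};"
```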
Comment 2 Daniel Walsh 2006-05-09 11:59:20 EDT
Seems to be working now.
