Description of problem:
With a stripped down /proc, "passwd -d account" does not work, even though selinux is disabled:

brk(0x9a4c000) = 0x9a4c000
open("/etc/selinux/config", O_RDONLY|O_LARGEFILE) = 3
fstat64(3, {st_mode=S_IFREG|0644, st_size=447, ...}) = 0
mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0xb7f21000
read(3, "# This file controls the state o"..., 4096) = 447
close(3) = 0
munmap(0xb7f21000, 4096) = 0
open("/proc/mounts", O_RDONLY|O_LARGEFILE) = -1 ENOENT (No such file or directory)
getuid32() = 0
open("/proc/filesystems", O_RDONLY|O_LARGEFILE) = -1 ENOENT (No such file or directory)
open("/proc/self/attr/prev", O_RDONLY|O_LARGEFILE) = -1 ENOENT (No such file or directory)
open("(null)/enforce", O_RDONLY|O_LARGEFILE) = -1 ENOENT (No such file or directory)
getuid32() = 0
write(2, "Only root can do that.\n", 23) = 23
exit_group(-2) = ?

Looks like the checks are a bit too restrictive.

regards,
Florian La Roche
passwd just calls checkPasswdAccess from libselinux. The problem is that the is_selinux_enabled() function in libselinux uses /proc/filesystems to find out if there is a selinuxfs, and returns -1 if /proc/filesystems cannot be opened. The question is whether there is a better way to check if SELinux is enabled.
This change should fix it. --- passwd-0.70/passwd.c~ 2005-08-13 06:06:03.000000000 -0400 +++ passwd-0.70/passwd.c 2006-07-11 16:51:15.000000000 -0400 @@ -261,7 +261,9 @@ /* The only flag which unprivileged users get to use is -k. */ if ((passwd_flags & ~PASSWD_KEEP) && #ifdef WITH_SELINUX - ((getuid() != 0) || selinux_check_passwd_access(PASSWD__PASSWD))) { + ((getuid() != 0) || + (is_selinux_enabled() <= 0) || + selinux_check_passwd_access(PASSWD__PASSWD)) { #else (getuid() != 0)) { #endif
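Review bot: the added test "(is_selinux_enabled() <= 0) ||" is joined into the OR chain, so a return of 0 (disabled) or -1 (probe failed) makes the whole condition true for root and enters the branch that, per the comment above it, rejects every flag other than -k. The intent was to skip the SELinux access check in those cases, which needs the opposite sense combined with AND, for example "(is_selinux_enabled() > 0 && selinux_check_passwd_access(PASSWD__PASSWD))". Separately, the new last line ends in ")) {" where the line it replaces ended in "))) {", so the opening "if (" is left without its closing parenthesis.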
I'll fix it in passwd then.
The above change doesn't help, so I am re-opening this.

regards,
Florian La Roche
Dan's suggestion is ok, but just needs a small adjustment with the following logic AFAIK: --- passwd-0.69/passwd.c +++ passwd-0.72/passwd.c @@ -307,7 +265,8 @@ /* The only flag which unprivileged users get to use is -k. */ if ((passwd_flags & ~PASSWD_KEEP) && #ifdef WITH_SELINUX - ((getuid() != 0) || checkPasswdAccess(PASSWD__PASSWD))) { + ((getuid() != 0) || (is_selinux_enabled() > 0 && + checkPasswdAccess(PASSWD__PASSWD)))) { #else (getuid() != 0)) { #endif
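Review bot: in the added test "is_selinux_enabled() > 0", a return of -1 is handled exactly like 0, so whenever the probe fails (the thread notes -1 when /proc/filesystems cannot be opened) checkPasswdAccess(PASSWD__PASSWD) is skipped for root even if SELinux is in fact active. That is the behaviour wanted for the reported stripped-down /proc case, but it is a fail-open choice for an access check and should be stated in a comment next to the condition, or the "< 0" case should be handled separately (for instance logged) so that a probe failure is distinguishable from "disabled".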
Oops, that was obviously wrong, I should have tested that. Fixed.
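To make the three probe outcomes discussed in this thread concrete, here is an added example (not code from passwd or libselinux). selinuxfs_state() is a simplified stand-in for the /proc/filesystems probe, refuse_v1() and refuse_v2() model the two proposed conditions, and all function names and the sample listing are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>
enum { SEL_ERROR = -1, SEL_DISABLED = 0, SEL_ENABLED = 1 }; /* tri-state probe result */

/* Scan a /proc/filesystems-style listing ("nodev\tname" or "\tname"). */
int selinuxfs_state(const char *listing_path)
{
    char line[256];
    int state = SEL_DISABLED;
    FILE *fp = fopen(listing_path, "r");
    if (!fp) return SEL_ERROR;       /* stripped-down /proc: cannot tell */
    while (fgets(line, sizeof line, fp)) {
        char *name = strrchr(line, '\t');
        name = name ? name + 1 : line;
        name[strcspn(name, "\n")] = '\0';
        if (strcmp(name, "selinuxfs") == 0) { state = SEL_ENABLED; break; }
    }
    fclose(fp);
    return state;
}

/* Condition from the first proposed change: 1 means "refuse the flag". */
int refuse_v1(unsigned uid, int state, int access_denied)
{
    return uid != 0 || state <= 0 || access_denied;
}

/* Condition from the adjusted change: 1 means "refuse the flag". */
int refuse_v2(unsigned uid, int state, int access_denied)
{
    return uid != 0 || (state > 0 && access_denied);
}

/* Write a constructed sample listing; returns 0 on success. */
int write_sample_listing(const char *path, int with_selinuxfs)
{
    FILE *fp = fopen(path, "w");
    if (!fp) return -1;
    fputs("nodev\tsysfs\nnodev\tproc\n\text3\n", fp);
    if (with_selinuxfs) fputs("nodev\tselinuxfs\n", fp);
    return fclose(fp);
}

int main(void)
{
    int s = selinuxfs_state("/nonexistent/filesystems"); /* probe fails: -1 */
    printf("state=%d v1=%d v2=%d\n", s, refuse_v1(0, s, 1), refuse_v2(0, s, 1));
    return 0;
}
```

With a failed probe and a failing access check, the first condition still refuses root, while the adjusted one lets root through by treating the error as "disabled".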