Bug 208838 - Not logging newrole errors as USER_ROLE_CHANGE
Status: CLOSED CURRENTRELEASE
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: policycoreutils
Version: 5.0
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Assigned To: Daniel Walsh
QA Contact: Ben Levenson
 
Reported: 2006-10-02 07:00 EDT by Bastien Nocera
Modified: 2007-11-30 17:07 EST (History)
Fixed In Version: beta2
Doc Type: Bug Fix
Last Closed: 2006-12-22 19:58:20 EST


Attachments:
patch fixing problems described herein (546 bytes, patch)
2006-10-19 14:41 EDT, Steve Grubb

Description Bastien Nocera 2006-10-02 07:00:53 EDT
policycoreutils-1.30.17-7

As a test user:
$ newrole -r system_r
Authenticating root.
Password:
newrole: incorrect password for root

In audit.log:
type=USER_AUTH msg=audit(1159034947.964:259): user pid=13388 uid=500 auid=0 subj=root:system_r:unconfined_t:s0-s0:c0.c255 msg='PAM: authentication acct=root : exe="/usr/bin/newrole" (hostname=?, addr=?, terminal=pts/1 res=failed)'

This should be USER_ROLE_CHANGE, rather than USER_AUTH
Comment 1 Daniel Walsh 2006-10-05 09:43:37 EDT
I don't agree, since you are failing on the login versus failing on the changing
of the role.

Steve, what do you think?
Comment 2 Steve Grubb 2006-10-05 10:00:15 EDT
All use of authentication mechanism must be audited. The event above is
correctly attributing a failed use of that facility. This does not preclude
another event being generated by newrole that says USER_ROLE_CHANGE failed. As a
matter of fact, I think Mike was working on a patch that does just this.
Comment 3 Steve Grubb 2006-10-19 14:41:12 EDT
Created attachment 138894 [details]
patch fixing problems described herein

This patch adds an audit message when the password is incorrect. Please apply.
Comment 5 RHEL Product and Program Management 2006-10-19 16:02:18 EDT
This request was evaluated by Red Hat Product Management for inclusion in a Red
Hat Enterprise Linux release.  Product Management has requested further review
of this request by Red Hat Engineering.  This request is not yet committed for
inclusion in release.
Comment 7 Daniel Walsh 2006-10-20 09:54:26 EDT
Fixed in policycoreutils-1.32-1
Comment 9 Jay Turner 2006-11-22 12:43:24 EST
With policycoreutils-1.33.1-7.el5 I'm not seeing a change:

type=USER_AUTH msg=audit(1164217171.511:362): user pid=4619 uid=0 auid=0 subj=root:system_r:unconfined_t:s0-s0:c0.c1023 msg='PAM: authentication acct=root : exe="/usr/bin/newrole" (hostname=?, addr=?, terminal=pts/0 res=failed)'
type=USER_ACCT msg=audit(1164217201.031:363): user pid=4622 uid=0 auid=4294967295 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='PAM: accounting acct=root : exe="/usr/sbin/crond" (hostname=?, addr=?, terminal=cron res=success)'
Comment 10 Daniel Walsh 2006-11-28 10:41:32 EST
Fixed in policycoreutils-1.33.5-1
Comment 11 RHEL Product and Program Management 2006-12-22 19:58:20 EST
A package has been built which should help the problem described in 
this bug report. This report is therefore being closed with a resolution 
of CURRENTRELEASE. You may reopen this bug report if the solution does 
not work for you.
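
A log check for the behaviour discussed in this thread, as an added example that is not part of the bug report or of policycoreutils: it groups failed audit records from /usr/bin/newrole by process and reports whether a USER_ROLE_CHANGE record accompanies the USER_AUTH one. The first three sample records are the ones quoted in the comments above; the two pid=5001 records, including the message text of the USER_ROLE_CHANGE record, are constructed.

```python
import re
from collections import defaultdict

# Record header: type=TYPE msg=audit(EPOCH.MSEC:SERIAL):
HEADER = re.compile(r"^type=(?P<type>\S+) msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\):")
PID = re.compile(r"\bpid=(\d+)")      # \b keeps this from matching inside other keys
EXE = re.compile(r'\bexe="([^"]+)"')
RES = re.compile(r"\bres=(\w+)")

def parse_record(line):
    """Return the fields this check needs, or None if the line is not an audit record."""
    head = HEADER.match(line)
    if head is None:
        return None
    pid, exe, res = PID.search(line), EXE.search(line), RES.search(line)
    return {
        "type": head.group("type"),
        "serial": int(head.group("serial")),
        "pid": int(pid.group(1)) if pid else None,
        "exe": exe.group(1) if exe else None,
        "res": res.group(1) if res else None,
    }

def newrole_failures(lines, exe="/usr/bin/newrole"):
    """Per newrole process with a failed record: record types seen, and whether
    the failure was also logged as USER_ROLE_CHANGE."""
    by_pid = defaultdict(set)
    for line in lines:
        rec = parse_record(line)
        if rec and rec["exe"] == exe and rec["res"] == "failed":
            by_pid[rec["pid"]].add(rec["type"])
    return [
        {"pid": pid, "types": sorted(types),
         "role_change_logged": "USER_ROLE_CHANGE" in types}
        for pid, types in sorted(by_pid.items())
    ]

# Records quoted in this bug report (wrapped lines rejoined).
PAGE_LINES = """\
type=USER_AUTH msg=audit(1159034947.964:259): user pid=13388 uid=500 auid=0 subj=root:system_r:unconfined_t:s0-s0:c0.c255 msg='PAM: authentication acct=root : exe="/usr/bin/newrole" (hostname=?, addr=?, terminal=pts/1 res=failed)'
type=USER_AUTH msg=audit(1164217171.511:362): user pid=4619 uid=0 auid=0 subj=root:system_r:unconfined_t:s0-s0:c0.c1023 msg='PAM: authentication acct=root : exe="/usr/bin/newrole" (hostname=?, addr=?, terminal=pts/0 res=failed)'
type=USER_ACCT msg=audit(1164217201.031:363): user pid=4622 uid=0 auid=4294967295 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='PAM: accounting acct=root : exe="/usr/sbin/crond" (hostname=?, addr=?, terminal=cron res=success)'
""".splitlines()
# Constructed records: a failed attempt that is logged under both types.
CONSTRUCTED_LINES = """\
type=USER_AUTH msg=audit(1164217300.100:370): user pid=5001 uid=500 auid=500 subj=user_u:user_r:user_t:s0 msg='PAM: authentication acct=root : exe="/usr/bin/newrole" (hostname=?, addr=?, terminal=pts/2 res=failed)'
type=USER_ROLE_CHANGE msg=audit(1164217300.101:371): user pid=5001 uid=500 auid=500 subj=user_u:user_r:user_t:s0 msg='newrole: constructed sample text : exe="/usr/bin/newrole" (hostname=?, addr=?, terminal=pts/2 res=failed)'
""".splitlines()
SAMPLE_LOG = PAGE_LINES + CONSTRUCTED_LINES
```

Processes reported with role_change_logged set to False show the behaviour described in the original report and in Comment 9: the failure is visible only as USER_AUTH.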
