SELinux is preventing /usr/bin/chsh from 'execute' accesses on the file rssh.

***** Plugin catchall (100. confidence) suggests ***************************

If you believe that chsh should be allowed execute access on the rssh file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do allow this access for now by executing:
# grep chsh /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                unconfined_u:unconfined_r:chfn_t:s0-s0:c0.c1023
Target Context                system_u:object_r:rssh_exec_t:s0
Target Objects                rssh [ file ]
Source                        chsh
Source Path                   /usr/bin/chsh
Port                          <Ismeretlen>
Host                          (removed)
Source RPM Packages           util-linux-ng-2.18-4.8.fc14
Target RPM Packages
Policy RPM                    selinux-policy-3.9.7-29.fc14
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 2.6.35.10-74.fc14.x86_64 #1 SMP Thu Dec 23 16:04:50 UTC 2010 x86_64 x86_64
Alert Count                   2
First Seen                    2011. febr. 11., péntek, 11.14.56 CET
Last Seen                     2011. febr. 11., péntek, 11.15.22 CET
Local ID                      9cc3365c-b29d-4dae-8d82-feccbebceee5

Raw Audit Messages
type=AVC msg=audit(1297419322.47:34945): avc: denied { execute } for pid=7703 comm="chsh" name="rssh" dev=sdb3 ino=525032 scontext=unconfined_u:unconfined_r:chfn_t:s0-s0:c0.c1023 tcontext=system_u:object_r:rssh_exec_t:s0 tclass=file

type=SYSCALL msg=audit(1297419322.47:34945): arch=x86_64 syscall=access success=no exit=EACCES a0=7f17a853c080 a1=1 a2=7f17a853c08d a3=7fff50a1fbb0 items=0 ppid=7535 pid=7703 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts16 ses=1 comm=chsh exe=/usr/bin/chsh subj=unconfined_u:unconfined_r:chfn_t:s0-s0:c0.c1023 key=(null)

Hash: chsh,chfn_t,rssh_exec_t,file,execute

audit2allow

#============= chfn_t ==============
allow chfn_t rssh_exec_t:file execute;

audit2allow -R

#============= chfn_t ==============
allow chfn_t rssh_exec_t:file execute;

I wanted to restrict one user to allow only scp but not ssh so I installed rssh from the Fedora repository. "chsh" was unable to set the user's shell even after adding /usr/bin/rssh to /etc/shells. "usermod" worked, though.
Created attachment 478276: Patch to allow chfn_t exec rssh_exec_t
Miroslav, apply this patch to F13/F14, please.
Thanks for the patch. Fixed in selinux-policy-3.9.7-30.fc14
selinux-policy-3.9.7-31.fc14 has been submitted as an update for Fedora 14. https://admin.fedoraproject.org/updates/selinux-policy-3.9.7-31.fc14
selinux-policy-3.9.7-31.fc14 has been pushed to the Fedora 14 testing repository. If problems still persist, please make note of it in this bug report. If you want to test the update, you can install it with su -c 'yum --enablerepo=updates-testing update selinux-policy'. You can provide feedback for this update here: https://admin.fedoraproject.org/updates/selinux-policy-3.9.7-31.fc14
selinux-policy-3.9.7-31.fc14 has been pushed to the Fedora 14 stable repository. If problems still persist, please make note of it in this bug report.