Bug 746644 - "chsh -s /bin/dash root" fail with "chsh: setpwnam failed: Permission denied"
Status: CLOSED RAWHIDE
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: rawhide
Assignee: Miroslav Grepl
QA Contact: Fedora Extras Quality Assurance
Reported: 2011-10-17 11:25 UTC by Jim Meyering
Modified: 2013-03-13 20:41 UTC (History)

Doc Type: Bug Fix
Last Closed: 2011-10-17 19:51:56 UTC



Description Jim Meyering 2011-10-17 11:25:20 UTC
Description of problem: chsh -s ___ root always fails


Version-Release number of selected component (if applicable):
glibc-2.14.90-12.x86_64

How reproducible: every time


Steps to Reproduce: (first ensure you have installed dash)
1. chsh -s /bin/dash root
  
Actual results:
chsh: setpwnam failed: Permission denied
Shell *NOT* changed.  Try again later.

Expected results:
No failure and exit status = 0


Additional info:

Comment 1 Adam Williamson 2011-10-17 16:17:28 UTC
Is this another result of the groups problem with -12? Test with -12.999, thanks!

Comment 2 Jim Meyering 2011-10-17 17:14:31 UTC
Adam,

No, this is different.
I confirmed that this bug persists when I install -12.999 on rawhide (both before and after reboot), but not on F16.

It is due to SELinux policy, so I've adjusted the component.

-=--------------------------------
SELinux is preventing /usr/bin/chsh from create access on the file ptmptmp.

*****  Plugin catchall_labels (83.8 confidence) suggests  ********************

If you want to allow chsh to have create access on the ptmptmp file
Then you need to change the label on ptmptmp
Do
# semanage fcontext -a -t FILE_TYPE 'ptmptmp'
where FILE_TYPE is one of the following: passwd_file_t, pcscd_var_run_t, krb5_host_rcache_t. 
Then execute: 
restorecon -v 'ptmptmp'

Comment 3 Daniel Walsh 2011-10-17 18:22:07 UTC
Jim, I cannot get this to happen on my box.  The chsh is completing correctly.  What is ptmptmp?  Is this a file in /etc?

Comment 4 Jim Meyering 2011-10-17 19:21:26 UTC
Hi Dan,

I built a new rawhide VM yesterday, starting from F16-beta and upgrading from there.  Thus maybe I have a slightly newer version of glibc?  I was using both -12, and later, -12.999 from koji.

Yes, chsh works by writing a temporary file, /etc/ptmptmp, and then replacing /etc/passwd atomically.
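
The update pattern described in Comment 4, sketched as an added example (not part of the bug thread and not chsh's own code). It shows why a policy that denies file creation in the target directory stops the change before /etc/passwd is ever touched. The function name `set_shell`, the return strings and the scratch directory are assumptions; only the temp file name `ptmptmp` comes from the report.

```python
import errno
import os
import tempfile

TMP_NAME = "ptmptmp"  # temp file name taken from the report; the rest is assumed


def set_shell(etc_dir, user, shell):
    """Rewrite <etc_dir>/passwd so `user` gets `shell`, via temp file + rename.

    Returns None on success, or "<step>:<errno name>" (for example
    "create:EACCES") so a denied create is distinguishable from a denied
    replace.
    """
    passwd = os.path.join(etc_dir, "passwd")
    tmp = os.path.join(etc_dir, TMP_NAME)
    try:
        # Step 1: create the temp file in the SAME directory as the target.
        # O_EXCL makes a leftover temp file act as a lock. This create is the
        # operation the SELinux denial quoted in Comment 2 refers to.
        fd = os.open(tmp, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o644)
    except OSError as exc:
        return "create:" + errno.errorcode.get(exc.errno, str(exc.errno))
    try:
        with os.fdopen(fd, "w") as out, open(passwd) as src:
            for line in src:
                fields = line.rstrip("\n").split(":")
                if len(fields) == 7 and fields[0] == user:
                    fields[6] = shell  # 7th passwd field is the login shell
                out.write(":".join(fields) + "\n")
            out.flush()
            os.fsync(out.fileno())
        # Step 2: rename() swaps the complete new file in atomically.
        os.rename(tmp, passwd)
    except OSError as exc:
        os.unlink(tmp)  # never leave a stale temp file (it would block step 1)
        return "replace:" + errno.errorcode.get(exc.errno, str(exc.errno))
    return None


if __name__ == "__main__":
    d = tempfile.mkdtemp()  # constructed scratch directory, not the real /etc
    with open(os.path.join(d, "passwd"), "w") as f:
        f.write("root:x:0:0:root:/root:/bin/bash\n")  # constructed sample entry
    print(set_shell(d, "root", "/bin/dash"))
    print(open(os.path.join(d, "passwd")).read(), end="")
```

Because the temp file must live in the same directory as the file it replaces, the policy has to permit creating it there with a suitable label; until it does, step 1 fails and the original file is left unchanged.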

Comment 5 Daniel Walsh 2011-10-17 19:51:56 UTC
Fixed in selinux-policy-3.10.0-40.2.fc17.noarch

