Bug 746644 - "chsh -s /bin/dash root" fail with "chsh: setpwnam failed: Permission denied"
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: rawhide
Hardware: Unspecified
OS: Unspecified
Target Milestone: ---
Assignee: Miroslav Grepl
QA Contact: Fedora Extras Quality Assurance
Reported: 2011-10-17 11:25 UTC by Jim Meyering
Modified: 2013-03-13 20:41 UTC

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Last Closed: 2011-10-17 19:51:56 UTC
Type: ---

Description Jim Meyering 2011-10-17 11:25:20 UTC
Description of problem: chsh -s ___ root always fails

Version-Release number of selected component (if applicable):

How reproducible: every time

Steps to Reproduce: (first ensure you have installed dash)
1. chsh -s /bin/dash root
Actual results:
chsh: setpwnam failed: Permission denied
Shell *NOT* changed.  Try again later.

Expected results:
No failure and exit status = 0

Additional info:

Comment 1 Adam Williamson 2011-10-17 16:17:28 UTC
Is this another result of the groups problem with -12? Test with -12.999, thanks!

Comment 2 Jim Meyering 2011-10-17 17:14:31 UTC

No, this is different.
I confirmed that this bug persists when I install -12.999 on rawhide (both before and after reboot), but not on F16.

It is due to SELinux policy, so I've adjusted the component.

SELinux is preventing /usr/bin/chsh from create access on the file ptmptmp.

*****  Plugin catchall_labels (83.8 confidence) suggests  ********************

If you want to allow chsh to have create access on the ptmptmp file
Then you need to change the label on ptmptmp
# semanage fcontext -a -t FILE_TYPE 'ptmptmp'
where FILE_TYPE is one of the following: passwd_file_t, pcscd_var_run_t, krb5_host_rcache_t. 
Then execute: 
restorecon -v 'ptmptmp'

Comment 3 Daniel Walsh 2011-10-17 18:22:07 UTC
Jim, I cannot get this to happen on my box.  The chsh is completing correctly.  What is ptmptmp?  Is this a file in /etc?

Comment 4 Jim Meyering 2011-10-17 19:21:26 UTC
Hi Dan,

I built a new rawhide VM yesterday, starting from F16-beta and upgrading from there.  Thus maybe I have a slightly newer version of glibc?  I was using both -12, and later, -12.999 from koji.

Yes, chsh works by writing a temporary file, /etc/ptmptmp, and then replacing /etc/passwd atomically.
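
The write-then-rename pattern described in comment 4, as an added example (not part of the original report and not util-linux's chsh code): it shows why a denied create on the temporary file leaves the original untouched, which is the "Shell *NOT* changed" outcome above. The function name `atomic_replace` and the scratch paths under /tmp are assumptions made for the illustration.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
/* Replace `target` with `data` by creating `tmp` in the same directory and
 * renaming it over `target`. Returns 0 on success or -errno on failure.
 * If creating `tmp` fails (EACCES is what an SELinux "create" denial looks
 * like to the caller), `target` is never opened or modified. */
int atomic_replace(const char *target, const char *tmp,
                   const char *data, size_t len)
{
    /* O_EXCL: refuse to reuse a leftover or pre-planted temp file. */
    int fd = open(tmp, O_WRONLY | O_CREAT | O_EXCL, 0644);
    if (fd < 0)
        return -errno;   /* the step the AVC in comment 2 blocked */
    int err = 0;
    for (size_t off = 0; off < len && !err; ) {
        ssize_t n = write(fd, data + off, len - off);
        if (n >= 0)
            off += (size_t)n;
        else if (errno != EINTR)
            err = errno;
    }
    if (!err && fsync(fd) < 0)   /* data on disk before it becomes visible */
        err = errno;
    if (close(fd) < 0 && !err)
        err = errno;
    if (!err && rename(tmp, target) < 0)   /* atomic within one filesystem */
        err = errno;
    if (err)
        unlink(tmp);     /* we created it, so we clean it up */
    return -err;
}

int main(void)
{
    /* Constructed demo paths in a scratch directory, not /etc. */
    char dir[] = "/tmp/atomic-demo-XXXXXX", target[64], tmp[64];
    if (!mkdtemp(dir)) return 1;
    snprintf(target, sizeof target, "%s/passwd", dir);
    snprintf(tmp, sizeof tmp, "%s/ptmptmp", dir);
    const char *line = "root:x:0:0:root:/root:/bin/dash\n";
    int rc = atomic_replace(target, tmp, line, strlen(line));
    printf("atomic_replace -> %d (%s)\n", rc, rc ? strerror(-rc) : "ok");
    return rc ? 1 : 0;
}
```

Because the temporary file is created in the same directory as the target, the process needs create permission there under both DAC and the SELinux policy, which is why the denial named ptmptmp rather than passwd.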

Comment 5 Daniel Walsh 2011-10-17 19:51:56 UTC
Fixed in selinux-policy-3.10.0-40.2.fc17.noarch
