Bug 872956 - Changing shell for user not working when SELinux is in enforcing mode
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 18
Hardware: Unspecified
OS: Linux
unspecified
high
Target Milestone: ---
Assignee: Miroslav Grepl
QA Contact: Fedora Extras Quality Assurance
Reported: 2012-11-04 15:49 UTC by vincentvdk
Modified: 2012-12-07 04:30 UTC

Last Closed: 2012-12-07 04:29:58 UTC
Type: Bug

Description vincentvdk 2012-11-04 15:49:46 UTC
Description of problem:


Version-Release number of selected component (if applicable):


How reproducible:

Change shell for a user

Steps to Reproduce:
1.
2.
3.
  
Actual results:

[root@localhost ~]# chsh -s /bin/zsh vincent
Changing shell for vincent.
chsh: setpwnam failed

Expected results:


[root@localhost ~]# chsh -s /bin/zsh vincent
Changing shell for vincent.
Shell changed.

Additional info:

[root@localhost ~]# chsh -s /bin/zsh vincent
Changing shell for vincent.
chsh: setpwnam failed
Shell *NOT* changed.  Try again later.: Permission denied
[root@localhost ~]# setenforce 0
[root@localhost ~]# chsh -s /bin/zsh vincent
Changing shell for vincent.
Shell changed.



type=AVC msg=audit(1352043686.360:373): avc:  denied  { write } for  pid=5142 comm="chsh" name=".pwd.lock" dev="sda3" ino=1704252 scontext=unconfined_u:unconfined_r:chfn_t:s0-s0:c0.c1023 tcontext=system_u:object_r:shadow_t:s0 tclass=file
type=SYSCALL msg=audit(1352043686.360:373): arch=c000003e syscall=2 success=no exit=-13 a0=7ff33554a1ac a1=80041 a2=180 a3=22 items=0 ppid=5089 pid=5142 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts3 ses=1 comm="chsh" exe="/usr/bin/chsh" subj=unconfined_u:unconfined_r:chfn_t:s0-s0:c0.c1023 key=(null)




[root@localhost ~]#
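
Added example, not part of the original report or of any Fedora tool: it correlates the two audit records above by event id, derives the type-enforcement rule the denial implies, and decodes the hex arguments of the failed syscall. The syscall number and open(2) flag bits are assumed Linux x86_64 values (the record's arch=c000003e); the rule is what the denial implies, not necessarily the policy change that shipped.

```python
import errno
import re

# Records copied verbatim from the report above.
AVC = 'type=AVC msg=audit(1352043686.360:373): avc:  denied  { write } for  pid=5142 comm="chsh" name=".pwd.lock" dev="sda3" ino=1704252 scontext=unconfined_u:unconfined_r:chfn_t:s0-s0:c0.c1023 tcontext=system_u:object_r:shadow_t:s0 tclass=file'
SYSCALL = 'type=SYSCALL msg=audit(1352043686.360:373): arch=c000003e syscall=2 success=no exit=-13 a0=7ff33554a1ac a1=80041 a2=180 a3=22 items=0 ppid=5089 pid=5142 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts3 ses=1 comm="chsh" exe="/usr/bin/chsh" subj=unconfined_u:unconfined_r:chfn_t:s0-s0:c0.c1023 key=(null)'

# Assumed constants: Linux x86_64 syscall number and open(2) flag bits.
SYSCALLS = {2: "open"}
OPEN_FLAGS = {0x1: "O_WRONLY", 0x40: "O_CREAT", 0x80000: "O_CLOEXEC"}


def event_id(record):
    """Return the 'timestamp:serial' that ties the records of one audit event together."""
    return re.search(r"msg=audit\(([\d.]+:\d+)\)", record).group(1)


def fields(record):
    """Parse key=value pairs, stripping the quotes around string values."""
    return {k: v.strip('"') for k, v in re.findall(r'(\w+)=("[^"]*"|\S+)', record)}


def implied_rule(avc):
    """Build the type-enforcement rule the denial implies, in audit2allow's style."""
    f = fields(avc)
    perms = re.search(r"\{ ([^}]+) \}", avc).group(1).split()
    # The SELinux type is the third colon-separated part of a context.
    source, target = (f[key].split(":")[2] for key in ("scontext", "tcontext"))
    perm_text = perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"
    return f"allow {source} {target}:{f['tclass']} {perm_text};"


def decode_syscall(syscall):
    """Decode the failed call: syscall name, open flags, creation mode, errno name."""
    f = fields(syscall)
    flags, mode = int(f["a1"], 16), int(f["a2"], 16)  # audit logs arguments in hex
    names = [name for bit, name in OPEN_FLAGS.items() if flags & bit]
    return SYSCALLS[int(f["syscall"])], names, oct(mode), errno.errorcode[-int(f["exit"])]


if __name__ == "__main__":
    assert event_id(AVC) == event_id(SYSCALL)  # same event, so the records belong together
    print(fields(AVC)["name"], "->", implied_rule(AVC))
    print(decode_syscall(SYSCALL))
```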

Comment 1 Karel Zak 2012-11-07 09:07:24 UTC
Yes, we use lckpwdf() for vipw, chsh and chfn now. The function uses /etc/.pwd.lock file.

Comment 2 Daniel Walsh 2012-11-07 20:41:44 UTC
Should be fixed with latest policy.

Fixed in selinux-policy-3.11.1-51.fc18.noarch

Comment 3 Fedora Update System 2012-11-28 20:56:44 UTC
selinux-policy-3.11.1-57.fc18 has been submitted as an update for Fedora 18.
https://admin.fedoraproject.org/updates/selinux-policy-3.11.1-57.fc18

Comment 4 Fedora Update System 2012-11-30 06:34:54 UTC
Package selinux-policy-3.11.1-57.fc18:
* should fix your issue,
* was pushed to the Fedora 18 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.11.1-57.fc18'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2012-19374/selinux-policy-3.11.1-57.fc18
then log in and leave karma (feedback).

Comment 5 Fedora Update System 2012-12-02 19:28:58 UTC
Package selinux-policy-3.11.1-59.fc18:
* should fix your issue,
* was pushed to the Fedora 18 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.11.1-59.fc18'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2012-19374/selinux-policy-3.11.1-59.fc18
then log in and leave karma (feedback).

Comment 6 Fedora Update System 2012-12-06 20:11:15 UTC
Package selinux-policy-3.11.1-60.fc18:
* should fix your issue,
* was pushed to the Fedora 18 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.11.1-60.fc18'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2012-19374/selinux-policy-3.11.1-60.fc18
then log in and leave karma (feedback).

Comment 7 Fedora Update System 2012-12-07 04:30:00 UTC
selinux-policy-3.11.1-60.fc18 has been pushed to the Fedora 18 stable repository.  If problems still persist, please make note of it in this bug report.

