newrole using SELinux user identity for password lookups

Colin Walters walters at redhat.com
Wed Apr 21 19:02:28 UTC 2004


So on a default Fedora installation, as a regular user trying to run
newrole -r sysadm_r, I get this:

testuser at optimus-prime:~$ newrole -r sysadm_r
cannot find your entry in the passwd file.

Now, in newrole.c:364, there is the code:

  if( !(pw=getpwnam(context_user_get(context))) ) {
    fprintf(stderr,_("cannot find your entry in the passwd file.\n"));
    exit(-1);
  }

context_user_get just returns the user identity portion of the security
context of the current process.  Since I have no special user identity
defined, it defaults to user_u, which is obviously not in the passwd
file.

This conflicts with our current default Fedora policy; in the SELinux
users file we have:

user user_u roles { user_r ifdef(`user_canbe_sysadm', `sysadm_r
system_r') };

The user_canbe_sysadm tunable is on by default, but the user can't use
newrole to get to that role - only su.

So how to fix this bug?  I understand the reason we're using the SELinux
user identity - SELinux doesn't want to trust the Linux uid.  But
perhaps it would be good if we had a way to say that for particular
SELinux user identities like user_u, newrole could just use the Linux
uid for authentication.
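The lookup described above, and the suggested fallback for generic identities, as an added example that is not newrole's own code (the list of generic identities and the function names are assumptions; the mail only names user_u):

```c
/* Added example (not newrole's own code): a security context looks like
 * "user:role:type[:level]"; newrole takes the user field and hands it to
 * getpwnam().  The proposal in the mail is modelled here: a generic identity
 * such as user_u falls back to the caller's Linux uid instead of being
 * looked up by name in the passwd file. */
#include <stdio.h>
#include <string.h>
#include <pwd.h>
#include <unistd.h>

/* Copy the user identity (text before the first ':') of ctx into out.
 * Returns 0 on success, -1 if ctx is malformed or out is too small. */
int context_user_identity(const char *ctx, char *out, size_t outlen) {
    const char *colon = strchr(ctx, ':');
    size_t len = colon ? (size_t)(colon - ctx) : strlen(ctx);
    if (!colon || len == 0 || len >= outlen)
        return -1;
    memcpy(out, ctx, len);
    out[len] = '\0';
    return 0;
}

/* Identities that do not correspond to a Linux account (assumed list). */
int is_generic_identity(const char *identity) {
    static const char *const generic[] = { "user_u", NULL };
    for (int i = 0; generic[i]; i++)
        if (strcmp(identity, generic[i]) == 0)
            return 1;
    return 0;
}

/* Passwd entry newrole should authenticate against: for a generic identity
 * the Linux uid is trusted, otherwise the SELinux identity itself must
 * exist in the passwd file, exactly as the quoted newrole.c code requires. */
struct passwd *lookup_for_context(const char *ctx) {
    char ident[64];
    if (context_user_identity(ctx, ident, sizeof ident) != 0)
        return NULL;
    if (is_generic_identity(ident))
        return getpwuid(getuid());
    return getpwnam(ident);
}

int main(void) {
    struct passwd *pw = lookup_for_context("user_u:user_r:user_t");
    if (!pw) {
        fprintf(stderr, "cannot find your entry in the passwd file.\n");
        return 1;
    }
    printf("would authenticate as %s (uid %u)\n", pw->pw_name, (unsigned)pw->pw_uid);
    return 0;
}
```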



