newrole using SELinux user identity for password lookups
Colin Walters
walters at redhat.com
Wed Apr 21 19:02:28 UTC 2004
So on a default Fedora installation, as a regular user trying to run
newrole -r sysadm_r, I get this:
testuser at optimus-prime:~$ newrole -r sysadm_r
cannot find your entry in the passwd file.
Now, in newrole.c:364, there is the code:
    if( !(pw=getpwnam(context_user_get(context))) ) {
        fprintf(stderr,_("cannot find your entry in the passwd file.\n"));
        exit(-1);
    }
context_user_get just returns the user identity portion of the security
context of the current process. Since I have no special user identity
defined, it defaults to user_u, which is obviously not in the passwd
file.
This conflicts with our current default Fedora policy; we have in the
SELinux users file:
user user_u roles { user_r ifdef(`user_canbe_sysadm', `sysadm_r system_r') };
The user_canbe_sysadm tunable is on by default, but the user can't use
newrole to get to that role, only su.
So how to fix this bug? I understand the reason we're using the SELinux
user identity - SELinux doesn't want to trust the Linux uid. But
perhaps it would be good if we had a way to say that for particular
SELinux user identities like user_u, newrole could just use the Linux
uid for authentication.
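Added illustration of the lookup decision discussed above (not code from newrole or from Fedora): the user field is taken from a security context string, as context_user_get() would do, and a generic identity such as user_u is routed to a lookup by Linux uid instead of getpwnam(). The list of generic identities and the sample contexts are assumptions made up for the example.

```c
#include <pwd.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

enum lookup { LOOKUP_BY_NAME, LOOKUP_BY_UID, LOOKUP_ERROR };

/* SELinux identities with no matching Linux account (assumed list; user_u
 * is the one the message describes). For these the Linux uid is used. */
static const char *const generic_identities[] = { "user_u", NULL };

/* Copy the user field of "user:role:type[:level]" into out (size n), the
 * value newrole obtains via context_user_get(). Returns LOOKUP_BY_UID for
 * a generic identity, LOOKUP_BY_NAME for one expected in the passwd file,
 * LOOKUP_ERROR for a malformed context or a too-small buffer. */
enum lookup choose_lookup(const char *context, char *out, size_t n)
{
    const char *colon = strchr(context, ':');
    size_t len = colon ? (size_t)(colon - context) : 0;
    if (len == 0 || len >= n)
        return LOOKUP_ERROR;
    memcpy(out, context, len);
    out[len] = '\0';
    for (const char *const *g = generic_identities; *g; g++)
        if (strcmp(out, *g) == 0)
            return LOOKUP_BY_UID;
    return LOOKUP_BY_NAME;
}

int main(void)
{
    /* Constructed sample contexts: a default Fedora user (user_u) and an
     * identity that does have a passwd entry. */
    const char *samples[] = { "user_u:user_r:user_t", "root:sysadm_r:sysadm_t" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        char user[64];
        struct passwd *pw = NULL;
        switch (choose_lookup(samples[i], user, sizeof user)) {
        case LOOKUP_BY_NAME: pw = getpwnam(user); break;      /* current behaviour */
        case LOOKUP_BY_UID:  pw = getpwuid(getuid()); break;  /* proposed fallback */
        default: break;
        }
        if (pw)
            printf("%s: authenticate as %s\n", samples[i], pw->pw_name);
        else
            printf("%s: cannot find your entry in the passwd file.\n", samples[i]);
    }
    return 0;
}
```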