
newrole using SELinux user identity for password lookups

So on a default Fedora installation, as a regular user trying to run
newrole -r sysadm_r, I get this:

testuser optimus-prime:~$ newrole -r sysadm_r
cannot find your entry in the passwd file.

Now, in newrole.c:364, there is the code:

  if( !(pw=getpwnam(context_user_get(context))) ) {
    fprintf(stderr,_("cannot find your entry in the passwd file.\n"));

context_user_get just returns the user identity portion of the security
context of current process.  Since I have no special user identity
defined, it defaults to user_u, which is obviously not in the passwd

This conflicts with our current default Fedora policy; we have in the
SELinux users file:

user user_u roles { user_r ifdef(`user_canbe_sysadm', `sysadm_r
system_r') }; 

The user_canbe_sysadm tunable is on by default, but the user can't use
newrole to get to that role - only su.

So how to fix this bug?  I understand the reason we're using the SELinux
user identity - SELinux doesn't want to trust the Linux uid.  But
perhaps it would be good if we had a way to say that for particular
SELinux user identities like user_u, newrole could just use the Linux
uid for authentication.
