Re: question why newrole gives error

Thanks Dan,

I tried that with no success. The updated newrole file is:

[root@localhost pam.d]# cat /etc/pam.d/newrole
#%PAM-1.0
auth   sufficient pam_rootok.so
auth       include system-auth
account    include system-auth
password   include system-auth
session    required pam_namespace.so unmnt_remnt no_unmount_on_close

If I reboot the computer and try again with the change (I also used sudo this time to change to root):
[root@localhost pam.d]# newrole -r system_r -t unconfined_t
newrole: incorrect password for xyzuser
Error sending audit message.
[root@localhost pam.d]# 

If I check the audit log file:
[root@localhost pam.d]# audit2allow -a -w 2>&1 | grep unix_chkpwd
type=AVC msg=audit(1368042244.285:341): avc:  denied  { noatsecure } for  pid=1458 comm="unix_chkpwd" scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:system_r:chkpwd_t:s0-s0:c0.c1023 tclass=process
type=AVC msg=audit(1368042244.285:341): avc:  denied  { siginh } for  pid=1458 comm="unix_chkpwd" scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:system_r:chkpwd_t:s0-s0:c0.c1023 tclass=process
type=AVC msg=audit(1368042244.285:341): avc:  denied  { rlimitinh } for  pid=1458 comm="unix_chkpwd" scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:system_r:chkpwd_t:s0-s0:c0.c1023 tclass=process
 
Suggestions?
 
Thank You 
John Emrich 
847-312-1244 (cell)

From: Daniel J Walsh <dwalsh@xxxxxxxxxx>
To: John Emrich <john.emrich@xxxxxxxxxxxxx>
Cc: "selinux@xxxxxxxxxxxxxxxxxxxxxxx" <selinux@xxxxxxxxxxxxxxxxxxxxxxx>
Sent: Wednesday, May 8, 2013 10:38 AM
Subject: Re: question why newrole gives error

On 05/08/2013 11:23 AM, John Emrich wrote:
> Hello,
>
> Running Fedora-18. When executing the newrole command I consistently get
> the same error message "incorrect password for xyzuser". I have su'd to
> root. Everything appears valid. Below is a snippet from a terminal session
> that demonstrates the error message. I receive the same error regardless
> whether I am in enforcement mode or not. Any suggestions as to the cause?
>
>
> [root@localhost xyzuser]# newrole -r system_r -t sysadm_t
> Password:
> newrole: incorrect password for xyzuser
> Error sending audit message.
> [root@localhost xyzuser]# semanage user -l
>
>                 Labeling  MLS/       MLS/
> SELinux User    Prefix    MCS Level  MCS Range       SELinux Roles
>
> ... deleted lines ...
> root            user      s0         s0-s0:c0.c1023  staff_r sysadm_r system_r unconfined_r
> staff_u         user      s0         s0-s0:c0.c1023  staff_r sysadm_r system_r unconfined_r
> sysadm_u        user      s0         s0-s0:c0.c1023  sysadm_r
> system_u        user      s0         s0-s0:c0.c1023  system_r unconfined_r
> unconfined_u    user      s0         s0-s0:c0.c1023  system_r unconfined_r
> ... deleted lines ...
> [root@localhost xyzuser]# id -Z
> unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
>
>
>
> Thank You John Emrich
>
>
>
> -- selinux mailing list selinux@xxxxxxxxxxxxxxxxxxxxxxx
> https://admin.fedoraproject.org/mailman/listinfo/selinux
>
I think we had a capability bug.  Just add pam_rootok to /etc/pam.d/newrole
and it should work better for you.

I prefer to use sudo for transitioning my user role.


--
selinux mailing list
selinux@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/selinux
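
Added example, not part of the original messages: a small shell/awk helper that groups AVC denial records by source type, target type, class and permission, so the domain that triggered each denial is visible before the record is attributed to a particular command. The function names are made up for illustration; the sample input is the three AVC records quoted in the message above.

```shell
#!/bin/sh
# Added example (not from the thread). Function names are illustrative.

# avc_summary: read raw AVC records on stdin and print one line per
# "source_type target_type class permission comm count".
avc_summary() {
    awk '
    function val(line, key,   i, n, f) {   # value of key=... in a record
        n = split(line, f, /[ \t]+/)
        for (i = 1; i <= n; i++)
            if (index(f[i], key "=") == 1)
                return substr(f[i], length(key) + 2)
        return ""
    }
    function setype(ctx,   p) {            # context is user:role:TYPE:level
        split(ctx, p, ":")
        return p[3]
    }
    /avc:[ \t]+denied/ {
        a = index($0, "{"); b = index($0, "}")
        if (a == 0 || b <= a) next         # malformed record, skip it
        n = split(substr($0, a + 1, b - a - 1), perm, " ")
        comm = val($0, "comm"); gsub(/"/, "", comm)
        src = setype(val($0, "scontext"))
        tgt = setype(val($0, "tcontext"))
        cls = val($0, "tclass")
        for (i = 1; i <= n; i++)           # one record can list several perms
            count[src " " tgt " " cls " " perm[i] " " comm]++
    }
    END { for (k in count) print k, count[k] }
    ' | sort
}

# The three AVC records quoted in the message above.
sample_avc() {
    cat <<'EOF'
type=AVC msg=audit(1368042244.285:341): avc:  denied  { noatsecure } for  pid=1458 comm="unix_chkpwd" scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:system_r:chkpwd_t:s0-s0:c0.c1023 tclass=process
type=AVC msg=audit(1368042244.285:341): avc:  denied  { siginh } for  pid=1458 comm="unix_chkpwd" scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:system_r:chkpwd_t:s0-s0:c0.c1023 tclass=process
type=AVC msg=audit(1368042244.285:341): avc:  denied  { rlimitinh } for  pid=1458 comm="unix_chkpwd" scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:system_r:chkpwd_t:s0-s0:c0.c1023 tclass=process
EOF
}

# Every sample record has source type xdm_t and target type chkpwd_t.
sample_avc | avc_summary
```

On a live system the same function can be fed raw records, for example from `ausearch -m avc --raw`, and the first column compared against the domain of the command being debugged.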
