Just for the record, sent the initial reply to Stephen only. Sorry for the glitch. Rest at the bottom. On Tuesday 05 August 2008 22:13:34 Stephen Smalley wrote: > On Tue, 2008-08-05 at 21:55 +0800, Dennis Wronka wrote: > > Hi folks, > > > > I'd like to ask about a problem I am experiencing with newrole. > > When I use newrole in permissive-mode I have no problems changing the > > role. Also I don't get any audit-messages. > > But when I switch to enforcing-mode I cannot use newrole, it keeps > > telling me "incorrect password for root", although it clearly is correct. > > I suspect a problem in interaction between newrole and unix_chkpwd, but > > am not entirely sure about it. > > > > Problem is that I don't get any audits from SELinux, only errors in > > auth.log from unix_chkpwd: > > check_pass; user unknown > > password check failer for user (root) > > > > I am working with the latest reference-policy, adjusted here and there to > > fit the needs of my distro. > > > > Thanks for any suggestions. > > What version of pam are you using? What distro? > There were changes made to pam_unix and unix_chkpwd for selinux. > Also, how are you building newrole? I am using PAM 1.0.1 on the current development-version of EasyLFS. I am currently working on the integration of SELinux and seem to be hanging on this point. I haven't set much focus towards newrole in the previous releases, but want to do so now. newrole is the one from the policycoreutils 2.0.49, built simply with make && make install. Btw, I think the same problem applies to run_init, will have to check to confirm though.
Attachment:
signature.asc
Description: This is a digitally signed message part.
