-------- Original-Nachricht -------- > Datum: Tue, 5 Aug 2008 08:04:34 -0700 > Von: "Justin Mattock" <justinmattock@xxxxxxxxx> > An: "Stephen Smalley" <sds@xxxxxxxxxxxxx> > CC: "Dennis Wronka" <linuxweb@xxxxxxx>, "Xavier Toth" <txtoth@xxxxxxxxx>, "SELinux Mailing List" <selinux@xxxxxxxxxxxxx> > Betreff: Re: Question about newrole > On Tue, Aug 5, 2008 at 7:48 AM, Stephen Smalley <sds@xxxxxxxxxxxxx> wrote: > > > > On Tue, 2008-08-05 at 22:32 +0800, Dennis Wronka wrote: > >> Thanks. > >> That seems to help quite a bit. > >> I now get some messages. For example it seems that newrole wants to > >> read /etc/shadow directly. > >> Will check those messages and play around with the policy. > > > > The way it works is that pam_unix attempts to open /etc/shadow directly > > for reading, and if it fails, it falls back to running unix_chkpwd to > > perform the password check. SELinux policy prohibits most programs from > > directly reading /etc/shadow, including even ones that run as root, and > > forces them to go through unix_chkpwd instead, in order to limit the set > > of processes that have full read access to the shadow password file. > > > > The logic to try to open /etc/shadow and fall back to unix_chkpwd > > already existed before SELinux in order to support non-root processes > > re-authenticating the current user. What changed with SELinux was that > > it could also happen for root processes. > > > > The current policy dontaudit's the attempt to directly read /etc/shadow > > to avoid noise. When you did semodule -DB, you turned on that auditing. > > But those denials are what is expected, and allowing them will mean > > giving newrole direct read access to /etc/shadow (although that will > > only work if running as root, of course, as otherwise it has to use a > > suid helper like unix_chkpwd anyway). > > > > Does newrole work for you as a non-root user? > > > > -- > > Stephen Smalley > > National Security Agency > > > > > > -- > > This message was distributed to subscribers of the selinux mailing list. > > If you no longer wish to subscribe, send mail to majordomo@xxxxxxxxxxxxx > with > > the words "unsubscribe selinux" without quotes as the message. > > > > I usually just type passwd in a terminal > and update the database. then choose you're role > and do the same for that role if need be. > but depending on what you have, this might be a different case. > hope this helps. > regards; > > -- > Justin P. Mattock What I actually want to use newrole for is not resetting passwords. I was thinking to introduce MLS to the next release and thus require the user to transition to secadm_r if he wants to switch from enforcing to permissive. -- GMX startet ShortView.de. Hier findest Du Leute mit Deinen Interessen! Jetzt dabei sein: http://www.shortview.de/wasistshortview.php?mc=sv_ext_mf@gmx -- This message was distributed to subscribers of the selinux mailing list. If you no longer wish to subscribe, send mail to majordomo@xxxxxxxxxxxxx with the words "unsubscribe selinux" without quotes as the message.
