chsh cannot change shell as root or user(staff_u) haven't tested with user_u but probably also fails seems like it cannot work with /etc/.pwd.lock (system_u:object_r:shadow_t) file Trying to change shell with enforcing mode: Jan 31 00:00:12 localhost kernel: [ 6099.295297] type=1400 audit(1327964412.806:650): avc: denied { write } for pid=18351 comm="chsh" name=".pwd.lock" dev="dm-0" ino=7414347 scontext=staff_u:sysadm_r:chfn_t tcontext=system_u:object_r:shadow_t tclass=file Changing shell in permissive: Jan 31 00:00:34 localhost kernel: [ 6121.390495] type=1400 audit(1327964434.946:652): avc: denied { write } for pid=18355 comm="chsh" name=".pwd.lock" dev="dm-0" ino=7414347 scontext=staff_u:sysadm_r:chfn_t tcontext=system_u:object_r:shadow_t tclass=file Jan 31 00:00:35 localhost kernel: [ 6121.543743] type=1400 audit(1327964435.099:653): avc: denied { execute } for pid=18357 comm="chsh" name="nscd" dev="dm-0" ino=25749590 scontext=staff_u:sysadm_r:chfn_t tcontext=system_u:object_r:nscd_exec_t tclass=file Jan 31 00:00:35 localhost kernel: [ 6121.543759] type=1400 audit(1327964435.099:654): avc: denied { read open } for pid=18357 comm="chsh" name="nscd" dev="dm-0" ino=25749590 scontext=staff_u:sysadm_r:chfn_t tcontext=system_u:object_r:nscd_exec_t tclass=file Jan 31 00:00:35 localhost kernel: [ 6121.543877] type=1400 audit(1327964435.099:655): avc: denied { execute_no_trans } for pid=18357 comm="chsh" path="/usr/sbin/nscd" dev="dm-0" ino=25749590 scontext=staff_u:sysadm_r:chfn_t tcontext=system_u:object_r:nscd_exec_t tclass=file Reproducible: Always Steps to Reproduce: 1. run chsh 2. enter new shell Actual Results: Changing the login shell for root Enter the new value, or press ENTER for the default Login Shell [/bin/bash]: /bin/zsh chsh: cannot lock /etc/passwd; try again later. Expected Results: Changes shell Portage 2.1.10.44 (hardened/linux/amd64/selinux, gcc-4.5.3, glibc-2.14.1-r2, 3.2.2-hardened-r1 x86_64) ================================================================= System uname: Linux-3.2.2-hardened-r1-x86_64-Intel-R-_Core-TM-_i3_CPU_M_350_@_2.27GHz-with-gentoo-2.1 Timestamp of tree: Mon, 30 Jan 2012 19:30:01 +0000 app-shells/bash: 4.2_p20 dev-lang/python: 2.7.2-r3, 3.2.2 dev-util/cmake: 2.8.6-r4 dev-util/pkgconfig: 0.26 sys-apps/baselayout: 2.1 sys-apps/openrc: 0.9.8.2 sys-apps/sandbox: 2.5 sys-devel/autoconf: 2.13, 2.68 sys-devel/automake: 1.9.6-r3, 1.11.2-r1 sys-devel/binutils: 2.22-r1 sys-devel/gcc: 4.5.3-r2, 4.7.0_alpha20120114::hardened-dev sys-devel/gcc-config: 1.5-r2 sys-devel/libtool: 2.4.2 sys-devel/make: 3.82-r3 sys-kernel/linux-headers: 3.2 (virtual/os-headers) sys-libs/glibc: 2.14.1-r2 Repositories: gentoo hardened-dev my_local_overlay ACCEPT_KEYWORDS="amd64 ~amd64" ACCEPT_LICENSE="* -@EULA Intel-SDP PUEL" CBUILD="x86_64-pc-linux-gnu" CFLAGS="-march=native -O2 -pipe" CHOST="x86_64-pc-linux-gnu" CONFIG_PROTECT="/etc" CONFIG_PROTECT_MASK="/etc/ca-certificates.conf /etc/env.d /etc/fonts/fonts.conf /etc/gconf /etc/gentoo-release /etc/revdep-rebuild /etc/sandbox.d /etc/terminfo" CXXFLAGS="-march=native -O2 -pipe" DISTDIR="/usr/portage/distfiles" FEATURES="assume-digests binpkg-logs distlocks ebuild-locks fixlafiles news parallel-fetch protect-owned sandbox selinux sesandbox sfperms splitdebug strict unknown-features-warn unmerge-logs unmerge-orphans userfetch" FFLAGS="" GENTOO_MIRRORS="http://distfiles.gentoo.org" LANG="en_US.UTF-8" LDFLAGS="-Wl,-O1 -Wl,--as-needed" MAKEOPTS="-j4" PKGDIR="/usr/portage/packages" PORTAGE_CONFIGROOT="/" PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --stats --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages" PORTAGE_TMPDIR="/var/tmp" PORTDIR="/usr/portage" PORTDIR_OVERLAY="/var/lib/layman/hardened-development /usr/local/portage" SYNC="rsync://rsync.gentoo.org/gentoo-portage" USE="X acpi alsa amd64 bash-completion berkdb bzip2 cli cracklib crypt cxx dbus dri gdbm gif gpm hardened iconv jpeg justify mmx modules mudflap multilib ncurses nls nptl nptlonly open_perms opengl openmp pam pax_kernel pcre png pppd readline selinux session sse sse2 ssl ssse3 sysfs system-sqlite tcpd tiff truetype udev unicode urandom usb v4l vim-syntax xinerama xorg zlib zsh-completion" ALSA_CARDS="ali5451 als4000 atiixp atiixp-modem bt87x ca0106 cmipci emu10k1x ens1370 ens1371 es1938 es1968 fm801 hda-intel intel8x0 intel8x0m maestro3 trident usb-audio via82xx via82xx-modem ymfpci" ALSA_PCM_PLUGINS="adpcm alaw asym copy dmix dshare dsnoop empty extplug file hooks iec958 ioplug ladspa lfloat linear meter mmap_emul mulaw multi null plug rate route share shm softvol" APACHE2_MODULES="actions alias auth_basic authn_alias authn_anon authn_dbm authn_default authn_file authz_dbm authz_default authz_groupfile authz_host authz_owner authz_user autoindex cache cgi cgid dav dav_fs dav_lock deflate dir disk_cache env expires ext_filter file_cache filter headers include info log_config logio mem_cache mime mime_magic negotiation rewrite setenvif speling status unique_id userdir usertrack vhost_alias" CALLIGRA_FEATURES="kexi words flow plan stage tables krita karbon braindump" CAMERAS="ptp2" COLLECTD_PLUGINS="df interface irq load memory rrdtool swap syslog" ELIBC="glibc" GPSD_PROTOCOLS="ashtech aivdm earthmate evermore fv18 garmin garmintxt gpsclock itrax mtk3301 nmea ntrip navcom oceanserver oldstyle oncore rtcm104v2 rtcm104v3 sirf superstar2 timing tsip tripmate tnt ubx" INPUT_DEVICES="evdev" KERNEL="linux" LCD_DEVICES="bayrad cfontz cfontz633 glk hd44780 lb216 lcdm001 mtxorb ncurses text" PHP_TARGETS="php5-3" RUBY_TARGETS="ruby19" USERLAND="GNU" VIDEO_CARDS="nouveau" XTABLES_ADDONS="quota2 psd pknock lscan length2 ipv4options ipset ipp2p iface geoip fuzzy condition tee tarpit sysrq steal rawnat logmark ipmark dhcpmac delude chaos account" Unset: CPPFLAGS, CTARGET, EMERGE_DEFAULT_OPTS, INSTALL_MASK, LC_ALL, LINGUAS, PORTAGE_BUNZIP2_COMMAND, PORTAGE_COMPRESS, PORTAGE_COMPRESS_FLAGS, PORTAGE_RSYNC_EXTRA_OPTS
I'm not that happy with the two obvious scenario's here: - allow chfn_t to manage shadow_t files (or even just write to them if that's all that was needed). After all, it should only update the passwd file. Sadly, it uses the /etc/.pwd.lock file as a locking file to ensure updates aren't crossing each other. But granting it access to shadow_t opens a path for more disclosure (or even modification of) which I really don't want to do. - make /etc/.pwd.lock an etc_t file instead of shadow_t. Although I don't know if there is a risk here, it strikes me that this file is explicitly marked as a shadow_t file in our policy. "Lowering" its type to etc_t *might* make it susceptible to race conditions from less trusted resources (which do have etc_t write privileges) Going to check with some other authorative sources on this one
Checking upstream See http://oss.tresys.com/pipermail/refpolicy/2012-March/005027.html
Ok, going to mark .pwd.lock as etc_t for now.
In hardened-dev overlay (since 2012-04-11, forgot to update bugreport) You might need to restorecon /etc/.pwd.lock after updating the policies at first.
In main tree, ~arch'ed
Stable