Running an SELinux Gentoo installation (stage3-x86-selinux-pie-ssp-20041123.tar.bz2) with these packages updated:

  sec-policy/selinux-base-policy ~x86
  sys-apps/policycoreutils ~x86
  sys-libs/libsepol ~x86
  sys-libs/libselinux ~x86
  sys-apps/checkpolicy ~x86

root is able to change his password or other users' passwords even if he is not in the sysadm_r role.

Reproducible: Always

Steps to Reproduce:
1. Log in as root and make sure you're not in the sysadm_r role (check with id).
2. Change the root password or another user's password with the /bin/passwd command.

Actual Results:
  root # id -Z
  root:user_r:user_t
  root # passwd testuser
  New UNIX password:
  Retype new UNIX password:
  passwd: password updated successfully

Expected Results:
root should not be able to change passwords when not in the sysadm_r role.

I've talked with Chris PeBenito on IRC and he told me that it is likely a PAM-related problem (pam-selinux.patch in the sys-libs/pam ebuild). I've tried to take the latest pam-selinux.patch from Fedora and apply it, but several parts of the patch fail.
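The rule the report expects passwd to enforce, written out as a small shell check that is an added example and not code from shadow, PAM or the Gentoo policy. It parses the user:role:type context in the same form `id -Z` prints above and assumes one reading of the expected result: root must hold sysadm_r for any password change, and every other invoker may change only their own password (the usernames are constructed test inputs).

```shell
#!/bin/sh
# Added example: models the access rule the bug report expects from passwd
# under the SELinux policy. Not the shadow package's own code.

# role_of CONTEXT -> prints the role field of a user:role:type[:level]
# context, the format printed by `id -Z` (root:user_r:user_t -> user_r).
role_of() {
    printf '%s\n' "$1" | cut -d: -f2
}

# passwd_change_allowed CONTEXT INVOKER TARGET
# Returns 0 when the change should be permitted, 1 when it should be refused.
# Assumption (an interpretation of the report's expected result, not policy
# text from the page): an invoker who is root must hold sysadm_r for any
# password change; any other invoker may change only their own password.
passwd_change_allowed() {
    ctx=$1; invoker=$2; target=$3
    role=$(role_of "$ctx")
    if [ "$invoker" = root ]; then
        [ "$role" = sysadm_r ]
        return $?
    fi
    [ "$invoker" = "$target" ]
}

# Walk the report's scenario plus two contrasting cases (constructed inputs):
# the first line is the reported bug, which the rule above refuses.
demo() {
    for case in 'root:user_r:user_t root testuser' \
                'root:sysadm_r:sysadm_t root testuser' \
                'testuser:user_r:user_t testuser testuser'; do
        set -- $case
        if passwd_change_allowed "$1" "$2" "$3"; then
            echo "ALLOW  $2 ($(role_of "$1")) -> $3"
        else
            echo "DENY   $2 ($(role_of "$1")) -> $3"
        fi
    done
}

demo
```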
OK, I determined that this is not a PAM problem; it's a problem with shadow's passwd. Red Hat uses the passwd package to provide passwd, rather than using the passwd from shadow, so shadow's passwd needs to be patched.
Patch pushed upstream.