# chsh
Changing the login shell for root
Enter the new value, or press ENTER for the default
        Login Shell [/bin/zsh]: /bin/bash
chsh: failure while writing changes to /etc/passwd
# setenforce 0
# chsh
Changing the login shell for root
Enter the new value, or press ENTER for the default
        Login Shell [/bin/zsh]: /bin/bash

Nothing in enforcing

In permissive:

Jan 23 20:22:15 lain kernel: [20290.691037] type=1400 audit(1358968935.217:561): avc: denied { search } for pid=18195 comm="chsh" name="files" dev="dm-0" ino=23724598 scontext=staff_u:sysadm_r:chfn_t tcontext=system_u:object_r:file_context_t tclass=dir
Jan 23 20:22:15 lain kernel: [20290.691054] type=1400 audit(1358968935.217:562): avc: denied { read } for pid=18195 comm="chsh" name="file_contexts.subs_dist" dev="dm-0" ino=10757565 scontext=staff_u:sysadm_r:chfn_t tcontext=system_u:object_r:file_context_t tclass=file
Jan 23 20:22:15 lain kernel: [20290.691064] type=1400 audit(1358968935.217:563): avc: denied { open } for pid=18195 comm="chsh" path="/etc/selinux/strict/contexts/files/file_contexts.subs_dist" dev="dm-0" ino=10757565 scontext=staff_u:sysadm_r:chfn_t tcontext=system_u:object_r:file_context_t tclass=file
Jan 23 20:22:15 lain kernel: [20290.691075] type=1400 audit(1358968935.217:564): avc: denied { getattr } for pid=18195 comm="chsh" path="/etc/selinux/strict/contexts/files/file_contexts.subs_dist" dev="dm-0" ino=10757565 scontext=staff_u:sysadm_r:chfn_t tcontext=system_u:object_r:file_context_t tclass=file
Jan 23 20:22:15 lain kernel: [20290.691119] type=1400 audit(1358968935.217:565): avc: denied { read } for pid=18195 comm="chsh" name="file_contexts" dev="dm-0" ino=23726403 scontext=staff_u:sysadm_r:chfn_t tcontext=staff_u:object_r:file_context_t tclass=file
Jan 23 20:22:15 lain kernel: [20290.691128] type=1400 audit(1358968935.217:566): avc: denied { open } for pid=18195 comm="chsh" path="/etc/selinux/strict/contexts/files/file_contexts" dev="dm-0" ino=23726403 scontext=staff_u:sysadm_r:chfn_t tcontext=staff_u:object_r:file_context_t tclass=file
Jan 23 20:22:15 lain kernel: [20290.691138] type=1400 audit(1358968935.217:567): avc: denied { getattr } for pid=18195 comm="chsh" path="/etc/selinux/strict/contexts/files/file_contexts" dev="dm-0" ino=23726403 scontext=staff_u:sysadm_r:chfn_t tcontext=staff_u:object_r:file_context_t tclass=file
Jan 23 20:22:15 lain kernel: [20290.890740] type=1400 audit(1358968935.417:568): avc: denied { execute } for pid=18200 comm="chsh" name="nscd" dev="dm-0" ino=7243201 scontext=staff_u:sysadm_r:chfn_t tcontext=system_u:object_r:nscd_exec_t tclass=file
Jan 23 20:22:15 lain kernel: [20290.890754] type=1400 audit(1358968935.417:569): avc: denied { read open } for pid=18200 comm="chsh" path="/usr/sbin/nscd" dev="dm-0" ino=7243201 scontext=staff_u:sysadm_r:chfn_t tcontext=system_u:object_r:nscd_exec_t tclass=file

# semodule -D -B
# setenforce 1
# chsh
Changing the login shell for root
Enter the new value, or press ENTER for the default
        Login Shell [/bin/bash]: /bin/zsh
chsh: failure while writing changes to /etc/passwd
#

In enforcing with dontaudits disabled:

Jan 23 20:23:38 lain kernel: [20373.354685] type=1400 audit(1358969018.044:577): avc: denied { rlimitinh } for pid=18281 comm="chsh" scontext=staff_u:sysadm_r:sysadm_t tcontext=staff_u:sysadm_r:chfn_t tclass=process
Jan 23 20:23:38 lain kernel: [20373.354697] type=1400 audit(1358969018.044:578): avc: denied { siginh } for pid=18281 comm="chsh" scontext=staff_u:sysadm_r:sysadm_t tcontext=staff_u:sysadm_r:chfn_t tclass=process
Jan 23 20:23:38 lain kernel: [20373.354729] type=1400 audit(1358969018.045:579): avc: denied { noatsecure } for pid=18281 comm="chsh" scontext=staff_u:sysadm_r:sysadm_t tcontext=staff_u:sysadm_r:chfn_t tclass=process
Jan 23 20:23:38 lain kernel: [20373.361122] type=1400 audit(1358969018.051:580): avc: denied { rlimitinh } for pid=18282 comm="unix_chkpwd" scontext=staff_u:sysadm_r:chfn_t tcontext=staff_u:sysadm_r:chkpwd_t tclass=process
Jan 23 20:23:38 lain kernel: [20373.361133] type=1400 audit(1358969018.051:581): avc: denied { siginh } for pid=18282 comm="unix_chkpwd" scontext=staff_u:sysadm_r:chfn_t tcontext=staff_u:sysadm_r:chkpwd_t tclass=process
Jan 23 20:23:38 lain kernel: [20373.361153] type=1400 audit(1358969018.051:582): avc: denied { noatsecure } for pid=18282 comm="unix_chkpwd" scontext=staff_u:sysadm_r:chfn_t tcontext=staff_u:sysadm_r:chkpwd_t tclass=process
Jan 23 20:23:38 lain kernel: [20373.361884] type=1400 audit(1358969018.052:583): avc: denied { search } for pid=18282 comm="unix_chkpwd" name="/" dev="sysfs" ino=1 scontext=staff_u:sysadm_r:chkpwd_t tcontext=system_u:object_r:sysfs_t tclass=dir
Jan 23 20:23:38 lain kernel: [20373.362218] type=1400 audit(1358969018.052:584): avc: denied { search } for pid=18282 comm="unix_chkpwd" name="/" dev="sysfs" ino=1 scontext=staff_u:sysadm_r:chkpwd_t tcontext=system_u:object_r:sysfs_t tclass=dir
Jan 23 20:23:43 lain kernel: [20378.806719] type=1400 audit(1358969023.507:585): avc: denied { search } for pid=18281 comm="chsh" name="selinux" dev="dm-0" ino=23724520 scontext=staff_u:sysadm_r:chfn_t tcontext=system_u:object_r:selinux_config_t tclass=dir
Jan 23 20:23:43 lain kernel: [20378.806750] type=1400 audit(1358969023.507:586): avc: denied { search } for pid=18281 comm="chsh" name="selinux" dev="dm-0" ino=23724520 scontext=staff_u:sysadm_r:chfn_t tcontext=system_u:object_r:selinux_config_t tclass=dir
Jan 23 20:23:43 lain kernel: [20378.806761] type=1400 audit(1358969023.507:587): avc: denied { search } for pid=18281 comm="chsh" name="selinux" dev="dm-0" ino=23724520 scontext=staff_u:sysadm_r:chfn_t tcontext=system_u:object_r:selinux_config_t tclass=dir
Jan 23 20:23:43 lain kernel: [20378.806776] type=1400 audit(1358969023.507:588): avc: denied { search } for pid=18281 comm="chsh" name="selinux" dev="dm-0" ino=23724520 scontext=staff_u:sysadm_r:chfn_t tcontext=system_u:object_r:selinux_config_t tclass=dir
Jan 23 20:23:43 lain kernel: [20378.904143] type=1400 audit(1358969023.605:589): avc: denied { setattr } for pid=2105 comm="syslog-ng" name="tty12" dev="devtmpfs" ino=5131 scontext=system_u:system_r:syslogd_t tcontext=system_u:object_r:tty_device_t tclass=chr_file

Reproducible: Always
It also seems to require rights to execute nscd to flush its cache:

"""
# chsh
Changing the login shell for root
Enter the new value, or press ENTER for the default
        Login Shell [/bin/sh]: /bin/bash
chsh: cannot execute /usr/sbin/nscd: Permission denied
chsh: nscd exited with status 126
chsh: Failed to flush the nscd cache.
chsh: cannot execute /usr/sbin/nscd: Permission denied
chsh: nscd exited with status 126
chsh: Failed to flush the nscd cache.
chsh: cannot execute /usr/sbin/nscd: Permission denied
chsh: nscd exited with status 126
chsh: Failed to flush the nscd cache.
"""

Denials:

"""
type=AVC msg=audit(1359292385.975:238): avc: denied { execute } for pid=4814 comm="chsh" name="nscd" dev="dm-3" ino=1318296 scontext=root:sysadm_r:chfn_t tcontext=system_u:object_r:nscd_exec_t tclass=file
type=AVC msg=audit(1359292435.537:256): avc: denied { execute } for pid=4833 comm="chsh" name="nscd" dev="dm-3" ino=1318296 scontext=root:staff_r:chfn_t tcontext=system_u:object_r:nscd_exec_t tclass=file
type=AVC msg=audit(1359292435.541:257): avc: denied { execute } for pid=4834 comm="chsh" name="nscd" dev="dm-3" ino=1318296 scontext=root:staff_r:chfn_t tcontext=system_u:object_r:nscd_exec_t tclass=file
type=AVC msg=audit(1359292435.546:258): avc: denied { execute } for pid=4835 comm="chsh" name="nscd" dev="dm-3" ino=1318296 scontext=root:staff_r:chfn_t tcontext=system_u:object_r:nscd_exec_t tclass=file
"""
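The denials in the two reports above (chfn_t reading the file_context_t files, chfn_t executing nscd, and the process-class entries that only show up once `semodule -D -B` has disabled the dontaudit rules) are all in the standard AVC format, in two framings: the kernel/syslog form (`type=1400 audit(...): avc: denied ...`) and the auditd form (`type=AVC msg=audit(...): avc: denied ...`). The script below is an added example and is not code from the report, from the Gentoo policy or from the rev 12 fix. It parses both framings, merges denials per (source type, target type, object class) into audit2allow-style raw allow rules, and tags each merged rule with the note a policy reviewer would want. The sample log is constructed from lines copied out of this thread plus one unrelated kernel line; the function names, the `TRANSITION_NOISE` set and the tag strings are my own choices.

```python
"""Aggregate SELinux AVC denials into candidate policy rules.

Added example for this bug thread; not part of the report, the Gentoo
policy, or the rev 12 fix.  Handles both framings seen in the thread:
kernel/syslog ("type=1400 audit(...): avc: denied ...") and auditd
("type=AVC msg=audit(...): avc: denied ...").
"""
import re
from collections import defaultdict

# Constructed sample: denials copied from the thread above, plus one
# unrelated kernel line to show that non-AVC lines are skipped.
SAMPLE_LOG = """\
Jan 23 20:22:15 lain kernel: [20290.691037] type=1400 audit(1358968935.217:561): avc: denied { search } for pid=18195 comm="chsh" name="files" dev="dm-0" ino=23724598 scontext=staff_u:sysadm_r:chfn_t tcontext=system_u:object_r:file_context_t tclass=dir
Jan 23 20:22:15 lain kernel: [20290.691054] type=1400 audit(1358968935.217:562): avc: denied { read } for pid=18195 comm="chsh" name="file_contexts.subs_dist" dev="dm-0" ino=10757565 scontext=staff_u:sysadm_r:chfn_t tcontext=system_u:object_r:file_context_t tclass=file
Jan 23 20:22:15 lain kernel: [20290.691064] type=1400 audit(1358968935.217:563): avc: denied { open } for pid=18195 comm="chsh" path="/etc/selinux/strict/contexts/files/file_contexts.subs_dist" dev="dm-0" ino=10757565 scontext=staff_u:sysadm_r:chfn_t tcontext=system_u:object_r:file_context_t tclass=file
Jan 23 20:22:15 lain kernel: [20290.691075] type=1400 audit(1358968935.217:564): avc: denied { getattr } for pid=18195 comm="chsh" path="/etc/selinux/strict/contexts/files/file_contexts.subs_dist" dev="dm-0" ino=10757565 scontext=staff_u:sysadm_r:chfn_t tcontext=system_u:object_r:file_context_t tclass=file
Jan 23 20:22:15 lain kernel: [20290.890740] type=1400 audit(1358968935.417:568): avc: denied { execute } for pid=18200 comm="chsh" name="nscd" dev="dm-0" ino=7243201 scontext=staff_u:sysadm_r:chfn_t tcontext=system_u:object_r:nscd_exec_t tclass=file
Jan 23 20:22:15 lain kernel: [20290.890754] type=1400 audit(1358968935.417:569): avc: denied { read open } for pid=18200 comm="chsh" path="/usr/sbin/nscd" dev="dm-0" ino=7243201 scontext=staff_u:sysadm_r:chfn_t tcontext=system_u:object_r:nscd_exec_t tclass=file
Jan 23 20:23:38 lain kernel: [20373.354685] type=1400 audit(1358969018.044:577): avc: denied { rlimitinh } for pid=18281 comm="chsh" scontext=staff_u:sysadm_r:sysadm_t tcontext=staff_u:sysadm_r:chfn_t tclass=process
type=AVC msg=audit(1359292385.975:238): avc: denied { execute } for pid=4814 comm="chsh" name="nscd" dev="dm-3" ino=1318296 scontext=root:sysadm_r:chfn_t tcontext=system_u:object_r:nscd_exec_t tclass=file
Jan 23 20:23:50 lain kernel: [20385.000000] usb 1-1: new high-speed USB device number 4 using ehci_hcd
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
# Permissions refpolicy's domain_transition_pattern dontaudits; they surface
# only when dontaudit rules are disabled, as in the report, and are not a gap.
TRANSITION_NOISE = frozenset({"rlimitinh", "siginh", "noatsecure"})


def context_type(ctx):
    """Return the type field of a user:role:type[:mls] security context."""
    return ctx.split(":")[2]


def parse_avc(line):
    """Parse one log line; return a dict, or None if it is not an AVC denial."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("rest"))}
    if not all(k in fields for k in ("scontext", "tcontext", "tclass")):
        return None
    return {
        "perms": frozenset(m.group("perms").split()),
        "stype": context_type(fields["scontext"]),
        "ttype": context_type(fields["tcontext"]),
        "tclass": fields["tclass"],
        "comm": fields.get("comm", "?"),
        "target": fields.get("path") or fields.get("name") or "",
    }


def aggregate(lines):
    """Group denials by (source type, target type, class), unioning permissions."""
    merged = defaultdict(set)
    for line in lines:
        d = parse_avc(line)
        if d:
            merged[(d["stype"], d["ttype"], d["tclass"])] |= d["perms"]
    return dict(merged)


def classify(key, perms):
    """Tag a merged rule with the review note a policy writer would want."""
    _stype, ttype, tclass = key
    if tclass == "process" and perms <= TRANSITION_NOISE:
        return "transition-noise"         # normally dontaudited; no real gap
    if tclass == "file" and "execute" in perms and ttype.endswith("_exec_t"):
        return "wants-domain-transition"  # grant via a domtrans/run interface
    return "review"


def allow_rules(merged):
    """Render merged denials as raw allow rules, the way audit2allow would."""
    rules = []
    for (stype, ttype, tclass), perms in sorted(merged.items()):
        p = sorted(perms)
        perm_str = p[0] if len(p) == 1 else "{ " + " ".join(p) + " }"
        rules.append(f"allow {stype} {ttype}:{tclass} {perm_str};")
    return rules


if __name__ == "__main__":
    merged = aggregate(SAMPLE_LOG.splitlines())
    for key, rule in zip(sorted(merged), allow_rules(merged)):
        print(f"{rule:60s} # {classify(key, merged[key])}")
```

Run as a script it prints one merged rule per line with its tag. The raw allow rules are the upper bound of what the denials ask for, not the fix: in a refpolicy-based tree like Gentoo's the reads of file_context_t and the execution of nscd would be granted through the module interfaces for those types, an `execute` denial on an `*_exec_t` type normally means a domain transition is wanted rather than a bare execute permission, and the process-class `rlimitinh`/`siginh`/`noatsecure` entries appear only because the dontaudit rules were disabled with `semodule -D -B`.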
Fixed in repo, will be in r12
rev 12 in main tree, ~arch'ed
stabilized