On Wed, 17 Mar 2004 23:41, Stephen Smalley <sds@epoch.ncsc.mil> wrote:
> On Wed, 2004-03-17 at 06:27, Carsten Grohmann wrote:
> > On Dienstag, 16. März 2004 19:13, Stephen Smalley wrote:
> > > To debug the newrole failure in enforcing mode, do a 'make
> > > enableaudit reload' in policy and then try using newrole, and
> >
> > "make enableaudit" was a good hint. The newrole domain needs read
> > access to shadow_t. The attached patch grant this by using the auth
> > attribute.
>
> This should be handled by having pam_unix run the helper program when it
> cannot directly read /etc/shadow, and the helper program should run in a
> domain that can read /etc/shadow. Do you have the same problem with the

Of course that might not be the problem. Even when things are working perfectly with the correct PAM modules it will still try to access /etc/shadow and run unix_chkpwd when direct access fails.

I have found a problem where I can't change role from sysadm_r to staff_r, I still haven't got time to debug this.

-- 
http://www.coker.com.au/selinux/   My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/    Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/  My home page


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.