So on a default Fedora installation, as a regular user trying to run
newrole -r sysadm_r, I get this:
testuser@optimus-prime:~$ newrole -r sysadm_r
cannot find your entry in the passwd file.
Now, in newrole.c:364, there is the code:
    if( !(pw=getpwnam(context_user_get(context))) ) {
        fprintf(stderr,_("cannot find your entry in the passwd file.\n"));
        exit(-1);
    }
context_user_get just returns the user identity portion of the security
context of the current process. Since I have no special user identity
defined, it defaults to user_u, which is obviously not in the passwd
file.
This conflicts with our current default Fedora policy; we have in the
SELinux users file:
user user_u roles { user_r ifdef(`user_canbe_sysadm', `sysadm_r
system_r') };
The user_canbe_sysadm tunable is on by default, but the user can't use
newrole to get to that role - only su.
So how to fix this bug? I understand the reason we're using the SELinux
user identity - SELinux doesn't want to trust the Linux uid. But
perhaps it would be good if we had a way to say that for particular
SELinux user identities like user_u, newrole could just use the Linux
uid for authentication.
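As an added illustration (not code from newrole or from the mail above), here is a small stand-alone program that reproduces the lookup newrole does today and then applies the fallback the mail proposes: extract the user identity from a "user:role:type" context string, try it with getpwnam() as now, and only for a generic identity such as user_u fall back to the Linux uid. The context string is constructed rather than read with libselinux so the program runs anywhere, and the list of "generic" identities (only user_u here) is a hypothetical placeholder for whatever a real fix would make configurable.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <pwd.h>
#include <unistd.h>
#include <sys/types.h>

/*
 * Hypothetical set of SELinux user identities that are "generic": many
 * Linux accounts share them, so the identity alone cannot name a passwd
 * entry.  A real fix would load this from policy or a config file.
 */
static const char *const generic_identities[] = { "user_u", NULL };

/* Copy the user identity ("user_u" from "user_u:user_r:user_t") into buf.
 * Returns buf, or NULL if the identity is empty or does not fit. */
const char *context_user(const char *ctx, char *buf, size_t len)
{
    const char *colon;
    size_t n;

    if (ctx == NULL || *ctx == '\0')
        return NULL;
    colon = strchr(ctx, ':');
    n = colon ? (size_t)(colon - ctx) : strlen(ctx);
    if (n == 0 || n >= len)
        return NULL;
    memcpy(buf, ctx, n);
    buf[n] = '\0';
    return buf;
}

/* 1 if seuser is one of the generic identities above, else 0. */
int is_generic_identity(const char *seuser)
{
    const char *const *p;
    for (p = generic_identities; *p != NULL; p++)
        if (strcmp(*p, seuser) == 0)
            return 1;
    return 0;
}

/*
 * Resolve the passwd entry the way the proposed change would:
 *   1. try the SELinux user identity as a login name (today's behaviour);
 *   2. only for a generic identity, fall back to the Linux uid.
 * Returns 0 and sets *out on success, -1 otherwise.  *used_fallback is
 * set to 1 when step 2 supplied the entry, so a caller can log it.
 */
int resolve_passwd(const char *ctx, uid_t uid, struct passwd **out,
                   int *used_fallback)
{
    char seuser[256];
    struct passwd *pw;

    *out = NULL;
    *used_fallback = 0;
    if (context_user(ctx, seuser, sizeof seuser) == NULL)
        return -1;

    pw = getpwnam(seuser);
    if (pw == NULL && is_generic_identity(seuser)) {
        pw = getpwuid(uid);
        if (pw != NULL)
            *used_fallback = 1;
    }
    if (pw == NULL)
        return -1;
    *out = pw;
    return 0;
}

int main(void)
{
    /* Constructed sample context: what a regular user gets under the
     * policy described in the mail. */
    const char *ctx = "user_u:user_r:user_t";
    struct passwd *pw;
    int fb;

    if (resolve_passwd(ctx, getuid(), &pw, &fb) != 0) {
        fprintf(stderr, "cannot find your entry in the passwd file.\n");
        return 1;
    }
    printf("resolved %s -> %s (uid %u)%s\n", ctx, pw->pw_name,
           (unsigned)pw->pw_uid, fb ? " via Linux uid fallback" : "");
    return 0;
}
```

The point of keeping the fallback behind is_generic_identity() is that a context whose user identity is a real login name still has to match that name; only the identities the policy deliberately shares between accounts let the Linux uid stand in, which keeps the original reason for distrusting the uid intact for everyone else.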