[DSE-Dev] Bug#813604: newrole: pamd error
cgzones
cgzones at googlemail.com
Wed Feb 3 15:16:54 UTC 2016
Package: newrole
Version: 2.4-4
When I try to use newrole on Debian testing with upstream refpolicy
(https://github.com/TresysTechnology/refpolicy) installed, I get the
following error:
root@debianSe:~# newrole -r sysadm_r -t sysadm_t
Password:
newrole: incorrect password for root
Error sending audit message.
There is an error message in /var/log/auth.log:
Feb 3 16:58:53 debianSe newrole: PAM audit_log_acct_message() failed: Operation not permitted
The transition should be allowed by SELinux:
root@debianSe:~# semanage user -l
SELinux User    SELinux Roles
root            staff_r sysadm_r
staff_u         staff_r sysadm_r
sysadm_u        sysadm_r
system_u        system_r
unconfined_u    unconfined_r
user_u          user_r
root@debianSe:~# id -Z
root:staff_r:staff_t
When I configure the seuser like 'semanage -m -R sysadm_r root', I can
log in with a sysadm_r role.
root@debianSe:~# cat /etc/pam.d/newrole
#%PAM-1.0
@include common-auth
@include common-account
@include common-session
session required pam_namespace.so unmnt_remnt no_unmount_on_close