Bug 1257057
| Field | Value |
|---|---|
| Summary | AVC denial: scontext=system_u:unconfined_r:passwd_t:s0 tcontext=system_u:object_r:user_tmp_t:s0 tclass=dir |
| Product | Red Hat Enterprise Linux 7 |
| Component | selinux-policy |
| Version | 7.3 |
| Hardware | All |
| OS | Linux |
| Status | CLOSED ERRATA |
| Severity | medium |
| Priority | medium |
| Target Milestone | rc |
| Target Release | --- |
| Reporter | Patrik Kis <pkis> |
| Assignee | Lukas Vrabec <lvrabec> |
| QA Contact | Milos Malik <mmalik> |
| CC | lvrabec, mgrepl, mmalik, othstu, plautrba, pvrabec, ssekidde |
| Fixed In Version | selinux-policy-3.13.1-92.el7 |
| Doc Type | Bug Fix |
| Type | Bug |
| Story Points | --- |
| Regression | --- |
| Mount Type | --- |
| Documentation | --- |
| Category | --- |
| oVirt Team | --- |
| Cloudforms Team | --- |
| Last Closed | 2016-11-04 02:21:09 UTC |
Description
Patrik Kis
2015-08-26 07:51:25 UTC
It happens if gnome-keyring-d is not running.

This error is reported in /var/log/audit/audit.log after a user uses the passwd command to change their password while the gnome-keyring-daemon process is not running with their user ID. If a user logs into the GUI, the gnome-keyring-daemon process is started with their user ID on login and there is no problem with passwd. However, our RHEL systems do not use the GUI, so there is no gnome-keyring-daemon process running, and so every time a user changes their password this error appears in the audit log. (A user base of more than 500 users means this error appears frequently.) Even if the gnome-keyring-daemon process is running, but as a different user ID from the user changing their password, the denied error will still be generated.

This denied error can be allowed with a policy module:

```
grep -e '1462339594.221:775' /var/log/audit/audit.log | audit2allow -M mygnomekeyring
semodule -i mygnomekeyring.pp
semodule -B
```

However, this gives rise to a new denied error (aureport -a):

```
8. 04/05/16 15:28:37 gnome-keyring-d unconfined_u:unconfined_r:passwd_t:s0-s0:c0.c1023 49 sock_file create unconfined_u:object_r:user_tmp_t:s0 denied 858
```

If this error is also allowed, it gives rise to 13 new denied errors (aureport -a):

```
13. 04/05/16 16:12:39 gnome-keyring-d unconfined_u:unconfined_r:passwd_t:s0-s0:c0.c1023 83 dir write unconfined_u:object_r:user_home_dir_t:s0 denied 562
14. 04/05/16 16:12:39 gnome-keyring-d unconfined_u:unconfined_r:passwd_t:s0-s0:c0.c1023 83 dir write unconfined_u:object_r:user_home_dir_t:s0 denied 563
15. 04/05/16 16:12:39 dbus-launch unconfined_u:unconfined_r:passwd_t:s0-s0:c0.c1023 42 tcp_socket name_connect system_u:object_r:xserver_port_t:s0 denied 564
16. 04/05/16 16:12:39 dbus-launch unconfined_u:unconfined_r:passwd_t:s0-s0:c0.c1023 42 tcp_socket name_connect system_u:object_r:xserver_port_t:s0 denied 565
17. 04/05/16 16:12:39 dbus-launch unconfined_u:unconfined_r:passwd_t:s0-s0:c0.c1023 42 tcp_socket name_connect system_u:object_r:xserver_port_t:s0 denied 566
18. 04/05/16 16:12:39 dbus-launch unconfined_u:unconfined_r:passwd_t:s0-s0:c0.c1023 42 tcp_socket name_connect system_u:object_r:xserver_port_t:s0 denied 567
19. 04/05/16 16:12:39 dbus-launch unconfined_u:unconfined_r:passwd_t:s0-s0:c0.c1023 42 tcp_socket name_connect system_u:object_r:xserver_port_t:s0 denied 568
20. 04/05/16 16:12:39 dbus-launch unconfined_u:unconfined_r:passwd_t:s0-s0:c0.c1023 42 tcp_socket name_connect system_u:object_r:xserver_port_t:s0 denied 569
21. 04/05/16 16:12:39 gnome-keyring-d unconfined_u:unconfined_r:passwd_t:s0-s0:c0.c1023 87 sock_file unlink unconfined_u:object_r:user_tmp_t:s0 denied 570
22. 04/05/16 16:12:39 gnome-keyring-d unconfined_u:unconfined_r:passwd_t:s0-s0:c0.c1023 87 sock_file unlink unconfined_u:object_r:user_tmp_t:s0 denied 571
23. 04/05/16 16:12:39 gnome-keyring-d unconfined_u:unconfined_r:passwd_t:s0-s0:c0.c1023 87 sock_file unlink unconfined_u:object_r:user_tmp_t:s0 denied 572
24. 04/05/16 16:12:39 gnome-keyring-d unconfined_u:unconfined_r:passwd_t:s0-s0:c0.c1023 87 sock_file unlink unconfined_u:object_r:user_tmp_t:s0 denied 573
25. 04/05/16 16:12:39 gnome-keyring-d unconfined_u:unconfined_r:passwd_t:s0-s0:c0.c1023 84 dir rmdir unconfined_u:object_r:user_tmp_t:s0 denied 574
```

It seems every time the process is not halted by SELinux but is allowed to continue, new problems are created because SELinux is not set up correctly for this feature of password maintenance.

There are more related AVC denials; please consider adding them to the policy:

```
type=SYSCALL msg=audit(1469007634.604:2112): arch=c000003e syscall=49 success=no exit=-13 a0=5 a1=7ffe18c17970 a2=6e a3=2 items=0 ppid=19201 pid=19215 auid=4294967295 uid=1001 gid=1001 euid=1001 suid=1001 fsuid=1001 egid=1001 sgid=1001 fsgid=1001 tty=pts0 ses=4294967295 comm="gnome-keyring-d" exe="/usr/bin/gnome-keyring-daemon" subj=system_u:unconfined_r:passwd_t:s0 key=(null)
type=AVC msg=audit(1469007634.604:2112): avc: denied { create } for pid=19215 comm="gnome-keyring-d" name="control" scontext=system_u:unconfined_r:passwd_t:s0 tcontext=system_u:object_r:user_tmp_t:s0 tclass=sock_file
```

I'm not able to reproduce these AVC denials and they pop up randomly, so new related AVCs may appear in the future.

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2016-2283.html
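The report shows the hazard of allowlisting denials one at a time with audit2allow: each `allow` rule lets gnome-keyring-daemon, still running in the passwd_t domain, get one step further and trip the next denial. Before loading a generated module with `semodule -i`, it is worth seeing every denial grouped by source type, target type and object class, so the full set of permissions being granted to passwd_t is visible at once. The following is an added example, not code from the bug report, from selinux-policy or from audit2allow: it parses raw `type=AVC` records the way they appear in /var/log/audit/audit.log and prints the candidate allow rules, annotated with the program (comm) that caused each one. The function names are my own and the sample records are constructed for the example; only the first two follow the record quoted in the report.

```python
"""Group SELinux AVC denials into candidate allow rules for review.

Added example (not part of the bug report, selinux-policy or audit2allow).
It performs a small part of what audit2allow does: parse raw AVC records and
collect the denied permissions per (source type, target type, class).
"""
import re
from collections import defaultdict

# Constructed sample audit records. The first two mirror the record quoted in
# the report; the rest are modelled on the aureport lines it lists.
SAMPLE_AUDIT_LOG = """\
type=SYSCALL msg=audit(1469007634.604:2112): arch=c000003e syscall=49 success=no exit=-13 comm="gnome-keyring-d" exe="/usr/bin/gnome-keyring-daemon" subj=system_u:unconfined_r:passwd_t:s0 key=(null)
type=AVC msg=audit(1469007634.604:2112): avc:  denied  { create } for  pid=19215 comm="gnome-keyring-d" name="control" scontext=system_u:unconfined_r:passwd_t:s0 tcontext=system_u:object_r:user_tmp_t:s0 tclass=sock_file
type=AVC msg=audit(1469007700.001:2120): avc:  denied  { unlink } for  pid=19240 comm="gnome-keyring-d" name="control" scontext=unconfined_u:unconfined_r:passwd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=sock_file
type=AVC msg=audit(1469007700.002:2121): avc:  denied  { write } for  pid=19240 comm="gnome-keyring-d" name="user1" scontext=unconfined_u:unconfined_r:passwd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_dir_t:s0 tclass=dir
type=AVC msg=audit(1469007700.003:2122): avc:  denied  { name_connect } for  pid=19241 comm="dbus-launch" scontext=unconfined_u:unconfined_r:passwd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:xserver_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1469007700.004:2123): avc:  granted  { read } for  pid=19242 comm="passwd" scontext=unconfined_u:unconfined_r:passwd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:shadow_t:s0 tclass=file
"""

# One AVC record: result, permission set in braces, then the two contexts and the class.
AVC_RE = re.compile(
    r'type=AVC\b.*?\bavc:\s+(?P<result>denied|granted)\s+'
    r'\{\s*(?P<perms>[^}]*?)\s*\}\s+for\b.*?'
    r'\bscontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)'
)
COMM_RE = re.compile(r'\bcomm="(?P<comm>[^"]*)"')


def type_of(context):
    """Return the type field of a context user:role:type[:range].

    Splitting on ':' is safe even for MLS ranges such as s0-s0:c0.c1023,
    because the type is always the third field.
    """
    return context.split(':')[2]


def parse_avc_denials(text):
    """Return one dict per denied AVC record; 'granted' records (from
    auditallow rules) and non-AVC records such as SYSCALL are skipped."""
    denials = []
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m or m.group('result') != 'denied':
            continue
        comm_m = COMM_RE.search(line)
        denials.append({
            'comm': comm_m.group('comm') if comm_m else None,
            'perms': m.group('perms').split(),
            'stype': type_of(m.group('scontext')),
            'ttype': type_of(m.group('tcontext')),
            'tclass': m.group('tclass'),
        })
    return denials


def candidate_allow_rules(denials):
    """Collapse denials into allow rules keyed by (source, target, class),
    merging the permission sets and recording which programs triggered them."""
    groups = defaultdict(lambda: {'perms': set(), 'comms': set()})
    for d in denials:
        g = groups[(d['stype'], d['ttype'], d['tclass'])]
        g['perms'].update(d['perms'])
        if d['comm']:
            g['comms'].add(d['comm'])
    rules = []
    for (stype, ttype, tclass), g in sorted(groups.items()):
        perms = ' '.join(sorted(g['perms']))
        comms = ', '.join(sorted(g['comms'])) or 'unknown'
        rules.append(f"allow {stype} {ttype}:{tclass} {{ {perms} }};  # triggered by: {comms}")
    return rules


if __name__ == '__main__':
    for rule in candidate_allow_rules(parse_avc_denials(SAMPLE_AUDIT_LOG)):
        print(rule)
```

On the constructed input this prints three rules, all with passwd_t as the source domain and with user_tmp_t, user_home_dir_t and xserver_port_t as targets. Seeing them together makes the review question explicit: whether the password-changing domain should be able to create sockets in user temporary directories, write to home directories and connect to X server ports, or whether, as the report suggests, the policy for this code path needed fixing rather than widening. In production, feed `ausearch -m AVC -ts recent` output into `parse_avc_denials` instead of the sample string.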