Bug 1369693
| Summary: | [qemu-guest-agent] cmd: guest-set-user-password: child process has failed to set user password | | |
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 7 | Reporter: | Zhengtong <zhengtli> |
| Component: | selinux-policy | Assignee: | Lukas Vrabec <lvrabec> |
| Status: | CLOSED ERRATA | QA Contact: | Milos Malik <mmalik> |
| Severity: | unspecified | Docs Contact: | |
| Priority: | unspecified | | |
| Version: | 7.3 | CC: | knoel, lvrabec, mgrepl, mkolaja, mmalik, plautrba, pvrabec, qzhang, ssekidde, xuhan, xuwei, zhengtli |
| Target Milestone: | rc | Keywords: | Regression |
| Target Release: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Fixed In Version: | selinux-policy-3.13.1-97.el7 | Doc Type: | If docs needed, set a value |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2016-11-04 02:37:42 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
Description
Zhengtong
2016-08-24 07:23:16 UTC
Tried with SELinux closed, and it works well. So the problem may be related to how to let the cmd "guest-set-user-password" work under SELinux.

There is a bug about qemu-ga running under SELinux: https://bugzilla.redhat.com/show_bug.cgi?id=1243458

This bug has been fixed before, so I marked the bug with the Regression keyword. If this is not the same problem, please change it back.

After fork/exec, chpasswd checks SELinux permissions:

    status = selinux_check_access(user_context, user_context, "passwd", "passwd", NULL);

and status = -1. There is nothing in log/messages. Moving to selinux-policy for further help/fix.

Hi,

Could you re-test the scenario in permissive mode:

    # setenforce 0

and after the test attach the output of:

    # ausearch -m AVC,USER_AVC,SELINUX_ERR -ts recent

Thank you.

Guest:

    [root@localhost ~]# setenforce 0
    [root@localhost ~]#

Host: guest agent:

    {"execute": "guest-set-user-password", "arguments": {"crypted": false, "username": "root", "password": "a3ZtYXV0b3Rlc3Q="}}
    {"return": {}}

Guest:

    [root@localhost ~]# ausearch -m AVC,USER_AVC,SELINUX_ERR -ts recent
    ----
    time->Fri Sep 2 20:59:23 2016
    type=USER_AVC msg=audit(1472821163.758:116): pid=3062 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:passwd_t:s0 msg='avc: denied { passwd } for scontext=system_u:system_r:virt_qemu_ga_t:s0 tcontext=system_u:system_r:virt_qemu_ga_t:s0 tclass=passwd exe="/usr/sbin/chpasswd" sauid=0 hostname=? addr=? terminal=?'
    ----
    time->Fri Sep 2 20:59:48 2016
    type=USER_AVC msg=audit(1472821188.203:118): pid=3109 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:passwd_t:s0 msg='avc: denied { passwd } for scontext=system_u:system_r:virt_qemu_ga_t:s0 tcontext=system_u:system_r:virt_qemu_ga_t:s0 tclass=passwd exe="/usr/sbin/chpasswd" sauid=0 hostname=? addr=? terminal=?'
    ----
    time->Fri Sep 2 21:00:01 2016
    type=USER_AVC msg=audit(1472821201.682:123): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc: received setenforce notice (enforcing=0) exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'

Hi,

Could you load a local policy and then try to reproduce it in enforcing state?

1. `# setenforce 1`
2. `$ cat virt_qemu_passwd.cil`

       (allow virt_qemu_ga_t self (passwd (passwd)))

3. `# semodule -i virt_qemu_passwd.cil`
4. Reproduce the scenario.

If it works, I'll add fixes.

Hi,

It works with the given method.

    [root@localhost ~]# getenforce
    Enforcing
    [root@localhost ~]# cat virt_qemu_passwd.cil
    (allow virt_qemu_ga_t self (passwd (passwd)))
    [root@localhost ~]# semodule -i virt_qemu_passwd.cil
    [root@localhost ~]#

    {"execute": "guest-set-user-password", "arguments": {"crypted": false, "username": "root", "password": "MTIzNDU2"}}
    {"return": {}}

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory, and where to find the updated files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2016-2283.html
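The step from the USER_AVC records to the local CIL module in the thread above can be reproduced mechanically. The following is an added example, not code from the bug report or from selinux-policy; the function names are hypothetical and the sample records are constructed in the shape of the ausearch output above.

```python
import re

# Constructed sample: two denials and one non-denial notice, shaped like the
# ausearch output in the thread (one audit record per line).
SAMPLE = "\n".join([
    "type=USER_AVC msg=audit(1472821163.758:116): pid=3062 uid=0 "
    "subj=system_u:system_r:passwd_t:s0 msg='avc: denied { passwd } for "
    "scontext=system_u:system_r:virt_qemu_ga_t:s0 "
    "tcontext=system_u:system_r:virt_qemu_ga_t:s0 tclass=passwd "
    "exe=\"/usr/sbin/chpasswd\" sauid=0 hostname=? addr=? terminal=?'",
    "type=USER_AVC msg=audit(1472821188.203:118): pid=3109 uid=0 "
    "subj=system_u:system_r:passwd_t:s0 msg='avc: denied { passwd } for "
    "scontext=system_u:system_r:virt_qemu_ga_t:s0 "
    "tcontext=system_u:system_r:virt_qemu_ga_t:s0 tclass=passwd "
    "exe=\"/usr/sbin/chpasswd\" sauid=0 hostname=? addr=? terminal=?'",
    "type=USER_AVC msg=audit(1472821201.682:123): pid=1 uid=0 "
    "subj=system_u:system_r:init_t:s0 msg='avc: received setenforce notice "
    "(enforcing=0) exe=\"/usr/lib/systemd/systemd\" sauid=0'",
])

DENIAL = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+.*?"
    r"scontext=(?P<s>\S+)\s+tcontext=(?P<t>\S+)\s+tclass=(?P<cls>\w+)"
)

def selinux_type(context):
    """Return the type field of a user:role:type:level context."""
    parts = context.split(":")
    if len(parts) < 3:
        raise ValueError(f"not an SELinux context: {context!r}")
    return parts[2]

def parse_denials(text):
    """Return sorted, de-duplicated (source, target, class, perm) tuples."""
    found = set()
    for line in text.splitlines():
        if "type=AVC" not in line and "type=USER_AVC" not in line:
            continue
        m = DENIAL.search(line)
        if m is None:
            continue  # USER_AVC notices such as 'received setenforce notice'
        src, tgt = selinux_type(m["s"]), selinux_type(m["t"])
        found.update((src, tgt, m["cls"], p) for p in m["perms"].split())
    return sorted(found)

def to_cil(denials):
    """Render one CIL allow rule per denial, using 'self' when source == target."""
    return [f"(allow {s} {'self' if s == t else t} ({c} ({p})))"
            for s, t, c, p in denials]

if __name__ == "__main__":
    print("\n".join(to_cil(parse_denials(SAMPLE))))
```

Review each generated rule before loading it with `semodule -i`: a denial collected in permissive mode shows what was requested, not what the domain should be allowed to do.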