Bug 1374262

Summary: SELinux prevents Cockpit's PAM cockpit-session from resetting expired passwords
Product: [Fedora] Fedora Reporter: Stef Walter <stefw>
Component: selinux-policyAssignee: Lukas Vrabec <lvrabec>
Status: CLOSED ERRATA QA Contact: BaseOS QE Security Team <qe-baseos-security>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: 24CC: dominick.grift, dperpeet, dwalsh, jlebon, lvrabec, mgrepl, mmalik, plautrba, pvolpe, pvrabec, ssekidde
Target Milestone: ---   
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: selinux-policy-3.13.1-191.20.fc24 Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2016-11-10 03:30:05 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Stef Walter 2016-09-08 11:10:21 UTC 
Description of problem:

cockpit-session runs a PAM stack. It needs to be able to reset expired passwords via the standard PAM mechanisms. SELinux is preventing that from working.

Sep 08 13:06:10 falcon.thewalter.lan audit[25444]: AVC avc:  denied  { read } for  pid=25444 comm="cockpit-session" name="pw_dict.pwd" dev="sda1" ino=791037 scontext=system_u:system_r:cockpit_session_t:s0 tcontext=system_u:object_r:crack_db_t:s0 tclass=file permissive=1
Sep 08 13:06:10 falcon.thewalter.lan audit[25444]: AVC avc:  denied  { open } for  pid=25444 comm="cockpit-session" path="/usr/share/cracklib/pw_dict.pwd" dev="sda1" ino=791037 scontext=system_u:system_r:cockpit_session_t:s0 tcontext=system_u:object_r:crack_db_t:s0 tclass=file permissive=1
Sep 08 13:06:10 falcon.thewalter.lan audit[25444]: AVC avc:  denied  { getattr } for  pid=25444 comm="cockpit-session" path="/usr/share/cracklib/pw_dict.pwi" dev="sda1" ino=791038 scontext=system_u:system_r:cockpit_session_t:s0 tcontext=system_u:object_r:crack_db_t:s0 tclass=file permissive=1
Sep 08 13:06:13 falcon.thewalter.lan audit[25444]: AVC avc:  denied  { write } for  pid=25444 comm="cockpit-session" name=".pwd.lock" dev="sda1" ino=2228600 scontext=system_u:system_r:cockpit_session_t:s0 tcontext=system_u:object_r:passwd_file_t:s0 tclass=file permissive=1
Sep 08 13:06:13 falcon.thewalter.lan audit[25444]: AVC avc:  denied  { create } for  pid=25444 comm="cockpit-session" name="nshadow" scontext=system_u:system_r:cockpit_session_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file permissive=1
Sep 08 13:06:13 falcon.thewalter.lan audit[25444]: AVC avc:  denied  { write } for  pid=25444 comm="cockpit-session" path="/etc/nshadow" dev="sda1" ino=2229348 scontext=system_u:system_r:cockpit_session_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file permissive=1
Sep 08 13:06:13 falcon.thewalter.lan audit[25444]: AVC avc:  denied  { setattr } for  pid=25444 comm="cockpit-session" name="nshadow" dev="sda1" ino=2229348 scontext=system_u:system_r:cockpit_session_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file permissive=1
Sep 08 13:06:13 falcon.thewalter.lan audit[25444]: AVC avc:  denied  { rename } for  pid=25444 comm="cockpit-session" name="nshadow" dev="sda1" ino=2229348 scontext=system_u:system_r:cockpit_session_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file permissive=1
Sep 08 13:06:13 falcon.thewalter.lan audit[25444]: AVC avc:  denied  { unlink } for  pid=25444 comm="cockpit-session" name="shadow" dev="sda1" ino=2229957 scontext=system_u:system_r:cockpit_session_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file permissive=1

Version-Release number of selected component (if applicable):

cockpit-118-1.fc24.x86_64
selinux-policy-3.13.1-191.14.fc24.noarch
Comment 2 Stef Walter 2016-09-08 11:47:35 UTC 
This is also something we need fixed in RHEL 7.3. But the specifics of the bug report above are for Fedora. I'll also come up with the data for RHEL 7.3.
Comment 3 Stef Walter 2016-09-09 18:12:06 UTC 
Tracker for when this happens during Cockpit integration tests:

https://github.com/cockpit-project/cockpit/issues/5010

Similar RHEL 7.3 bug: 

https://bugzilla.redhat.com/show_bug.cgi?id=1374572
Comment 4 Stef Walter 2016-09-09 18:14:54 UTC 
Obviously same issue happens on Fedora 25
Comment 5 Daniel Walsh 2016-09-13 13:52:52 UTC 
I see this in Upstream policy, which I think is what you need.
auth_login_pgm_domain(cockpit_session_t)
Comment 6 Lukas Vrabec 2016-09-20 13:33:24 UTC 
Fixes added to our github repo.
Comment 7 Fedora Update System 2016-11-04 12:12:03 UTC 
selinux-policy-3.13.1-191.20.fc24 has been submitted as an update to Fedora 24. https://bodhi.fedoraproject.org/updates/FEDORA-2016-7ce27629b3
Comment 8 Fedora Update System 2016-11-05 03:36:36 UTC 
selinux-policy-3.13.1-191.20.fc24 has been pushed to the Fedora 24 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2016-7ce27629b3
Comment 9 Fedora Update System 2016-11-10 03:30:05 UTC 
selinux-policy-3.13.1-191.20.fc24 has been pushed to the Fedora 24 stable repository. If problems still persist, please make note of it in this bug report.