Bug 1495327

Summary: chpasswd and login need dac_override
Product: Fedora
Component: selinux-policy
Version: rawhide
Status: CLOSED RAWHIDE
Type: Bug
Severity: unspecified
Priority: unspecified
Hardware: Unspecified
OS: Unspecified
Reporter: Dusty Mabe <dustymabe>
Assignee: Lukas Vrabec <lvrabec>
QA Contact: Fedora Extras Quality Assurance <extras-qa>
CC: dwalsh, jpokorny, lsm5, lvrabec, mgrepl, miabbott, plautrba, pmoore
Last Closed: 2018-02-20 11:23:22 UTC

Description Dusty Mabe 2017-09-25 20:27:44 UTC
Description of problem:

When I boot an atomic host with cloud-init and the system tries to configure a user I get denials.

Here are the denials I am seeing:

```
[atomic@cloudhost ~]$ sudo ausearch -m avc,user_avc
----
time->Mon Sep 25 19:50:12 2017
type=PROCTITLE msg=audit(1506369012.772:113): proctitle=706173737764002D6C0061746F6D6963
type=SYSCALL msg=audit(1506369012.772:113): arch=c000003e syscall=257 success=yes exit=7 a0=ffffff9c a1=558417460790 a2=242 a3=0 items=0 ppid=778 pid=910 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="passwd" exe="/usr/bin/passwd" subj=system_u:system_r:passwd_t:s0 key=(null)
type=AVC msg=audit(1506369012.772:113): avc:  denied  { dac_override } for  pid=910 comm="passwd" capability=1  scontext=system_u:system_r:passwd_t:s0 tcontext=system_u:system_r:passwd_t:s0 tclass=capability permissive=1
----
time->Mon Sep 25 19:50:15 2017
type=PROCTITLE msg=audit(1506369015.232:152): proctitle="chpasswd"
type=SYSCALL msg=audit(1506369015.232:152): arch=c000003e syscall=257 success=yes exit=7 a0=ffffff9c a1=55cff26baaa0 a2=20902 a3=0 items=0 ppid=974 pid=1171 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="chpasswd" exe="/usr/sbin/chpasswd" subj=system_u:system_r:passwd_t:s0 key=(null)
type=AVC msg=audit(1506369015.232:152): avc:  denied  { dac_override } for  pid=1171 comm="chpasswd" capability=1  scontext=system_u:system_r:passwd_t:s0 tcontext=system_u:system_r:passwd_t:s0 tclass=capability permissive=1
----
time->Mon Sep 25 19:52:19 2017
type=PROCTITLE msg=audit(1506369139.946:176): proctitle=6C6F67696E202D2D206665646F7261
type=SYSCALL msg=audit(1506369139.946:176): arch=c000003e syscall=257 success=yes exit=3 a0=ffffff9c a1=556ec29b2fb0 a2=802 a3=0 items=0 ppid=989 pid=1217 auid=1001 uid=0 gid=1001 euid=0 suid=0 fsuid=0 egid=1001 sgid=1001 fsgid=1001 tty=ttyS0 ses=1 comm="login" exe="/usr/bin/login" subj=system_u:system_r:local_login_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1506369139.946:176): avc:  denied  { dac_override } for  pid=1217 comm="login" capability=1  scontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tcontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tclass=capability permissive=1
```


Version-Release number of selected component (if applicable):

```
[atomic@cloudhost ~]$ rpm -q selinux-policy kernel
selinux-policy-3.13.1-288.fc28.noarch
kernel-4.14.0-0.rc1.git4.1.fc28.x86_64
```

How reproducible:
Always

Steps to Reproduce:
1. Download https://kojipkgs.fedoraproject.org/compose/rawhide/Fedora-Rawhide-20170925.n.0/compose/CloudImages/x86_64/images/Fedora-Atomic-Rawhide-20170925.n.0.x86_64.qcow2
2. Edit the disk image to have enforcing=0 on the kernel command line (this might be easier with the raw.xz image, in the same directory as the other image, if you prefer)
3. Boot with a cloud-init config that sets a password, like:

```
#cloud-config
password: foopass
chpasswd: { expire: False }
ssh_pwauth: True
```

Actual results:
denials

Expected results:
able to log in with fedora/foopass
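
The records above are the raw `ausearch` output; the following is an added example (not code from the bug report or from selinux-policy) that parses those AVC lines and turns the capability denials into the kind of local policy module `audit2allow -M` would produce. The three sample records are constructed from the AVC lines quoted in the description; the module name `local_dac_override` and the output layout are assumptions.

```python
"""Parse SELinux AVC denials and turn capability denials into a local policy module.

Added example for this bug, not code from the report or from selinux-policy.
It does by hand, for these records, what `audit2allow -M` does in general.
The sample records are constructed from the AVC lines quoted in the
description; the module name is an assumption.
"""
import re
from collections import defaultdict

# Constructed sample input: the three AVC records from the bug, unchanged.
SAMPLE_AVCS = """\
type=AVC msg=audit(1506369012.772:113): avc:  denied  { dac_override } for  pid=910 comm="passwd" capability=1  scontext=system_u:system_r:passwd_t:s0 tcontext=system_u:system_r:passwd_t:s0 tclass=capability permissive=1
type=AVC msg=audit(1506369015.232:152): avc:  denied  { dac_override } for  pid=1171 comm="chpasswd" capability=1  scontext=system_u:system_r:passwd_t:s0 tcontext=system_u:system_r:passwd_t:s0 tclass=capability permissive=1
type=AVC msg=audit(1506369139.946:176): avc:  denied  { dac_override } for  pid=1217 comm="login" capability=1  scontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tcontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tclass=capability permissive=1
"""

AVC_RE = re.compile(
    r'type=AVC\b.*?avc:\s+(?P<result>denied|granted)\s+\{ (?P<perms>[^}]+)\}'
    r'.*?comm="(?P<comm>[^"]*)"'
    r'.*?scontext=(?P<scontext>\S+)'
    r'\s+tcontext=(?P<tcontext>\S+)'
    r'\s+tclass=(?P<tclass>\S+)'
    r'(?:\s+permissive=(?P<permissive>[01]))?'
)


def selinux_type(context):
    """Third field of user:role:type[:range] is the type (passwd_t, local_login_t, ...)."""
    return context.split(":")[2]


def parse_avcs(text):
    """Return one dict per AVC record; SYSCALL/PROCTITLE/separator lines are ignored."""
    records = []
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if m is None:
            continue
        records.append({
            "result": m["result"],
            "perms": m["perms"].split(),
            "comm": m["comm"],
            "stype": selinux_type(m["scontext"]),
            "ttype": selinux_type(m["tcontext"]),
            "tclass": m["tclass"],
            # permissive=1: the access went through and was only logged (the
            # reproducer boots with enforcing=0); under enforcing it would fail.
            "permissive": m["permissive"] == "1",
        })
    return records


def capability_allows(records):
    """Collapse capability denials into {source type: {capability names}}.

    Capability checks are always made against the process's own context, so
    the target is `self`; other classes (file, dir, ...) are out of scope here.
    """
    allows = defaultdict(set)
    for r in records:
        if r["result"] == "denied" and r["tclass"] == "capability" and r["stype"] == r["ttype"]:
            allows[r["stype"]].update(r["perms"])
    return dict(allows)


def _permset(perms):
    """SELinux syntax: a single permission is bare, several go in braces."""
    perms = sorted(perms)
    return perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"


def to_te(allows, module_name="local_dac_override"):
    """Render loadable-module .te source (the checkmodule/semodule_package form)."""
    if not allows:
        return f"module {module_name} 1.0;\n"
    all_perms = set().union(*allows.values())
    lines = [f"module {module_name} 1.0;", "", "require {"]
    lines += [f"\ttype {t};" for t in sorted(allows)]
    lines.append(f"\tclass capability {_permset(all_perms)};")
    lines += ["}", ""]
    for t in sorted(allows):
        lines.append(f"allow {t} self:capability {_permset(allows[t])};")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    recs = parse_avcs(SAMPLE_AVCS)
    for r in recs:
        print(f'{r["comm"]:<9} {r["stype"]:<15} {r["tclass"]} {" ".join(r["perms"])}')
    print()
    print(to_te(capability_allows(recs)), end="")
```

The `capability=1` in each record is CAP_DAC_OVERRIDE, the capability that lets a root process ignore file mode bits; that is what makes a mode 0000 `/etc/shadow` writable at all. The generated `.te` can be built and loaded with `checkmodule -M -m -o local_dac_override.mod local_dac_override.te`, `semodule_package -o local_dac_override.pp -m local_dac_override.mod` and `semodule -i local_dac_override.pp`. Because `dac_override` bypasses every DAC check for the whole domain, a local module of this kind is a stopgap until the distribution policy carries the rule (this bug was closed against Rawhide), and it should be removed once the shipped policy is updated.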

Comment 1 Daniel Walsh 2017-09-26 12:05:52 UTC
Yes, I would say passwd_t needs DAC_OVERRIDE since it is rewriting /etc/shadow, with permissions 0000.

Comment 2 Dusty Mabe 2017-09-26 12:38:18 UTC
(In reply to Daniel Walsh from comment #1)
> Yes, I would say passwd_t needs DAC_OVERRIDE since it is rewriting
> /etc/shadow, with permissions 0000.

What about `local_login_t` from the 3rd AVC?

Comment 3 Jan Pokorný [poki] 2017-09-27 07:01:58 UTC
Not sure if immediately related, but quite similar: [bug 1495839].

Comment 4 Daniel Walsh 2017-09-27 13:50:31 UTC
local login probably needs it to write content into the /root directory.