Bug 1971228
| Summary: | SELinux is preventing /usr/sbin/unix_chkpwd from getattr access on the filesystem /proc | ||
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 8 | Reporter: | Jimmie Mayfield <mayfield+bugzilla> |
| Component: | selinux-policy | Assignee: | Zdenek Pytela <zpytela> |
| Status: | CLOSED DUPLICATE | QA Contact: | Milos Malik <mmalik> |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | ||
| Version: | 8.0 | CC: | baker1tex, lvrabec, mmalik, plautrba, ssekidde, stevenhrosenberg, yoyang |
| Target Milestone: | beta | Keywords: | Triaged |
| Target Release: | 8.5 | Flags: | pm-rhel:
mirror+
|
| Hardware: | x86_64 | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | Doc Type: | No Doc Update | |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2021-06-16 16:47:40 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
| Bug Depends On: | |||
| Bug Blocks: | 1969483 | ||
I can confirm this issue in CentOS Stream 8. This commit needs to be backported:
commit 0b26432144f0b6f2140b974b9c508d991286bfa4
Author: Zdenek Pytela <zpytela>
Date: Mon Jan 4 19:50:49 2021 +0100
Allow domain stat /proc filesystem
Resolves: rhbz#1892401
I also can confirm this issue on my installation of CentOS Stream 8. I believe this bug is a duplicate of BZ#1967125. What version of libcap-ng package is installed on the machine? # rpm -qa libcap\* Thank you. > rpm -qa libpcap\*
libpcap-1.9.1-5.el8.x86_64
Thank you for the confirmation, resolution for this bz should be a part of RHEL 8.5, it is a (non-obvious) dup of bz#1967125. *** This bug has been marked as a duplicate of bug 1967125 *** On my fully-patched CentOS Stream 8 virtual machine: rpm -qa libcap\* libcap-ng-0.7.11-1.el8.x86_64 libcap-2.26-4.el8.x86_64 |
Description of problem: On CentOS 8 Stream, SELinux 'unix_chkpwd' triggers an SELinux violation sealert -l f26706db-2c08-4ee4-b0cf-be5534e68597 SELinux is preventing /usr/sbin/unix_chkpwd from getattr access on the filesystem /proc. ... Raw Audit Messages type=AVC msg=audit(1623556801.295:290): avc: denied { getattr } for pid=10311 comm="unix_chkpwd" name="/" dev="proc" ino=1 scontext=system_u:system_r:chkpwd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:proc_t:s0 tclass=filesystem permissive=0 ... type=SYSCALL msg=audit(1623556801.295:290): arch=x86_64 syscall=fstatfs success=no exit=EACCES a0=3 a1=7fff617eba70 a2=0 a3=0 items=0 ppid=10301 pid=10311 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=unix_chkpwd exe=/usr/sbin/unix_chkpwd subj=system_u:system_r:chkpwd_t:s0-s0:c0.c1023 key=(null) Version-Release number of selected component (if applicable): OS: CentOS 8 Stream with the most recent updates pam-1.3.1-15.el8.x86_64 selinux-policy-3.14.3-68.el8.noarch As far as SELinux policies and PAM configuration are concerned, this machine appears to be using the package default configurations. No local customizations have been made to SELinux or PAM config. How reproducible: This occurs every time someone logs into the machine Steps to Reproduce: 1. Log into the machine 2. 3. Actual results: Successful login is accompanied by a series of messages written to the journal indicating unix_chkpwd has triggered an SELinux action Expected results: Near as I can tell, this machine has no customized local policies and is using the default PAM config files. I would expect a default installation to not trigger SELinux actions. Additional info: