Bug 2041460
| Summary: | Password change not working because of opasswd file not writable | | |
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 8 | Reporter: | Gerwin Krist <gerwinkrist> |
| Component: | selinux-policy | Assignee: | Zdenek Pytela <zpytela> |
| Status: | CLOSED WONTFIX | QA Contact: | Milos Malik <mmalik> |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | | |
| Version: | 8.4 | CC: | jjelen, lvrabec, mmalik, zpytela |
| Target Milestone: | rc | Keywords: | Triaged |
| Target Release: | 8.9 | | |
| Hardware: | noarch | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Fixed In Version: | | Doc Type: | If docs needed, set a value |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2023-07-17 07:28:13 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
Does it help when you use the pam_pwhistory module instead of the pam_unix remember functionality?

* https://bugzilla.redhat.com/show_bug.cgi?id=1412838#c3

Hi Milos,

I restored the opasswd file to shadow_t and changed my system-auth to (the pwhistory line added):

```
password requisite pam_pwquality.so try_first_pass local_users_only
password requisite pam_pwhistory.so use_authtok remember=3
password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok
```

But it still is not working.
AVC:

```
type=AVC msg=audit(1642684486.213:21419): avc: denied { noatsecure } for pid=109657 comm="sshd" scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:chkpwd_t:s0-s0:c0.c1023 tclass=process permissive=0
type=AVC msg=audit(1642684486.213:21419): avc: denied { rlimitinh } for pid=109657 comm="unix_chkpwd" scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:chkpwd_t:s0-s0:c0.c1023 tclass=process permissive=0
type=AVC msg=audit(1642684486.213:21419): avc: denied { siginh } for pid=109657 comm="unix_chkpwd" scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:chkpwd_t:s0-s0:c0.c1023 tclass=process permissive=0
type=AVC msg=audit(1642684486.225:21421): avc: denied { noatsecure } for pid=109658 comm="sshd" scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:chkpwd_t:s0-s0:c0.c1023 tclass=process permissive=0
type=AVC msg=audit(1642684486.225:21421): avc: denied { rlimitinh } for pid=109658 comm="unix_chkpwd" scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:chkpwd_t:s0-s0:c0.c1023 tclass=process permissive=0
type=AVC msg=audit(1642684486.225:21421): avc: denied { siginh } for pid=109658 comm="unix_chkpwd" scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:chkpwd_t:s0-s0:c0.c1023 tclass=process permissive=0
type=AVC msg=audit(1642684486.228:21423): avc: denied { noatsecure } for pid=109659 comm="sshd" scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:chkpwd_t:s0-s0:c0.c1023 tclass=process permissive=0
type=AVC msg=audit(1642684486.228:21423): avc: denied { rlimitinh } for pid=109659 comm="unix_chkpwd" scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:chkpwd_t:s0-s0:c0.c1023 tclass=process permissive=0
type=AVC msg=audit(1642684486.228:21423): avc: denied { siginh } for pid=109659 comm="unix_chkpwd" scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:chkpwd_t:s0-s0:c0.c1023 tclass=process permissive=0
type=AVC msg=audit(1642684488.432:21425): avc: denied { noatsecure } for pid=109660 comm="sshd" scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:chkpwd_t:s0-s0:c0.c1023 tclass=process permissive=0
type=AVC msg=audit(1642684488.432:21425): avc: denied { rlimitinh } for pid=109660 comm="unix_chkpwd" scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:chkpwd_t:s0-s0:c0.c1023 tclass=process permissive=0
type=AVC msg=audit(1642684488.432:21425): avc: denied { siginh } for pid=109660 comm="unix_chkpwd" scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:chkpwd_t:s0-s0:c0.c1023 tclass=process permissive=0
type=AVC msg=audit(1642684488.455:21426): avc: denied { noatsecure } for pid=109661 comm="sshd" scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:chkpwd_t:s0-s0:c0.c1023 tclass=process permissive=0
```
Just to rule things out I also updated to the latest policy: 3.14.3-80.el8_5.2

Based on the SELinux denials listed in comment#2, I'm guessing that you removed the dontaudit rules, right?

```
# semodule -DB
```

These SELinux denials usually do not appear because the active policy contains the dontaudit rules. Please run the following command:

```
# semodule -B
```

and let me know if the Steps to Reproduce still trigger new SELinux denials:

```
# ausearch -m avc -m user_avc -m selinux_err -i -ts recent
```

recent = last 10 minutes

Thank you.

Hi Milos,

You flagged me as needinfo. But what info are you missing?

Please read comment#4.

I wonder if new SELinux denials still appear after running the "semodule -B" command.

(In reply to Milos Malik from comment #6)
> Please read comment#4.
>
> I wonder if new SELinux denials still appear after running the "semodule -B"
> command.

My bad! No AVCs in logging now.

(In reply to Gerwin Krist from comment #7)
> (In reply to Milos Malik from comment #6)
> > Please read comment#4.
> >
> > I wonder if new SELinux denials still appear after running the "semodule -B"
> > command.
>
> My bad! No AVCs in logging now.

Thanks for confirming, can you also verify using pam_pwhistory instead of the pam_unix/remember works for you?

I have this active now:

```
fgrep -A 1 -B 1 'pwhistory' *
password-auth-password requisite pam_pwquality.so try_first_pass local_users_only
password-auth:password requisite pam_pwhistory.so remember=5 use_authtok
password-auth-password sufficient pam_unix.so sha512 shadow try_first_pass use_authtok remember=24
--
system-auth-password requisite pam_pwquality.so try_first_pass local_users_only
system-auth:password requisite pam_pwhistory.so remember=5 use_authtok
system-auth-password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok
```

But it does not make a difference.
(In reply to Gerwin Krist from comment #9)
> I have this active now:
>
> fgrep -A 1 -B 1 'pwhistory' *
>
> password-auth-password requisite pam_pwquality.so try_first_pass local_users_only
> password-auth:password requisite pam_pwhistory.so remember=5 use_authtok
> password-auth-password sufficient pam_unix.so sha512 shadow try_first_pass use_authtok remember=24
> --
> system-auth-password requisite pam_pwquality.so try_first_pass local_users_only
> system-auth:password requisite pam_pwhistory.so remember=5 use_authtok
> system-auth-password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok
>
> But it does not make a difference.

I am sorry, I don't understand. Previously, you reported no AVC denials after disabling dontaudit rules again. Does that mean then that the pam_pwhistory module does not work as expected?

Short answer: no, it's not working yet :-) I will try to explain:
1. Added pam_pwhistory.so remember=5 use_authtok to pam config
2. ausearch -m avc -m user_avc -m selinux_err -i -ts recent => no results
3. Login with the expired user. Try to change password => Fails
4. ausearch -m avc -m user_avc -m selinux_err -i -ts recent => no results
5. setenforce 0
6. Login with the expired user. Try to change password => Great success
7. opasswd file changed to passwd_file_t

But only after step 6 I see that there are AVCs (permissive of course):
```
type=PROCTITLE msg=audit(26-01-22 10:24:41.005:1411) : proctitle=sshd: expireduser [pam]
type=SYSCALL msg=audit(26-01-22 10:24:41.005:1411) : arch=x86_64 syscall=openat success=yes exit=12 a0=0xffffff9c a1=0x7f3068b3652f a2=O_WRONLY|O_CREAT|O_CLOEXEC a3=0x180 items=0 ppid=263025 pid=263027 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=sshd exe=/usr/sbin/sshd subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(26-01-22 10:24:41.005:1411) : avc: denied { write } for pid=263027 comm=sshd name=.pwd.lock dev="vda2" ino=393433 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:passwd_file_t:s0 tclass=file permissive=1
----
type=PROCTITLE msg=audit(26-01-22 10:24:41.024:1412) : proctitle=sshd: expireduser [pam]
type=PATH msg=audit(26-01-22 10:24:41.024:1412) : item=3 name=(null) inode=419791 dev=fd:02 mode=file,600 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:passwd_file_t:s0 nametype=CREATE cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
type=PATH msg=audit(26-01-22 10:24:41.024:1412) : item=2 name=(null) inode=393471 dev=fd:02 mode=dir,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:etc_t:s0 nametype=PARENT cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
type=PATH msg=audit(26-01-22 10:24:41.024:1412) : item=1 name=(null) nametype=CREATE cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
type=PATH msg=audit(26-01-22 10:24:41.024:1412) : item=0 name=(null) inode=393471 dev=fd:02 mode=dir,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:etc_t:s0 nametype=PARENT cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
type=CWD msg=audit(26-01-22 10:24:41.024:1412) : cwd=/
type=SYSCALL msg=audit(26-01-22 10:24:41.024:1412) : arch=x86_64 syscall=openat success=yes exit=13 a0=0xffffff9c a1=0x7f3063cfe679 a2=O_WRONLY|O_CREAT|O_TRUNC a3=0x1b6 items=4 ppid=263025 pid=263027 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=sshd exe=/usr/sbin/sshd subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(26-01-22 10:24:41.024:1412) : avc: denied { create } for pid=263027 comm=sshd name=nopasswd scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:passwd_file_t:s0 tclass=file permissive=1
----
type=PROCTITLE msg=audit(26-01-22 10:24:41.024:1413) : proctitle=sshd: expireduser [pam]
type=SYSCALL msg=audit(26-01-22 10:24:41.024:1413) : arch=x86_64 syscall=fchown success=yes exit=0 a0=0xd a1=0x0 a2=0x0 a3=0x0 items=0 ppid=263025 pid=263027 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=sshd exe=/usr/sbin/sshd subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(26-01-22 10:24:41.024:1413) : avc: denied { setattr } for pid=263027 comm=sshd name=nopasswd dev="vda2" ino=419791 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:passwd_file_t:s0 tclass=file permissive=1
----
type=PROCTITLE msg=audit(26-01-22 10:24:41.031:1414) : proctitle=sshd: expireduser [pam]
type=PATH msg=audit(26-01-22 10:24:41.031:1414) : item=1 name=(null) inode=419791 dev=fd:02 mode=file,600 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:passwd_file_t:s0 nametype=CREATE cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
type=PATH msg=audit(26-01-22 10:24:41.031:1414) : item=0 name=(null) inode=393471 dev=fd:02 mode=dir,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:etc_t:s0 nametype=PARENT cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
type=CWD msg=audit(26-01-22 10:24:41.031:1414) : cwd=/
type=SYSCALL msg=audit(26-01-22 10:24:41.031:1414) : arch=x86_64 syscall=rename success=yes exit=0 a0=0x7f3063cfe679 a1=0x7f3063cfdcf4 a2=0x559cae2de2f0 a3=0x7f306b1ce980 items=2 ppid=263025 pid=263027 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=sshd exe=/usr/sbin/sshd subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(26-01-22 10:24:41.031:1414) : avc: denied { unlink } for pid=263027 comm=sshd name=opasswd dev="vda2" ino=419743 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:shadow_t:s0 tclass=file permissive=1
type=AVC msg=audit(26-01-22 10:24:41.031:1414) : avc: denied { rename } for pid=263027 comm=sshd name=nopasswd dev="vda2" ino=419791 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:passwd_file_t:s0 tclass=file permissive=1
----
type=PROCTITLE msg=audit(26-01-22 10:24:41.031:1415) : proctitle=sshd: expireduser [pam]
type=PATH msg=audit(26-01-22 10:24:41.031:1415) : item=3 name=(null) inode=419743 dev=fd:02 mode=file,600 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:shadow_t:s0 nametype=CREATE cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
type=PATH msg=audit(26-01-22 10:24:41.031:1415) : item=2 name=(null) inode=393220 dev=fd:02 mode=dir,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:etc_t:s0 nametype=PARENT cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
type=PATH msg=audit(26-01-22 10:24:41.031:1415) : item=1 name=(null) nametype=CREATE cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
type=PATH msg=audit(26-01-22 10:24:41.031:1415) : item=0 name=(null) inode=393220 dev=fd:02 mode=dir,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:etc_t:s0 nametype=PARENT cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
type=CWD msg=audit(26-01-22 10:24:41.031:1415) : cwd=/
type=SYSCALL msg=audit(26-01-22 10:24:41.031:1415) : arch=x86_64 syscall=openat success=yes exit=13 a0=0xffffff9c a1=0x7f3063cfe6e5 a2=O_WRONLY|O_CREAT|O_TRUNC a3=0x1b6 items=4 ppid=263025 pid=263027 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=sshd exe=/usr/sbin/sshd subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(26-01-22 10:24:41.031:1415) : avc: denied { write } for pid=263027 comm=sshd path=/etc/nshadow dev="vda2" ino=419743 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:shadow_t:s0 tclass=file permissive=1
type=AVC msg=audit(26-01-22 10:24:41.031:1415) : avc: denied { create } for pid=263027 comm=sshd name=nshadow scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:shadow_t:s0 tclass=file permissive=1
----
type=PROCTITLE msg=audit(26-01-22 10:24:41.031:1416) : proctitle=sshd: expireduser [pam]
type=SYSCALL msg=audit(26-01-22 10:24:41.031:1416) : arch=x86_64 syscall=fchown success=yes exit=0 a0=0xd a1=0x0 a2=0x0 a3=0x0 items=0 ppid=263025 pid=263027 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=sshd exe=/usr/sbin/sshd subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(26-01-22 10:24:41.031:1416) : avc: denied { setattr } for pid=263027 comm=sshd name=nshadow dev="vda2" ino=419743 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:shadow_t:s0 tclass=file permissive=1
----
type=PROCTITLE msg=audit(26-01-22 10:24:41.034:1417) : proctitle=sshd: expireduser [pam]
type=PATH msg=audit(26-01-22 10:24:41.034:1417) : item=1 name=(null) inode=419743 dev=fd:02 mode=file,000 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:shadow_t:s0 nametype=CREATE cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
type=PATH msg=audit(26-01-22 10:24:41.034:1417) : item=0 name=(null) inode=393220 dev=fd:02 mode=dir,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:etc_t:s0 nametype=PARENT cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
type=CWD msg=audit(26-01-22 10:24:41.034:1417) : cwd=/
type=SYSCALL msg=audit(26-01-22 10:24:41.034:1417) : arch=x86_64 syscall=rename success=yes exit=0 a0=0x7f3063cfe6e5 a1=0x7f3063cfe66d a2=0x559cae2de2f0 a3=0x0 items=2 ppid=263025 pid=263027 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=sshd exe=/usr/sbin/sshd subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(26-01-22 10:24:41.034:1417) : avc: denied { rename } for pid=263027 comm=sshd name=nshadow dev="vda2" ino=419743 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:shadow_t:s0 tclass=file permissive=1
```
Switching the component. According to the audited AVC denials, it seems sshd tries to access files like .pwd.lock, nshadow, opasswd, nopasswd when pam_pwhistory is used. Do you think this is correct?

Dear Zdenek,

Sorry for the delay with the answer.

I never looked into these parts of the code before, but it looks like yes. sshd uses the regular getpw* API, and we have an option
KerberosOrLocalPasswd
If password authentication through Kerberos fails then the password will be validated via any additional local mechanism such as /etc/passwd. The default is yes.
I don't think openssh is a proper component for this issue, so feel free to change it.
After evaluating this issue, there are no plans to address it further or fix it in an upcoming release. Therefore, it is being closed. If plans change such that this issue will be fixed in an upcoming release, then the bug can be reopened.
Description of problem:

When a user (running as user_u in this case) needs to update his password it fails because /etc/security/opasswd can't be updated.

Version-Release number of selected component (if applicable):

3.14.3-67.el8.noarch

Steps to Reproduce:
1. Setenforce 1 (doh!)
1. Expire password as root: passwd -e test_user
2. Login as Test user (via ssh)

Actual results:

User cannot change password, and secure log says:

```
Jan 17 11:28:27 servername sshd[3147091]: pam_unix(sshd:account): expired password for user test_user (root enforced)
Jan 17 11:28:34 servername sshd[3147091]: pam_unix(sshd:chauthtok): can't open /etc/security/opasswd file to check old passwords
```

Expected results:

Get logged in

Additional info:

This one looks like the bug report #1412838 attached to this one. But that one is for EL7 and pretty old actually (and should be fixed by an errata in early 2018). So maybe a regression or something else.

When the password is expired the /etc/security/opasswd has shadow_t as context (updating password fails). When I do setenforce 0, and reset the password as user, it works. But the context has been changed to passwd_file_t. After this, password changes work even with setenforce 1!

(silent) AVCs:

```
type=AVC msg=audit(1642414669.452:37094): avc: denied { read } for pid=3146427 comm="sshd" name="opasswd" dev="vda2" ino=393494 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:shadow_t:s0 tclass=file permissive=0
type=AVC msg=audit(1642414767.885:37127): avc: denied { read } for pid=3146467 comm="sshd" name="opasswd" dev="vda2" ino=393494 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:shadow_t:s0 tclass=file permissive=0
type=AVC msg=audit(1642414815.839:37160): avc: denied { noatsecure } for pid=3146561 comm="sshd" scontext=user_u:user_r:user_t:s0 tcontext=user_u:user_r:passwd_t:s0 tclass=process permissive=1
type=AVC msg=audit(1642414815.839:37160): avc: denied { rlimitinh } for pid=3146561 comm="passwd" scontext=user_u:user_r:user_t:s0 tcontext=user_u:user_r:passwd_t:s0 tclass=process permissive=1
type=AVC msg=audit(1642414815.839:37160): avc: denied { siginh } for pid=3146561 comm="passwd" scontext=user_u:user_r:user_t:s0 tcontext=user_u:user_r:passwd_t:s0 tclass=process permissive=1
type=AVC msg=audit(1642414815.862:37161): avc: denied { noatsecure } for pid=3146562 comm="passwd" scontext=user_u:user_r:passwd_t:s0 tcontext=user_u:user_r:chkpwd_t:s0 tclass=process permissive=1
type=AVC msg=audit(1642414815.862:37161): avc: denied { rlimitinh } for pid=3146562 comm="unix_chkpwd" scontext=user_u:user_r:passwd_t:s0 tcontext=user_u:user_r:chkpwd_t:s0 tclass=process permissive=1
type=AVC msg=audit(1642414815.862:37161): avc: denied { siginh } for pid=3146562 comm="unix_chkpwd" scontext=user_u:user_r:passwd_t:s0 tcontext=user_u:user_r:chkpwd_t:s0 tclass=process permissive=1
type=AVC msg=audit(1642414857.170:37202): avc: denied { read } for pid=3146593 comm="sshd" name="opasswd" dev="vda2" ino=393494 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:shadow_t:s0 tclass=file permissive=1
type=AVC msg=audit(1642414857.170:37202): avc: denied { open } for pid=3146593 comm="sshd" path="/etc/security/opasswd" dev="vda2" ino=393494 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:shadow_t:s0 tclass=file permissive=1
type=AVC msg=audit(1642414857.170:37203): avc: denied { getattr } for pid=3146593 comm="sshd" path="/etc/security/opasswd" dev="vda2" ino=393494 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:shadow_t:s0 tclass=file permissive=1
type=AVC msg=audit(1642414857.170:37205): avc: denied { write } for pid=3146593 comm="sshd" name=".pwd.lock" dev="vda2" ino=393433 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:passwd_file_t:s0 tclass=file permissive=1
type=AVC msg=audit(1642414857.186:37206): avc: denied { create } for pid=3146593 comm="sshd" name="nopasswd" scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:passwd_file_t:s0 tclass=file permissive=1
type=AVC msg=audit(1642414857.186:37207): avc: denied { setattr } for pid=3146593 comm="sshd" name="nopasswd" dev="vda2" ino=419770 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:passwd_file_t:s0 tclass=file permissive=1
type=AVC msg=audit(1642414857.207:37208): avc: denied { rename } for pid=3146593 comm="sshd" name="nopasswd" dev="vda2" ino=419770 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:passwd_file_t:s0 tclass=file permissive=1
type=AVC msg=audit(1642414857.207:37208): avc: denied { unlink } for pid=3146593 comm="sshd" name="opasswd" dev="vda2" ino=393494 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:shadow_t:s0 tclass=file permissive=1
type=AVC msg=audit(1642415314.681:37399): avc: denied { read } for pid=3147091 comm="sshd" name="opasswd" dev="vda2" ino=393494 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:shadow_t:s0 tclass=file permissive=0
```
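The AVC records in comment 2 and in the description mix two very different things: process-class noatsecure/rlimitinh/siginh records, which Milos identifies as normally hidden by dontaudit rules and visible only after `semodule -DB`, and file-class denials of sshd_t against the shadow_t/passwd_file_t password database, which are the ones that actually explain the failed password change. The following Python is an added example (not part of this report or of the selinux-policy project) that parses both the raw audit.log format and the `ausearch -i` format seen here, sorts records into those two buckets, and reports whether each password-database denial was enforced (permissive=0) or only logged (permissive=1); the sample records are copied from this report and the bucket names are my own.

```python
import re
from collections import Counter

# Matches raw audit.log records (comm="sshd") and `ausearch -i` output (comm=sshd).
AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*)$')
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

# Process permissions the policy normally dontaudits on a domain transition; they
# surface only after `semodule -DB` and do not explain a failing operation.
DONTAUDIT_NOISE = {"noatsecure", "rlimitinh", "siginh"}
# File types that make up the local password database.
PASSWORD_DB_TYPES = {"shadow_t", "passwd_file_t"}


def _type_of(context):
    """Return the type field of an SELinux context (user:role:type[:range])."""
    parts = context.split(":")
    return parts[2] if len(parts) > 2 else ""


def parse_avc(line):
    """Parse one AVC record into a dict; return None for non-AVC lines."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: q if q else b for k, q, b in FIELD_RE.findall(m.group("fields"))}
    return {
        "perms": set(m.group("perms").split()),
        "object": fields.get("name") or fields.get("path", ""),
        "stype": _type_of(fields.get("scontext", "")),
        "ttype": _type_of(fields.get("tcontext", "")),
        "tclass": fields.get("tclass", ""),
        "enforced": fields.get("permissive") == "0",  # permissive=1: logged, not blocked
    }


def classify(rec):
    """Bucket a parsed record: dontaudit noise, password-database access, or other."""
    if rec["tclass"] == "process" and rec["perms"] <= DONTAUDIT_NOISE:
        return "dontaudit-noise"
    if rec["tclass"] == "file" and rec["ttype"] in PASSWORD_DB_TYPES:
        return "password-db"
    return "other"


def summarize(lines):
    """Return per-bucket counts plus the password-database denials in log order."""
    counts, denials = Counter(), []
    for rec in filter(None, map(parse_avc, lines)):
        bucket = classify(rec)
        counts[bucket] += 1
        if bucket == "password-db":
            denials.append((rec["stype"], rec["ttype"], sorted(rec["perms"]),
                            rec["object"], rec["enforced"]))
    return counts, denials


# Records copied from this bug report: one dontaudit-noise line, one raw audit.log
# denial that was enforced, and two ausearch -i lines captured in permissive mode.
SAMPLE_LINES = [
    'type=AVC msg=audit(1642684486.213:21419): avc: denied { noatsecure } for pid=109657 comm="sshd" scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:chkpwd_t:s0-s0:c0.c1023 tclass=process permissive=0',
    'type=AVC msg=audit(1642415314.681:37399): avc: denied { read } for pid=3147091 comm="sshd" name="opasswd" dev="vda2" ino=393494 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:shadow_t:s0 tclass=file permissive=0',
    'type=AVC msg=audit(26-01-22 10:24:41.024:1412) : avc: denied { create } for pid=263027 comm=sshd name=nopasswd scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:passwd_file_t:s0 tclass=file permissive=1',
    'type=AVC msg=audit(26-01-22 10:24:41.031:1414) : avc: denied { unlink } for pid=263027 comm=sshd name=opasswd dev="vda2" ino=419743 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:shadow_t:s0 tclass=file permissive=1',
]
```

Calling `summarize(SAMPLE_LINES)` yields one dontaudit-noise record and three password-database denials, of which only the read of opasswd (shadow_t) was actually blocked; feeding it the full `ausearch -m avc -i` output makes the .pwd.lock, nopasswd and nshadow accesses from the page stand out from the transition noise.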