Bug 2057297

Summary: useradd causes avc: denied { execute } for pid=57884 comm="chpasswd" name="sss_cache"
Product: Red Hat Enterprise Linux 9 Reporter: Cédric Jeanneret <cjeanner>
Component: selinux-policyAssignee: Zdenek Pytela <zpytela>
Status: CLOSED DUPLICATE QA Contact: Milos Malik <mmalik>
Severity: urgent Docs Contact:
Priority: urgent    
Version: 9.0CC: lvrabec, mmalik, ssekidde
Target Milestone: rcFlags: pm-rhel: mirror+
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: No Doc Update
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2022-02-23 07:44:17 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 2057261    

Description Cédric Jeanneret 2022-02-23 07:14:35 UTC 
This bug was initially created as a copy of Bug #2050952

I am copying this bug because: 
The initial BZ was reported against Fedora-35, but this issue also hits EL9, for instance raised here:
https://bugzilla.redhat.com/show_bug.cgi?id=2057261

So it's probably a matter of backporting the fix from Fedora.

Thank you!


Description of problem: In today's cockpit Fedora 35 test image refresh [1], there is a new SELinux rejection:

    avc:  denied  { execute } for  pid=57884 comm="chpasswd" name="sss_cache" dev="vda5" ino=39569 scontext=unconfined_u:unconfined_r:passwd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sssd_exec_t:s0 tclass=file permissive=0


Full journal at [2]. This seems to happen when running `useradd -G libvirt test_user`.


Version-Release number of selected component (if applicable):

There are a lot of package updates since last week [3], but the relevant ones are:

   selinux-policy (35.11-1.fc35 -> 35.13-1.fc35)
   sssd (2.6.1-1.fc35 -> 2.6.3-1.fc35)

At first sight, running "sss_cache" from chpasswd seems plausible -- but of course, if it isn't, please reassign to sssd.

Thanks!


[1] https://github.com/cockpit-project/bots/pull/2897
[2] https://logs.cockpit-project.org/logs/pull-2897-20220205-074019-32a8cfdc-fedora-35-firefox-cockpit-project-cockpit-machines/TestMachinesLifecycle-testLibvirt-fedora-35-127.0.0.2-2201-FAIL.log.gz
[3] https://logs.cockpit-project.org/logs/image-refresh-2897-20220205-065151/log
Comment 1 Milos Malik 2022-02-23 07:19:11 UTC 
I believe this bug is a duplicate of BZ#2054657.

$ matchpathcon /usr/bin/chage
/usr/bin/chage	system_u:object_r:passwd_exec_t:s0
$ matchpathcon /usr/sbin/chpasswd 
/usr/sbin/chpasswd	system_u:object_r:passwd_exec_t:s0
$
Comment 2 Cédric Jeanneret 2022-02-23 07:44:17 UTC 
Hey Milos,

I think you're perfectly right, lemme close this as duplicate then!

Thanks for the quick answer!

*** This bug has been marked as a duplicate of bug 2054657 ***