Bug 471344

Summary: SELinux is preventing the passwd from using potentially mislabeled files (2F7661722F746D702F6B646563616368652D6474696C6F63616C2F6B70632F6B64652D69636F6E2D63616368652E696E646578202864656C6574656429).
Product: Fedora
Reporter: Jerry Amundson <jamundso>
Component: kdebase
Assignee: Than Ngo <than>
Status: CLOSED DUPLICATE
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: medium
Priority: medium
Version: 9
CC: dwalsh, jkubin, jreznik, kevin, lorenzo, ltinkl, mgrepl, rdieter, than, tuxbrewr
Target Milestone: ---
Target Release: ---
Hardware: All
OS: Linux
Doc Type: Bug Fix
Story Points: ---
Last Closed: 2009-02-06 14:43:32 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Cloudforms Team: ---

Description Jerry Amundson 2008-11-13 03:49:53 UTC
Description of problem:
useradd newuser, echo newpass | passwd --stdin newuser, causes avc denial

Version-Release number of selected component (if applicable):
selinux-policy-3.3.1-42.fc9.noarch
selinux-policy-targeted-3.3.1-42.fc9.noarch

How reproducible:
Once.

Steps to Reproduce:
1. useradd newuser, echo newpass | passwd --stdin newuser
2. avc denial pops up
Actual results:
avc denial

Expected results:
normal operation

Additional info:

Summary:

SELinux is preventing the passwd from using potentially mislabeled files
(2F7661722F746D702F6B646563616368652D6474696C6F63616C2F6B70632F6B64652D69636F6E2D63616368652E696E646578202864656C6574656429).

Detailed Description:

SELinux has denied passwd access to potentially mislabeled file(s)
(2F7661722F746D702F6B646563616368652D6474696C6F63616C2F6B70632F6B64652D69636F6E2D63616368652E696E646578202864656C6574656429).
This means that SELinux will not allow passwd to use these files. It is common
for users to edit files in their home directory or tmp directories and then move
(mv) them to system directories. The problem is that the files end up with the
wrong file context which confined applications are not allowed to access.

Allowing Access:

If you want passwd to access this files, you need to relabel them using
restorecon -v
'2F7661722F746D702F6B646563616368652D6474696C6F63616C2F6B70632F6B64652D69636F6E2D63616368652E696E646578202864656C6574656429'.
You might want to relabel the entire directory using restorecon -R -v ''.

Additional Information:

Source Context                unconfined_u:unconfined_r:passwd_t:s0-s0:c0.c1023
Target Context                unconfined_u:object_r:user_tmp_t:s0
Target Objects                2F7661722F746D702F6B646563616368652D6474696C6F6361
                              6C2F6B70632F6B64652D69636F6E2D63616368652E696E6465
                              78202864656C6574656429 [ file ]
Source                        passwd
Source Path                   /usr/bin/passwd
Port                          <Unknown>
Host                          jerry-d600f9
Source RPM Packages           passwd-0.75-2.fc9
Target RPM Packages           
Policy RPM                    selinux-policy-3.3.1-42.fc9
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   home_tmp_bad_labels
Host Name                     jerry-d600f9
Platform                      Linux jerry-d600f9 2.6.25-14.fc9.i686 #1 SMP Thu
                              May 1 06:28:41 EDT 2008 i686 i686
Alert Count                   1
First Seen                    Wed 12 Nov 2008 09:39:57 PM CST
Last Seen                     Wed 12 Nov 2008 09:39:57 PM CST
Local ID                      00e9ba70-c0e4-4488-9730-aa22776e3cb8
Line Numbers                  

Raw Audit Messages            

host=jerry-d600f9 type=AVC msg=audit(1226547597.633:88): avc:  denied  { read write } for  pid=18628 comm="passwd" path=2F7661722F746D702F6B646563616368652D6474696C6F63616C2F6B70632F6B64652D69636F6E2D63616368652E696E646578202864656C6574656429 dev=dm-0 ino=885565 scontext=unconfined_u:unconfined_r:passwd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=file

host=jerry-d600f9 type=AVC msg=audit(1226547597.633:88): avc:  denied  { read write } for  pid=18628 comm="passwd" path=2F7661722F746D702F6B646563616368652D6474696C6F63616C2F6B70632F6B64652D69636F6E2D63616368652E64617461202864656C6574656429 dev=dm-0 ino=885566 scontext=unconfined_u:unconfined_r:passwd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=file

host=jerry-d600f9 type=SYSCALL msg=audit(1226547597.633:88): arch=40000003 syscall=11 success=yes exit=0 a0=94085b0 a1=940b8e8 a2=940b6f8 a3=0 items=0 ppid=16257 pid=18628 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts2 ses=2 comm="passwd" exe="/usr/bin/passwd" subj=unconfined_u:unconfined_r:passwd_t:s0-s0:c0.c1023 key=(null)

Comment 1 Daniel Walsh 2008-11-13 22:20:39 UTC
type=AVC msg=audit(11/12/08 22:39:57.633:88) : avc:  denied  { read write } for  
pid=18628 comm=passwd path=/var/tmp/kdecache-dtilocal/kpc/kde-icon-cache.data (deleted) dev=dm-0 ino=885566 scontext=unconfined_u:unconfined_r:passwd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=file 

kde/kdm is leaking an open file descriptor to the file "/var/tmp/kdecache-dtilocal/kpc/kde-icon-cache.data"; this is passed on to konsole, which passes it on to passwd. SELinux notices this and closes the open file descriptor.

Nothing is actually prevented by this avc, so you can ignore it for now.

Open file descriptors should be closed on exec.

fcntl(fd, F_SETFD, FD_CLOEXEC); /* close-on-exec */

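The descriptor leak described in Comment 1, as an added example (not code from this bug, KDE or passwd): a plain descriptor is still open in the exec'd child, while one marked FD_CLOEXEC is closed by execve() and so never reaches the confined program. It assumes /bin/sh is available to probe the exec'd process; the scratch descriptor on /dev/null stands in for the leaked cache file.

```c
#include <fcntl.h>
#include <stdio.h>
#include <sys/wait.h>
#include <unistd.h>

/* Mark fd close-on-exec without clobbering other FD_* flags (the fix Comment 1
 * suggests, done as F_GETFD | FD_CLOEXEC). Returns 0 on success, -1 on error. */
int set_cloexec(int fd)
{
    int flags = fcntl(fd, F_GETFD);
    if (flags < 0)
        return -1;
    return fcntl(fd, F_SETFD, flags | FD_CLOEXEC) < 0 ? -1 : 0;
}

/* Returns 1 if fd is still open inside a freshly exec'd /bin/sh, 0 if execve()
 * closed it, -1 if fork/wait failed. The shell dups the fd onto its stdout,
 * which only succeeds when the descriptor survived the exec (assumes /bin/sh). */
int fd_survives_exec(int fd)
{
    char cmd[64];
    int status; pid_t pid;
    snprintf(cmd, sizeof cmd, ": 2>/dev/null >&%d", fd);
    pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        execl("/bin/sh", "sh", "-c", cmd, (char *)NULL);
        _exit(127);            /* exec failed: report as "closed" */
    }
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) && WEXITSTATUS(status) == 0;
}

/* Constructed stand-in for the cache file kdm leaves open: leaked or fixed. */
int open_scratch(int cloexec)
{
    int fd = open("/dev/null", O_RDWR);
    if (fd >= 0 && cloexec && set_cloexec(fd) < 0) { close(fd); return -1; }
    return fd;
}

int main(void)
{
    int leaked = open_scratch(0), fixed = open_scratch(1);
    printf("inherited fd %d survives exec: %d\n", leaked, fd_survives_exec(leaked));
    printf("FD_CLOEXEC fd %d survives exec: %d\n", fixed, fd_survives_exec(fixed));
    return 0;
}
```

Opening the file with O_CLOEXEC in the first place avoids the race between open() and fcntl() in multithreaded programs.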
Comment 2 Steven M. Parrish 2009-02-06 14:43:32 UTC

*** This bug has been marked as a duplicate of bug 484370 ***