Bug 595280

Summary: SELinux is preventing /usr/sbin/semodule "read" access on passwd.
Product: Fedora
Reporter: upgradeservices
Component: selinux-policy
Assignee: Miroslav Grepl <mgrepl>
Status: CLOSED WONTFIX
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: medium
Priority: low
Version: 12
CC: dwalsh, mgrepl
Hardware: x86_64
OS: Linux
Whiteboard: setroubleshoot_trace_hash:02c15353d58fe90e907b732b581b11ebd170f4e8f727159b9a20346e7ae4ce30
Doc Type: Bug Fix
Last Closed: 2010-10-01 06:06:11 UTC

Description upgradeservices 2010-05-24 09:26:51 UTC
Summary:

SELinux is preventing /usr/sbin/semodule "read" access on passwd.

Detailed Description:

SELinux denied access requested by semodule. It is not expected that this access
is required by semodule and this access may signal an intrusion attempt. It is
also possible that the specific version or configuration of the application is
causing it to require additional access.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ
(http://docs.fedoraproject.org/selinux-faq-fc5/#id2961385) Please file a bug
report.

Additional Information:

Source Context                unconfined_u:system_r:semanage_t:s0-s0:c0.c1023
Target Context                unconfined_u:object_r:shadow_t:s0
Target Objects                passwd [ file ]
Source                        semodule
Source Path                   /usr/sbin/semodule
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           policycoreutils-2.0.82-4.fc12
Target RPM Packages           
Policy RPM                    selinux-policy-3.6.32-114.fc12
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Plugin Name                   catchall
Host Name                     (removed)
Platform                      Linux (removed)
                              2.6.32.12-115.fc12.x86_64 #1 SMP Fri Apr 30
                              19:46:25 UTC 2010 x86_64 x86_64
Alert Count                   3
First Seen                    Mon 24 May 2010 11:25:17 AM EDT
Last Seen                     Mon 24 May 2010 11:25:17 AM EDT
Local ID                      6ec52979-4209-4fcf-a8e9-9f7d906e80a3
Line Numbers                  

Raw Audit Messages            

node=(removed) type=AVC msg=audit(1274714717.830:28543): avc:  denied  { read } for  pid=3436 comm="semodule" name="passwd" dev=sda6 ino=185966 scontext=unconfined_u:system_r:semanage_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:shadow_t:s0 tclass=file

node=(removed) type=SYSCALL msg=audit(1274714717.830:28543): arch=c000003e syscall=2 success=no exit=-13 a0=7f2b16feaa5a a1=80000 a2=1b6 a3=0 items=0 ppid=3435 pid=3436 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="semodule" exe="/usr/sbin/semodule" subj=unconfined_u:system_r:semanage_t:s0-s0:c0.c1023 key=(null)

Hash String generated from catchall,semodule,semanage_t,shadow_t,file,read
audit2allow suggests:

#============= semanage_t ==============
allow semanage_t shadow_t:file read;

Comment 1 upgradeservices 2010-05-24 09:35:47 UTC
Was running pungi:
pungi --name=fx64 --ver=F12 --destdir=/somedir/p_dest --cachedir=/somedir/p_cache --nosource --nosplitmedia --force --config=/somedir/ks.cfg -G -C -B

Comment 2 Daniel Walsh 2010-05-24 15:46:16 UTC
For some reason, some app relabeled /etc/passwd to shadow_t, which is wrong.

restorecon /etc/passwd

will fix.

Any idea how it got mislabeled?  Did you use some kind of tool to add a user?

Comment 3 Miroslav Grepl 2010-05-24 17:35:46 UTC
I am trying to reproduce it with pungi tool.

Comment 4 upgradeservices 2010-05-25 15:23:08 UTC
Guys, could it be that the SELinux reporting tool picks up the errors from the image which is being created with pungi, as opposed to the 'host' OS?
Here is what I have on the host where pungi runs:

ls --lcontext /etc/passwd
-rw-r--r--. 1 system_u:object_r:etc_t:s0       root 2.2K 2010-05-18 20:21 /etc/passwd

ls --lcontext /etc/shadow
----------. 1 system_u:object_r:shadow_t:s0    root 1.3K 2010-05-18 20:21 /etc/shadow

restorecon /etc/passwd

ls --lcontext /etc/passwd
-rw-r--r--. 1 system_u:object_r:etc_t:s0       root root 2208 2010-05-18 20:21 /etc/passwd

Above seems to be OK - right?

I can provide the ks used for pungi [if this is related at all]; it contains entries to automatically add a user, among other things, and I reckon this is when the SELinux alert is triggered. Also note, the spun image has SELinux set to enforcing by default; when I change this option in the ks to disabled, no errors are generated at all.
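Added example, not part of the bug report or of setroubleshoot: a POSIX shell snippet that parses an AVC line in the format of the raw audit message in the description, extracts the source and target types, and flags the specific case Comment 2 diagnoses (a file named passwd carrying shadow_t where the host listing in Comment 4 shows etc_t), printing the restorecon fix instead of the audit2allow rule. The sample line is copied from the report; the function names are this example's own.

```shell
#!/bin/sh
# Added example, not from the bug report: classify an AVC denial line
# before reaching for audit2allow. SAMPLE is the raw audit message from
# the report; the function names below are this example's own.
SAMPLE='node=(removed) type=AVC msg=audit(1274714717.830:28543): avc:  denied  { read } for  pid=3436 comm="semodule" name="passwd" dev=sda6 ino=185966 scontext=unconfined_u:system_r:semanage_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:shadow_t:s0 tclass=file'

# avc_field LINE KEY -> value of the key=value pair, quotes stripped
avc_field() {
    printf '%s\n' "$1" | sed -n "s/.*[[:space:]]$2=\([^ ]*\).*/\1/p" | tr -d '"'
}

# avc_perm LINE -> the permission inside "{ ... }" (here: read)
avc_perm() {
    printf '%s\n' "$1" | sed -n 's/.*{ *\([a-z_]*\) *}.*/\1/p'
}

# ctx_type CONTEXT -> the SELinux type, the third colon-separated field
ctx_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# summary LINE -> "COMM(SOURCE_TYPE) PERM NAME(TARGET_TYPE)"
summary() {
    printf '%s(%s) %s %s(%s)\n' "$(avc_field "$1" comm)" \
        "$(ctx_type "$(avc_field "$1" scontext)")" "$(avc_perm "$1")" \
        "$(avc_field "$1" name)" "$(ctx_type "$(avc_field "$1" tcontext)")"
}

# passwd_mislabel LINE -> exit 0 when the denied object is a file named
# passwd labeled shadow_t (it should be etc_t); exit 1 for anything else,
# which is a genuine policy question rather than a relabeling accident.
passwd_mislabel() {
    [ "$(avc_field "$1" tclass)" = file ] &&
    [ "$(avc_field "$1" name)" = passwd ] &&
    [ "$(ctx_type "$(avc_field "$1" tcontext)")" = shadow_t ]
}

# remedy LINE -> the fix from Comment 2 for a mislabel, empty otherwise
remedy() {
    if passwd_mislabel "$1"; then
        printf 'restorecon -v /etc/passwd\n'
    fi
}

summary "$SAMPLE"
remedy "$SAMPLE"
```

After running the printed restorecon, the label can be checked the way Comment 4 does, with ls --lcontext /etc/passwd.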

Comment 5 Daniel Walsh 2010-05-25 15:36:45 UTC
I think we need to ignore all avc messages created when running pungi.  It is too strange an environment, and is very mislabeled when it runs.  Maybe once we have policy for mock we can look at supporting pungi.