Bug 629897
Summary: | SELinux is preventing /usr/bin/chsh "write" access on /var/run/dbus/system_bus_socket. | ||
---|---|---|---|
Product: | [Fedora] Fedora | Reporter: | Carl G. <carlg> |
Component: | selinux-policy | Assignee: | Daniel Walsh <dwalsh> |
Status: | CLOSED ERRATA | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
Severity: | medium | Docs Contact: | |
Priority: | medium | ||
Version: | 14 | CC: | dwalsh, kzak, mgrepl, shamardin |
Target Milestone: | --- | ||
Target Release: | --- | ||
Hardware: | x86_64 | ||
OS: | Linux | ||
Whiteboard: | setroubleshoot_trace_hash:4e64965b9dbf6303c5ea36f86d8619aadf0ba4a770691df186c9eb3f66488c3c | ||
Fixed In Version: | selinux-policy-3.9.3-1.fc14 | Doc Type: | Bug Fix |
Last Closed: | 2010-09-11 03:42:19 UTC | Type: | --- |
Description
Carl G.
2010-09-03 08:29:46 UTC
What tool were you using when you saw this happen? accountsdialog?

Nope, I used chsh.

What does id -Z show? Do you have a leak of system_dbusd_var_run_t into your session?

    staff_u:staff_r:staff_t:s0

    staff_u user s0 s0-s0:c0.c1023 staff_r sysadm_r system_r unconfined_r

I don't have any other system_dbusd_var_run_t AVC or anything related to dbus right now.

Well I will reassign to util-linux to see if those guys have any idea.

chsh uses PAM, what do you have in your /etc/pam.d/{chsh,system-auth} ?

chsh :

    #%PAM-1.0
    auth sufficient pam_rootok.so
    auth include system-auth
    account include system-auth
    password include system-auth
    session include system-auth

system-auth :

    #%PAM-1.0
    # This file is auto-generated.
    # User changes will be destroyed the next time authconfig is run.
    auth required pam_env.so
    auth sufficient pam_fprintd.so
    auth sufficient pam_unix.so nullok try_first_pass
    auth requisite pam_succeed_if.so uid >= 500 quiet
    auth required pam_deny.so
    account required pam_unix.so
    account sufficient pam_localuser.so
    account sufficient pam_succeed_if.so uid < 500 quiet
    account required pam_permit.so
    password requisite pam_cracklib.so try_first_pass retry=3 type=
    password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok
    password required pam_deny.so
    session optional pam_keyinit.so revoke
    session required pam_limits.so
    session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
    session required pam_unix.so

    $ ldd /lib64/security/pam_fprintd.so | grep dbus
    libdbus-glib-1.so.2 => /usr/lib64/libdbus-glib-1.so.2 (0x00007ffc43852000)
    libdbus-1.so.3 => /lib64/libdbus-1.so.3 (0x00007ffc4360d000)

Fixed in selinux-policy-3.9.3-1.fc14

selinux-policy-3.9.3-1.fc14 has been submitted as an update for Fedora 14. https://admin.fedoraproject.org/updates/selinux-policy-3.9.3-1.fc14

selinux-policy-3.9.3-1.fc14 has been pushed to the Fedora 14 testing repository. If problems still persist, please make note of it in this bug report.
If you want to test the update, you can install it with su -c 'yum --enablerepo=updates-testing update selinux-policy'. You can provide feedback for this update here: https://admin.fedoraproject.org/updates/selinux-policy-3.9.3-1.fc14

selinux-policy-3.9.3-1.fc14 has been pushed to the Fedora 14 stable repository. If problems still persist, please make note of it in this bug report.
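The diagnosis in this thread (a PAM module pulled in through `include system-auth` links libdbus, so chsh touches the system bus socket) can be repeated for any PAM service. The following is an added example, not code from the report or from the selinux-policy or util-linux projects: the function names are hypothetical, `SAMPLE` is constructed input abridged from the two files quoted above, and the `/lib64/security` module directory is taken from the `ldd` command in the thread.

```python
import subprocess
from pathlib import Path

# Constructed sample input, abridged from the two PAM files quoted in this report.
SAMPLE = {
    "chsh": "auth sufficient pam_rootok.so\nauth include system-auth\nsession include system-auth\n",
    "system-auth": """#%PAM-1.0
auth required pam_env.so
auth sufficient pam_fprintd.so
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so
""",
}

def parse_rule(line):
    """Return (type, control, module) for one PAM rule, or None for blanks/comments."""
    fields = line.split("#", 1)[0].replace("\t", " ").strip().lstrip("-").split(None, 1)
    if len(fields) < 2:
        return None
    mtype, rest = fields
    sep = "]" if rest.startswith("[") else " "    # a bracketed control contains spaces
    control, _, rest = rest.partition(sep)
    args = rest.split()
    return (mtype, control.lstrip("["), args[0]) if args else None

def pam_modules(service, read_config, only_type=None, stack=()):
    """List (type, module) pairs a service loads, following include/substack."""
    if service in stack:                          # guard against include loops
        return []
    found = []
    for mtype, control, module in filter(None, map(parse_rule, read_config(service).splitlines())):
        if only_type and mtype != only_type:      # an include pulls in one type only
            continue
        if control in ("include", "substack"):
            found += pam_modules(module, read_config, mtype, stack + (service,))
        else:
            found.append((mtype, module))
    return found

def links_dbus(module, module_dir="/lib64/security"):
    """Same check as the ldd command in the thread: does the module link libdbus?"""
    path = module if module.startswith("/") else f"{module_dir}/{module}"
    out = subprocess.run(["ldd", path], capture_output=True, text=True).stdout
    return "libdbus" in out

def read_etc_pam(service):                        # reader for a live system
    return Path("/etc/pam.d", service).read_text()

def dbus_modules(service, read_config=read_etc_pam, links=links_dbus):  # modules that explain a D-Bus AVC
    return [(t, m) for t, m in pam_modules(service, read_config) if links(m)]
```

On a live system, `dbus_modules("chsh")` reads `/etc/pam.d` and runs `ldd` on each module; pass `SAMPLE.__getitem__` as `read_config` to work from the embedded sample instead.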