Bug 742630

Summary: /usr/bin/passwd produces lots of selinux errors
Product: Fedora
Component: selinux-policy
Version: 16
Hardware: x86_64
OS: Linux
Status: CLOSED ERRATA
Reporter: igor.redhat <igor.redhat>
Assignee: Miroslav Grepl <mgrepl>
QA Contact: Fedora Extras Quality Assurance <extras-qa>
CC: dominick.grift, dwalsh, mgrepl
Severity: unspecified
Priority: unspecified
Fixed In Version: selinux-policy-3.10.0-38.fc16
Doc Type: Bug Fix
Last Closed: 2011-10-09 19:36:49 UTC

Description igor.redhat@gmail.com 2011-09-30 19:55:26 UTC
Description of problem:

When running sudo passwd foo from a terminal, I immediately get 26 warnings in setroubleshoot.

Here is the first one:

SELinux is preventing /usr/bin/passwd from getattr access on the chr_file /dev/uinput.

*****  Plugin catchall (100. confidence) suggests  ***************************

If you believe that passwd should be allowed getattr access on the uinput chr_file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep passwd /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                unconfined_u:unconfined_r:passwd_t:s0-s0:c0.c1023
Target Context                system_u:object_r:event_device_t:s0
Target Objects                /dev/uinput [ chr_file ]
Source                        passwd
Source Path                   /usr/bin/passwd
Port                          <Unknown>
Host                          igor-hp
Source RPM Packages           passwd-0.78-3.fc15
Target RPM Packages           
Policy RPM                    selinux-policy-3.10.0-32.fc16
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     igor-hp
Platform                      Linux igor-hp 3.1.0-0.rc8.git0.0.fc16.x86_64 #1
                              SMP Wed Sep 28 01:31:14 UTC 2011 x86_64 x86_64
Alert Count                   6
First Seen                    Wed 28 Sep 2011 10:47:09 PM EDT
Last Seen                     Fri 30 Sep 2011 03:25:52 PM EDT
Local ID                      c567e85d-8b1a-4adf-915e-877926c1dc50

Raw Audit Messages
type=AVC msg=audit(1317410752.219:515): avc:  denied  { getattr } for  pid=7961 comm="passwd" path="/dev/uinput" dev=devtmpfs ino=11274 scontext=unconfined_u:unconfined_r:passwd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:event_device_t:s0 tclass=chr_file


type=SYSCALL msg=audit(1317410752.219:515): arch=x86_64 syscall=stat success=no exit=EACCES a0=7fffacd463a0 a1=7fffacd41c70 a2=7fffacd41c70 a3=0 items=0 ppid=7955 pid=7961 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=18 comm=passwd exe=/usr/bin/passwd subj=unconfined_u:unconfined_r:passwd_t:s0-s0:c0.c1023 key=(null)

Hash: passwd,passwd_t,event_device_t,chr_file,getattr

audit2allow

#============= passwd_t ==============
allow passwd_t event_device_t:chr_file getattr;

audit2allow -R

#============= passwd_t ==============
allow passwd_t event_device_t:chr_file getattr;


The others are for /proc/core and /dev/{ppp,initctl,hidraw1,fb0,fuse,btrfs-control,cpu_dma_latency,sg0,usbmon5,loop3,loop-control,rtc0,tmp0,nvram,ptmx,autofs,snapshot,freefall,mcelog,mem,vga_arbiter,rfkill,sr0,lp3}. Let me know if you need more details on any of those too.

Version-Release number of selected component (if applicable):

$ rpm -qi passwd
Name        : passwd
Version     : 0.78
Release     : 3.fc15

$ rpm -qi selinux-policy
Name        : selinux-policy
Version     : 3.10.0
Release     : 32.fc16

How reproducible:

Always

Steps to Reproduce:
1. Create a dummy user account "sudo useradd -m foo"
2. Set the password on that account: "sudo passwd foo"

  
Actual results:

The password is actually reset despite all the error messages.

Comment 1 Dominick Grift 2011-09-30 20:26:43 UTC
I can confirm this:

# ausearch -m avc -ts yesterday | grep passwd_t | audit2allow


#============= passwd_t ==============
allow passwd_t agp_device_t:chr_file getattr;
allow passwd_t apm_bios_t:chr_file getattr;
allow passwd_t autofs_device_t:chr_file getattr;
allow passwd_t clock_device_t:chr_file getattr;
allow passwd_t device_t:chr_file getattr;
allow passwd_t event_device_t:chr_file getattr;
allow passwd_t fixed_disk_device_t:blk_file getattr;
allow passwd_t framebuf_device_t:chr_file getattr;
allow passwd_t fuse_device_t:chr_file getattr;
allow passwd_t initctl_t:fifo_file getattr;
allow passwd_t kmsg_device_t:chr_file getattr;
allow passwd_t loop_control_device_t:chr_file getattr;
allow passwd_t lvm_control_t:chr_file getattr;
allow passwd_t memory_device_t:chr_file getattr;
allow passwd_t netcontrol_device_t:chr_file getattr;
allow passwd_t nvram_device_t:chr_file getattr;
allow passwd_t ppp_device_t:chr_file getattr;
allow passwd_t printer_device_t:chr_file getattr;
allow passwd_t proc_kcore_t:file getattr;
allow passwd_t ptmx_t:chr_file getattr;
allow passwd_t scsi_generic_device_t:chr_file getattr;
allow passwd_t tpm_device_t:chr_file getattr;
allow passwd_t usbmon_device_t:chr_file getattr;
allow passwd_t v4l_device_t:chr_file getattr;
allow passwd_t watchdog_device_t:chr_file getattr;
allow passwd_t wireless_device_t:chr_file getattr;
allow passwd_t xserver_misc_device_t:chr_file getattr;

Comment 2 Miroslav Grepl 2011-10-03 06:48:10 UTC
#============= passwd_t ==============
#!!!! This avc has a dontaudit rule in the current policy

allow passwd_t event_device_t:chr_file getattr;


sh-4.2# rpm -q selinux-policy
selinux-policy-3.10.0-33.fc16.noarch
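Worked example (added here by the editor; it is not code from the bug report, from setroubleshoot or from the selinux-policy package): a small Python triage script for raw AVC records like the one in the Description. It parses each type=AVC line into source type, target type, object class and permissions, reproduces the "Hash:" signature line that setroubleshoot printed, and merges repeated denials into one rule per (source, target, class) the way audit2allow does. The rule can be rendered either as the allow form shown in the Description or as the dontaudit form that Comment 2 says the current policy carries for this denial. The first sample line is the AVC record from the Description; the second (/dev/ppp, ppp_device_t, ino=11300, serial 516) is constructed so that grouping over more than one record is visible.

```python
import re
from collections import OrderedDict

# Sample input. The first AVC line is the record from the bug description;
# the SYSCALL line is a shortened copy of the one that accompanied it; the
# second AVC line is CONSTRUCTED for /dev/ppp (ppp_device_t appears in
# Comment 1) so that grouping over several records can be demonstrated.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1317410752.219:515): avc:  denied  { getattr } for  pid=7961 comm="passwd" path="/dev/uinput" dev=devtmpfs ino=11274 scontext=unconfined_u:unconfined_r:passwd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:event_device_t:s0 tclass=chr_file
type=SYSCALL msg=audit(1317410752.219:515): arch=x86_64 syscall=stat success=no exit=EACCES comm=passwd exe=/usr/bin/passwd
type=AVC msg=audit(1317410752.301:516): avc:  denied  { getattr } for  pid=7961 comm="passwd" path="/dev/ppp" dev=devtmpfs ino=11300 scontext=unconfined_u:unconfined_r:passwd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:ppp_device_t:s0 tclass=chr_file
"""

# "avc:  denied  { getattr } for  pid=... comm=... scontext=... tclass=..."
_AVC_RE = re.compile(r'avc:\s+(denied|granted)\s+\{\s*([^}]*?)\s*\}\s+for\s+(.*)$')
# key=value pairs; quoted values (comm="passwd", path="/dev/uinput") keep spaces
_KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return a dict for one type=AVC line, or None for any other record type."""
    m = _AVC_RE.search(line)
    if m is None:
        return None
    fields = {k: v.strip('"') for k, v in _KV_RE.findall(m.group(3))}
    # An SELinux context is user:role:type[:range]; the type is the third field.
    return {
        "result": m.group(1),
        "perms": m.group(2).split(),
        "comm": fields.get("comm", "?"),
        "path": fields.get("path"),
        "stype": fields["scontext"].split(":")[2],
        "ttype": fields["tcontext"].split(":")[2],
        "tclass": fields["tclass"],
    }


def signature(rec):
    """setroubleshoot's 'Hash:' line: comm, source type, target type, class, perms."""
    return ",".join([rec["comm"], rec["stype"], rec["ttype"], rec["tclass"]] + rec["perms"])


def to_rule(rec, kind="allow"):
    """Render a TE rule; kind is 'allow' (what audit2allow emits) or 'dontaudit'
    (what a policy maintainer uses when the access is harmless noise, as in Comment 2)."""
    perms = rec["perms"]
    perm_str = perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"
    return f"{kind} {rec['stype']} {rec['ttype']}:{rec['tclass']} {perm_str};"


def summarize(log_text, kind="allow"):
    """Merge denials by (source, target, class), union their permissions, and
    return one rule per group in first-seen order, like audit2allow does."""
    groups = OrderedDict()
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec is None or rec["result"] != "denied":
            continue
        key = (rec["stype"], rec["ttype"], rec["tclass"])
        merged = groups.setdefault(key, dict(rec, perms=[]))
        for p in rec["perms"]:
            if p not in merged["perms"]:
                merged["perms"].append(p)
    return [to_rule(r, kind) for r in groups.values()]


if __name__ == "__main__":
    first = parse_avc(SAMPLE_AUDIT_LOG.splitlines()[0])
    print("Hash:", signature(first))
    for rule in summarize(SAMPLE_AUDIT_LOG, kind="dontaudit"):
        print(rule)
```

Run against a real system it would read `ausearch -m avc` output instead of the embedded sample; the point of the dontaudit rendering is that a getattr-only denial on device nodes, which passwd clearly does not need, is a candidate for silencing rather than for the allow rule that setroubleshoot's catchall plugin proposes.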

Comment 3 Fedora Update System 2011-10-04 11:17:53 UTC
selinux-policy-3.10.0-36.fc16 has been submitted as an update for Fedora 16.
https://admin.fedoraproject.org/updates/selinux-policy-3.10.0-36.fc16

Comment 4 Fedora Update System 2011-10-04 20:50:44 UTC
Package selinux-policy-3.10.0-36.fc16:
* should fix your issue,
* was pushed to the Fedora 16 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.10.0-36.fc16'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/selinux-policy-3.10.0-36.fc16
then log in and leave karma (feedback).

Comment 5 Fedora Update System 2011-10-09 19:36:49 UTC
selinux-policy-3.10.0-38.fc16 has been pushed to the Fedora 16 stable repository.  If problems still persist, please make note of it in this bug report.