| Field | Value | Field | Value |
|---|---|---|---|
| Summary | useradd: cannot open /etc/passwd | | |
| Product | Fedora | Reporter | Wendell Baker <wendellcraigbaker> |
| Component | selinux-policy | Assignee | Miroslav Grepl <mgrepl> |
| Status | CLOSED NOTABUG | QA Contact | Fedora Extras Quality Assurance <extras-qa> |
| Severity | unspecified | Docs Contact | |
| Priority | unspecified | | |
| Version | rawhide | CC | bloch, dominick.grift, dwalsh, marcosfrm, mgrepl, pvrabec, tmraz |
| Target Milestone | --- | | |
| Target Release | --- | | |
| Hardware | Unspecified | | |
| OS | Unspecified | | |
| Whiteboard | | | |
| Fixed In Version | | Doc Type | Bug Fix |
| Doc Text | | Story Points | --- |
| Clone Of | | Environment | |
| Last Closed | 2012-01-19 13:18:39 UTC | Type | --- |
| Regression | --- | Mount Type | --- |
| Documentation | --- | CRM | |
| Verified Versions | | Category | --- |
| oVirt Team | --- | RHEL 7.3 requirements from Atomic Host | |
| Cloudforms Team | --- | Target Upstream Version | |
| Attachments | | | |
*** Bug 771630 has been marked as a duplicate of this bug. ***

Created attachment 550722
audit.log from a fresh rawhide install (install circa 2012-01-02)
For completeness I submit the whole audit.log trail over the (short) lifetime of the install. Highlighting:
type=AVC msg=audit(1325618084.951:825): avc: denied { write } for pid=3360 comm="useradd" name="passwd" dev=dm-2 ino=2099408 scontext=unconfined_u:unconfined_r:useradd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:etc_t:s0 tclass=file
Was caused by:
Missing type enforcement (TE) allow rule.
You can use audit2allow to generate a loadable module to allow this access.
Here's the relevant parts.
# grep -iEe '(useradd|groupadd)' audit.log > usergroupadd-audit.log
# audit2allow < usergroupadd-audit.log
#============= useradd_t ==============
allow useradd_t etc_t:file write;
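Added example, not code from the bug report or the selinux-policy project: a small Python triage of audit.log lines such as the AVC above. It separates the mislabel signature this bug turned out to be (useradd_t denied write on a passwd/group file still labelled etc_t, fixed by restorecon) from other denials, so the `allow useradd_t etc_t:file write;` rule audit2allow proposes is not loaded by mistake. The SYSCALL line, the httpd_t denial and the group- backup name are constructed assumptions.

```python
import re
from typing import Optional

# Constructed sample log: line 1 is the AVC quoted in this bug; the
# SYSCALL record and the httpd_t denial are made-up noise for contrast.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1325618084.951:825): avc: denied { write } for pid=3360 comm="useradd" name="passwd" dev=dm-2 ino=2099408 scontext=unconfined_u:unconfined_r:useradd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:etc_t:s0 tclass=file
type=SYSCALL msg=audit(1325618084.951:825): arch=40000003 syscall=5 success=no exit=-13
type=AVC msg=audit(1325618100.100:830): avc: denied { read } for pid=3400 comm="httpd" name="index.html" dev=dm-2 ino=1 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
"""

AVC_RE = re.compile(r'type=AVC .*?avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<kv>.*)$')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Files under /etc that policy labels passwd_file_t. passwd, group and
# passwd- appear in this report; group- is assumed by analogy.
PASSWD_FILE_NAMES = {"passwd", "group", "passwd-", "group-"}

def parse_avc(line: str) -> Optional[dict]:
    """Parse one audit.log line into {field: value, perms: [...]}; None if not an AVC."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group("kv"))}
    fields["perms"] = m.group("perms").split()
    return fields

def context_type(ctx: str) -> str:
    """user:role:type[:level] -> the type component."""
    return ctx.split(":")[2]

def classify(d: dict):
    """Return (verdict, suggested action) for one parsed denial."""
    src = context_type(d.get("scontext", "?:?:?"))
    tgt = context_type(d.get("tcontext", "?:?:?"))
    name = d.get("name", "")
    # useradd_t writing an etc_t-labelled passwd/group file is the signature
    # of a mislabel: restore the label, do not load an allow rule for etc_t.
    if (src == "useradd_t" and tgt == "etc_t" and name in PASSWD_FILE_NAMES
            and d.get("tclass") == "file"):
        return "mislabel", "restorecon -v /etc/%s" % name
    return "other", "review with audit2allow -w before allowing"

def triage(audit_text: str):
    """(line number, verdict, action) for every AVC record in the text."""
    parsed = ((n, parse_avc(l)) for n, l in enumerate(audit_text.splitlines(), 1))
    return [(n,) + classify(d) for n, d in parsed if d is not None]
```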
/etc/passwd is mislabeled. You need to execute
$ restorecon -R -v /etc/passwd /etc/group

Got it. Need to relabel the tmpfile /etc/passwd- (which doesn't exist) too.
[root ~]# /sbin/restorecon -v -v -R /etc/{passwd,group,shadow,gshadow}
/sbin/restorecon reset /etc/passwd context system_u:object_r:etc_t:s0->system_u:object_r:passwd_file_t:s0
/sbin/restorecon reset /etc/group context system_u:object_r:etc_t:s0->system_u:object_r:passwd_file_t:s0
[root ~]# useradd -u 500 -g wbaker wbaker
useradd: failure while writing changes to /etc/passwd
(the /var/mail/wbaker and /home/wbaker got created but not the passwd entry)
Also mislabeled:
[root ~]# /sbin/restorecon -v -v -R /etc/passwd-
/sbin/restorecon reset /etc/passwd- context system_u:object_r:etc_t:s0->system_u:object_r:passwd_file_t:s0
(retrying)
[root ~]# rm -rf /var/mail/wbaker /
[root ~]# useradd -u 500 -g wbaker wbaker
(ok)
Happy.
*** Bug 781737 has been marked as a duplicate of this bug. ***
Description of problem:
useradd will not add to /etc/passwd
groupadd will add to /etc/group

Version-Release number of selected component (if applicable):
# rpm -q -f /usr/sbin/useradd
shadow-utils-4.1.4.3-12.fc17.i686

How reproducible:
100% on 3x installations of rawhide 2012-01-02

Steps to Reproduce:
1. install rawhide
2. ssh in as root
3. useradd -u 500 -g wbaker wbaker

Actual results:
$ useradd -u 500 -g wbaker wbaker
useradd: cannot open /etc/passwd

Expected results:
a user record for wbaker

Additional info:
I am trying to accomplish:
groupadd -g 500 wbaker
useradd -u 500 -g wbaker wbaker
usermod -c 'Wendell Craig Baker' wbaker

This works on F16
This does not work on rawhide

My SElinux contexts are ok.
# id -Z
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
# id -a
uid=0(root) gid=0(root) groups=0(root) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023

The filesystem has not failed and become readonly underneath me
# grep ro, /proc/mounts

Not out of space on /
# df -h .
Filesystem                            Size  Used Avail Use% Mounted on
/dev/mapper/vg_fishneteffect-lv_root   50G  4.3G   44G   9% /

No new permissions (this is the same as on F16.Verne)
# lsattr -d /etc /etc/passwd /etc/group
----------I--e- /etc
-------------e- /etc/passwd
-------------e- /etc/group

Ibidem.
# ls -alsdZ /etc /etc/passwd /etc/group
drwxr-xr-x. root root system_u:object_r:etc_t:s0 /etc
-rw-r--r--. root root system_u:object_r:etc_t:s0 /etc/group
-rw-r--r--. root root system_u:object_r:etc_t:s0 /etc/passwd

strace shows
$ strace useradd -u 500 -g wbaker wbaker >& /tmp/o.strace.out
$ less /tmp/o.strace.out
...etc...
connect(4, {sa_family=AF_FILE, path="/var/run/nscd/socket"}, 110) = -1 ENOENT (No such file or directory)
close(4) = 0
open("/etc/passwd", O_RDONLY|O_CLOEXEC) = 4
fstat64(4, {st_mode=S_IFREG|0644, st_size=1742, ...}) = 0
mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0xb75ea000
read(4, "root:x:0:0:root:/root:/bin/bash\n"..., 4096) = 1742
read(4, "", 4096) = 0
close(4) = 0
munmap(0xb75ea000, 4096) = 0
open("/etc/.pwd.lock", O_WRONLY|O_CREAT|O_CLOEXEC, 0600) = 4
rt_sigaction(SIGALRM, {0x426e19b0, ~[], 0}, {SIG_DFL, [], 0}, 8) = 0
rt_sigprocmask(SIG_UNBLOCK, [ALRM], [], 8) = 0
alarm(15) = 0
fcntl64(4, F_SETLKW, {type=F_WRLCK, whence=SEEK_SET, start=0, len=0}) = 0
alarm(0) = 15
rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0
rt_sigaction(SIGALRM, {SIG_DFL, [], 0}, NULL, 8) = 0
getpid() = 3427
open("/etc/passwd.3427", O_WRONLY|O_CREAT|O_EXCL|O_LARGEFILE, 0600) = 5
write(5, "3427\0", 5) = 5
close(5) = 0
link("/etc/passwd.3427", "/etc/passwd.lock") = 0
stat64("/etc/passwd.3427", {st_mode=S_IFREG|0600, st_size=5, ...}) = 0
unlink("/etc/passwd.3427") = 0
open("/etc/passwd", O_RDWR|O_LARGEFILE) = -1 EACCES (Permission denied)
open("/usr/share/locale/locale.alias", O_RDONLY|O_CLOEXEC) = 5
fstat64(5, {st_mode=S_IFREG|0644, st_size=2512, ...}) = 0
mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0xb75ea000
read(5, "# Locale name alias data base.\n#"..., 4096) = 2512
read(5, "", 4096) = 0
close(5) = 0
munmap(0xb75ea000, 4096) = 0

The groupadd worked (groupadd is not broken)
The useradd did not (useradd is broken)
# tail /etc/passwd /etc/group
==> /etc/passwd <==
pulse:x:996:994:PulseAudio System Daemon:/var/run/pulse:/sbin/nologin
gdm:x:42:42::/var/lib/gdm:/sbin/nologin
nm-openconnect:x:995:992:NetworkManager user for OpenConnect:/:/sbin/nologin
mailnull:x:47:47::/var/spool/mqueue:/sbin/nologin
smmsp:x:51:51::/var/spool/mqueue:/sbin/nologin
rpcuser:x:29:29:RPC Service User:/var/lib/nfs:/sbin/nologin
nfsnobody:x:65534:65534:Anonymous NFS User:/var/lib/nfs:/sbin/nologin
sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin
chrony:x:994:991::/var/lib/chrony:/sbin/nologin
tcpdump:x:72:72::/:/sbin/nologin
==> /etc/group <==
nm-openconnect:x:992:
mailnull:x:47:
smmsp:x:51:
rpcuser:x:29:
nfsnobody:x:65534:
sshd:x:74:
chrony:x:991:
slocate:x:21:
tcpdump:x:72:
wbaker:x:500: