Bug 831068

Summary: SELinux problem passwd
Product: Red Hat Enterprise Linux 6
Reporter: David Spurek <dspurek>
Component: selinux-policy
Assignee: Miroslav Grepl <mgrepl>
Status: CLOSED ERRATA
QA Contact: Milos Malik <mmalik>
Severity: unspecified
Priority: unspecified
Version: 6.3
CC: dwalsh, ebenes, ikke, mmalik
Target Milestone: rc
Target Release: ---
Hardware: All
OS: Linux
Fixed In Version: selinux-policy-3.7.19-173.el6
Doc Type: Bug Fix
Story Points: ---
Last Closed: 2013-02-21 08:35:47 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Cloudforms Team: ---

Attachments:
reproduce test (flags: none)

Description David Spurek 2012-06-12 06:46:59 UTC
Description of problem:

type=SYSCALL msg=audit(1339480337.627:28991): arch=c000003e syscall=2 success=no exit=-13 a0=7fddf81a0173 a1=0 a2=1b6 a3=0 items=0 ppid=3322 pid=3323 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=1 comm="passwd" exe="/usr/bin/passwd" subj=unconfined_u:unconfined_r:passwd_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1339480337.627:28991): avc:  denied  { read } for  pid=3323 comm="passwd" name="tmp" dev=dm-0 ino=260636 scontext=unconfined_u:unconfined_r:passwd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:tmp_t:s0 tclass=dir

type=SYSCALL msg=audit(1339480337.627:28992): arch=c000003e syscall=4 success=no exit=-13 a0=7fddf81a017c a1=7fff7c210a40 a2=7fff7c210a40 a3=0 items=0 ppid=3322 pid=3323 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=1 comm="passwd" exe="/usr/bin/passwd" subj=unconfined_u:unconfined_r:passwd_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1339480337.627:28992): avc:  denied  { read } for  pid=3323 comm="passwd" name="tmp" dev=dm-0 ino=2069 scontext=unconfined_u:unconfined_r:passwd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:usr_t:s0 tclass=lnk_file


passwd on a user in LDAP with SSL or TLS set up

Comment 1 David Spurek 2012-06-12 06:47:35 UTC
Created attachment 591113 [details]
reproduce test

Comment 3 Milos Malik 2012-06-12 14:32:27 UTC
The following AVCs were seen in enforcing mode:
----
time->Tue Jun 12 10:14:55 2012
type=PATH msg=audit(1339510495.467:1167068): item=0 name="/var/tmp" inode=2752602 dev=fd:00 mode=041777 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:tmp_t:s0
type=CWD msg=audit(1339510495.467:1167068):  cwd="/root/pokus"
type=SYSCALL msg=audit(1339510495.467:1167068): arch=c000003e syscall=2 success=no exit=-13 a0=7f56c5de3173 a1=0 a2=1b6 a3=0 items=1 ppid=2126 pid=2127 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts20 ses=56842 comm="passwd" exe="/usr/bin/passwd" subj=unconfined_u:unconfined_r:passwd_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1339510495.467:1167068): avc:  denied  { read } for  pid=2127 comm="passwd" name="tmp" dev=dm-0 ino=2752602 scontext=unconfined_u:unconfined_r:passwd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:tmp_t:s0 tclass=dir
----
time->Tue Jun 12 10:14:55 2012
type=PATH msg=audit(1339510495.466:1167067): item=0 name="/tmp" inode=917505 dev=fd:00 mode=041777 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:tmp_t:s0
type=CWD msg=audit(1339510495.466:1167067):  cwd="/root/pokus"
type=SYSCALL msg=audit(1339510495.466:1167067): arch=c000003e syscall=2 success=no exit=-13 a0=7f56c5de3177 a1=0 a2=1b6 a3=0 items=1 ppid=2126 pid=2127 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts20 ses=56842 comm="passwd" exe="/usr/bin/passwd" subj=unconfined_u:unconfined_r:passwd_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1339510495.466:1167067): avc:  denied  { read } for  pid=2127 comm="passwd" name="tmp" dev=dm-0 ino=917505 scontext=unconfined_u:unconfined_r:passwd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:tmp_t:s0 tclass=dir
----
time->Tue Jun 12 10:14:55 2012
type=PATH msg=audit(1339510495.467:1167069): item=0 name="/usr/tmp"
type=CWD msg=audit(1339510495.467:1167069):  cwd="/root/pokus"
type=SYSCALL msg=audit(1339510495.467:1167069): arch=c000003e syscall=4 success=no exit=-13 a0=7f56c5de317c a1=7fffb2e57080 a2=7fffb2e57080 a3=0 items=1 ppid=2126 pid=2127 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts20 ses=56842 comm="passwd" exe="/usr/bin/passwd" subj=unconfined_u:unconfined_r:passwd_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1339510495.467:1167069): avc:  denied  { read } for  pid=2127 comm="passwd" name="tmp" dev=dm-0 ino=526184 scontext=unconfined_u:unconfined_r:passwd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:usr_t:s0 tclass=lnk_file
----

Comment 4 Milos Malik 2012-06-12 14:41:50 UTC
Caused by the same reproducer but executed in permissive mode:
----
time->Tue Jun 12 10:37:53 2012
type=PATH msg=audit(1339511873.491:1167478): item=0 name="/usr/tmp" inode=2752602 dev=fd:00 mode=041777 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:tmp_t:s0
type=CWD msg=audit(1339511873.491:1167478):  cwd="/root/pokus"
type=SYSCALL msg=audit(1339511873.491:1167478): arch=c000003e syscall=4 success=yes exit=0 a0=7feb6102a17c a1=7fff9b84dfe0 a2=7fff9b84dfe0 a3=22 items=1 ppid=5529 pid=5530 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts20 ses=56842 comm="passwd" exe="/usr/bin/passwd" subj=unconfined_u:unconfined_r:passwd_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1339511873.491:1167478): avc:  denied  { read } for  pid=5530 comm="passwd" name="tmp" dev=dm-0 ino=526184 scontext=unconfined_u:unconfined_r:passwd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:usr_t:s0 tclass=lnk_file
----
time->Tue Jun 12 10:37:53 2012
type=PATH msg=audit(1339511873.490:1167477): item=0 name="/tmp" inode=917505 dev=fd:00 mode=041777 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:tmp_t:s0
type=CWD msg=audit(1339511873.490:1167477):  cwd="/root/pokus"
type=SYSCALL msg=audit(1339511873.490:1167477): arch=c000003e syscall=2 success=yes exit=7 a0=7feb6102a177 a1=0 a2=1b6 a3=0 items=1 ppid=5529 pid=5530 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts20 ses=56842 comm="passwd" exe="/usr/bin/passwd" subj=unconfined_u:unconfined_r:passwd_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1339511873.490:1167477): avc:  denied  { read } for  pid=5530 comm="passwd" name="tmp" dev=dm-0 ino=917505 scontext=unconfined_u:unconfined_r:passwd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:tmp_t:s0 tclass=dir
----

Comment 5 Daniel Walsh 2012-06-12 16:12:10 UTC
Why is the passwd command trying to list the contents of /tmp?

Comment 6 Milos Malik 2012-06-13 08:35:54 UTC
Don't know.

Comment 7 Daniel Walsh 2012-06-13 21:53:26 UTC
Did this happen on a logged-in system? I.e., could it be looking to see if gnome-keyringd is running?

Comment 8 Daniel Walsh 2012-06-13 21:53:55 UTC
If you run it in permissive mode, do you see any additional AVCs?

Comment 9 Milos Malik 2012-06-14 14:03:03 UTC
In permissive mode I see only the AVCs listed in comment #4.

Comment 10 Milos Malik 2012-06-14 14:10:59 UTC
I was logged in as root on that machine when the AVCs appeared. gnome-keyring-daemon was running when the test was running.

Comment 11 Daniel Walsh 2012-06-14 19:20:18 UTC
I have no problem adding the access. It just seems strange. I have seen passwd try to communicate with and even start gnome-keyring when the passwd is changed; I guess this is to keep the gnome-keyring passwd the same. (Although I hate this hack.)

Comment 12 Ilkka Tengvall 2012-09-12 07:01:31 UTC
This affects Fedora 17 also. Here is my audit log:

Raw Audit Messages
type=AVC msg=audit(1347426258.23:1552): avc:  denied  { execute } for  pid=31770 comm="passwd" name="gnome-keyring-daemon" dev="dm-1" ino=5193 scontext=unconfined_u:unconfined_r:passwd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:gkeyringd_exec_t:s0 tclass=file


type=SYSCALL msg=audit(1347426258.23:1552): arch=x86_64 syscall=execve success=no exit=EACCES a0=7f81a62cf5c0 a1=7fff7b96bfb0 a2=7f81ab64adc0 a3=10 items=0 ppid=31625 pid=31770 auid=8100 uid=8100 gid=8100 euid=8100 suid=0 fsuid=8100 egid=8100 sgid=8100 fsgid=8100 tty=(none) ses=1 comm=passwd exe=/usr/bin/passwd subj=unconfined_u:unconfined_r:passwd_t:s0-s0:c0.c1023 key=(null)


I changed the password from the GNOME 3 user account dialog, aiming to get the keyring password changed while at it. It seems SELinux blocks it though.

versions:

selinux-policy-devel-3.10.0-146.fc17.noarch
selinux-policy-targeted-3.10.0-146.fc17.noarch
selinux-policy-3.10.0-146.fc17.noarch
fedora-release-17-1.noarch
passwd-0.78.99-1.fc17.x86_64

Comment 13 Daniel Walsh 2012-09-12 10:57:32 UTC
I have a concern on this, in that you have a root-privileged process executing a gkeyringd executable that could be influenced by the user environment. Allowing this access with SELinux could be dangerous.


If you run passwd_t in permissive, what other AVCs are generated?

Make passwd_t permissive:
# semanage permissive -a passwd_t
Change your password.
Collect AVCs:
# ausearch -m avc -ts recent
Change passwd_t back to enforcing:
# semanage permissive -d passwd_t

Comment 14 Ilkka Tengvall 2012-09-12 12:22:19 UTC
Here they are. I set SELinux to permissive and changed the password.


$ sudo ausearch -m avc -ts recent 
----
time->Wed Sep 12 15:14:58 2012
type=SYSCALL msg=audit(1347452098.865:371): arch=c000003e syscall=59 success=yes exit=0 a0=7f4fde2625c0 a1=7fffc1a35bd0 a2=7f4fe4adc730 a3=10 items=0 ppid=9632 pid=10015 auid=8100 uid=8100 gid=8100 euid=8100 suid=8100 fsuid=8100 egid=8100 sgid=8100 fsgid=8100 tty=(none) ses=7 comm="gnome-keyring-d" exe="/usr/bin/gnome-keyring-daemon" subj=unconfined_u:unconfined_r:passwd_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1347452098.865:371): avc:  denied  { execute_no_trans } for  pid=10015 comm="passwd" path="/usr/bin/gnome-keyring-daemon" dev="dm-2" ino=134702 scontext=unconfined_u:unconfined_r:passwd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:gkeyringd_exec_t:s0 tclass=file
type=AVC msg=audit(1347452098.865:371): avc:  denied  { read open } for  pid=10015 comm="passwd" path="/usr/bin/gnome-keyring-daemon" dev="dm-2" ino=134702 scontext=unconfined_u:unconfined_r:passwd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:gkeyringd_exec_t:s0 tclass=file
type=AVC msg=audit(1347452098.865:371): avc:  denied  { execute } for  pid=10015 comm="passwd" name="gnome-keyring-daemon" dev="dm-2" ino=134702 scontext=unconfined_u:unconfined_r:passwd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:gkeyringd_exec_t:s0 tclass=file
----
time->Wed Sep 12 15:14:58 2012
type=SYSCALL msg=audit(1347452098.882:372): arch=c000003e syscall=83 success=yes exit=0 a0=19f7e00 a1=1c0 a2=0 a3=0 items=0 ppid=9632 pid=10015 auid=8100 uid=8100 gid=8100 euid=8100 suid=8100 fsuid=8100 egid=8100 sgid=8100 fsgid=8100 tty=(none) ses=7 comm="gnome-keyring-d" exe="/usr/bin/gnome-keyring-daemon" subj=unconfined_u:unconfined_r:passwd_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1347452098.882:372): avc:  denied  { create } for  pid=10015 comm="gnome-keyring-d" name="keyring-7fLZX9" scontext=unconfined_u:unconfined_r:passwd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:cache_home_t:s0 tclass=dir
type=AVC msg=audit(1347452098.882:372): avc:  denied  { add_name } for  pid=10015 comm="gnome-keyring-d" name="keyring-7fLZX9" scontext=unconfined_u:unconfined_r:passwd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:cache_home_t:s0 tclass=dir
type=AVC msg=audit(1347452098.882:372): avc:  denied  { write } for  pid=10015 comm="gnome-keyring-d" name=".cache" dev="dm-3" ino=1048625 scontext=unconfined_u:unconfined_r:passwd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:cache_home_t:s0 tclass=dir
----
time->Wed Sep 12 15:14:58 2012
type=SYSCALL msg=audit(1347452098.883:373): arch=c000003e syscall=49 success=yes exit=0 a0=5 a1=7fffce35e6c0 a2=6e a3=10 items=0 ppid=9632 pid=10015 auid=8100 uid=8100 gid=8100 euid=8100 suid=8100 fsuid=8100 egid=8100 sgid=8100 fsgid=8100 tty=(none) ses=7 comm="gnome-keyring-d" exe="/usr/bin/gnome-keyring-daemon" subj=unconfined_u:unconfined_r:passwd_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1347452098.883:373): avc:  denied  { create } for  pid=10015 comm="gnome-keyring-d" name="control" scontext=unconfined_u:unconfined_r:passwd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:cache_home_t:s0 tclass=sock_file
----
time->Wed Sep 12 15:14:58 2012
type=SYSCALL msg=audit(1347452098.883:374): arch=c000003e syscall=149 success=yes exit=0 a0=7f0558cc2000 a1=4000 a2=3 a3=22 items=0 ppid=9632 pid=10015 auid=8100 uid=8100 gid=8100 euid=8100 suid=8100 fsuid=8100 egid=8100 sgid=8100 fsgid=8100 tty=(none) ses=7 comm="gnome-keyring-d" exe="/usr/bin/gnome-keyring-daemon" subj=unconfined_u:unconfined_r:passwd_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1347452098.883:374): avc:  denied  { ipc_lock } for  pid=10015 comm="gnome-keyring-d" capability=14  scontext=unconfined_u:unconfined_r:passwd_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:passwd_t:s0-s0:c0.c1023 tclass=capability
----
time->Wed Sep 12 15:14:58 2012
type=SYSCALL msg=audit(1347452098.889:375): arch=c000003e syscall=6 success=yes exit=0 a0=7fffc1a35b02 a1=7fffc1a35a70 a2=7fffc1a35a70 a3=7f4fe3148ad0 items=0 ppid=9632 pid=10021 auid=8100 uid=8100 gid=8100 euid=8100 suid=8100 fsuid=8100 egid=8100 sgid=8100 fsgid=8100 tty=(none) ses=7 comm="passwd" exe="/usr/bin/passwd" subj=unconfined_u:unconfined_r:passwd_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1347452098.889:375): avc:  denied  { getattr } for  pid=10021 comm="passwd" path="/home/ikke/.cache/keyring-7fLZX9/control" dev="dm-3" ino=1049102 scontext=unconfined_u:unconfined_r:passwd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:cache_home_t:s0 tclass=sock_file
----
time->Wed Sep 12 15:14:58 2012
type=SYSCALL msg=audit(1347452098.889:376): arch=c000003e syscall=42 success=yes exit=0 a0=4 a1=7fffc1a35b00 a2=6e a3=7f4fe3148ad0 items=0 ppid=9632 pid=10021 auid=8100 uid=8100 gid=8100 euid=8100 suid=8100 fsuid=8100 egid=8100 sgid=8100 fsgid=8100 tty=(none) ses=7 comm="passwd" exe="/usr/bin/passwd" subj=unconfined_u:unconfined_r:passwd_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1347452098.889:376): avc:  denied  { write } for  pid=10021 comm="passwd" name="control" dev="dm-3" ino=1049102 scontext=unconfined_u:unconfined_r:passwd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:cache_home_t:s0 tclass=sock_file
----
time->Wed Sep 12 15:14:58 2012
type=SYSCALL msg=audit(1347452098.891:377): arch=c000003e syscall=87 success=yes exit=0 a0=19f8040 a1=0 a2=3f6d9b0728 a3=33 items=0 ppid=1 pid=10019 auid=8100 uid=8100 gid=8100 euid=8100 suid=8100 fsuid=8100 egid=8100 sgid=8100 fsgid=8100 tty=(none) ses=7 comm="gnome-keyring-d" exe="/usr/bin/gnome-keyring-daemon" subj=unconfined_u:unconfined_r:passwd_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1347452098.891:377): avc:  denied  { unlink } for  pid=10019 comm="gnome-keyring-d" name="control" dev="dm-3" ino=1049102 scontext=unconfined_u:unconfined_r:passwd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:cache_home_t:s0 tclass=sock_file
type=AVC msg=audit(1347452098.891:377): avc:  denied  { remove_name } for  pid=10019 comm="gnome-keyring-d" name="control" dev="dm-3" ino=1049102 scontext=unconfined_u:unconfined_r:passwd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:cache_home_t:s0 tclass=dir
----
time->Wed Sep 12 15:14:58 2012
type=SYSCALL msg=audit(1347452098.891:378): arch=c000003e syscall=84 success=yes exit=0 a0=19f7e00 a1=0 a2=3f6d9b0728 a3=33 items=0 ppid=1 pid=10019 auid=8100 uid=8100 gid=8100 euid=8100 suid=8100 fsuid=8100 egid=8100 sgid=8100 fsgid=8100 tty=(none) ses=7 comm="gnome-keyring-d" exe="/usr/bin/gnome-keyring-daemon" subj=unconfined_u:unconfined_r:passwd_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1347452098.891:378): avc:  denied  { rmdir } for  pid=10019 comm="gnome-keyring-d" name="keyring-7fLZX9" dev="dm-3" ino=1049026 scontext=unconfined_u:unconfined_r:passwd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:cache_home_t:s0 tclass=dir
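
The AVC dump above is what the procedure in comment 13 produces (make the domain permissive, exercise it, ausearch, revert), and the next step is deciding which of those denials are safe to turn into allow rules. As an added example that is not part of this bug report or of selinux-policy, the script below does the merging that audit2allow performs, one allow rule per (source type, target type, object class) with the permissions unioned, and additionally flags the case Daniel Walsh raises in comment 13: a domain executing another domain's *_exec_t entrypoint with execute_no_trans, i.e. running it in its own context instead of transitioning. The sample records are copied from the ausearch output in comments 3 and 14 and embedded as a constructed fixture; the review heuristic in `risky_rules` is my own assumption about what deserves manual review, not something the policy or the tools define.

```python
import re
import sys
from collections import defaultdict

# Constructed fixture: AVC records copied from the ausearch output in this bug.
SAMPLE_AVCS = """\
type=AVC msg=audit(1347452098.865:371): avc:  denied  { execute_no_trans } for  pid=10015 comm="passwd" path="/usr/bin/gnome-keyring-daemon" dev="dm-2" ino=134702 scontext=unconfined_u:unconfined_r:passwd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:gkeyringd_exec_t:s0 tclass=file
type=AVC msg=audit(1347452098.865:371): avc:  denied  { read open } for  pid=10015 comm="passwd" path="/usr/bin/gnome-keyring-daemon" dev="dm-2" ino=134702 scontext=unconfined_u:unconfined_r:passwd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:gkeyringd_exec_t:s0 tclass=file
type=AVC msg=audit(1347452098.865:371): avc:  denied  { execute } for  pid=10015 comm="passwd" name="gnome-keyring-daemon" dev="dm-2" ino=134702 scontext=unconfined_u:unconfined_r:passwd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:gkeyringd_exec_t:s0 tclass=file
type=AVC msg=audit(1347452098.882:372): avc:  denied  { create } for  pid=10015 comm="gnome-keyring-d" name="keyring-7fLZX9" scontext=unconfined_u:unconfined_r:passwd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:cache_home_t:s0 tclass=dir
type=AVC msg=audit(1347452098.882:372): avc:  denied  { add_name } for  pid=10015 comm="gnome-keyring-d" name="keyring-7fLZX9" scontext=unconfined_u:unconfined_r:passwd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:cache_home_t:s0 tclass=dir
type=AVC msg=audit(1347452098.882:372): avc:  denied  { write } for  pid=10015 comm="gnome-keyring-d" name=".cache" dev="dm-3" ino=1048625 scontext=unconfined_u:unconfined_r:passwd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:cache_home_t:s0 tclass=dir
type=AVC msg=audit(1347452098.883:374): avc:  denied  { ipc_lock } for  pid=10015 comm="gnome-keyring-d" capability=14  scontext=unconfined_u:unconfined_r:passwd_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:passwd_t:s0-s0:c0.c1023 tclass=capability
type=AVC msg=audit(1339510495.467:1167068): avc:  denied  { read } for  pid=2127 comm="passwd" name="tmp" dev=dm-0 ino=2752602 scontext=unconfined_u:unconfined_r:passwd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:tmp_t:s0 tclass=dir
"""

# One AVC record: result, brace-delimited permission list, then the
# scontext/tcontext/tclass triple that identifies the policy rule needed.
AVC_RE = re.compile(
    r'avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?'
    r'scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)'
)


def type_of(context):
    """user:role:type[:level] -> type (the only part an allow rule names)."""
    return context.split(':')[2]


def parse_avcs(text):
    """Yield (source_type, target_type, tclass, perms) for each denied AVC."""
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m or m.group('result') != 'denied':
            continue
        yield (type_of(m.group('scontext')), type_of(m.group('tcontext')),
               m.group('tclass'), set(m.group('perms').split()))


def aggregate(text):
    """Union permissions per (source, target, class), as audit2allow does."""
    rules = defaultdict(set)
    for src, tgt, cls, perms in parse_avcs(text):
        rules[(src, tgt, cls)] |= perms
    return dict(rules)


def allow_rules(text):
    """Render the aggregated denials as policy allow statements."""
    return [f"allow {src} {tgt}:{cls} {{ {' '.join(sorted(perms))} }};"
            for (src, tgt, cls), perms in sorted(aggregate(text).items())]


def risky_rules(text):
    """Heuristic (my assumption, not a policy rule): a domain that execs another
    domain's *_exec_t entrypoint with execute_no_trans keeps its own privileges
    while running that binary, so it should get a domain transition instead of
    a blanket allow. This is the concern raised about passwd_t and gkeyringd."""
    return sorted((src, tgt) for (src, tgt, cls), perms in aggregate(text).items()
                  if cls == 'file' and 'execute_no_trans' in perms
                  and tgt.endswith('_exec_t'))


if __name__ == '__main__':
    # Usage: ausearch -m avc -ts recent | python3 avc_review.py
    data = SAMPLE_AVCS if sys.stdin.isatty() else sys.stdin.read()
    for rule in allow_rules(data):
        print(rule)
    for src, tgt in risky_rules(data):
        print(f"# REVIEW: {src} executes {tgt} without a domain transition")
```

Run with nothing on stdin it uses the embedded records; piped from ausearch it reviews a live capture. The output for the fixture is four allow statements plus one REVIEW line for passwd_t executing gkeyringd_exec_t, which is exactly the rule a reviewer should not wave through: the /tmp directory reads and the ipc_lock capability are ordinary, but the execute_no_trans one deserves a domain transition or a decision not to grant it at all.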

Comment 15 Miroslav Grepl 2012-10-09 13:48:20 UTC
We added fixes to F18. Will backport to F17.

Also fixes RHEL6 AVC msgs.

Comment 21 errata-xmlrpc 2013-02-21 08:35:47 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2013-0314.html