Bug 838285

Summary: SELinux policy denies passwd to change password in gnome_keyring_daemon
Product: [Fedora] Fedora
Reporter: Patrick Uiterwijk <puiterwijk>
Component: selinux-policy
Assignee: Miroslav Grepl <mgrepl>
Status: CLOSED DUPLICATE
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: high
Docs Contact:
Priority: unspecified
Version: 17
CC: dominick.grift, dwalsh, mgrepl
Target Milestone: ---
Target Release: ---
Hardware: x86_64
OS: Unspecified
Whiteboard:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2012-07-09 08:52:22 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:

Description Patrick Uiterwijk 2012-07-08 09:23:38 UTC
Description of problem:
When changing my password, passwd gets denied to change the password of the login keyring.

Version-Release number of selected component (if applicable):
passwd-0.78.99-1.fc17.x86_64
selinux-policy-3.10.0-137.fc17.noarch
gnome-keyring-3.4.1-2.fc17.x86_64

How reproducible:
Always

Steps to Reproduce:
1. Install a new Fedora 17 system with updates-testing enabled
2. Configure the system with firstboot
3. Log in to the created account
4. Go to System settings -> User Accounts
5. Select the account created
6. Change the password
7. (SELinux gives the warning in Additional info)
8. Log out
9. Log in with the new password
10. Open Keys & Passwords
11. Try to add a new password
  
Actual results:
The system changes the gnome keyring password together with the login password, and adds the new password in step 11.

Expected results:
The gnome keyring password is not changed, and when adding a new password in step 11, it asks to provide the (old) keyring password.

Additional info:
SELinux is preventing /usr/bin/passwd from execute access on the file gnome-keyring-daemon.

*****  Plugin leaks (86.2 confidence) suggests  ******************************

If you want to ignore passwd trying to execute access the gnome-keyring-daemon file, because you believe it should not need this access.
Then you should report this as a bug.  
You can generate a local policy module to dontaudit this access.
Do
# grep /usr/bin/passwd /var/log/audit/audit.log | audit2allow -D -M mypol
# semodule -i mypol.pp

*****  Plugin catchall (14.7 confidence) suggests  ***************************

If you believe that passwd should be allowed execute access on the gnome-keyring-daemon file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep passwd /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                unconfined_u:unconfined_r:passwd_t:s0-s0:c0.c1023
Target Context                system_u:object_r:gkeyringd_exec_t:s0
Target Objects                gnome-keyring-daemon [ file ]
Source                        passwd
Source Path                   /usr/bin/passwd
Port                          <Unknown>
Host                          fedoratest.virtual.patrick.local
Source RPM Packages           passwd-0.78.99-1.fc17.x86_64
Target RPM Packages           
Policy RPM                    selinux-policy-3.10.0-137.fc17.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     fedoratest.virtual.patrick.local
Platform                      Linux fedoratest.virtual.patrick.local
                              3.4.4-5.fc17.x86_64 #1 SMP Thu Jul 5 20:20:59 UTC
                              2012 x86_64 x86_64
Alert Count                   1
First Seen                    Sun 08 Jul 2012 11:10:43 AM CEST
Last Seen                     Sun 08 Jul 2012 11:10:43 AM CEST
Local ID                      f4a3e895-5cf9-48b1-9acd-2bd79fcc5d3a

Raw Audit Messages
type=AVC msg=audit(1341738643.455:60): avc:  denied  { execute } for  pid=1305 comm="passwd" name="gnome-keyring-daemon" dev="vda2" ino=24242 scontext=unconfined_u:unconfined_r:passwd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:gkeyringd_exec_t:s0 tclass=file


type=SYSCALL msg=audit(1341738643.455:60): arch=x86_64 syscall=execve success=no exit=EACCES a0=7fea169de5c0 a1=7ffff7746a80 a2=7fea1d33cd50 a3=13 items=0 ppid=1299 pid=1305 auid=1000 uid=1000 gid=1000 euid=1000 suid=0 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=(none) ses=2 comm=passwd exe=/usr/bin/passwd subj=unconfined_u:unconfined_r:passwd_t:s0-s0:c0.c1023 key=(null)

Hash: passwd,passwd_t,gkeyringd_exec_t,file,execute

audit2allow
unable to open /sys/fs/selinux/policy:  Permission denied

audit2allow -R
unable to open /sys/fs/selinux/policy:  Permission denied
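The raw audit messages above are what sealert and audit2allow work from, and reading them by hand is the quickest way to check whether a suggested local policy module is sensible. The following is an added example, not code from this report or from setroubleshoot: it parses the AVC record and its matching SYSCALL record (paired by the audit serial number in msg=audit(timestamp:serial)), extracts the source domain, target type, object class and permission, rebuilds the signature shown on the page's Hash line, and renders the rule that audit2allow would emit with and without -D. The sample log is constructed from the two records in this report; the rule text mirrors audit2allow's output format rather than calling audit2allow itself.

```python
import re
from collections import defaultdict

# Constructed sample: the two audit records quoted in this bug report, laid out
# as they appear in /var/log/audit/audit.log (one record per line).
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1341738643.455:60): avc:  denied  { execute } for  pid=1305 comm="passwd" name="gnome-keyring-daemon" dev="vda2" ino=24242 scontext=unconfined_u:unconfined_r:passwd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:gkeyringd_exec_t:s0 tclass=file
type=SYSCALL msg=audit(1341738643.455:60): arch=x86_64 syscall=execve success=no exit=EACCES a0=7fea169de5c0 a1=7ffff7746a80 a2=7fea1d33cd50 a3=13 items=0 ppid=1299 pid=1305 auid=1000 uid=1000 gid=1000 euid=1000 suid=0 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=(none) ses=2 comm=passwd exe=/usr/bin/passwd subj=unconfined_u:unconfined_r:passwd_t:s0-s0:c0.c1023 key=(null)
"""

AVC_RE = re.compile(
    r'type=AVC msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): avc:\s+'
    r'(?P<decision>denied|granted)\s+\{ (?P<perms>[^}]+) \} for\s+(?P<rest>.*)$'
)
SERIAL_RE = re.compile(r'msg=audit\([\d.]+:(\d+)\)')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_kv(text):
    """Turn 'key=value key="quoted value"' pairs into a dict, dropping the quotes."""
    return {k: v.strip('"') for k, v in KV_RE.findall(text)}


def type_of(context):
    """Return the type (third field) of an SELinux context such as user:role:type:level."""
    return context.split(':')[2]


def parse_avc(line):
    """Parse one AVC record; returns None for any other record type."""
    m = AVC_RE.match(line)
    if not m:
        return None
    fields = parse_kv(m.group('rest'))
    return {
        'serial': int(m.group('serial')),
        'decision': m.group('decision'),
        'perms': m.group('perms').split(),
        'comm': fields.get('comm'),
        'name': fields.get('name'),
        'source_type': type_of(fields['scontext']),
        'target_type': type_of(fields['tcontext']),
        'tclass': fields['tclass'],
    }


def parse_syscall(line):
    """Parse one SYSCALL record, keeping the fields useful for triage."""
    if not line.startswith('type=SYSCALL '):
        return None
    fields = parse_kv(line)
    return {
        'serial': int(SERIAL_RE.search(line).group(1)),
        'syscall': fields.get('syscall'),
        'success': fields.get('success'),
        'exit': fields.get('exit'),
        'exe': fields.get('exe'),
        'auid': fields.get('auid'),
    }


def correlate(log_text):
    """Group records by audit serial so each AVC is paired with the syscall it blocked."""
    events = defaultdict(dict)
    for line in log_text.splitlines():
        avc = parse_avc(line)
        if avc:
            events[avc['serial']].setdefault('avcs', []).append(avc)
            continue
        sc = parse_syscall(line)
        if sc:
            events[sc['serial']]['syscall'] = sc
    return dict(events)


def signature(avc):
    """The comm,source,target,class,perms key that setroubleshoot prints as 'Hash:'."""
    return ','.join([avc['comm'], avc['source_type'], avc['target_type'],
                     avc['tclass'], ' '.join(avc['perms'])])


def policy_rule(avc, kind='allow'):
    """Rule in the shape audit2allow emits: 'allow' by default, 'dontaudit' for -D."""
    assert kind in ('allow', 'dontaudit')
    perms = avc['perms'][0] if len(avc['perms']) == 1 else '{ ' + ' '.join(avc['perms']) + ' }'
    return f"{kind} {avc['source_type']} {avc['target_type']}:{avc['tclass']} {perms};"


def summarize(event):
    """One-line triage summary of a correlated event."""
    avc = event['avcs'][0]
    sc = event.get('syscall', {})
    return (f"{avc['comm']} ({avc['source_type']}) {avc['decision']} "
            f"{' '.join(avc['perms'])} on {avc['target_type']}:{avc['tclass']} "
            f"'{avc['name']}'; {sc.get('syscall')} -> {sc.get('exit')}")


if __name__ == '__main__':
    for serial, event in correlate(SAMPLE_AUDIT_LOG).items():
        print(serial, summarize(event))
        print('  sealert hash :', signature(event['avcs'][0]))
        print('  audit2allow  :', policy_rule(event['avcs'][0]))
        print('  audit2allow -D:', policy_rule(event['avcs'][0], 'dontaudit'))
```

Reading the pair together shows why the two sealert suggestions differ: the SYSCALL record confirms that passwd's execve of gnome-keyring-daemon failed with EACCES, so an `allow` rule would let passwd_t run the keyring daemon, while the `dontaudit` rule offered by the higher-confidence plugin only silences the log entry and leaves the denial in place.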

Comment 1 Patrick Uiterwijk 2012-07-08 09:30:49 UTC
This is also reproducible on a normal Fedora 17 system without updates-testing.
Only different version is selinux-policy, which is selinux-policy-3.10.0-134.fc17.noarch.

Comment 2 Miroslav Grepl 2012-07-09 08:52:22 UTC

*** This bug has been marked as a duplicate of bug 733353 ***