Bug 875387

Summary: SELinux is preventing /usr/sbin/groupadd from 'write' accesses on the file gshadow-.
Product: Fedora
Reporter: James Heather <drfudgeboy>
Component: selinux-policy
Assignee: Miroslav Grepl <mgrepl>
Status: CLOSED NOTABUG
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified
Priority: unspecified
Version: 17
CC: dominick.grift, dwalsh, mgrepl
Hardware: x86_64
OS: Unspecified
Whiteboard: abrt_hash:323ae6c4f618ac2419fecf2da6112382fea9df0fb43a1da8144a8df53cebdd7b
Doc Type: Bug Fix
Last Closed: 2012-11-12 08:49:33 UTC
Attachments:
File: type
File: hashmarkername

Description James Heather 2012-11-10 22:04:16 UTC
Additional info:
libreport version: 2.0.18
kernel:         3.6.6-1.fc17.x86_64

description:
:SELinux is preventing /usr/sbin/groupadd from 'write' accesses on the file gshadow-.
:
:*****  Plugin catchall_labels (83.8 confidence) suggests  ********************
:
:If you want to allow groupadd to have write access on the gshadow- file
:Then you need to change the label on gshadow-
:Do
:# semanage fcontext -a -t FILE_TYPE 'gshadow-'
:where FILE_TYPE is one of the following: puppet_tmp_t, passwd_file_t, security_t, faillog_t, lastlog_t, puppet_tmp_t, pcscd_var_run_t, afs_cache_t, user_cron_spool_t, groupadd_t, shadow_t. 
:Then execute: 
:restorecon -v 'gshadow-'
:
:
:*****  Plugin catchall (17.1 confidence) suggests  ***************************
:
:If you believe that groupadd should be allowed write access on the gshadow- file by default.
:Then you should report this as a bug.
:You can generate a local policy module to allow this access.
:Do
:allow this access for now by executing:
:# grep groupadd /var/log/audit/audit.log | audit2allow -M mypol
:# semodule -i mypol.pp
:
:Additional Information:
:Source Context                unconfined_u:system_r:groupadd_t:s0-s0:c0.c1023
:Target Context                unconfined_u:object_r:etc_t:s0
:Target Objects                gshadow- [ file ]
:Source                        groupadd
:Source Path                   /usr/sbin/groupadd
:Port                          <Unknown>
:Host                          (removed)
:Source RPM Packages           shadow-utils-4.1.5-4.fc17.x86_64
:Target RPM Packages           
:Policy RPM                    selinux-policy-3.10.0-156.fc17.noarch
:Selinux Enabled               True
:Policy Type                   targeted
:Enforcing Mode                Enforcing
:Host Name                     (removed)
:Platform                      Linux (removed) 3.6.6-1.fc17.x86_64 #1 SMP Mon Nov
:                              5 21:59:35 UTC 2012 x86_64 x86_64
:Alert Count                   13
:First Seen                    2012-11-10 15:44:33 GMT
:Last Seen                     2012-11-10 15:45:47 GMT
:Local ID                      88bd1049-48ce-421b-aab3-0318b604a732
:
:Raw Audit Messages
:type=AVC msg=audit(1352562347.924:987): avc:  denied  { write } for  pid=13237 comm="groupadd" name="gshadow-" dev="loop0" ino=280675 scontext=unconfined_u:system_r:groupadd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:etc_t:s0 tclass=file
:
:
:type=SYSCALL msg=audit(1352562347.924:987): arch=x86_64 syscall=open success=no exit=EACCES a0=7fff8b6b6910 a1=241 a2=1b6 a3=238 items=0 ppid=13219 pid=13237 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=2 comm=groupadd exe=/usr/sbin/groupadd subj=unconfined_u:system_r:groupadd_t:s0-s0:c0.c1023 key=(null)
:
:Hash: groupadd,groupadd_t,etc_t,file,write
:
:audit2allow
:
:#============= groupadd_t ==============
:allow groupadd_t etc_t:file write;
:
:audit2allow -R
:
:#============= groupadd_t ==============
:allow groupadd_t etc_t:file write;
:

Comment 1 James Heather 2012-11-10 22:04:20 UTC
Created attachment 642376
File: type

Comment 2 James Heather 2012-11-10 22:04:22 UTC
Created attachment 642377
File: hashmarkername

Comment 3 Miroslav Grepl 2012-11-12 08:49:33 UTC
/etc/gshadow- is mislabeled.

# restorecon -R -v /etc/gshadow-

will fix.

Although we would like to know how it got this labeling. Could you reopen the bug if you get it again? Or are you able to reproduce it? Thank you.
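As an added illustration (not part of the bug report, abrt or setroubleshoot), the following Python parses the raw AVC record quoted above and applies the same reasoning as the closing comment: if the target file is a known shadow-utils file carrying a type other than the one the policy assigns it, the right fix is a relabel with restorecon, not a local audit2allow module. The expected-type table is an assumption about the targeted policy's defaults, and the name field is only a basename, so the table also supplies the full path.

```python
import re

# Constructed sample: the raw AVC message from the report above, reproduced verbatim.
AVC_LINE = (
    'type=AVC msg=audit(1352562347.924:987): avc:  denied  { write } for  pid=13237 '
    'comm="groupadd" name="gshadow-" dev="loop0" ino=280675 '
    'scontext=unconfined_u:system_r:groupadd_t:s0-s0:c0.c1023 '
    'tcontext=unconfined_u:object_r:etc_t:s0 tclass=file'
)

# Assumption: labels the targeted policy assigns to the shadow-utils files in /etc
# (check on a live system with `matchpathcon /etc/gshadow-`).
EXPECTED = {
    "shadow": ("/etc/shadow", "shadow_t"),
    "shadow-": ("/etc/shadow-", "shadow_t"),
    "gshadow": ("/etc/gshadow", "shadow_t"),
    "gshadow-": ("/etc/gshadow-", "shadow_t"),
}

def parse_avc(line):
    """Split one type=AVC audit record into the fields triage needs, or None."""
    m = re.search(r"avc:\s+(denied|granted)\s+\{([^}]*)\}", line)
    if not m:
        return None
    # key=value pairs; values are quoted (comm, name) or bare (contexts, tclass)
    fields = {k: v.strip('"') for k, v in re.findall(r'(\w+)=("[^"]*"|\S+)', line)}
    return {
        "decision": m.group(1),
        "perms": m.group(2).split(),
        "comm": fields.get("comm"),
        "name": fields.get("name"),  # basename only, as the kernel logs it
        "stype": fields["scontext"].split(":")[2],  # user:role:TYPE:level
        "ttype": fields["tcontext"].split(":")[2],
        "tclass": fields.get("tclass"),
    }

def triage(avc):
    """('mislabel', path, expected_type) when a known file carries the wrong type,
    otherwise ('policy', None, None): the access rule itself is missing."""
    path, want = EXPECTED.get(avc.get("name"), (None, None))
    if want and want != avc["ttype"]:
        return ("mislabel", path, want)
    return ("policy", None, None)

def recommend(avc):
    """Corrective step: relabel for a mislabel, otherwise report the missing rule."""
    kind, path, want = triage(avc)
    if kind == "mislabel":
        return f"restorecon -v {path}   # {avc['ttype']} -> {want}"
    return "report against selinux-policy; a local audit2allow module only masks it"
```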