
Bug 1039089

Summary: SELinux policy prevents console/gdm (local_login_t/xdm_t) from updating expired passwords
Product: Red Hat Enterprise Linux 6
Reporter: ross tyler <retyler>
Component: selinux-policy
Assignee: Miroslav Grepl <mgrepl>
Status: CLOSED ERRATA
QA Contact: Milos Malik <mmalik>
Severity: medium
Priority: medium
Version: 6.5
CC: dwalsh, ksrot, mgrepl, mmalik, retyler, ssekidde, tmraz
Target Milestone: rc
Hardware: All
OS: Linux
Fixed In Version: selinux-policy-3.7.19-256.el6
Doc Type: Bug Fix
Last Closed: 2014-10-14 07:58:20 UTC
Type: Bug

Description ross tyler 2013-12-06 15:05:27 UTC
Description of problem:
SELinux policy prevents console/gdm (local_login_t/xdm_t) from updating expired passwords

Version-Release number of selected component (if applicable):
3.7.19-231

How reproducible:


Steps to Reproduce:
1. Expire password for a local UNIX user by changing the date of last password change field in shadow(5) to 0 and setting the maximum password age to 1.
2. Login from the serial/graphics console (using agetty/mingetty + login) or from a GDM managed desktop.
3. Enter new password

Actual results:
Failure

Expected results:
Success

Additional info:

Abbreviated AVC /var/log/audit/audit.log entries generated when SELinux is temporarily placed in Permissive mode.

tail -f /var/log/audit/audit.log | grep AVC > $event.log
setenforce 0
#! console login (login) or gdm login (xdm) event
setenforce 1
#! tidy up $event.log for presentation below

---- login.log

type=AVC avc: denied  { write		} scontext=system_u:system_r:local_login_t	tcontext=system_u:object_r:shadow_t	tclass=file
type=AVC avc: denied  { write		} scontext=system_u:system_r:local_login_t	tcontext=system_u:object_r:etc_t	tclass=dir
type=AVC avc: denied  { add_name	} scontext=system_u:system_r:local_login_t	tcontext=system_u:object_r:etc_t	tclass=dir
type=AVC avc: denied  { create		} scontext=system_u:system_r:local_login_t	tcontext=system_u:object_r:etc_t	tclass=file
type=AVC avc: denied  { write		} scontext=system_u:system_r:local_login_t	tcontext=system_u:object_r:etc_t	tclass=file
type=AVC avc: denied  { setattr		} scontext=system_u:system_r:local_login_t	tcontext=system_u:object_r:etc_t	tclass=file
type=AVC avc: denied  { remove_name	} scontext=system_u:system_r:local_login_t	tcontext=system_u:object_r:etc_t	tclass=dir
type=AVC avc: denied  { rename		} scontext=system_u:system_r:local_login_t	tcontext=system_u:object_r:etc_t	tclass=file
type=AVC avc: denied  { unlink		} scontext=system_u:system_r:local_login_t	tcontext=system_u:object_r:etc_t	tclass=file
type=AVC avc: denied  { create		} scontext=system_u:system_r:local_login_t	tcontext=system_u:object_r:shadow_t	tclass=file
type=AVC avc: denied  { setattr		} scontext=system_u:system_r:local_login_t	tcontext=system_u:object_r:shadow_t	tclass=file
type=AVC avc: denied  { rename		} scontext=system_u:system_r:local_login_t	tcontext=system_u:object_r:shadow_t	tclass=file
type=AVC avc: denied  { unlink		} scontext=system_u:system_r:local_login_t	tcontext=system_u:object_r:shadow_t	tclass=file

---- xdm.log

type=AVC avc: denied  { module_request	} scontext=system_u:system_r:xdm_t	tcontext=system_u:system_r:kernel_t	tclass=system
type=AVC avc: denied  { write		} scontext=system_u:system_r:xdm_t	tcontext=system_u:object_r:shadow_t	tclass=file
type=AVC avc: denied  { add_name	} scontext=system_u:system_r:xdm_t	tcontext=system_u:object_r:etc_t	tclass=dir
type=AVC avc: denied  { create		} scontext=system_u:system_r:xdm_t	tcontext=system_u:object_r:etc_t	tclass=file
type=AVC avc: denied  { write		} scontext=system_u:system_r:xdm_t	tcontext=system_u:object_r:etc_t	tclass=file
type=AVC avc: denied  { setattr		} scontext=system_u:system_r:xdm_t	tcontext=system_u:object_r:etc_t	tclass=file
type=AVC avc: denied  { remove_name	} scontext=system_u:system_r:xdm_t	tcontext=system_u:object_r:etc_t	tclass=dir
type=AVC avc: denied  { rename		} scontext=system_u:system_r:xdm_t	tcontext=system_u:object_r:etc_t	tclass=file
type=AVC avc: denied  { unlink		} scontext=system_u:system_r:xdm_t	tcontext=system_u:object_r:shadow_t	tclass=file
type=AVC avc: denied  { create		} scontext=system_u:system_r:xdm_t	tcontext=system_u:object_r:shadow_t	tclass=file
type=AVC avc: denied  { setattr		} scontext=system_u:system_r:xdm_t	tcontext=system_u:object_r:shadow_t	tclass=file
type=AVC avc: denied  { rename		} scontext=system_u:system_r:xdm_t	tcontext=system_u:object_r:shadow_t	tclass=file

----

Resultant SELinux Type Enforcement files generated from audit2allow

audit2allow -M login < login.log
audit2allow -M xdm   < xdm.log

---- login.te

module login 1.0;

require {
	type etc_t;
	type local_login_t;
	type shadow_t;
	class dir { write remove_name add_name };
	class file { rename setattr create write unlink };
}

#============= local_login_t ==============
#!!!! The source type 'local_login_t' can write to a 'dir' of the following types:
# faillog_t, pam_var_run_t, pcscd_var_run_t, pam_var_console_t, local_login_tmp_t, var_lock_t, tmp_t, var_auth_t, var_t, auth_cache_t, cluster_var_lib_t, cluster_var_run_t, root_t, krb5_host_rcache_t, cluster_conf_t, tmp_t

allow local_login_t etc_t:dir { write remove_name add_name };
allow local_login_t etc_t:file { write rename create unlink setattr };
allow local_login_t shadow_t:file { write rename create unlink setattr };

---- xdm.te

module xdm 1.0;

require {
	type kernel_t;
	type etc_t;
	type xdm_t;
	type shadow_t;
	class dir { remove_name add_name };
	class system module_request;
	class file { rename setattr create write unlink };
}

#============= xdm_t ==============
allow xdm_t etc_t:dir { remove_name add_name };
allow xdm_t etc_t:file { write rename create setattr };

#!!!! This avc can be allowed using the boolean 'domain_kernel_load_modules'
allow xdm_t kernel_t:system module_request;
allow xdm_t shadow_t:file { write rename create unlink setattr };

----

Correct SELinux policy by installing the SELinux Policy Packages generated from audit2allow

semodule -i login.pp
semodule -i xdm.pp

Comment 1 Miroslav Grepl 2013-12-09 10:17:06 UTC
Could you please attach full raw AVC msgs?

Comment 2 ross tyler 2013-12-09 17:56:03 UTC
---- xdm.log, raw AVC msgs

type=AVC msg=audit(1386277488.649:2763): avc:  denied  { module_request } for  pid=25348 comm="canberra-gtk-pl" kmod="net-pf-10" scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:system_r:kernel_t:s0 tclass=system
type=AVC msg=audit(1386277511.102:2814): avc:  denied  { write } for  pid=25359 comm="gdm-session-wor" name=".pwd.lock" dev=dm-0 ino=132229 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:shadow_t:s0 tclass=file
type=AVC msg=audit(1386277511.129:2817): avc:  denied  { add_name } for  pid=25359 comm="gdm-session-wor" name="nopasswd" scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:etc_t:s0 tclass=dir
type=AVC msg=audit(1386277511.129:2817): avc:  denied  { create } for  pid=25359 comm="gdm-session-wor" name="nopasswd" scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:etc_t:s0 tclass=file
type=AVC msg=audit(1386277511.129:2817): avc:  denied  { write } for  pid=25359 comm="gdm-session-wor" name="nopasswd" dev=dm-0 ino=153170 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:etc_t:s0 tclass=file
type=AVC msg=audit(1386277511.129:2818): avc:  denied  { setattr } for  pid=25359 comm="gdm-session-wor" name="nopasswd" dev=dm-0 ino=153170 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:etc_t:s0 tclass=file
type=AVC msg=audit(1386277511.130:2820): avc:  denied  { remove_name } for  pid=25359 comm="gdm-session-wor" name="nopasswd" dev=dm-0 ino=153170 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:etc_t:s0 tclass=dir
type=AVC msg=audit(1386277511.130:2820): avc:  denied  { rename } for  pid=25359 comm="gdm-session-wor" name="nopasswd" dev=dm-0 ino=153170 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:etc_t:s0 tclass=file
type=AVC msg=audit(1386277511.130:2820): avc:  denied  { unlink } for  pid=25359 comm="gdm-session-wor" name="opasswd" dev=dm-0 ino=136472 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:shadow_t:s0 tclass=file
type=AVC msg=audit(1386277511.131:2822): avc:  denied  { create } for  pid=25359 comm="gdm-session-wor" name="nshadow" scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:shadow_t:s0 tclass=file
type=AVC msg=audit(1386277511.133:2823): avc:  denied  { setattr } for  pid=25359 comm="gdm-session-wor" name="nshadow" dev=dm-0 ino=136472 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:shadow_t:s0 tclass=file
type=AVC msg=audit(1386277511.134:2825): avc:  denied  { rename } for  pid=25359 comm="gdm-session-wor" name="nshadow" dev=dm-0 ino=136472 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:shadow_t:s0 tclass=file

Comment 3 ross tyler 2013-12-09 18:02:23 UTC
---- login.log, raw AVC msgs

type=AVC msg=audit(1386274939.765:3165): avc:  denied  { write } for  pid=3766 comm="login" name=".pwd.lock" dev="dm-0" ino=131657 scontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tcontext=system_u:object_r:shadow_t:s0 tclass=file
type=AVC msg=audit(1386274939.789:3168): avc:  denied  { write } for  pid=3766 comm="login" name="security" dev="dm-0" ino=135786 scontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tcontext=system_u:object_r:etc_t:s0 tclass=dir
type=AVC msg=audit(1386274939.789:3168): avc:  denied  { add_name } for  pid=3766 comm="login" name="nopasswd" scontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tcontext=system_u:object_r:etc_t:s0 tclass=dir
type=AVC msg=audit(1386274939.789:3168): avc:  denied  { create } for  pid=3766 comm="login" name="nopasswd" scontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tcontext=system_u:object_r:etc_t:s0 tclass=file
type=AVC msg=audit(1386274939.789:3168): avc:  denied  { write } for  pid=3766 comm="login" path="/etc/security/nopasswd" dev="dm-0" ino=135800 scontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tcontext=system_u:object_r:etc_t:s0 tclass=file
type=AVC msg=audit(1386274939.789:3169): avc:  denied  { setattr } for  pid=3766 comm="login" name="nopasswd" dev="dm-0" ino=135800 scontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tcontext=system_u:object_r:etc_t:s0 tclass=file
type=AVC msg=audit(1386274940.087:3171): avc:  denied  { remove_name } for  pid=3766 comm="login" name="nopasswd" dev="dm-0" ino=135800 scontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tcontext=system_u:object_r:etc_t:s0 tclass=dir
type=AVC msg=audit(1386274940.087:3171): avc:  denied  { rename } for  pid=3766 comm="login" name="nopasswd" dev="dm-0" ino=135800 scontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tcontext=system_u:object_r:etc_t:s0 tclass=file
type=AVC msg=audit(1386274940.087:3171): avc:  denied  { unlink } for  pid=3766 comm="login" name="opasswd" dev="dm-0" ino=141084 scontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tcontext=system_u:object_r:etc_t:s0 tclass=file
type=AVC msg=audit(1386274940.087:3173): avc:  denied  { create } for  pid=3766 comm="login" name="nshadow" scontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tcontext=system_u:object_r:shadow_t:s0 tclass=file
type=AVC msg=audit(1386274940.088:3174): avc:  denied  { setattr } for  pid=3766 comm="login" name="nshadow" dev="dm-0" ino=141084 scontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tcontext=system_u:object_r:shadow_t:s0 tclass=file
type=AVC msg=audit(1386274940.189:3176): avc:  denied  { rename } for  pid=3766 comm="login" name="nshadow" dev="dm-0" ino=141084 scontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tcontext=system_u:object_r:shadow_t:s0 tclass=file
type=AVC msg=audit(1386274940.189:3176): avc:  denied  { unlink } for  pid=3766 comm="login" name="shadow" dev="dm-0" ino=156119 scontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tcontext=system_u:object_r:shadow_t:s0 tclass=file

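
The raw records in comments 2 and 3 can be reduced to audit2allow-style rules while keeping the name= field that audit2allow discards. The following is an added example, not code from the bug report or from audit2allow: SAMPLE holds a few of the records quoted above, the grouping is the same (source type, target type, class) key audit2allow uses, and the shadow_t warning is this example's own check. Read this way, the same object, opasswd, shows up under etc_t in login.log and under shadow_t in xdm.log, which is the labelling question the rest of the thread turns on, and both login domains would be handed write access to shadow_t, something the reference policy reserves for the password helpers.

```python
"""Summarise raw AVC denials like audit2allow, but keep object names.

Added example; not from the bug report, audit2allow or setools. SAMPLE is
a handful of records copied from the raw logs in comments 2 and 3.
"""
import re
from collections import defaultdict

SAMPLE = """\
type=AVC msg=audit(1386274939.765:3165): avc:  denied  { write } for  pid=3766 comm="login" name=".pwd.lock" dev="dm-0" ino=131657 scontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tcontext=system_u:object_r:shadow_t:s0 tclass=file
type=AVC msg=audit(1386274939.789:3168): avc:  denied  { add_name } for  pid=3766 comm="login" name="nopasswd" scontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tcontext=system_u:object_r:etc_t:s0 tclass=dir
type=AVC msg=audit(1386274940.087:3171): avc:  denied  { unlink } for  pid=3766 comm="login" name="opasswd" dev="dm-0" ino=141084 scontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tcontext=system_u:object_r:etc_t:s0 tclass=file
type=AVC msg=audit(1386274940.189:3176): avc:  denied  { rename } for  pid=3766 comm="login" name="nshadow" dev="dm-0" ino=141084 scontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tcontext=system_u:object_r:shadow_t:s0 tclass=file
type=AVC msg=audit(1386277511.130:2820): avc:  denied  { unlink } for  pid=25359 comm="gdm-session-wor" name="opasswd" dev=dm-0 ino=136472 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:shadow_t:s0 tclass=file
type=AVC msg=audit(1386277488.649:2763): avc:  denied  { module_request } for  pid=25348 comm="canberra-gtk-pl" kmod="net-pf-10" scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:system_r:kernel_t:s0 tclass=system
"""

# Permission set, then the three fields audit2allow keys a rule on.
AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?'
    r'scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)'
)
# Generic key=value or key="value" pairs (comm, name, path, dev, ...).
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Permissions that modify a file; granting these on shadow_t to a login
# domain is the smell this report ends up being about.
SHADOW_WRITE = {'write', 'append', 'create', 'unlink', 'rename', 'setattr'}


def parse_avc(line):
    """Return a dict for one AVC denial, or None if the line is not one."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(line)}
    rec = m.groupdict()
    rec['perms'] = set(rec['perms'].split())
    rec['stype'] = rec['scontext'].split(':')[2]   # type is the 3rd field
    rec['ttype'] = rec['tcontext'].split(':')[2]
    rec['comm'] = fields.get('comm')
    rec['name'] = fields.get('name') or fields.get('path')
    return rec


def summarise(lines):
    """Group denials by (source type, target type, class).

    Each value carries the union of permissions plus the object names and
    command names seen, which audit2allow's output does not retain.
    """
    rules = defaultdict(lambda: {'perms': set(), 'names': set(), 'comms': set()})
    for line in lines:
        rec = parse_avc(line)
        if rec is None:
            continue
        r = rules[(rec['stype'], rec['ttype'], rec['tclass'])]
        r['perms'] |= rec['perms']
        if rec['name']:
            r['names'].add(rec['name'])
        if rec['comm']:
            r['comms'].add(rec['comm'])
    return dict(rules)


def allow_rules(rules):
    """Render the allow lines audit2allow would emit, in a stable order."""
    return [
        f"allow {s} {t}:{c} {{ {' '.join(sorted(r['perms']))} }};"
        for (s, t, c), r in sorted(rules.items())
    ]


def shadow_write_rules(rules):
    """Keys of rules that would let a domain modify shadow_t files."""
    return sorted(
        key for key, r in rules.items()
        if key[1] == 'shadow_t' and key[2] == 'file' and r['perms'] & SHADOW_WRITE
    )


if __name__ == '__main__':
    rules = summarise(SAMPLE.splitlines())
    for line in allow_rules(rules):
        print(line)
    for key, r in sorted(rules.items()):
        print(key, 'objects:', sorted(r['names']), 'by:', sorted(r['comms']))
    for stype, _, _ in shadow_write_rules(rules):
        print(f'WARNING: generated rule grants shadow_t writes to {stype}; '
              'route the write through the helper or fix the label instead')
```

Pipe real records in with `grep AVC /var/log/audit/audit.log` and replace SAMPLE with `sys.stdin`; the warning list is the part to read before ever running `semodule -i` on an audit2allow module.
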
Comment 4 Daniel Walsh 2013-12-11 22:05:50 UTC
Did you modify the pam stack?  It is supposed to be executing a helper app rather than the login programs doing this directly.

/usr/sbin/unix_update

Comment 5 ross tyler 2013-12-12 18:07:13 UTC
Good call.

Yes, apparently, the significant change I made to

password    sufficient    pam_unix.so

lines in /etc/pam.d/*-ac files (post authconfig --updateall)
was to add a remember= clause.

This used to work with RHEL 6.4 but broke on 6.5.
The before/after pam file content did not change between 6.4 and 6.5.
However, there was a significant change in the pam-1.1.1-17.el6.x86_64 RPM.
The SELinux type of /etc/security/opasswd was changed from etc_t to shadow_t.
Changing this back fixes the problem but the right fix would be to move all access to opasswd to the helper (/sbin/unix_update) which already has access to SELinux shadow_t types.

So, I think, this is a bug in pam_unix/unix_update.

Of course, the SELinux policy modifications mentioned above work too, but that is certainly the wrong thing to do.
My diagnosis above was thwarted because the pam_unix code only uses the helper if SELinux forces it to do so, and by suspending SELinux (making it permissive) I made pam_unix think that it could do it without its helper.

Comment 6 ross tyler 2013-12-12 19:48:14 UTC
*Additional*
Steps to Reproduce:
0a. Install pam-1.1.1-17.el6
0b. Add remember=1 to "password * pam_unix.so *" line in /etc/pam.d/system-auth-ac

Workaround:
chcon --type etc_t /etc/security/opasswd

Revert:
restorecon /etc/security/opasswd

Comment 7 Tomas Mraz 2013-12-13 08:13:43 UTC
The remember functionality of pam_unix is deprecated in upstream PAM. I'd prefer not developing it further. The SELinux policy in RHEL-6 should not change the opasswd file to shadow_t. This should have been done only in Fedora/RHEL-7 where the replacement for remember functionality - that is the pam_pwhistory module has its own pwhistory_helper for accessing shadow_t files.

Comment 9 Miroslav Grepl 2014-01-20 08:02:24 UTC
(In reply to Tomas Mraz from comment #7)
> The remember functionality of pam_unix is deprecated in upstream PAM. I'd
> prefer not developing it further. The SELinux policy in RHEL-6 should not
> change the opasswd file to shadow_t. This should have been done only in
> Fedora/RHEL-7 where the replacement for remember functionality - that is the
> pam_pwhistory module has its own pwhistory_helper for accessing shadow_t
> files.

So we should not have

/etc/security/opasswd   --      gen_context(system_u:object_r:shadow_t,s0)
/etc/security/opasswd\.old      --      gen_context(system_u:object_r:shadow_t,s0)

Comment 10 Tomas Mraz 2014-01-20 08:31:03 UTC
I'd say so. These lines should not have been added to RHEL-6 policy.

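
A host check for the combination described in comments 5 through 10, as an added example that is not part of the bug report, pam or selinux-policy: it looks for remember= on the pam_unix.so password line in /etc/pam.d/system-auth-ac, compares the on-disk label of /etc/security/opasswd with the one the loaded policy assigns it (matchpathcon), and when both point at this bug prints a persistent form of the comment 6 workaround. The `semanage fcontext` override is this example's suggestion rather than the reporter's: unlike a bare chcon it survives restorecon and a relabel, and it should be dropped again (`semanage fcontext -d`) once selinux-policy-3.7.19-256.el6 or later is installed so the policy's own file contexts apply. The two paths are defaults and can be overridden through OPASSWD and PAM_FILE.

```shell
#!/bin/sh
# Added example for bug 1039089; not from the report or the packages involved.
# Defaults match the reporter's RHEL 6 setup; override via the environment.
OPASSWD=${OPASSWD:-/etc/security/opasswd}
PAM_FILE=${PAM_FILE:-/etc/pam.d/system-auth-ac}

# Print the SELinux type (third field) of a context such as
# "system_u:object_r:shadow_t:s0".
ctx_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# Succeed if a "password" line in the given PAM file calls pam_unix.so with
# remember=, i.e. pam_unix itself will rewrite opasswd instead of the helper.
# Lines of other types (auth, account, session) are ignored.
pam_unix_remember() {
    grep -E '^[[:space:]]*password[[:space:]]' "$1" 2>/dev/null |
        grep -q 'pam_unix\.so.*remember='
}

# Compare the on-disk label of opasswd with the policy's file context.
# Needs an SELinux host with matchpathcon (libselinux-utils); returns 2 when
# that is missing, 1 when the bug's conditions are met, 0 otherwise.
check_opasswd() {
    if ! command -v matchpathcon >/dev/null 2>&1; then
        echo "matchpathcon not available; skipping label check" >&2
        return 2
    fi
    actual=$(ctx_type "$(stat -c %C "$OPASSWD")")
    expected=$(ctx_type "$(matchpathcon -n "$OPASSWD")")
    echo "$OPASSWD: on disk=$actual policy=$expected"
    if pam_unix_remember "$PAM_FILE" && [ "$expected" = shadow_t ]; then
        echo "pam_unix remember= is set and policy labels opasswd shadow_t:"
        echo "login/xdm will write opasswd directly and be denied (bug 1039089)."
        echo "Persistent workaround until selinux-policy-3.7.19-256.el6:"
        echo "  semanage fcontext -a -t etc_t '$OPASSWD' && restorecon -v '$OPASSWD'"
        echo "Remove it after updating: semanage fcontext -d '$OPASSWD'"
        return 1
    fi
    return 0
}

# Run the check only when invoked as a script with --check, so the file can
# also be sourced for its functions.
if [ "${1:-}" = --check ]; then
    check_opasswd
fi
```

Run it as `sh check_opasswd.sh --check` on the affected host; a non-zero exit means the remember= line and the shadow_t label are both present.
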
Comment 29 errata-xmlrpc 2014-10-14 07:58:20 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2014-1568.html