Bug 1169341 - RHEL7 selinux context of /etc/passwd prevents from reading the file
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Spacewalk
Classification: Community
Component: Server
Version: 2.2
Hardware: Unspecified
OS: Unspecified
Target Milestone: ---
Assignee: Tomas Lestach
QA Contact: Red Hat Satellite QA List
URL:
Whiteboard:
Depends On:
Blocks: space28
 
Reported: 2014-12-01 11:53 UTC by Lukas Pramuk
Modified: 2018-04-20 12:22 UTC

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2017-10-18 16:08:39 UTC
Embargoed:



Description Lukas Pramuk 2014-12-01 11:53:41 UTC
Description of problem:
/etc/passwd's SELinux file context has changed from system_u:object_r:etc_t on RHEL6 to passwd_file_t on RHEL7.
This causes both oracleXE and Postgres SWnightly to fail.

Version-Release number of selected component (if applicable):
SW on RHEL7

How reproducible:
100%

Steps to Reproduce:
1. Install SW on RHEL7
2. Watch for SELinux denials

oracleXE (lsnrctl and sqlplus cannot read the file):

type=SYSCALL msg=audit(1416777658.415:913): arch=c000003e syscall=2 success=no exit=-13 a0=7f325fdaad8a a1=80000 a2=1b6 a3=0 items=0 ppid=19285 pid=19286 auid=4294967295 uid=996 gid=996 euid=996 suid=996 fsuid=996 egid=996 sgid=996 fsgid=996 tty=(none) ses=4294967295 comm="lsnrctl" exe="/u01/app/oracle/product/11.2.0/xe/bin/lsnrctl" subj=unconfined_u:system_r:oracle_lsnrctl_t:s0 key=(null)
type=AVC msg=audit(1416777658.415:913): avc:  denied  { read } for  pid=19286 comm="lsnrctl" name="passwd" dev="dm-0" ino=68056196 scontext=unconfined_u:system_r:oracle_lsnrctl_t:s0 tcontext=system_u:object_r:passwd_file_t:s0 tclass=file

type=SYSCALL msg=audit(1416777658.758:930): arch=c000003e syscall=2 success=no exit=-13 a0=7f2014bd9d8a a1=80000 a2=1b6 a3=0 items=0 ppid=19340 pid=19341 auid=4294967295 uid=996 gid=996 euid=996 suid=996 fsuid=996 egid=996 sgid=996 fsgid=996 tty=(none) ses=4294967295 comm="sqlplus" exe="/u01/app/oracle/product/11.2.0/xe/bin/sqlplus" subj=system_u:system_r:oracle_sqlplus_t:s0 key=(null)
type=AVC msg=audit(1416777658.758:930): avc:  denied  { read } for  pid=19341 comm="sqlplus" name="passwd" dev="dm-0" ino=68056196 scontext=system_u:system_r:oracle_sqlplus_t:s0 tcontext=system_u:object_r:passwd_file_t:s0 tclass=file


Postgres (osa-dispatcher cannot read the file):

type=SYSCALL msg=audit(1416432808.898:934): arch=c000003e syscall=2 success=no exit=-13 a0=7f40b861fd8a a1=80000 a2=1b6 a3=7fff3b35cb20 items=0 ppid=21314 pid=21315 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="osa-dispatcher" exe="/usr/bin/python2.7" subj=system_u:system_r:osa_dispatcher_t:s0 key=(null)
type=AVC msg=audit(1416432808.898:934): avc:  denied  { read } for  pid=21315 comm="osa-dispatcher" name="passwd" dev="dm-1" ino=69865143 scontext=system_u:system_r:osa_dispatcher_t:s0 tcontext=system_u:object_r:passwd_file_t:s0 tclass=file

Actual results:
SELinux denials, file cannot be read

Expected results:
no SELinux denials
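
Added example (not part of the bug report or of Spacewalk's code): a Python script that parses audit AVC records like the ones quoted above, groups the denials by source domain, target type and class, and renders each group as a draft allow rule for a policy author to review. The sample holds one SYSCALL and three AVC records copied from the report plus one constructed record (pid=4242); the function names are this example's own.

```python
import re
from collections import defaultdict

# Sample: one SYSCALL and three AVC records copied from the report above, plus
# one constructed record (pid=4242) that carries two permissions.
SAMPLE = '''\
type=SYSCALL msg=audit(1416777658.415:913): arch=c000003e syscall=2 success=no exit=-13 a0=7f325fdaad8a a1=80000 a2=1b6 a3=0 items=0 ppid=19285 pid=19286 auid=4294967295 uid=996 gid=996 euid=996 suid=996 fsuid=996 egid=996 sgid=996 fsgid=996 tty=(none) ses=4294967295 comm="lsnrctl" exe="/u01/app/oracle/product/11.2.0/xe/bin/lsnrctl" subj=unconfined_u:system_r:oracle_lsnrctl_t:s0 key=(null)
type=AVC msg=audit(1416777658.415:913): avc:  denied  { read } for  pid=19286 comm="lsnrctl" name="passwd" dev="dm-0" ino=68056196 scontext=unconfined_u:system_r:oracle_lsnrctl_t:s0 tcontext=system_u:object_r:passwd_file_t:s0 tclass=file
type=AVC msg=audit(1416777658.758:930): avc:  denied  { read } for  pid=19341 comm="sqlplus" name="passwd" dev="dm-0" ino=68056196 scontext=system_u:system_r:oracle_sqlplus_t:s0 tcontext=system_u:object_r:passwd_file_t:s0 tclass=file
type=AVC msg=audit(1416432808.898:934): avc:  denied  { read } for  pid=21315 comm="osa-dispatcher" name="passwd" dev="dm-1" ino=69865143 scontext=system_u:system_r:osa_dispatcher_t:s0 tcontext=system_u:object_r:passwd_file_t:s0 tclass=file
type=AVC msg=audit(1416432809.000:999): avc:  denied  { open getattr } for  pid=4242 comm="osa-dispatcher" path="/etc/passwd" dev="dm-1" ino=69865143 scontext=system_u:system_r:osa_dispatcher_t:s0 tcontext=system_u:object_r:passwd_file_t:s0 tclass=file
'''

AVC_RE = re.compile(r'type=AVC .*?avc:\s+denied\s+\{([^}]*)\}\s+for\s+(.*)')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    """Return the fields of one AVC denial, or None for any other record."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group(2))}
    ctxs = [fields.get(k, "").split(":") for k in ("scontext", "tcontext")]
    if "tclass" not in fields or any(len(c) < 3 for c in ctxs):
        return None  # malformed or truncated record
    # A context is user:role:type:level; the level may itself contain colons.
    fields["source_type"], fields["target_type"] = ctxs[0][2], ctxs[1][2]
    fields["perms"] = m.group(1).split()
    return fields

def summarize(log_text):
    """Map (source type, target type, class) to denied permissions and commands."""
    groups = defaultdict(lambda: {"perms": set(), "comms": set()})
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec:
            key = (rec["source_type"], rec["target_type"], rec["tclass"])
            groups[key]["perms"].update(rec["perms"])
            groups[key]["comms"].add(rec.get("comm", "?"))
    return dict(groups)

def draft_rules(groups):
    """Render each group as a type-enforcement rule for a policy author to review."""
    return [f"allow {s} {t}:{c} {{ {' '.join(sorted(g['perms']))} }};"
            for (s, t, c), g in sorted(groups.items())]

if __name__ == "__main__":
    for rule in draft_rules(summarize(SAMPLE)):
        print(rule)
```

Every group in the output targets `passwd_file_t`, which is the relabelling the report describes; the rules are drafts to review against the domain's intended access, not policy to load as-is.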

Comment 1 Jan Pazdziora 2014-12-08 09:51:39 UTC
The /etc/passwd had type passwd_file_t for some time on Fedora -- Fedora 18 has it too. What has changed (against Fedoras) that it started to cause issues now, in RHEL 7?

Comment 2 Jan Pazdziora 2017-10-18 08:03:29 UTC
Is this still an issue at all?

Comment 3 Tomas Lestach 2017-10-18 16:08:39 UTC
I believe this issue has been solved in the meantime. I'm closing the BZ CURRENTRELEASE.

