Bug 1243458 - Policy for command setting root/administrator account password
Summary: Policy for command setting root/administrator account password
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: selinux-policy
Version: 7.2
Hardware: All
OS: Linux
Priority: unspecified
Severity: unspecified
Target Milestone: rc
Target Release: ---
Assignee: Lukas Vrabec
QA Contact: Milos Malik
URL:
Whiteboard:
Depends On:
Blocks: 1174176 1243459
 
Reported: 2015-07-15 13:23 UTC by Marc-Andre Lureau
Modified: 2015-11-19 10:40 UTC
CC List: 8 users

Fixed In Version: selinux-policy-3.13.1-36.el7
Doc Type: Bug Fix
Doc Text:
Clone Of:
Clones: 1243459
Environment:
Last Closed: 2015-11-19 10:40:40 UTC
Target Upstream Version:
Embargoed:




Links
System: Red Hat Product Errata
ID: RHBA-2015:2300
Private: 0
Priority: normal
Status: SHIPPED_LIVE
Summary: selinux-policy bug fix update
Last Updated: 2015-11-19 09:55:26 UTC

Description Marc-Andre Lureau 2015-07-15 13:23:40 UTC
Description of problem:

qemu-ga set password command fails with SELinux enforcing:

type=AVC msg=audit(1431952168.903:567): avc:  denied  { write } for  pid=2097 comm="chpasswd" name=".pwd.lock" dev="vda1" ino=33595649 scontext=system_u:system_r:virt_qemu_ga_t:s0 tcontext=system_u:object_r:passwd_file_t:s0 tclass=file permissive=0

Comment 2 Milos Malik 2015-07-15 14:02:57 UTC
Could you re-run the scenario in permissive mode and collect SELinux denials?

# ausearch -m avc -m user_avc -m selinux_err -i -ts recent

Comment 3 Marc-Andre Lureau 2015-07-15 14:10:59 UTC
I think this is it:

type=SYSCALL msg=audit(07/15/2015 10:07:40.206:404) : arch=x86_64 syscall=open success=yes exit=3 a0=0x7fcb807290dd a1=O_WRONLY|O_CREAT|O_CLOEXEC a2=0600 a3=0x1 items=0 ppid=3562 pid=3683 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=chpasswd exe=/usr/sbin/chpasswd subj=system_u:system_r:virt_qemu_ga_t:s0 key=(null) 
type=AVC msg=audit(07/15/2015 10:07:40.206:404) : avc:  denied  { write } for  pid=3683 comm=chpasswd name=.pwd.lock dev="dm-1" ino=134688785 scontext=system_u:system_r:virt_qemu_ga_t:s0 tcontext=system_u:object_r:passwd_file_t:s0 tclass=file 
----
type=SYSCALL msg=audit(07/15/2015 10:07:40.206:405) : arch=x86_64 syscall=open success=yes exit=4 a0=0x7fff385192b0 a1=O_WRONLY|O_CREAT|O_EXCL a2=0600 a3=0xb items=0 ppid=3562 pid=3683 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=chpasswd exe=/usr/sbin/chpasswd subj=system_u:system_r:virt_qemu_ga_t:s0 key=(null) 
type=AVC msg=audit(07/15/2015 10:07:40.206:405) : avc:  denied  { write } for  pid=3683 comm=chpasswd path=/etc/passwd.3683 dev="dm-1" ino=135973408 scontext=system_u:system_r:virt_qemu_ga_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file 
type=AVC msg=audit(07/15/2015 10:07:40.206:405) : avc:  denied  { create } for  pid=3683 comm=chpasswd name=passwd.3683 scontext=system_u:system_r:virt_qemu_ga_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file 
type=AVC msg=audit(07/15/2015 10:07:40.206:405) : avc:  denied  { add_name } for  pid=3683 comm=chpasswd name=passwd.3683 scontext=system_u:system_r:virt_qemu_ga_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=dir 
type=AVC msg=audit(07/15/2015 10:07:40.206:405) : avc:  denied  { write } for  pid=3683 comm=chpasswd name=etc dev="dm-1" ino=134320257 scontext=system_u:system_r:virt_qemu_ga_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=dir 
----
type=SYSCALL msg=audit(07/15/2015 10:07:40.207:406) : arch=x86_64 syscall=link success=yes exit=0 a0=0x7fff385192b0 a1=0x7fff385196b0 a2=0x5 a3=0x0 items=0 ppid=3562 pid=3683 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=chpasswd exe=/usr/sbin/chpasswd subj=system_u:system_r:virt_qemu_ga_t:s0 key=(null) 
type=AVC msg=audit(07/15/2015 10:07:40.207:406) : avc:  denied  { link } for  pid=3683 comm=chpasswd name=passwd.3683 dev="dm-1" ino=135973408 scontext=system_u:system_r:virt_qemu_ga_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file 
----
type=SYSCALL msg=audit(07/15/2015 10:07:40.207:407) : arch=x86_64 syscall=unlink success=yes exit=0 a0=0x7fff385192b0 a1=0x7fff385191c0 a2=0x1 a3=0x0 items=0 ppid=3562 pid=3683 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=chpasswd exe=/usr/sbin/chpasswd subj=system_u:system_r:virt_qemu_ga_t:s0 key=(null) 
type=AVC msg=audit(07/15/2015 10:07:40.207:407) : avc:  denied  { unlink } for  pid=3683 comm=chpasswd name=passwd.3683 dev="dm-1" ino=135973408 scontext=system_u:system_r:virt_qemu_ga_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file 
type=AVC msg=audit(07/15/2015 10:07:40.207:407) : avc:  denied  { remove_name } for  pid=3683 comm=chpasswd name=passwd.3683 dev="dm-1" ino=135973408 scontext=system_u:system_r:virt_qemu_ga_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=dir 
----
type=SYSCALL msg=audit(07/15/2015 10:07:40.207:408) : arch=x86_64 syscall=open success=yes exit=6 a0=0x7fcb811f8a00 a1=O_RDWR|O_NOCTTY|O_NONBLOCK|O_NOFOLLOW a2=0x0 a3=0x0 items=0 ppid=3562 pid=3683 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=chpasswd exe=/usr/sbin/chpasswd subj=system_u:system_r:virt_qemu_ga_t:s0 key=(null) 
type=AVC msg=audit(07/15/2015 10:07:40.207:408) : avc:  denied  { open } for  pid=3683 comm=chpasswd path=/etc/shadow dev="dm-1" ino=136675055 scontext=system_u:system_r:virt_qemu_ga_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file 
type=AVC msg=audit(07/15/2015 10:07:40.207:408) : avc:  denied  { read write } for  pid=3683 comm=chpasswd name=shadow dev="dm-1" ino=136675055 scontext=system_u:system_r:virt_qemu_ga_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file 
type=AVC msg=audit(07/15/2015 10:07:40.207:408) : avc:  denied  { dac_override } for  pid=3683 comm=chpasswd capability=dac_override  scontext=system_u:system_r:virt_qemu_ga_t:s0 tcontext=system_u:system_r:virt_qemu_ga_t:s0 tclass=capability 
----
type=SYSCALL msg=audit(07/15/2015 10:07:40.207:409) : arch=x86_64 syscall=fstat success=yes exit=0 a0=0x6 a1=0x7fff38519950 a2=0x7fff38519950 a3=0x0 items=0 ppid=3562 pid=3683 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=chpasswd exe=/usr/sbin/chpasswd subj=system_u:system_r:virt_qemu_ga_t:s0 key=(null) 
type=AVC msg=audit(07/15/2015 10:07:40.207:409) : avc:  denied  { getattr } for  pid=3683 comm=chpasswd path=/etc/shadow dev="dm-1" ino=136675055 scontext=system_u:system_r:virt_qemu_ga_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file 
----
type=SYSCALL msg=audit(07/15/2015 10:07:40.225:410) : arch=x86_64 syscall=fchown success=yes exit=0 a0=0x7 a1=0x0 a2=0x0 a3=0x1 items=0 ppid=3562 pid=3683 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=chpasswd exe=/usr/sbin/chpasswd subj=system_u:system_r:virt_qemu_ga_t:s0 key=(null) 
type=AVC msg=audit(07/15/2015 10:07:40.225:410) : avc:  denied  { setattr } for  pid=3683 comm=chpasswd name=shadow- dev="dm-1" ino=134934467 scontext=system_u:system_r:virt_qemu_ga_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file 
----
type=SYSCALL msg=audit(07/15/2015 10:07:40.259:411) : arch=x86_64 syscall=open success=yes exit=6 a0=0x7fff385196d0 a1=O_WRONLY|O_CREAT|O_TRUNC a2=0666 a3=0x6165726373662f72 items=0 ppid=3562 pid=3683 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=chpasswd exe=/usr/sbin/chpasswd subj=system_u:system_r:virt_qemu_ga_t:s0 key=(null) 
type=AVC msg=audit(07/15/2015 10:07:40.259:411) : avc:  denied  { create } for  pid=3683 comm=chpasswd name=shadow+ scontext=system_u:system_r:virt_qemu_ga_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file 
----
type=SYSCALL msg=audit(07/15/2015 10:07:40.277:412) : arch=x86_64 syscall=rename success=yes exit=0 a0=0x7fff385196d0 a1=0x7fcb811f8a00 a2=0x7fff38519640 a3=0x0 items=0 ppid=3562 pid=3683 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=chpasswd exe=/usr/sbin/chpasswd subj=system_u:system_r:virt_qemu_ga_t:s0 key=(null) 
type=AVC msg=audit(07/15/2015 10:07:40.277:412) : avc:  denied  { unlink } for  pid=3683 comm=chpasswd name=shadow dev="dm-1" ino=136675055 scontext=system_u:system_r:virt_qemu_ga_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file 
type=AVC msg=audit(07/15/2015 10:07:40.277:412) : avc:  denied  { rename } for  pid=3683 comm=chpasswd name=shadow+ dev="dm-1" ino=135973410 scontext=system_u:system_r:virt_qemu_ga_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file
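
The denial list above is long enough that it helps to see it the way a policy reviewer does: grouped into the allow rules a naive audit2allow run would emit, with the rules that would hand virt_qemu_ga_t direct access to /etc/shadow and /etc/passwd singled out. The script below is an added illustration, not code from this report or from selinux-policy; it reads a constructed subset of the ausearch -i records quoted in comment 3 (embedded inline), and the CREDENTIAL_TYPES set and the "transition instead of allow" heuristic are my own, not anything audit2allow implements.

```python
"""Triage SELinux AVC denials: group them into the allow rules a naive
audit2allow run would emit, and flag those that would give the source
domain credential-file access, i.e. the cases where the better fix is a
domain transition into the domain that already owns those files
(passwd_t for chpasswd) rather than widening virt_qemu_ga_t."""
import re
from collections import defaultdict

# Constructed sample input: seven of the ausearch -i records quoted in comment 3.
SAMPLE_AVCS = """\
type=AVC msg=audit(07/15/2015 10:07:40.206:404) : avc:  denied  { write } for  pid=3683 comm=chpasswd name=.pwd.lock dev="dm-1" ino=134688785 scontext=system_u:system_r:virt_qemu_ga_t:s0 tcontext=system_u:object_r:passwd_file_t:s0 tclass=file
type=AVC msg=audit(07/15/2015 10:07:40.206:405) : avc:  denied  { write } for  pid=3683 comm=chpasswd path=/etc/passwd.3683 dev="dm-1" ino=135973408 scontext=system_u:system_r:virt_qemu_ga_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file
type=AVC msg=audit(07/15/2015 10:07:40.206:405) : avc:  denied  { create } for  pid=3683 comm=chpasswd name=passwd.3683 scontext=system_u:system_r:virt_qemu_ga_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file
type=AVC msg=audit(07/15/2015 10:07:40.207:408) : avc:  denied  { open } for  pid=3683 comm=chpasswd path=/etc/shadow dev="dm-1" ino=136675055 scontext=system_u:system_r:virt_qemu_ga_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file
type=AVC msg=audit(07/15/2015 10:07:40.207:408) : avc:  denied  { read write } for  pid=3683 comm=chpasswd name=shadow dev="dm-1" ino=136675055 scontext=system_u:system_r:virt_qemu_ga_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file
type=AVC msg=audit(07/15/2015 10:07:40.207:408) : avc:  denied  { dac_override } for  pid=3683 comm=chpasswd capability=dac_override  scontext=system_u:system_r:virt_qemu_ga_t:s0 tcontext=system_u:system_r:virt_qemu_ga_t:s0 tclass=capability
type=AVC msg=audit(07/15/2015 10:07:40.277:412) : avc:  denied  { unlink } for  pid=3683 comm=chpasswd name=shadow dev="dm-1" ino=136675055 scontext=system_u:system_r:virt_qemu_ga_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file
"""

# Matches the permission set and the three context fields of one AVC record.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)

# Heuristic (mine, not audit2allow's): target types that an unrelated domain
# should never simply be allowed to touch; the owning domain should do it.
CREDENTIAL_TYPES = {"shadow_t", "passwd_file_t"}


def context_type(ctx):
    """user:role:type[:level] -> type."""
    return ctx.split(":")[2]


def parse_avcs(text):
    """Return a list of (source_type, target_type, tclass, perms) per denied record."""
    out = []
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # SYSCALL records and '----' separators carry no AVC
        out.append((context_type(m["scontext"]), context_type(m["tcontext"]),
                    m["tclass"], m["perms"].split()))
    return out


def summarize(denials):
    """Group permissions by (source, target, class), as audit2allow would."""
    summary = defaultdict(set)
    for stype, ttype, tclass, perms in denials:
        summary[(stype, ttype, tclass)].update(perms)
    return {k: sorted(v) for k, v in summary.items()}


def naive_allow_rules(summary):
    """Render the rules a blanket 'allow everything that was denied' would add."""
    return ["allow %s %s:%s { %s };" % (s, t, c, " ".join(p))
            for (s, t, c), p in sorted(summary.items())]


def needs_domain_transition(summary):
    """Keys whose blanket allow would grant credential-file access or a new
    capability to the source domain; fix these with a transition instead."""
    return sorted(k for k in summary
                  if k[1] in CREDENTIAL_TYPES or k[2] == "capability")


if __name__ == "__main__":
    summary = summarize(parse_avcs(SAMPLE_AVCS))
    for rule in naive_allow_rules(summary):
        print(rule)
    for key in needs_domain_transition(summary):
        print("transition instead of allow:", key)
```

Run against the sample, three of the four grouped rules are flagged: direct read/write/unlink on shadow_t, write on passwd_file_t, and a new dac_override capability for virt_qemu_ga_t. That is the picture that motivates the fix chosen later in this report (label chpasswd as passwd_exec_t and let virt_qemu_ga_t transition to passwd_t) rather than granting those permissions to the guest agent's own domain.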

Comment 5 Miroslav Grepl 2015-07-29 07:34:01 UTC
Lukas,
could you check it?

It looks like we need to add labeling for chpasswd and allow virt_qemu_ga_t to have a transition to passwd_t.

Comment 6 Miroslav Grepl 2015-07-29 07:44:12 UTC
Marc-Andre,
could you re-test it with

# cat mypol.te
policy_module(mypol,1.0)

require{
 type virt_qemu_ga_t;
}

usermanage_domtrans_passwd(virt_qemu_ga_t)


and run

# yum install selinux-policy-devel
# make -f /usr/share/selinux/devel/Makefile mypol.pp
# semodule -i mypol.pp
# chcon -t passwd_exec_t /usr/sbin/chpasswd

and re-test it? Thank you.

Comment 7 Marc-Andre Lureau 2015-07-29 09:29:49 UTC
(In reply to Miroslav Grepl from comment #6)
> Marc-Andre,
> could you re-test it with
...
> and re-test it? Thank you.

It works!

Comment 8 Lukas Vrabec 2015-07-29 09:58:29 UTC
commit 21687562873180d347ff6a29e727e1e7d86437b7
Author: Lukas Vrabec <lvrabec>
Date:   Wed Jul 29 11:52:14 2015 +0200

    Label /usr/sbin/chpasswd as passwd_exec_t.

commit cd857dfac06f08ac5e82b155c137e08f4a437b30
Author: Lukas Vrabec <lvrabec>
Date:   Wed Jul 29 11:54:26 2015 +0200

    Allow virt_qemu_ga_t domtrans to passwd_t.

Comment 9 Miroslav Grepl 2015-07-29 10:48:31 UTC
Great. Thank you for testing.

Comment 13 Miroslav Vadkerti 2015-10-05 14:46:34 UTC
Moving back to correct state

Comment 15 errata-xmlrpc 2015-11-19 10:40:40 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2015-2300.html

