Description of problem: qemu-ga set password command fails with SELinux enforcing:

type=AVC msg=audit(1431952168.903:567): avc: denied { write } for pid=2097 comm="chpasswd" name=".pwd.lock" dev="vda1" ino=33595649 scontext=system_u:system_r:virt_qemu_ga_t:s0 tcontext=system_u:object_r:passwd_file_t:s0 tclass=file permissive=0
Could you re-run the scenario in permissive mode and collect SELinux denials?

# ausearch -m avc -m user_avc -m selinux_err -i -ts recent
I think this is it:

type=SYSCALL msg=audit(07/15/2015 10:07:40.206:404) : arch=x86_64 syscall=open success=yes exit=3 a0=0x7fcb807290dd a1=O_WRONLY|O_CREAT|O_CLOEXEC a2=0600 a3=0x1 items=0 ppid=3562 pid=3683 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=chpasswd exe=/usr/sbin/chpasswd subj=system_u:system_r:virt_qemu_ga_t:s0 key=(null)
type=AVC msg=audit(07/15/2015 10:07:40.206:404) : avc: denied { write } for pid=3683 comm=chpasswd name=.pwd.lock dev="dm-1" ino=134688785 scontext=system_u:system_r:virt_qemu_ga_t:s0 tcontext=system_u:object_r:passwd_file_t:s0 tclass=file
----
type=SYSCALL msg=audit(07/15/2015 10:07:40.206:405) : arch=x86_64 syscall=open success=yes exit=4 a0=0x7fff385192b0 a1=O_WRONLY|O_CREAT|O_EXCL a2=0600 a3=0xb items=0 ppid=3562 pid=3683 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=chpasswd exe=/usr/sbin/chpasswd subj=system_u:system_r:virt_qemu_ga_t:s0 key=(null)
type=AVC msg=audit(07/15/2015 10:07:40.206:405) : avc: denied { write } for pid=3683 comm=chpasswd path=/etc/passwd.3683 dev="dm-1" ino=135973408 scontext=system_u:system_r:virt_qemu_ga_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file
type=AVC msg=audit(07/15/2015 10:07:40.206:405) : avc: denied { create } for pid=3683 comm=chpasswd name=passwd.3683 scontext=system_u:system_r:virt_qemu_ga_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file
type=AVC msg=audit(07/15/2015 10:07:40.206:405) : avc: denied { add_name } for pid=3683 comm=chpasswd name=passwd.3683 scontext=system_u:system_r:virt_qemu_ga_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=dir
type=AVC msg=audit(07/15/2015 10:07:40.206:405) : avc: denied { write } for pid=3683 comm=chpasswd name=etc dev="dm-1" ino=134320257 scontext=system_u:system_r:virt_qemu_ga_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=dir
----
type=SYSCALL msg=audit(07/15/2015 10:07:40.207:406) : arch=x86_64 syscall=link success=yes exit=0 a0=0x7fff385192b0 a1=0x7fff385196b0 a2=0x5 a3=0x0 items=0 ppid=3562 pid=3683 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=chpasswd exe=/usr/sbin/chpasswd subj=system_u:system_r:virt_qemu_ga_t:s0 key=(null)
type=AVC msg=audit(07/15/2015 10:07:40.207:406) : avc: denied { link } for pid=3683 comm=chpasswd name=passwd.3683 dev="dm-1" ino=135973408 scontext=system_u:system_r:virt_qemu_ga_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file
----
type=SYSCALL msg=audit(07/15/2015 10:07:40.207:407) : arch=x86_64 syscall=unlink success=yes exit=0 a0=0x7fff385192b0 a1=0x7fff385191c0 a2=0x1 a3=0x0 items=0 ppid=3562 pid=3683 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=chpasswd exe=/usr/sbin/chpasswd subj=system_u:system_r:virt_qemu_ga_t:s0 key=(null)
type=AVC msg=audit(07/15/2015 10:07:40.207:407) : avc: denied { unlink } for pid=3683 comm=chpasswd name=passwd.3683 dev="dm-1" ino=135973408 scontext=system_u:system_r:virt_qemu_ga_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file
type=AVC msg=audit(07/15/2015 10:07:40.207:407) : avc: denied { remove_name } for pid=3683 comm=chpasswd name=passwd.3683 dev="dm-1" ino=135973408 scontext=system_u:system_r:virt_qemu_ga_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=dir
----
type=SYSCALL msg=audit(07/15/2015 10:07:40.207:408) : arch=x86_64 syscall=open success=yes exit=6 a0=0x7fcb811f8a00 a1=O_RDWR|O_NOCTTY|O_NONBLOCK|O_NOFOLLOW a2=0x0 a3=0x0 items=0 ppid=3562 pid=3683 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=chpasswd exe=/usr/sbin/chpasswd subj=system_u:system_r:virt_qemu_ga_t:s0 key=(null)
type=AVC msg=audit(07/15/2015 10:07:40.207:408) : avc: denied { open } for pid=3683 comm=chpasswd path=/etc/shadow dev="dm-1" ino=136675055 scontext=system_u:system_r:virt_qemu_ga_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file
type=AVC msg=audit(07/15/2015 10:07:40.207:408) : avc: denied { read write } for pid=3683 comm=chpasswd name=shadow dev="dm-1" ino=136675055 scontext=system_u:system_r:virt_qemu_ga_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file
type=AVC msg=audit(07/15/2015 10:07:40.207:408) : avc: denied { dac_override } for pid=3683 comm=chpasswd capability=dac_override scontext=system_u:system_r:virt_qemu_ga_t:s0 tcontext=system_u:system_r:virt_qemu_ga_t:s0 tclass=capability
----
type=SYSCALL msg=audit(07/15/2015 10:07:40.207:409) : arch=x86_64 syscall=fstat success=yes exit=0 a0=0x6 a1=0x7fff38519950 a2=0x7fff38519950 a3=0x0 items=0 ppid=3562 pid=3683 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=chpasswd exe=/usr/sbin/chpasswd subj=system_u:system_r:virt_qemu_ga_t:s0 key=(null)
type=AVC msg=audit(07/15/2015 10:07:40.207:409) : avc: denied { getattr } for pid=3683 comm=chpasswd path=/etc/shadow dev="dm-1" ino=136675055 scontext=system_u:system_r:virt_qemu_ga_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file
----
type=SYSCALL msg=audit(07/15/2015 10:07:40.225:410) : arch=x86_64 syscall=fchown success=yes exit=0 a0=0x7 a1=0x0 a2=0x0 a3=0x1 items=0 ppid=3562 pid=3683 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=chpasswd exe=/usr/sbin/chpasswd subj=system_u:system_r:virt_qemu_ga_t:s0 key=(null)
type=AVC msg=audit(07/15/2015 10:07:40.225:410) : avc: denied { setattr } for pid=3683 comm=chpasswd name=shadow- dev="dm-1" ino=134934467 scontext=system_u:system_r:virt_qemu_ga_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file
----
type=SYSCALL msg=audit(07/15/2015 10:07:40.259:411) : arch=x86_64 syscall=open success=yes exit=6 a0=0x7fff385196d0 a1=O_WRONLY|O_CREAT|O_TRUNC a2=0666 a3=0x6165726373662f72 items=0 ppid=3562 pid=3683 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=chpasswd exe=/usr/sbin/chpasswd subj=system_u:system_r:virt_qemu_ga_t:s0 key=(null)
type=AVC msg=audit(07/15/2015 10:07:40.259:411) : avc: denied { create } for pid=3683 comm=chpasswd name=shadow+ scontext=system_u:system_r:virt_qemu_ga_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file
----
type=SYSCALL msg=audit(07/15/2015 10:07:40.277:412) : arch=x86_64 syscall=rename success=yes exit=0 a0=0x7fff385196d0 a1=0x7fcb811f8a00 a2=0x7fff38519640 a3=0x0 items=0 ppid=3562 pid=3683 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=chpasswd exe=/usr/sbin/chpasswd subj=system_u:system_r:virt_qemu_ga_t:s0 key=(null)
type=AVC msg=audit(07/15/2015 10:07:40.277:412) : avc: denied { unlink } for pid=3683 comm=chpasswd name=shadow dev="dm-1" ino=136675055 scontext=system_u:system_r:virt_qemu_ga_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file
type=AVC msg=audit(07/15/2015 10:07:40.277:412) : avc: denied { rename } for pid=3683 comm=chpasswd name=shadow+ dev="dm-1" ino=135973410 scontext=system_u:system_r:virt_qemu_ga_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file
Lukas, could you check it? It looks like we need to add labeling for chpasswd and allow virt_qemu_ga_t to have a transition to passwd_t.
Marc-Andre, could you re-test it with

# cat mypol.te
policy_module(mypol,1.0)

require{
    type virt_qemu_ga_t;
}

usermanage_domtrans_passwd(virt_qemu_ga_t)

and run

# yum install selinux-policy-devel
# make -f /usr/share/selinux/devel/Makefile mypol.pp
# semodule -i mypol.pp
# chcon -t passwd_exec_t /usr/sbin/chpasswd

and re-test it? Thank you.
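As an added illustration (not code from this report or from the selinux-policy project): a small parser that groups the AVC denials collected above by source type, target type and object class, emits the direct allow rules an audit2allow-style tool would produce for them, and flags the credential-store types they target. Every rule would have to grant virt_qemu_ga_t access to shadow_t or passwd_file_t, which is why the fix above transitions into the existing passwd_t domain instead. The three records are copied from the ausearch output in this report; the grouping and the SENSITIVE_TYPES set are this example's own.

```python
import re
from collections import defaultdict

# Three AVC records copied from the ausearch output in this report, one per
# target type seen there (the full output has more, all from the same source).
SAMPLE_AVC = (
    'type=AVC msg=audit(07/15/2015 10:07:40.206:404) : avc: denied { write } for pid=3683 comm=chpasswd '
    'name=.pwd.lock dev="dm-1" ino=134688785 scontext=system_u:system_r:virt_qemu_ga_t:s0 '
    'tcontext=system_u:object_r:passwd_file_t:s0 tclass=file '
    'type=AVC msg=audit(07/15/2015 10:07:40.207:408) : avc: denied { read write } for pid=3683 comm=chpasswd '
    'name=shadow dev="dm-1" ino=136675055 scontext=system_u:system_r:virt_qemu_ga_t:s0 '
    'tcontext=system_u:object_r:shadow_t:s0 tclass=file '
    'type=AVC msg=audit(07/15/2015 10:07:40.207:408) : avc: denied { dac_override } for pid=3683 comm=chpasswd '
    'capability=dac_override scontext=system_u:system_r:virt_qemu_ga_t:s0 '
    'tcontext=system_u:system_r:virt_qemu_ga_t:s0 tclass=capability'
)

# One AVC record: the denied permission set, then the three context fields.
# ausearch output may be run together on one line, so we scan with finditer.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)

# Credential stores (this example's own list): a direct allow rule against
# these widens what the guest agent domain can reach.
SENSITIVE_TYPES = {"shadow_t", "passwd_file_t"}

def type_of(context):
    """user:role:type:level -> type"""
    return context.split(":")[2]

def summarize(text):
    """Group denied permissions by (source type, target type, object class)."""
    needed = defaultdict(set)
    for m in AVC_RE.finditer(text):
        key = (type_of(m["scontext"]), type_of(m["tcontext"]), m["tclass"])
        needed[key].update(m["perms"].split())
    return dict(needed)

def direct_allow_rules(summary):
    """The allow rules an audit2allow-style tool would emit for these denials."""
    return [f"allow {s} {t}:{c} {{ {' '.join(sorted(p))} }};"
            for (s, t, c), p in sorted(summary.items())]

def sensitive_targets(summary):
    """Target types holding credentials; hits here argue for a domain transition into
    passwd_t (which already has this access) rather than new allow rules for the agent."""
    return sorted({t for (_, t, _) in summary if t in SENSITIVE_TYPES})
```

Run summarize() over the full ausearch output to see the complete set of rules the permissive run would have required; any non-empty result from sensitive_targets() is the signal to look for an existing domain to transition into rather than extending the requesting domain.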
(In reply to Miroslav Grepl from comment #6)
> Marc-Andre,
> could you re-test it with
...
> and re-test it? Thank you.

It works!
commit 21687562873180d347ff6a29e727e1e7d86437b7
Author: Lukas Vrabec <lvrabec>
Date:   Wed Jul 29 11:52:14 2015 +0200

    Label /usr/sbin/chpasswd as passwd_exec_t.

commit cd857dfac06f08ac5e82b155c137e08f4a437b30
Author: Lukas Vrabec <lvrabec>
Date:   Wed Jul 29 11:54:26 2015 +0200

    Allow virt_qemu_ga_t domtrans to passwd_t.
Great. Thank you for testing.
Moving back to correct state
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://rhn.redhat.com/errata/RHBA-2015-2300.html