1321375 – SELinux-related "chpasswd: failure while writing changes to /etc/shadow" for systemd container

RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 1321375 - SELinux-related "chpasswd: failure while writing changes to /etc/shadow" for systemd container

Summary: SELinux-related "chpasswd: failure while writing changes to /etc/shadow" for ...

Keywords:
Status:	CLOSED WONTFIX
Alias:	None
Product:	Red Hat Enterprise Linux 7
Classification:	Red Hat
Component:	libselinux
Sub Component:
Version:	7.2
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	rc
Target Release:	---
Assignee:	Petr Lautrbach
QA Contact:	Milos Malik
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:	1477664
TreeView+	depends on / blocked

Reported:	2016-03-25 21:59 UTC by Robert Scheck
Modified:	2021-09-09 11:48 UTC (History)
CC List:	12 users (show)
Fixed In Version:
Doc Type:	If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:	2018-06-22 13:16:49 UTC
Target Upstream Version:
Embargoed:

Attachments	(Terms of Use)

Description Robert Scheck 2016-03-25 21:59:21 UTC

Description of problem:
Changing the password of a systemd container using chpasswd fails, because
chpasswd does not properly recognize that SELinux is not enabled:

$ echo -n root:tux | chpasswd -R /var/lib/machines/example/
chpasswd: failure while writing changes to /etc/shadow
$ 

$ mount | grep selinuxfs
selinuxfs on /sys/fs/selinux type selinuxfs (rw,relatime)
$ 

$ cat /sys/fs/selinux/enforce 
0$

$ mount -o ro,remount /sys/fs/selinux
$ 

$ echo -n root:tux | chpasswd -R /var/lib/machines/example/
$ 

Version-Release number of selected component (if applicable):
shadow-utils-4.1.5.1-18.el7.x86_64
libselinux-utils is not installed
selinux-policy-targeted is not installed

How reproducible:
Everytime, see above and below.

Steps to Reproduce:
1. dd if=/dev/zero of=/tmp/example.img bs=1M count=1200
2. parted /tmp/example.img mktable msdos
3. parted /tmp/example.img mkpart primary ext4 1 -- -0
4. parted /tmp/example.img set 1 boot on
5. kpartx -avs /tmp/example.img
6. mkfs.ext4 /dev/mapper/loop0p1
7. mkdir -p /mnt/example/
8. mount /dev/mapper/loop0p1 /mnt/example/
9. yum -y --releasever=7 --nogpg --installroot=/mnt/example install \
     systemd passwd centos-release kernel grub2
10. mount --bind /dev /mnt/example/dev
11. mount --bind /proc /mnt/example/proc
12. mount --bind /sys /mnt/example/sys
13. echo "GRUB_TIMEOUT=5" > /mnt/example/etc/default/grub
14. echo "GRUB_DISTRIBUTOR=\"\$(sed 's, release .*$,,g' \
      /etc/system-release)\"" >> /mnt/example/etc/default/grub
15. echo "GRUB_DEFAULT=saved" >> /mnt/example/etc/default/grub
16. echo "GRUB_DISABLE_SUBMENU=true" >> /mnt/example/etc/default/grub
17. echo "GRUB_TERMINAL_OUTPUT=\"console\"" >> \
      /mnt/example/etc/default/grub
18. echo "GRUB_CMDLINE_LINUX=\" vconsole.keymap=de \
      vconsole.font=latarcyrheb-sun16\"" >> \
      /mnt/example/etc/default/grub
19. echo "GRUB_DISABLE_RECOVERY=\"true\"" >> \
      /mnt/example/etc/default/grub
20. chroot /mnt/example/ grub2-mkconfig -o /boot/grub2/grub.cfg
21. chroot /mnt/example/ grub2-install /dev/loop0
22. umount /mnt/example/dev
23. umount /mnt/example/proc
24. umount /mnt/example/sys
25. umount /mnt/example/
26. kpartx -dvs /tmp/example.img
27. Boot this image as a virtual machine, e.g. using KVM
28. Run the following commands inside the virtual machine
29. yum -y --releasever=7 --nogpg --installroot=/var/lib/machines/example \
    install systemd passwd centos-release
30. systemd-machine-id-setup --root /var/lib/machines/example
31. echo -n root:tux | chpasswd -R /var/lib/machines/example/
32. Receive: "chpasswd: failure while writing changes to /etc/shadow"

Possible workaround: Append "selinux=0" string in step 18 - but why is
this needed? There are no SELinux related configurations, so chpassword's 
libselinux usage should detect such a situation.

Actual results:
SELinux-related "chpasswd: failure while writing changes to /etc/shadow"
for systemd container.

Expected results:
No failure when running chpasswd.

Additional info:
I see some similarities to bug #1096123 - even this is not the same issue.

Comment 1 Robert Scheck 2016-03-25 22:01:46 UTC

Cross-filed case 01607069 on the Red Hat customer portal.

Comment 3 Daniel Walsh 2016-03-28 14:28:48 UTC

Robert if SELinux is enabled on the machine, but you want libselinux to say it is disabled inside of the container, you have to mount /sys/fs/selinux read/only.  Which as you saw fixed the problem.

Not sure how we fix this in any other way.

If I understand what you are saying.

Comment 4 Robert Scheck 2016-03-28 14:52:06 UTC

Daniel, what I don't get: If I don't install selinux-policy-targeted RPM,
SELinux should be disabled, right? But /sys/fs/selinux is still read-write
for the host (and read-only for the container). The situation I would have
expected is that SELinux is disabled, if I don't install a SELinux policy.
Additionally, "cat /sys/fs/selinux/enforce" on the host says, that it's 0,
thus I would have expected permissive at maximum. Do you get my point?

Comment 5 Robert Scheck 2016-03-28 15:01:24 UTC

Maybe for clarification: I'm first creating a disk image with CentOS (RHEL),
booting that (should have no SELinux due to no selinux-policy-targeted RPM
installed) and creating inside a container with CentOS (RHEL) (which has
SELinux disabled, too, because there's is no selinux-policy-targeted RPM and
/sys/fs/selinux is read-only). But then, trying to run chpasswd from the
previously created disk image for the container leads to the mentioned error.

I might be wrong here, but how to proper enforce SELinux without a policy?

Comment 6 Robert Scheck 2016-03-28 15:19:36 UTC

Actually, if I boot the host system without "selinux=0" and also without
selinux-policy-targeted installed, dmesg(1) tells during boot:

  kernel: SELinux:  Initializing.
  kernel: SELinux:  Starting in permissive mode

This makes me believing that my comment #4 expectation is not that wrong.
However, chpasswd is denied until I boot with "selinux=0". Adding this to
the cmdline leads to:

  kernel: SELinux:  Disabled at boot.

Booting only with "enforcing=0" (no "selinux=0") also leads to the error.

Comment 7 Daniel Walsh 2016-03-28 15:24:02 UTC

Robert, yes some tools do not handle permissive correctly.  Which is probably a bug, but having /sys/fs/selinux and the policy means that the system is running in SELinux mode.

In order to have SELinux disabled, you should have SELINUX=disabled in /etc/selinux/config, or have SELINUX=0 on the kernel line.  Otherwise SELinux is enabled.  As I said above the command is not handling SELinux permissive but I guess it could be argued that if I can not fix the labeling even in permissive that should be an error.

My original comments was about the issue where you wanted SELinux enabled on the host, but apps within a container to be told that SELInux is disabled (For most containers, this is the way it should be, since we don't want container processes trying to do SELinux stuff.)

http://danwalsh.livejournal.com/73099.html

Comment 8 Daniel Walsh 2016-03-28 15:25:46 UTC

selinux-policy-targeted package installed will configure /etc/selinux/config with SELINUX=enforcing flag by default.

Changing this to SELINUX=disabled will also boot machine without SELinux.

BTW I do not recommend this, especially when you are running multi-tenant container environments. SELinux is your best tool for containing containers.

Comment 9 Tomas Mraz 2016-03-29 09:16:58 UTC

So what is the bug of shadow-utils here? That they report the error even in permissive mode = when security_getenforce() returns 0?

Comment 15 Petr Lautrbach 2018-06-18 17:13:53 UTC

The problem is in libselinux which checks SELinux the state only in the library constructor and then uses a cached value. 

In this case, libselinux is initialized before chroot() when SELinux is "enabled" and since the state is cached, it stays "enabled" even after chroot(). If libselinux was initialized after chroot(), it would detect disabled SELinux.

It can be simply reproduced using the following python code:


>>> import selinux
>>> import os
>>> os.chroot('/var/lib/machines/example')
>>> selinux.is_selinux_enabled()
1
>>> 

vs

>>> import os
>>> os.chroot('/var/lib/machines/example')
>>> import selinux
>>> selinux.is_selinux_enabled()
0
>>>

Comment 16 Petr Lautrbach 2018-06-22 11:23:42 UTC

If it's possible, you can mount selinuxfs and proc into chroot to workaround this problem:


# echo -n root:tux | chpasswd -R /var/lib/machines/example/
chpasswd: failure while writing changes to /etc/shadow

# mkdir -p /var/lib/machines/example/sys/fs/selinux

# mount -t selinuxfs selinuxfs /var/lib/machines/example/sys/fs/selinux

# mount -t proc proc /var/lib/machines/example/proc/

# echo -n root:tux | chpasswd -R /var/lib/machines/example/

# echo $?
0

Comment 18 Vit Mojzis 2018-06-22 13:16:49 UTC

Fix to this issue on selinux side could potentially trigger a permission check that wasn't previously required, thereby breaking existing policies (not to mention performance penalties).

You can replace line 31 with the following to avoid the issue:

echo -n root:tux | chroot /var/lib/machines/example/ chpasswd

Note You need to log in before you can comment on or make changes to this bug.