Hide Forgot
Description of problem: cockpit-session runs a PAM stack. It needs to be able to reset expired passwords via the standard PAM mechanisms. SELinux is preventing that from working. Sep 08 13:06:10 falcon.thewalter.lan audit[25444]: AVC avc: denied { read } for pid=25444 comm="cockpit-session" name="pw_dict.pwd" dev="sda1" ino=791037 scontext=system_u:system_r:cockpit_session_t:s0 tcontext=system_u:object_r:crack_db_t:s0 tclass=file permissive=1 Sep 08 13:06:10 falcon.thewalter.lan audit[25444]: AVC avc: denied { open } for pid=25444 comm="cockpit-session" path="/usr/share/cracklib/pw_dict.pwd" dev="sda1" ino=791037 scontext=system_u:system_r:cockpit_session_t:s0 tcontext=system_u:object_r:crack_db_t:s0 tclass=file permissive=1 Sep 08 13:06:10 falcon.thewalter.lan audit[25444]: AVC avc: denied { getattr } for pid=25444 comm="cockpit-session" path="/usr/share/cracklib/pw_dict.pwi" dev="sda1" ino=791038 scontext=system_u:system_r:cockpit_session_t:s0 tcontext=system_u:object_r:crack_db_t:s0 tclass=file permissive=1 Sep 08 13:06:13 falcon.thewalter.lan audit[25444]: AVC avc: denied { write } for pid=25444 comm="cockpit-session" name=".pwd.lock" dev="sda1" ino=2228600 scontext=system_u:system_r:cockpit_session_t:s0 tcontext=system_u:object_r:passwd_file_t:s0 tclass=file permissive=1 Sep 08 13:06:13 falcon.thewalter.lan audit[25444]: AVC avc: denied { create } for pid=25444 comm="cockpit-session" name="nshadow" scontext=system_u:system_r:cockpit_session_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file permissive=1 Sep 08 13:06:13 falcon.thewalter.lan audit[25444]: AVC avc: denied { write } for pid=25444 comm="cockpit-session" path="/etc/nshadow" dev="sda1" ino=2229348 scontext=system_u:system_r:cockpit_session_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file permissive=1 Sep 08 13:06:13 falcon.thewalter.lan audit[25444]: AVC avc: denied { setattr } for pid=25444 comm="cockpit-session" name="nshadow" dev="sda1" ino=2229348 scontext=system_u:system_r:cockpit_session_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file permissive=1 Sep 08 13:06:13 falcon.thewalter.lan audit[25444]: AVC avc: denied { rename } for pid=25444 comm="cockpit-session" name="nshadow" dev="sda1" ino=2229348 scontext=system_u:system_r:cockpit_session_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file permissive=1 Sep 08 13:06:13 falcon.thewalter.lan audit[25444]: AVC avc: denied { unlink } for pid=25444 comm="cockpit-session" name="shadow" dev="sda1" ino=2229957 scontext=system_u:system_r:cockpit_session_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file permissive=1 Version-Release number of selected component (if applicable): cockpit-118-1.fc24.x86_64 selinux-policy-3.13.1-191.14.fc24.noarch
This is also something we need fixed in RHEL 7.3. But the specifics of the bug report above are for Fedora. I'll also come up with the data for RHEL 7.3.
Tracker for when this happens during Cockpit integration tests: https://github.com/cockpit-project/cockpit/issues/5010 Similar RHEL 7.3 bug: https://bugzilla.redhat.com/show_bug.cgi?id=1374572
Obviously same issue happens on Fedora 25
I see this in Upstream policy, which I think is what you need. auth_login_pgm_domain(cockpit_session_t)
Fixes added to our github repo.
selinux-policy-3.13.1-191.20.fc24 has been submitted as an update to Fedora 24. https://bodhi.fedoraproject.org/updates/FEDORA-2016-7ce27629b3
selinux-policy-3.13.1-191.20.fc24 has been pushed to the Fedora 24 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2016-7ce27629b3
selinux-policy-3.13.1-191.20.fc24 has been pushed to the Fedora 24 stable repository. If problems still persist, please make note of it in this bug report.