Bugzilla will be upgraded to version 5.0. The upgrade date is tentatively scheduled for 2 December 2018, pending final testing and feedback.
First Last Prev Next    This bug is not in your last search results.
Bug 1376991 - unix_chkpwd is missing dac_read_search capability
unix_chkpwd is missing dac_read_search capability
Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: selinux-policy (Show other bugs)
7.3
All Linux
medium Severity medium
: rc
: ---
Assigned To: Lukas Vrabec
Milos Malik
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2016-09-17 06:26 EDT by Ondrej Moriš
Modified: 2018-04-10 08:25 EDT (History)
9 users (show)

See Also:
Fixed In Version: selinux-policy-3.13.1-175.el7
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2018-04-10 08:24:04 EDT
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)
Add an attachment (proposed patch, testcase, etc.)


External Trackers
Tracker ID Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2018:0763 None None None 2018-04-10 08:25 EDT

  None (edit)
Description Ondrej Moriš 2016-09-17 06:26:36 EDT 
Description of problem:

PAM authentication in libreswan (via xauth) fails in pam_unix pluto PAM stack due to missing dac_read_search capability for unix_chkpwd.

Version-Release number of selected component (if applicable):

selinux-policy-3.13.1-97.el7
libreswan-3.15-8.el7

How reproducible:

100%

Steps to Reproduce:

Configure xauthby=pam for libreswan and bring up the connection, for detailed steps please see RHBZ#1278063#c5.

Actual results:

Connection does not work, authentication failure.

# ausearch -ts 12:06:56 -m avc -sv no
----
time->Sat Sep 17 12:06:56 2016
type=PATH msg=audit(1474106816.540:2362): item=0 name="/etc/shadow" inode=67668197 dev=fd:00 mode=0100000 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:shadow_t:s0 objtype=NORMAL
type=CWD msg=audit(1474106816.540:2362):  cwd="/run/pluto"
type=SYSCALL msg=audit(1474106816.540:2362): arch=c000003e syscall=2 success=no exit=-13 a0=7fb186b7c453 a1=80000 a2=1b6 a3=24 items=1 ppid=23533 pid=23668 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="unix_chkpwd" exe="/usr/sbin/unix_chkpwd" subj=system_u:system_r:chkpwd_t:s0 key=(null)
type=AVC msg=audit(1474106816.540:2362): avc:  denied  { dac_read_search } for  pid=23668 comm="unix_chkpwd" capability=2  scontext=system_u:system_r:chkpwd_t:s0 tcontext=system_u:system_r:chkpwd_t:s0 tclass=capability

# ausearch -ts 12:06:56 -m avc -sv no | audit2allow 

#============= chkpwd_t ==============
allow chkpwd_t self:capability dac_read_search;

Expected results:

Successful authentication.

Additional info:

Please see RHBZ#1278063 for more details.
Comment 3 Lukas Vrabec 2016-09-19 06:22:49 EDT 
Thank you guys for info, moving to RHEL-7.4
Comment 9 errata-xmlrpc 2018-04-10 08:24:04 EDT 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2018:0763
Note You need to log in before you can comment on or make changes to this bug.
First Last Prev Next    This bug is not in your last search results.