Bug 1449110 - AVC denial about dac_read_search unix_chkpwd system_u:system_r:chkpwd_t logged
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 27
Assignee: Lukas Vrabec
QA Contact: Fedora Extras Quality Assurance
Reported: 2017-05-09 09:00 UTC by Jan Pazdziora
Modified: 2018-05-22 10:49 UTC

Fixed In Version: selinux-policy-3.13.1-283.34.fc27
Last Closed: 2018-05-22 10:49:00 UTC
Type: Bug

Description Jan Pazdziora 2017-05-09 09:00:25 UTC
Description of problem:

Logging in to Fedora rawhide with ssh produces an AVC denial in audit.log.

Version-Release number of selected component (if applicable):

pam-1.3.0-3.fc27.x86_64
openssh-server-7.5p1-2.fc27.x86_64
selinux-policy-3.13.1-252.fc27.noarch

How reproducible:

Deterministic.

Steps to Reproduce:
1. ssh to Fedora rawhide machine, with ssh key.
2. Check audit.log for new AVC denials.

Actual results:

type=AVC msg=audit(1494320161.241:190): avc:  denied  { dac_read_search } for  pid=1573 comm="unix_chkpwd" capability=2  scontext=system_u:system_r:chkpwd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:chkpwd_t:s0-s0:c0.c1023 tclass=capability permissive=0

Expected results:

No AVC denial.

Additional info:

Comment 1 Jan Pazdziora 2017-05-15 13:54:52 UTC
Note of similar bug 1449108 against chrony -> kernel.

Comment 2 Jan Kurik 2017-08-15 06:35:50 UTC
This bug appears to have been reported against 'rawhide' during the Fedora 27 development cycle.
Changing version to '27'.

Comment 3 Jan Pazdziora 2018-05-10 09:04:07 UTC
I no longer see this issue with selinux-policy-3.13.1-283.34.fc27.noarch. Should this bugzilla be closed CURRENTRELEASE, with some fixed in version set?
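
For step 2 of the reproduction steps ("Check audit.log for new AVC denials"), an added example, not part of the original report or of selinux-policy, that parses AVC records like the one quoted in the description and picks out denials where a domain is refused a capability on itself. The second and third sample lines, the type `example_t` and all function names are constructed for illustration.

```python
import re
from datetime import datetime, timezone

# Constructed sample: line 1 is the record from the bug description; lines 2-3
# are made up (example_t is a hypothetical type) to exercise the negative paths.
SAMPLE_LOG = """\
type=AVC msg=audit(1494320161.241:190): avc:  denied  { dac_read_search } for  pid=1573 comm="unix_chkpwd" capability=2  scontext=system_u:system_r:chkpwd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:chkpwd_t:s0-s0:c0.c1023 tclass=capability permissive=0
type=AVC msg=audit(1494320170.000:191): avc:  denied  { read } for  pid=1600 comm="example" name="conf" scontext=system_u:system_r:example_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file permissive=0
type=USER_AUTH msg=audit(1494320171.000:192): pid=1 uid=0 msg='op=constructed'
"""

HEADER = re.compile(r"^type=AVC msg=audit\((\d+)\.\d+:(\d+)\): avc:\s+(denied|granted)"
                    r"\s+\{ ([^}]*)\} for\s+(.*)$")
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')
# First capability numbers from linux/capability.h, enough for this record.
CAP_NAMES = {0: "chown", 1: "dac_override", 2: "dac_read_search", 3: "fowner"}

def parse_avc(line):
    """Return a dict for an AVC record, or None for any other audit line."""
    m = HEADER.match(line.strip())
    if not m:
        return None
    secs, serial, result, perms, rest = m.groups()
    rec = {k: v.strip('"') for k, v in FIELD.findall(rest)}
    if "scontext" not in rec or "tcontext" not in rec:
        return None
    rec.update(time=datetime.fromtimestamp(int(secs), tz=timezone.utc),
               serial=int(serial), result=result, perms=perms.split(),
               source_type=rec["scontext"].split(":")[2])
    return rec

def is_self_capability_denial(rec):
    """Denied capability where the domain is both source and target."""
    return (rec["result"] == "denied" and rec["scontext"] == rec["tcontext"]
            and rec.get("tclass") in ("capability", "capability2"))

def capability_matches(rec):
    """Cross-check the numeric capability= field against the permission name."""
    return CAP_NAMES.get(int(rec.get("capability", -1))) in rec["perms"]

def self_capability_denials(text):
    """Summarise (time, comm, domain, perms) for each self-capability denial."""
    hits = []
    for rec in filter(None, map(parse_avc, text.splitlines())):
        if is_self_capability_denial(rec):
            hits.append((rec["time"].isoformat(), rec.get("comm"),
                         rec["source_type"], rec["perms"]))
    return hits

if __name__ == "__main__":
    for hit in self_capability_denials(SAMPLE_LOG):
        print(hit)
```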

