Description of problem:
When I boot an atomic host with cloud-init and the system tries to configure a user, I get denials. Here are the denials I am seeing:

```
[atomic@cloudhost ~]$ sudo ausearch -m avc,user_avc
----
time->Mon Sep 25 19:50:12 2017
type=PROCTITLE msg=audit(1506369012.772:113): proctitle=706173737764002D6C0061746F6D6963
type=SYSCALL msg=audit(1506369012.772:113): arch=c000003e syscall=257 success=yes exit=7 a0=ffffff9c a1=558417460790 a2=242 a3=0 items=0 ppid=778 pid=910 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="passwd" exe="/usr/bin/passwd" subj=system_u:system_r:passwd_t:s0 key=(null)
type=AVC msg=audit(1506369012.772:113): avc: denied { dac_override } for pid=910 comm="passwd" capability=1 scontext=system_u:system_r:passwd_t:s0 tcontext=system_u:system_r:passwd_t:s0 tclass=capability permissive=1
----
time->Mon Sep 25 19:50:15 2017
type=PROCTITLE msg=audit(1506369015.232:152): proctitle="chpasswd"
type=SYSCALL msg=audit(1506369015.232:152): arch=c000003e syscall=257 success=yes exit=7 a0=ffffff9c a1=55cff26baaa0 a2=20902 a3=0 items=0 ppid=974 pid=1171 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="chpasswd" exe="/usr/sbin/chpasswd" subj=system_u:system_r:passwd_t:s0 key=(null)
type=AVC msg=audit(1506369015.232:152): avc: denied { dac_override } for pid=1171 comm="chpasswd" capability=1 scontext=system_u:system_r:passwd_t:s0 tcontext=system_u:system_r:passwd_t:s0 tclass=capability permissive=1
----
time->Mon Sep 25 19:52:19 2017
type=PROCTITLE msg=audit(1506369139.946:176): proctitle=6C6F67696E202D2D206665646F7261
type=SYSCALL msg=audit(1506369139.946:176): arch=c000003e syscall=257 success=yes exit=3 a0=ffffff9c a1=556ec29b2fb0 a2=802 a3=0 items=0 ppid=989 pid=1217 auid=1001 uid=0 gid=1001 euid=0 suid=0 fsuid=0 egid=1001 sgid=1001 fsgid=1001 tty=ttyS0 ses=1 comm="login" exe="/usr/bin/login" subj=system_u:system_r:local_login_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1506369139.946:176): avc: denied { dac_override } for pid=1217 comm="login" capability=1 scontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tcontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tclass=capability permissive=1
```

Version-Release number of selected component (if applicable):
[atomic@cloudhost ~]$ rpm -q selinux-policy kernel
selinux-policy-3.13.1-288.fc28.noarch
kernel-4.14.0-0.rc1.git4.1.fc28.x86_64

How reproducible:
Always

Steps to Reproduce:
1. Download https://kojipkgs.fedoraproject.org/compose/rawhide/Fedora-Rawhide-20170925.n.0/compose/CloudImages/x86_64/images/Fedora-Atomic-Rawhide-20170925.n.0.x86_64.qcow2
2. Edit the disk image to have enforcing=0 on the kernel command line (this might be easier with the raw.xz image (same directory as the other image) if you prefer)
3. Boot with a cloud-init that configures a password, like:
```
#cloud-config
password: foopass
chpasswd: { expire: False }
ssh_pwauth: True
```

Actual results:
denials

Expected results:
able to log in with fedora/foopass
Yes, I would say passwd_t needs DAC_OVERRIDE since it is rewriting /etc/shadow with permissions 0000.
(In reply to Daniel Walsh from comment #1)
> Yes I would say passwd_t needs DAC_OVERRIDE since it is rewriting
> /etc/shadow. with permissions 0000.

What about `local_login_t` from the 3rd AVC?
Not sure if immediately related, but quite similar: [bug 1495839].
Local login probably needs it to write content into the /root directory.