Bug 1495327 - chpasswd and login need dac_override
Summary: chpasswd and login need dac_override
Keywords:
Status: CLOSED RAWHIDE
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: rawhide
Hardware: Unspecified
OS: Unspecified
Target Milestone: ---
Assignee: Lukas Vrabec
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2017-09-25 20:27 UTC by Dusty Mabe
Modified: 2018-02-20 11:23 UTC (History)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2018-02-20 11:23:22 UTC
Type: Bug




Links
Red Hat Bugzilla 1495839 (Status: CLOSED, Priority: unspecified) - agetty: cannot login (for "denied { dac_override }") as a user after update to 3.13.1-288.fc28 - Last Updated: 2021-02-22 00:41:40 UTC

Internal Links: 1495839

Description Dusty Mabe 2017-09-25 20:27:44 UTC
Description of problem:

When I boot an atomic host with cloud-init and the system tries to configure a user, I get denials.

Here are the denials I am seeing:

```
[atomic@cloudhost ~]$ sudo ausearch -m avc,user_avc
----
time->Mon Sep 25 19:50:12 2017
type=PROCTITLE msg=audit(1506369012.772:113): proctitle=706173737764002D6C0061746F6D6963
type=SYSCALL msg=audit(1506369012.772:113): arch=c000003e syscall=257 success=yes exit=7 a0=ffffff9c a1=558417460790 a2=242 a3=0 items=0 ppid=778 pid=910 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="passwd" exe="/usr/bin/passwd" subj=system_u:system_r:passwd_t:s0 key=(null)
type=AVC msg=audit(1506369012.772:113): avc:  denied  { dac_override } for  pid=910 comm="passwd" capability=1  scontext=system_u:system_r:passwd_t:s0 tcontext=system_u:system_r:passwd_t:s0 tclass=capability permissive=1
----
time->Mon Sep 25 19:50:15 2017
type=PROCTITLE msg=audit(1506369015.232:152): proctitle="chpasswd"
type=SYSCALL msg=audit(1506369015.232:152): arch=c000003e syscall=257 success=yes exit=7 a0=ffffff9c a1=55cff26baaa0 a2=20902 a3=0 items=0 ppid=974 pid=1171 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="chpasswd" exe="/usr/sbin/chpasswd" subj=system_u:system_r:passwd_t:s0 key=(null)
type=AVC msg=audit(1506369015.232:152): avc:  denied  { dac_override } for  pid=1171 comm="chpasswd" capability=1  scontext=system_u:system_r:passwd_t:s0 tcontext=system_u:system_r:passwd_t:s0 tclass=capability permissive=1
----
time->Mon Sep 25 19:52:19 2017
type=PROCTITLE msg=audit(1506369139.946:176): proctitle=6C6F67696E202D2D206665646F7261
type=SYSCALL msg=audit(1506369139.946:176): arch=c000003e syscall=257 success=yes exit=3 a0=ffffff9c a1=556ec29b2fb0 a2=802 a3=0 items=0 ppid=989 pid=1217 auid=1001 uid=0 gid=1001 euid=0 suid=0 fsuid=0 egid=1001 sgid=1001 fsgid=1001 tty=ttyS0 ses=1 comm="login" exe="/usr/bin/login" subj=system_u:system_r:local_login_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1506369139.946:176): avc:  denied  { dac_override } for  pid=1217 comm="login" capability=1  scontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tcontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tclass=capability permissive=1
```


Version-Release number of selected component (if applicable):

```
[atomic@cloudhost ~]$ rpm -q selinux-policy kernel
selinux-policy-3.13.1-288.fc28.noarch
kernel-4.14.0-0.rc1.git4.1.fc28.x86_64
```

How reproducible:
Always

Steps to Reproduce:
1. Download https://kojipkgs.fedoraproject.org/compose/rawhide/Fedora-Rawhide-20170925.n.0/compose/CloudImages/x86_64/images/Fedora-Atomic-Rawhide-20170925.n.0.x86_64.qcow2
2. Edit the disk image to have enforcing=0 on the kernel command line (this might be easier with the raw.xz image, in the same directory as the other image, if you prefer)
3. Boot with a cloud-init config that sets a password, like:

```
#cloud-config
password: foopass
chpasswd: { expire: False }
ssh_pwauth: True
```

Actual results:
denials

Expected results:
able to log in with fedora/foopass

Comment 1 Daniel Walsh 2017-09-26 12:05:52 UTC
Yes, I would say passwd_t needs DAC_OVERRIDE since it is rewriting /etc/shadow, with permissions 0000.
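
As an added example (not code from this report or from Fedora's selinux-policy), the script below turns the AVC records quoted above into the distinct allow rules they call for and models the DAC fallback that makes even uid 0 trip CAP_DAC_OVERRIDE on a root-owned, mode-0000 /etc/shadow. The rule text and the `needs_dac_override` helper are the example's own construction; supplementary groups are deliberately left out of the model.

```python
import re

# AVC records copied from the ausearch output in this report (the demo's sample input).
AVC_LOG = """\
type=AVC msg=audit(1506369012.772:113): avc:  denied  { dac_override } for  pid=910 comm="passwd" capability=1  scontext=system_u:system_r:passwd_t:s0 tcontext=system_u:system_r:passwd_t:s0 tclass=capability permissive=1
type=AVC msg=audit(1506369015.232:152): avc:  denied  { dac_override } for  pid=1171 comm="chpasswd" capability=1  scontext=system_u:system_r:passwd_t:s0 tcontext=system_u:system_r:passwd_t:s0 tclass=capability permissive=1
type=AVC msg=audit(1506369139.946:176): avc:  denied  { dac_override } for  pid=1217 comm="login" capability=1  scontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tcontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tclass=capability permissive=1
"""
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    """(perms, comm, source type, target type, tclass) for one AVC denial, else None."""
    m = re.search(r'denied\s+\{([^}]*)\}', line)
    if not m:
        return None
    f = dict(KV_RE.findall(line))
    stype, ttype = (f[k].split(':')[2] for k in ('scontext', 'tcontext'))  # user:role:TYPE:level
    return tuple(m.group(1).split()), f['comm'].strip('"'), stype, ttype, f['tclass']

def missing_allow_rules(log):
    """Collapse the denials into the distinct .te allow rules they call for;
    a target equal to the source domain is written as `self`."""
    rules = {}
    for line in log.splitlines():
        parsed = parse_avc(line)
        if parsed is None:
            continue
        perms, comm, stype, ttype, tclass = parsed
        key = (stype, 'self' if stype == ttype else ttype, tclass)
        p, seen = rules.setdefault(key, (set(), set()))
        p.update(perms)
        seen.add(comm)
    return sorted(f"allow {s} {t}:{c} {{ {' '.join(sorted(p))} }};  # from: {', '.join(sorted(cm))}"
                  for (s, t, c), (p, cm) in rules.items())

def needs_dac_override(uid, gid, st_uid, st_gid, mode, access):
    """Model the kernel DAC check for 'r'/'w' on a regular file: when the caller's
    owner/group/other class lacks the bit, Linux falls back to CAP_DAC_OVERRIDE,
    which SELinux audits as capability { dac_override }. Supplementary groups
    are not modelled here (a simplification of this demo)."""
    shift = 6 if uid == st_uid else 3 if gid == st_gid else 0
    return not ((mode >> shift) & {'r': 4, 'w': 2}[access])

if __name__ == '__main__':
    print('\n'.join(missing_allow_rules(AVC_LOG)))
    # /etc/shadow is root-owned mode 0000 (comment 1), so even uid 0 needs CAP_DAC_OVERRIDE to write it:
    print(needs_dac_override(0, 0, 0, 0, 0o000, 'w'), needs_dac_override(0, 0, 0, 0, 0o644, 'w'))  # True False
```

Running it prints one rule per source domain (passwd_t covers both passwd and chpasswd, local_login_t covers login), which is exactly the set of capability grants the policy fix would have to add.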

Comment 2 Dusty Mabe 2017-09-26 12:38:18 UTC
(In reply to Daniel Walsh from comment #1)
> Yes I would say passwd_t needs DAC_OVERRIDE since it is rewriting
> /etc/shadow. with permissions 0000.

What about `local_login_t` from the 3rd AVC?

Comment 3 Jan Pokorný [poki] 2017-09-27 07:01:58 UTC
Not sure if immediately related, but quite similar: [bug 1495839].

Comment 4 Daniel Walsh 2017-09-27 13:50:31 UTC
Local login probably needs it to write content into the /root directory.

