1495327 – chpasswd and login need dac_override

Bug 1495327 - chpasswd and login need dac_override

Summary: chpasswd and login need dac_override

Keywords:
Status:	CLOSED RAWHIDE
Alias:	None
Product:	Fedora
Classification:	Fedora
Component:	selinux-policy
Sub Component:
Version:	rawhide
Hardware:	Unspecified
OS:	Unspecified
Priority:	unspecified
Severity:	unspecified
Target Milestone:	---
Assignee:	Lukas Vrabec
QA Contact:	Fedora Extras Quality Assurance
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2017-09-25 20:27 UTC by Dusty Mabe
Modified:	2018-02-20 11:23 UTC (History)
CC List:	8 users (show)
Fixed In Version:
Doc Type:	If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:	2018-02-20 11:23:22 UTC
Type:	Bug
Embargoed:
Dependent Products:

Attachments	(Terms of Use)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Bugzilla	1495839	0	unspecified	CLOSED	agetty: cannot login (for "denied { dac_override }") as a user after update to 3.13.1-288.fc28	2021-02-22 00:41:40 UTC

Internal Links: 1495839

Description Dusty Mabe 2017-09-25 20:27:44 UTC

Description of problem:

When I boot an atomic host with cloud-init and the system tries to configure a user I get denials.

Here are the denials I am seeing:

```
[atomic@cloudhost ~]$ sudo ausearch -m avc,user_avc                                                                                                                                          
\----
time->Mon Sep 25 19:50:12 2017
type=PROCTITLE msg=audit(1506369012.772:113): proctitle=706173737764002D6C0061746F6D6963
type=SYSCALL msg=audit(1506369012.772:113): arch=c000003e syscall=257 success=yes exit=7 a0=ffffff9c a1=558417460790 a2=242 a3=0 items=0 ppid=778 pid=910 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="passwd" exe="/usr/bin/passwd" subj=system_u:system_r:passwd_t:s0 key=(null)
type=AVC msg=audit(1506369012.772:113): avc:  denied  { dac_override } for  pid=910 comm="passwd" capability=1  scontext=system_u:system_r:passwd_t:s0 tcontext=system_u:system_r:passwd_t:s0 tclass=capability permissive=1
----
time->Mon Sep 25 19:50:15 2017
type=PROCTITLE msg=audit(1506369015.232:152): proctitle="chpasswd"
type=SYSCALL msg=audit(1506369015.232:152): arch=c000003e syscall=257 success=yes exit=7 a0=ffffff9c a1=55cff26baaa0 a2=20902 a3=0 items=0 ppid=974 pid=1171 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="chpasswd" exe="/usr/sbin/chpasswd" subj=system_u:system_r:passwd_t:s0 key=(null)
type=AVC msg=audit(1506369015.232:152): avc:  denied  { dac_override } for  pid=1171 comm="chpasswd" capability=1  scontext=system_u:system_r:passwd_t:s0 tcontext=system_u:system_r:passwd_t:s0 tclass=capability permissive=1
----
time->Mon Sep 25 19:52:19 2017
type=PROCTITLE msg=audit(1506369139.946:176): proctitle=6C6F67696E202D2D206665646F7261
type=SYSCALL msg=audit(1506369139.946:176): arch=c000003e syscall=257 success=yes exit=3 a0=ffffff9c a1=556ec29b2fb0 a2=802 a3=0 items=0 ppid=989 pid=1217 auid=1001 uid=0 gid=1001 euid=0 suid=0 fsuid=0 egid=1001 sgid=1001 fsgid=1001 tty=ttyS0 ses=1 comm="login" exe="/usr/bin/login" subj=system_u:system_r:local_login_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1506369139.946:176): avc:  denied  { dac_override } for  pid=1217 comm="login" capability=1  scontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tcontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tclass=capability permissive=1
```


Version-Release number of selected component (if applicable):

[atomic@cloudhost ~]$ rpm -q selinux-policy kernel
selinux-policy-3.13.1-288.fc28.noarch
kernel-4.14.0-0.rc1.git4.1.fc28.x86_64

How reproducible:
Always

Steps to Reproduce:
1. Download https://kojipkgs.fedoraproject.org/compose/rawhide/Fedora-Rawhide-20170925.n.0/compose/CloudImages/x86_64/images/Fedora-Atomic-Rawhide-20170925.n.0.x86_64.qcow2
2. Edit disk image to have enforcing=0 on kernel command line (this might be easier with the raw.xz image (same directory as other image) if you prefer)
3. boot with a cloud-init that configures a password: like:

```
#cloud-config                                                                                                                                                                                
password: foopass                                                                                                                                                                           
chpasswd: { expire: False }                                                                                                                                                                  
ssh_pwauth: True
```

Actual results:
denials

Expected results:
able to log in with fedora/foopass

Comment 1 Daniel Walsh 2017-09-26 12:05:52 UTC

Yes I would say passwd_t needs DAC_OVERRIDE since it is rewriting /etc/shadow. with permissions 0000.

Comment 2 Dusty Mabe 2017-09-26 12:38:18 UTC

(In reply to Daniel Walsh from comment #1)
> Yes I would say passwd_t needs DAC_OVERRIDE since it is rewriting
> /etc/shadow. with permissions 0000.

what about `local_login_t` from the 3rd AVC?

Comment 3 Jan Pokorný [poki] 2017-09-27 07:01:58 UTC

Not sure if immediately related, but quite similar: [bug 1495839].

Comment 4 Daniel Walsh 2017-09-27 13:50:31 UTC

local login probably needs it to write content into /root directory.

Note You need to log in before you can comment on or make changes to this bug.