Bug 1518655 - Lots of SELinux denials with "passwd: compat"
Summary: Lots of SELinux denials with "passwd: compat"
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted
Version: 27
Hardware: All
OS: Linux
high
high
Target Milestone: ---
Assignee: Lukas Vrabec
QA Contact: Milos Malik
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2017-11-29 12:16 UTC by Trond H. Amundsen
Modified: 2018-08-08 15:34 UTC (History)
2 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2018-08-08 15:34:09 UTC
Type: Bug


Attachments (Terms of Use)

Description Trond H. Amundsen 2017-11-29 12:16:27 UTC
Description of problem:
When using "passwd: compat" in /etc/nsswitch.conf, various services need to read /etc/passwd. SELinux denies this, creating a steady stream of denials:

SELinux is preventing dbus-daemon from map access on the file /etc/passwd.
SELinux is preventing sshd from map access on the file /etc/passwd.
...etc...

Here is a summary of what we've had to add to our local policy for this to work:

allow NetworkManager_t passwd_file_t:file map;
allow abrt_dump_oops_t passwd_file_t:file map;
allow abrt_t passwd_file_t:file map;
allow accountsd_t passwd_file_t:file map;
allow automount_t passwd_file_t:file map;
allow avahi_t passwd_file_t:file map;
allow chkpwd_t passwd_file_t:file map;
allow chronyd_t passwd_file_t:file map;
allow colord_t passwd_file_t:file map;
allow cupsd_t passwd_file_t:file map;
allow firewalld_t passwd_file_t:file map;
allow init_t passwd_file_t:file map;
allow mcelog_t passwd_file_t:file map;
allow policykit_auth_t passwd_file_t:file map;
allow policykit_t passwd_file_t:file map;
allow postfix_master_t passwd_file_t:file map;
allow postfix_pickup_t passwd_file_t:file map;
allow postfix_qmgr_t passwd_file_t:file map;
allow rtkit_daemon_t passwd_file_t:file map;
allow setroubleshootd_t passwd_file_t:file map;
allow sshd_t passwd_file_t:file map;
allow sssd_t passwd_file_t:file map;
allow system_dbusd_t passwd_file_t:file map;
allow systemd_logind_t passwd_file_t:file map;
allow systemd_tmpfiles_t passwd_file_t:file map;
allow useradd_t passwd_file_t:file map;
allow xdm_t passwd_file_t:file map;

This is not an complete list. It would depend on how one configures nsswitch.conf beyond "passwd: compat", as well as which services are running.

Version-Release number of selected component (if applicable):
selinux-policy-targeted-3.13.1-283.17.fc27.noarch

How reproducible:
Always.

Steps to Reproduce:
1. Configure "passwd: compat" in /etc/nsswitch.conf
2. Watch the flow of denials

Actual results:
Host becomes practically unusable, e.g. user can't log in.

Expected results:
No denials.

Comment 2 Fedora Update System 2018-07-27 09:23:05 UTC
selinux-policy-3.13.1-284.37.fc27 has been submitted as an update to Fedora 27. https://bodhi.fedoraproject.org/updates/FEDORA-2018-4bb4de2d86

Comment 3 Fedora Update System 2018-07-27 15:39:16 UTC
selinux-policy-3.13.1-284.37.fc27 has been pushed to the Fedora 27 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2018-4bb4de2d86

Comment 4 Fedora Update System 2018-08-08 15:34:09 UTC
selinux-policy-3.13.1-284.37.fc27 has been pushed to the Fedora 27 stable repository. If problems still persist, please make note of it in this bug report.


Note You need to log in before you can comment on or make changes to this bug.