Description of problem:
When using "passwd: compat" in /etc/nsswitch.conf, various services need to read /etc/passwd. SELinux denies this, creating a steady stream of denials:

SELinux is preventing dbus-daemon from map access on the file /etc/passwd.
SELinux is preventing sshd from map access on the file /etc/passwd.
...etc...

Here is a summary of what we've had to add to our local policy for this to work:

allow NetworkManager_t passwd_file_t:file map;
allow abrt_dump_oops_t passwd_file_t:file map;
allow abrt_t passwd_file_t:file map;
allow accountsd_t passwd_file_t:file map;
allow automount_t passwd_file_t:file map;
allow avahi_t passwd_file_t:file map;
allow chkpwd_t passwd_file_t:file map;
allow chronyd_t passwd_file_t:file map;
allow colord_t passwd_file_t:file map;
allow cupsd_t passwd_file_t:file map;
allow firewalld_t passwd_file_t:file map;
allow init_t passwd_file_t:file map;
allow mcelog_t passwd_file_t:file map;
allow policykit_auth_t passwd_file_t:file map;
allow policykit_t passwd_file_t:file map;
allow postfix_master_t passwd_file_t:file map;
allow postfix_pickup_t passwd_file_t:file map;
allow postfix_qmgr_t passwd_file_t:file map;
allow rtkit_daemon_t passwd_file_t:file map;
allow setroubleshootd_t passwd_file_t:file map;
allow sshd_t passwd_file_t:file map;
allow sssd_t passwd_file_t:file map;
allow system_dbusd_t passwd_file_t:file map;
allow systemd_logind_t passwd_file_t:file map;
allow systemd_tmpfiles_t passwd_file_t:file map;
allow useradd_t passwd_file_t:file map;
allow xdm_t passwd_file_t:file map;

This is not a complete list. It would depend on how one configures nsswitch.conf beyond "passwd: compat", as well as which services are running.

Version-Release number of selected component (if applicable):
selinux-policy-targeted-3.13.1-283.17.fc27.noarch

How reproducible:
Always.

Steps to Reproduce:
1. Configure "passwd: compat" in /etc/nsswitch.conf
2. Watch the flow of denials

Actual results:
Host becomes practically unusable, e.g. user can't log in.

Expected results:
No denials.
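Added example (not part of the original report, and not the reporter's or the selinux-policy project's code): a small triage script that pulls "map" denials against passwd_file_t out of audit records, counts them per source domain, and prints the matching allow rules in the form listed above. The audit lines are constructed samples, and the function names are assumptions of this example.

```python
import re
from collections import Counter

# Constructed sample audit records (not taken from the bug report).
SAMPLE_LOG = """\
type=AVC msg=audit(1520000001.101:201): avc:  denied  { map } for  pid=812 comm="dbus-daemon" path="/etc/passwd" dev="dm-0" ino=1311 scontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:passwd_file_t:s0 tclass=file permissive=0
type=AVC msg=audit(1520000002.214:202): avc:  denied  { map } for  pid=990 comm="sshd" path="/etc/passwd" dev="dm-0" ino=1311 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:passwd_file_t:s0 tclass=file permissive=0
type=AVC msg=audit(1520000003.007:203): avc:  denied  { map } for  pid=991 comm="sshd" path="/etc/passwd" dev="dm-0" ino=1311 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:passwd_file_t:s0 tclass=file permissive=0
type=AVC msg=audit(1520000004.550:204): avc:  denied  { map } for  pid=1200 comm="cupsd" path="/etc/hosts" dev="dm-0" ino=1402 scontext=system_u:system_r:cupsd_t:s0 tcontext=system_u:object_r:net_conf_t:s0 tclass=file permissive=0
type=AVC msg=audit(1520000005.930:205): avc:  denied  { write } for  pid=1300 comm="httpd" name="passwd" dev="dm-0" ino=1311 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:passwd_file_t:s0 tclass=file permissive=0
"""

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{(?P<perms>[^}]*)\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)

def selinux_type(context):
    """Return the type field (third component) of a user:role:type[:level] context."""
    parts = context.split(":")
    return parts[2] if len(parts) > 2 else None

def map_denials(log_text, target_type="passwd_file_t"):
    """Count denied 'map' permissions on files of target_type, per source domain."""
    counts = Counter()
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m or m["tclass"] != "file":
            continue
        if "map" not in m["perms"].split():
            continue  # other permissions (read, write, ...) are a different problem
        if selinux_type(m["tcontext"]) != target_type:
            continue  # map denials on other file types are not this bug
        counts[selinux_type(m["scontext"])] += 1
    return counts

def allow_rules(counts, target_type="passwd_file_t"):
    """Render one allow rule per source domain, sorted for stable review diffs."""
    return [f"allow {domain} {target_type}:file map;" for domain in sorted(counts)]

if __name__ == "__main__":
    found = map_denials(SAMPLE_LOG)
    for domain, n in found.most_common():
        print(f"{n:4d}  {domain}")
    print("\n".join(allow_rules(found)))
```

On a real host the input would be the text of /var/log/audit/audit.log; the generated rules are a list to review, since each one widens what that domain may do with /etc/passwd.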
selinux-policy-3.13.1-284.37.fc27 has been submitted as an update to Fedora 27. https://bodhi.fedoraproject.org/updates/FEDORA-2018-4bb4de2d86
selinux-policy-3.13.1-284.37.fc27 has been pushed to the Fedora 27 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2018-4bb4de2d86
selinux-policy-3.13.1-284.37.fc27 has been pushed to the Fedora 27 stable repository. If problems still persist, please make note of it in this bug report.