Bug 180497 - selinux prevents vipw/pwconv from working
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted
i386 Linux
medium Severity medium
Assigned To: Daniel Walsh
Reported: 2006-02-08 12:22 EST by Habig, Alec
Modified: 2007-11-30 17:11 EST
Last Closed: 2006-02-08 12:58:30 EST
Description Habig, Alec 2006-02-08 12:22:51 EST
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.12) Gecko/20060202 Fedora/1.7.12-1.5.2

Description of problem:
The current selinux targeted policy is stopping propagation of changes to /etc/passwd using such commands as vipw or pwconv.

For example,

# pwconv
pwconv: can't open passwd file

which results in an audit.log entry of

type=AVC msg=audit(1139419481.549:641): avc:  denied  { write } for  pid=25926 comm="pwconv" name="passwd" dev=sda3 ino=1533230 scontext=root:system_r:sysadm_passwd_t tcontext=root:object_r:etc_runtime_t tclass=file
type=SYSCALL msg=audit(1139419481.549:641): arch=40000003 syscall=5 success=no exit=-13 a0=804e000 a1=8002 a2=1b6 a3=9103ac8 items=1 pid=25926 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="pwconv" exe="/usr/sbin/pwconv"
type=CWD msg=audit(1139419481.549:641):  cwd="/var/yp"
type=PATH msg=audit(1139419481.549:641): item=0 name="/etc/passwd" flags=101  inode=1533230 dev=08:03 mode=0100644 ouid=0 ogid=0 rdev=00:00

vipw gets similar problems but with the tmp files:

# vipw
vipw: Can't set context for /etc/ptmpvipw: /etc/ptmp: Permission denied
vipw: /etc/passwd unchanged

The commands work as expected if one does a "setenforce 0"

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
2.change something, save
3.watch it fail

Actual Results:  see description above

Additional info:
Comment 1 Habig, Alec 2006-02-08 12:24:43 EST
Could be similar to bug 162203, but that manifested itself as terminal problems.
Comment 2 Daniel Walsh 2006-02-08 12:58:30 EST
The problem is /etc/passwd is labeled incorrectly, should be etc_t.

restorecon /etc/passwd

Any idea how it got labeled etc_runtime_t?

Comment 3 Habig, Alec 2006-02-08 13:39:21 EST
Ok - just did a 

  restorecon -R /etc

to reset the contexts and now things work.  Thanks!

Not sure how it got the wrong one, it's a reasonably young (~month) fresh install.

Thanks for the quick response.
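
The triage done in this thread, as an added example (not part of the bug report and not Fedora or audit tooling): it joins the AVC and PATH records of one audit event and flags a denial whose target type differs from the expected label. The `EXPECTED_TYPE` table and all function names are assumptions of the example; the `/etc/passwd` to `etc_t` mapping is the one given in Comment 2.

```python
import re
from collections import defaultdict

# Expected SELinux type per path. The /etc/passwd -> etc_t entry comes from
# Comment 2; the table itself is an assumption of this example.
EXPECTED_TYPE = {"/etc/passwd": "etc_t"}

# Abridged from the audit.log entry in the report (AVC and PATH records only).
SAMPLE_LOG = '''\
type=AVC msg=audit(1139419481.549:641): avc:  denied  { write } for  pid=25926 comm="pwconv" name="passwd" dev=sda3 ino=1533230 scontext=root:system_r:sysadm_passwd_t tcontext=root:object_r:etc_runtime_t tclass=file
type=PATH msg=audit(1139419481.549:641): item=0 name="/etc/passwd" flags=101  inode=1533230 dev=08:03 mode=0100644 ouid=0 ogid=0 rdev=00:00
'''

EVENT_RE = re.compile(r'^type=(\w+) msg=audit\(([\d.]+:\d+)\): (.*)$')
AVC_RE = re.compile(r'avc:\s+denied\s+\{([^}]*)\}.*?comm="([^"]+)".*?'
                    r'scontext=(\S+) tcontext=(\S+) tclass=(\S+)')
PATH_RE = re.compile(r'\bname="([^"]+)"')


def find_mislabeled(log_text, expected=EXPECTED_TYPE):
    """Return one finding per AVC denial whose target type differs from the expected label."""
    events = defaultdict(dict)
    for line in log_text.splitlines():
        m = EVENT_RE.match(line.strip())
        if not m:
            continue
        rtype, event_id, body = m.groups()
        if rtype == "AVC" and (avc := AVC_RE.search(body)):
            events[event_id]["avc"] = avc.groups()
        elif rtype == "PATH" and (p := PATH_RE.search(body)):
            events[event_id]["path"] = p.group(1)
    findings = []
    for event_id, ev in events.items():
        if "avc" not in ev or "path" not in ev:
            continue  # need both records to tie a denial to a full path
        perms, comm, scontext, tcontext, tclass = ev["avc"]
        actual = tcontext.split(":")[2]  # context is user:role:type[:level]
        want = expected.get(ev["path"])
        if want and actual != want:
            findings.append({"event": event_id, "comm": comm, "path": ev["path"],
                "perms": perms.split(), "actual_type": actual, "expected_type": want,
                "fix": f"restorecon {ev['path']}"})
    return findings


if __name__ == "__main__":
    for f in find_mislabeled(SAMPLE_LOG):
        print(f)
```

A denial with the expected target type produces no finding, which separates a labeling problem like this one from a denial that needs a policy change.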
