Bug 363321 - SELinux Audit Alert When Installing shadow-utils
Status: CLOSED WORKSFORME
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: shadow-utils
Version: 5.1
Hardware: x86_64 Linux
Priority: low, Severity: low
Assigned To: Peter Vrabec

Reported: 2007-11-01 23:29 EDT by Steve Siano
Modified: 2009-12-19 20:56 EST
Last Closed: 2009-06-10 10:45:37 EDT

Attachments
Audit alert from the SETroubleshoot browser (2.11 KB, text/plain)
2007-11-01 23:29 EDT, Steve Siano

Description Steve Siano 2007-11-01 23:29:36 EDT
Description of problem:
Got an SELinux audit alert when installing shadow-utils-4.0.17-12.el5.  The
summary of the alert is

   SELinux is preventing /usr/sbin/useradd (useradd_t) "read write" to faillog (var_log_t).

The alert said to file a bug.

Version-Release number of selected component (if applicable):
Linux <hostname> 2.6.18-8.1.15.el5 #1 SMP Thu Oct 4 04:06:39 EDT 2007 x86_64 x86_64 x86_64 GNU/Linux

Comment 1 Steve Siano 2007-11-01 23:29:36 EDT
Created attachment 246311 [details]
Audit alert from the SETroubleshoot browser
Comment 2 Huzaifa S. Sidhpurwala 2009-01-12 00:47:10 EST
Looks like the faillog file has the wrong SELinux context.

-rw-------  root root system_u:object_r:faillog_t      faillog

is the correct one.

As per the following SELinux policy:

allow useradd_t faillog_t : file { ioctl read write getattr lock append };

As per
allow useradd_t var_log_t : dir { getattr search };

Write access is not allowed.

FYI
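
The check described in comment 2, as an added example that is not part of the original bug report or of the SELinux tooling: it parses the two allow rules quoted above and tests the "read write" request from the alert against the file's label. The function names and the user and role fields of the var_log_t context are assumptions made for illustration, and only the two quoted rules are modelled, not a full loaded policy.

```python
import re

# The two rules quoted in comment 2, copied verbatim from the page.
POLICY = """
allow useradd_t faillog_t : file { ioctl read write getattr lock append };
allow useradd_t var_log_t : dir { getattr search };
"""

# allow <source type> <target type> : <class> { <permissions> };
RULE_RE = re.compile(r"allow\s+(\S+)\s+(\S+)\s*:\s*(\S+)\s*\{([^}]*)\}\s*;")


def parse_allow_rules(text):
    """Map (source type, target type, class) -> set of granted permissions."""
    rules = {}
    for src, tgt, cls, perms in RULE_RE.findall(text):
        rules.setdefault((src, tgt, cls), set()).update(perms.split())
    return rules


def denied(rules, src, tgt, cls, requested):
    """Return the requested permissions that no rule grants.

    SELinux is default-deny, so a missing rule means every requested
    permission is refused. An empty set means the access is allowed.
    """
    return set(requested) - rules.get((src, tgt, cls), set())


def file_type(context):
    """Extract the type field from a user:role:type[:level] context."""
    return context.split(":")[2]


if __name__ == "__main__":
    rules = parse_allow_rules(POLICY)
    # Constructed contexts: the label reported in the alert (user and role
    # fields assumed) and the label comment 2 gives as correct.
    for ctx in ("system_u:object_r:var_log_t", "system_u:object_r:faillog_t"):
        missing = denied(rules, "useradd_t", file_type(ctx), "file",
                         ["read", "write"])
        verdict = "denied: " + " ".join(sorted(missing)) if missing else "allowed"
        print(ctx, "->", verdict)
```

On a live system the current label can be read with `ls -Z /var/log/faillog`, and `restorecon -v /var/log/faillog` resets it to whatever the loaded policy's file-context rules specify.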
