Bug 449594 - AVC denial with passwd
AVC denial with passwd
Status: CLOSED CURRENTRELEASE
Product: Fedora
Classification: Fedora
Component: selinux-policy (Show other bugs)
9
x86_64 Linux
low Severity low
: ---
: ---
Assigned To: Daniel Walsh
Fedora Extras Quality Assurance
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2008-06-02 17:23 EDT by Jerry James
Modified: 2008-10-22 11:54 EDT (History)
1 user (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2008-10-22 11:54:33 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Jerry James 2008-06-02 17:23:01 EDT
Description of problem:
I don't know if this is a passwd bug or an selinux-policy bug, so I'm filing
against the latter.  I just changed my password with /usr/bin/passwd.  The
password change was successful, but just as the program exited, I got this AVC
denial:

host=localhost.localdomain type=AVC msg=audit(1212440781.663:61): avc: denied {
search } for pid=17579 comm="passwd" name="tmp" dev=dm-0 ino=253457
scontext=unconfined_u:unconfined_r:passwd_t:s0-s0:c0.c1023
tcontext=system_u:object_r:tmp_t:s0 tclass=dir

host=localhost.localdomain type=SYSCALL msg=audit(1212440781.663:61):
arch=c000003e syscall=6 success=no exit=-13 a0=6ad0a5 a1=7fffedc9b990
a2=7fffedc9b990 a3=7f16e5c81810 items=0 ppid=17572 pid=17579 auid=500 uid=500
gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=pts2 ses=1
comm="passwd" exe="/usr/bin/passwd"
subj=unconfined_u:unconfined_r:passwd_t:s0-s0:c0.c1023 key=(null)

Version-Release number of selected component (if applicable):
selinux-policy-3.3.1-55.fc9
passwd-0.75-2.fc9

How reproducible:
I have not tried to reproduce it.

Steps to Reproduce:
1. Run /usr/bin/passwd as a non-root user
  
Actual results:
AVC denial

Expected results:
No AVC denial

Additional info:
Setroubleshoot suggested trying to relabel /tmp.  I ran restorecon -v on /tmp,
with no change.
Comment 1 Daniel Walsh 2008-07-02 14:57:53 EDT
This is hard to fix.  Any confined domain that is started in a random directory
attempts to search/getattr on the current working directory.  If you ran passwd
from / or your homedir you would not get this avc.
Comment 2 Daniel Walsh 2008-07-02 15:03:37 EDT
You can allow this for now.

# audit2allow -M mypol -l -i /var/log/audit/audit.log
# semodule -i mypol.pp

Fixed in selinux-policy-3.3.1-75.fc9.noarch
Comment 3 Jerry James 2008-10-22 10:11:09 EDT
Bugzilla tells me that I need to verify that this is fixed.  So ... I verified that this is fixed.  Thank you, Daniel.

Note You need to log in before you can comment on or make changes to this bug.