Bug 449594 - AVC denial with passwd
Summary: AVC denial with passwd
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 9
Hardware: x86_64
OS: Linux
low
low
Target Milestone: ---
Assignee: Daniel Walsh
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2008-06-02 21:23 UTC by Jerry James
Modified: 2008-10-22 15:54 UTC (History)
1 user (show)

Fixed In Version:
Clone Of:
Environment:
Last Closed: 2008-10-22 15:54:33 UTC
Type: ---
Embargoed:


Attachments (Terms of Use)

Description Jerry James 2008-06-02 21:23:01 UTC
Description of problem:
I don't know if this is a passwd bug or an selinux-policy bug, so I'm filing
against the latter.  I just changed my password with /usr/bin/passwd.  The
password change was successful, but just as the program exited, I got this AVC
denial:

host=localhost.localdomain type=AVC msg=audit(1212440781.663:61): avc: denied {
search } for pid=17579 comm="passwd" name="tmp" dev=dm-0 ino=253457
scontext=unconfined_u:unconfined_r:passwd_t:s0-s0:c0.c1023
tcontext=system_u:object_r:tmp_t:s0 tclass=dir

host=localhost.localdomain type=SYSCALL msg=audit(1212440781.663:61):
arch=c000003e syscall=6 success=no exit=-13 a0=6ad0a5 a1=7fffedc9b990
a2=7fffedc9b990 a3=7f16e5c81810 items=0 ppid=17572 pid=17579 auid=500 uid=500
gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=pts2 ses=1
comm="passwd" exe="/usr/bin/passwd"
subj=unconfined_u:unconfined_r:passwd_t:s0-s0:c0.c1023 key=(null)

Version-Release number of selected component (if applicable):
selinux-policy-3.3.1-55.fc9
passwd-0.75-2.fc9

How reproducible:
I have not tried to reproduce it.

Steps to Reproduce:
1. Run /usr/bin/passwd as a non-root user
  
Actual results:
AVC denial

Expected results:
No AVC denial

Additional info:
Setroubleshoot suggested trying to relabel /tmp.  I ran restorecon -v on /tmp,
with no change.

Comment 1 Daniel Walsh 2008-07-02 18:57:53 UTC
This is hard to fix.  Any confined domain that is started in a random directory
attempts to search/getattr on the current working directory.  If you ran passwd
from / or your homedir you would not get this avc.

Comment 2 Daniel Walsh 2008-07-02 19:03:37 UTC
You can allow this for now.

# audit2allow -M mypol -l -i /var/log/audit/audit.log
# semodule -i mypol.pp

Fixed in selinux-policy-3.3.1-75.fc9.noarch

Comment 3 Jerry James 2008-10-22 14:11:09 UTC
Bugzilla tells me that I need to verify that this is fixed.  So ... I verified that this is fixed.  Thank you, Daniel.


Note You need to log in before you can comment on or make changes to this bug.