Bug 471344 - SELinux is preventing the passwd from using potentially mislabeled files (2F7661722F746D702F6B646563616368652D6474696C6F63616C2F6B70632F6B64652D69636F6E2D63616368652E696E646578202864656C6574656429).
SELinux is preventing the passwd from using potentially mislabeled files (2F7...
Status: CLOSED DUPLICATE of bug 484370
Product: Fedora
Classification: Fedora
Component: kdebase (Show other bugs)
9
All Linux
medium Severity medium
: ---
: ---
Assigned To: Ngo Than
Fedora Extras Quality Assurance
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2008-11-12 22:49 EST by Jerry Amundson
Modified: 2009-02-06 09:43 EST (History)
10 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2009-02-06 09:43:32 EST
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Jerry Amundson 2008-11-12 22:49:53 EST
Description of problem:
useradd newuser, echo newpass | passwd --stdin newuser, causes avc denial

Version-Release number of selected component (if applicable):
selinux-policy-3.3.1-42.fc9.noarch
selinux-policy-targeted-3.3.1-42.fc9.noarch

How reproducible:
Once.

Steps to Reproduce:
1. useradd newuser, echo newpass | passwd --stdin newuser
2. avc denial pops up
3.
  
Actual results:
avc denial

Expected results:
normal operation

Additional info:

Summary:

SELinux is preventing the passwd from using potentially mislabeled files
(2F7661722F746D702F6B646563616368652D6474696C6F63616C2F6B70632F6B64652D69636F6E2D63616368652E696E646578202864656C6574656429).

Detailed Description:

SELinux has denied passwd access to potentially mislabeled file(s)
(2F7661722F746D702F6B646563616368652D6474696C6F63616C2F6B70632F6B64652D69636F6E2D63616368652E696E646578202864656C6574656429).
This means that SELinux will not allow passwd to use these files. It is common
for users to edit files in their home directory or tmp directories and then move
(mv) them to system directories. The problem is that the files end up with the
wrong file context which confined applications are not allowed to access.

Allowing Access:

If you want passwd to access this files, you need to relabel them using
restorecon -v
'2F7661722F746D702F6B646563616368652D6474696C6F63616C2F6B70632F6B64652D69636F6E2D63616368652E696E646578202864656C6574656429'.
You might want to relabel the entire directory using restorecon -R -v ''.

Additional Information:

Source Context                unconfined_u:unconfined_r:passwd_t:s0-s0:c0.c1023
Target Context                unconfined_u:object_r:user_tmp_t:s0
Target Objects                2F7661722F746D702F6B646563616368652D6474696C6F6361
                              6C2F6B70632F6B64652D69636F6E2D63616368652E696E6465
                              78202864656C6574656429 [ file ]
Source                        passwd
Source Path                   /usr/bin/passwd
Port                          <Unknown>
Host                          jerry-d600f9
Source RPM Packages           passwd-0.75-2.fc9
Target RPM Packages           
Policy RPM                    selinux-policy-3.3.1-42.fc9
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   home_tmp_bad_labels
Host Name                     jerry-d600f9
Platform                      Linux jerry-d600f9 2.6.25-14.fc9.i686 #1 SMP Thu
                              May 1 06:28:41 EDT 2008 i686 i686
Alert Count                   1
First Seen                    Wed 12 Nov 2008 09:39:57 PM CST
Last Seen                     Wed 12 Nov 2008 09:39:57 PM CST
Local ID                      00e9ba70-c0e4-4488-9730-aa22776e3cb8
Line Numbers                  

Raw Audit Messages            

host=jerry-d600f9 type=AVC msg=audit(1226547597.633:88): avc:  denied  { read write } for  pid=18628 comm="passwd" path=2F7661722F746D702F6B646563616368652D6474696C6F63616C2F6B70632F6B64652D69636F6E2D63616368652E696E646578202864656C6574656429 dev=dm-0 ino=885565 scontext=unconfined_u:unconfined_r:passwd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=file

host=jerry-d600f9 type=AVC msg=audit(1226547597.633:88): avc:  denied  { read write } for  pid=18628 comm="passwd" path=2F7661722F746D702F6B646563616368652D6474696C6F63616C2F6B70632F6B64652D69636F6E2D63616368652E64617461202864656C6574656429 dev=dm-0 ino=885566 scontext=unconfined_u:unconfined_r:passwd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=file

host=jerry-d600f9 type=SYSCALL msg=audit(1226547597.633:88): arch=40000003 syscall=11 success=yes exit=0 a0=94085b0 a1=940b8e8 a2=940b6f8 a3=0 items=0 ppid=16257 pid=18628 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts2 ses=2 comm="passwd" exe="/usr/bin/passwd" subj=unconfined_u:unconfined_r:passwd_t:s0-s0:c0.c1023 key=(null)
Comment 1 Daniel Walsh 2008-11-13 17:20:39 EST
type=AVC msg=audit(11/12/08 22:39:57.633:88) : avc:  denied  { read write } for  
pid=18628 comm=passwd path=/var/tmp/kdecache-dtilocal/kpc/kde-icon-cache.data (deleted) dev=dm-0 ino=885566 scontext=unconfined_u:unconfined_r:passwd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=file 

kde/kdm is leaking an open file descriptor to the file "/var/tmp/kdecache-dtilocal/kpc/kde-icon-cache.data", this is passed on to konsole which passes it on to passwd.   SELinux notices this and closes the open file descriptor.

Nothing is actually prevented by this avc, so you can ignore it for now.

Open file descriptors should be closed on exec

fcntl(fd, F_SETFD, FD_CLOSEXEC)
Comment 2 Steven M. Parrish 2009-02-06 09:43:32 EST

*** This bug has been marked as a duplicate of bug 484370 ***

Note You need to log in before you can comment on or make changes to this bug.