Description of problem:
useradd newuser, echo newpass | passwd --stdin newuser, causes avc denial

Version-Release number of selected component (if applicable):
selinux-policy-3.3.1-42.fc9.noarch
selinux-policy-targeted-3.3.1-42.fc9.noarch

How reproducible:
Once.

Steps to Reproduce:
1. useradd newuser, echo newpass | passwd --stdin newuser
2. avc denial pops up
3.

Actual results:
avc denial

Expected results:
normal operation

Additional info:

Summary:

SELinux is preventing the passwd from using potentially mislabeled files
(2F7661722F746D702F6B646563616368652D6474696C6F63616C2F6B70632F6B64652D69636F6E2D63616368652E696E646578202864656C6574656429).

Detailed Description:

SELinux has denied passwd access to potentially mislabeled file(s)
(2F7661722F746D702F6B646563616368652D6474696C6F63616C2F6B70632F6B64652D69636F6E2D63616368652E696E646578202864656C6574656429).
This means that SELinux will not allow passwd to use these files. It is common
for users to edit files in their home directory or tmp directories and then
move (mv) them to system directories. The problem is that the files end up with
the wrong file context which confined applications are not allowed to access.

Allowing Access:

If you want passwd to access this files, you need to relabel them using
restorecon -v '2F7661722F746D702F6B646563616368652D6474696C6F63616C2F6B70632F6B64652D69636F6E2D63616368652E696E646578202864656C6574656429'.
You might want to relabel the entire directory using restorecon -R -v ''.
Additional Information:

Source Context                unconfined_u:unconfined_r:passwd_t:s0-s0:c0.c1023
Target Context                unconfined_u:object_r:user_tmp_t:s0
Target Objects                2F7661722F746D702F6B646563616368652D6474696C6F63616C2F6B70632F6B64652D69636F6E2D63616368652E696E646578202864656C6574656429 [ file ]
Source                        passwd
Source Path                   /usr/bin/passwd
Port                          <Unknown>
Host                          jerry-d600f9
Source RPM Packages           passwd-0.75-2.fc9
Target RPM Packages
Policy RPM                    selinux-policy-3.3.1-42.fc9
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   home_tmp_bad_labels
Host Name                     jerry-d600f9
Platform                      Linux jerry-d600f9 2.6.25-14.fc9.i686 #1 SMP Thu May 1 06:28:41 EDT 2008 i686 i686
Alert Count                   1
First Seen                    Wed 12 Nov 2008 09:39:57 PM CST
Last Seen                     Wed 12 Nov 2008 09:39:57 PM CST
Local ID                      00e9ba70-c0e4-4488-9730-aa22776e3cb8
Line Numbers

Raw Audit Messages

host=jerry-d600f9 type=AVC msg=audit(1226547597.633:88): avc: denied { read write } for pid=18628 comm="passwd" path=2F7661722F746D702F6B646563616368652D6474696C6F63616C2F6B70632F6B64652D69636F6E2D63616368652E696E646578202864656C6574656429 dev=dm-0 ino=885565 scontext=unconfined_u:unconfined_r:passwd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=file

host=jerry-d600f9 type=AVC msg=audit(1226547597.633:88): avc: denied { read write } for pid=18628 comm="passwd" path=2F7661722F746D702F6B646563616368652D6474696C6F63616C2F6B70632F6B64652D69636F6E2D63616368652E64617461202864656C6574656429 dev=dm-0 ino=885566 scontext=unconfined_u:unconfined_r:passwd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=file

host=jerry-d600f9 type=SYSCALL msg=audit(1226547597.633:88): arch=40000003 syscall=11 success=yes exit=0 a0=94085b0 a1=940b8e8 a2=940b6f8 a3=0 items=0 ppid=16257 pid=18628 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts2 ses=2 comm="passwd" exe="/usr/bin/passwd" subj=unconfined_u:unconfined_r:passwd_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(11/12/08 22:39:57.633:88) : avc: denied { read write } for pid=18628 comm=passwd path=/var/tmp/kdecache-dtilocal/kpc/kde-icon-cache.data (deleted) dev=dm-0 ino=885566 scontext=unconfined_u:unconfined_r:passwd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=file

kde/kdm is leaking an open file descriptor to the file "/var/tmp/kdecache-dtilocal/kpc/kde-icon-cache.data", this is passed on to konsole which passes it on to passwd. SELinux notices this and closes the open file descriptor. Nothing is actually prevented by this avc, so you can ignore it for now.

Open file descriptors should be closed on exec: fcntl(fd, F_SETFD, FD_CLOEXEC)
*** This bug has been marked as a duplicate of bug 484370 ***