Bug 588055 - SELinux is preventing passwd (passwd_t) "execute" bin_t.
Summary: SELinux is preventing passwd (passwd_t) "execute" bin_t.
Alias: None
Product: Fedora
Classification: Fedora
Component: passwd
Version: 11
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Tomas Mraz
QA Contact: Fedora Extras Quality Assurance
Depends On:
TreeView+ depends on / blocked
Reported: 2010-05-02 12:27 UTC by David O'Brien
Modified: 2010-06-28 15:44 UTC (History)
3 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Last Closed: 2010-06-28 15:44:08 UTC
Type: ---

Attachments (Terms of Use)

Description David O'Brien 2010-05-02 12:27:37 UTC
Description of problem:

Full details under "Additional Information". I performed a user password change today *around* the time that this AVC was last seen; perhaps that has something to do with it. I had two attempts at the password change, because the first time was too close to the previous password.

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
Actual results:

Expected results:

Additional info:


SELinux is preventing passwd (passwd_t) "execute" bin_t.

Detailed Description:

SELinux denied access requested by passwd. It is not expected that this access
is required by passwd and this access may signal an intrusion attempt. It is
also possible that the specific version or configuration of the application is
causing it to require additional access.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable
SELinux protection altogether. Disabling SELinux protection is not recommended.
Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
against this package.

Additional Information:

Source Context                unconfined_u:unconfined_r:passwd_t:s0-s0:c0.c1023
Target Context                system_u:object_r:bin_t:s0
Target Objects                /usr/bin/gnome-keyring-daemon [ file ]
Source                        passwd
Source Path                   /usr/bin/passwd
Port                          <Unknown>
Host                          galileo.milky.way
Source RPM Packages           passwd-0.76-2.fc11
Target RPM Packages           gnome-keyring-2.26.3-2.fc11
Policy RPM                    selinux-policy-3.6.12-96.fc11
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   catchall
Host Name                     galileo.milky.way
Platform                      Linux galileo.milky.way
                     #1 SMP Thu Feb 11
                              06:51:26 UTC 2010 i686 i686
Alert Count                   2
First Seen                    Sun 02 May 2010 08:11:22 PM EST
Last Seen                     Sun 02 May 2010 08:11:44 PM EST
Local ID                      ade2be5e-28ed-4d2c-b87e-be748b1699fd
Line Numbers                  

Raw Audit Messages            

node=galileo.milky.way type=AVC msg=audit(1272795104.836:44): avc:  denied  { execute } for  pid=3694 comm="passwd" name="gnome-keyring-daemon" dev=dm-0 ino=2301889 scontext=unconfined_u:unconfined_r:passwd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:bin_t:s0 tclass=file

node=galileo.milky.way type=SYSCALL msg=audit(1272795104.836:44): arch=40000003 syscall=11 success=no exit=-13 a0=c32174 a1=bfb201d0 a2=97bf5b8 a3=c321b7 items=0 ppid=3688 pid=3694 auid=500 uid=500 gid=500 euid=500 suid=0 fsuid=500 egid=500 sgid=500 fsgid=500 tty=pts2 ses=5 comm="passwd" exe="/usr/bin/passwd" subj=unconfined_u:unconfined_r:passwd_t:s0-s0:c0.c1023 key=(null)

Comment 1 Tomas Mraz 2010-05-03 06:32:32 UTC
This would have to be enabled in the SELinux policy. In case the gnome-keyring-daemon does not run pam_gnome_keyring module in the passwd configuration will try to start it up.

Comment 2 Miroslav Grepl 2010-05-03 09:39:25 UTC
It is allowed in F12. I will add it to F11 selinux-policy.

Comment 3 Daniel Walsh 2010-05-03 14:24:09 UTC
No gnome-keyring-daemon should not be started via PAM.  This is a huge side effect and policy to allow this is just too weird.  If the keyring is not running then it should just fail to update the password in the keyring.

Comment 4 Bug Zapper 2010-06-28 15:44:08 UTC
Fedora 11 changed to end-of-life (EOL) status on 2010-06-25. Fedora 11 is 
no longer maintained, which means that it will not receive any further 
security or bug fix updates. As a result we are closing this bug.

If you can reproduce this bug against a currently maintained version of 
Fedora please feel free to reopen this bug against that version.

Thank you for reporting this bug and we are sorry it could not be fixed.

Note You need to log in before you can comment on or make changes to this bug.