Description of problem:
normally, in kickstart, I passwd -d and chage (and also chfn) a user to force new password on first login after installation without the user having to know what password I set in kickstart. anaconda 15.20.1 and selinux-policy-3.9.14-2.fc15 do not allow me to passwd -d (and chfn) any longer.

Version-Release number of selected component (if applicable):
selinux-policy-3.9.14-2.fc15

How reproducible:
always

Steps to Reproduce:
1. install via kickstart with selinux --enforcing
2. have all the following in the kickstart

[...]
# create a user
user --name=user --password=geheim
[...]
%post
(
#
# set a full name
chfn -f 'test user' user
#
# set empty password
passwd -d user
#
# force password change
chage -d 0 user
# the two steps above of course only make sense if you install in a trusted network
# and then log in once to set password BEFORE you put the machine in an untrusted network.
# If you can not do this, set a decent password higher up in this file and disable the -d step
[...]
) 1>/root/post.out 2>/root/post.err
%end

Actual results:
user password neither empty nor full name set.

[root@guest4 ~]# cat post.err
chfn: chfn: system_u:system_r:rpm_script_t:s0 is not authorized to change the finger info of user
passwd: system_u:system_r:rpm_script_t:s0 is not authorized to change the password of user

Expected results:
presuming this is not intentional, then I would like this to work like it did up to Fedora14 and RHEL6. If chfn and passwd not being allowed in %post is intentional, then please excuse the noise (I have filed RFE Bug 681658 for anaconda to learn to make a user with empty password that is forced to change on first login).

Additional info:
the chfn is only really used when the username is not the generic 'user' used for test installations. That's no more than 5% of my kickstarts, e.g. when installing a Linux laptop for an acquaintance.
The other 95% are test installs for engineers, at the customer I'm DEEing for, that quickly need a certain RHEL or Fedora version to test something.
Any chance you got the AVC?

It looks like F15 policy has

sesearch -A -s rpm_script_t -c passwd -p passwd
Found 1 semantic av rules:
   allow rpm_script_t rpm_script_t : passwd { passwd chfn chsh rootok crontab } ;
Dan, stupid question, where do I pick up the AVC?

grep -r chfn after install, but before reboot, yields nothing in /tmp nor in /mnt/sysimage/var/log/

Maybe I'm just being slow this morning.
In the /var/log/audit/audit.log file, or you can re-test it and run

# ausearch -m avc -ts recent
Miroslav, this is just after install and _before_ I reboot the box.

sh-4.2# chroot /mnt/sysimage/
sh-4.2# less /var/log/audit/audit.log
/var/log/audit/audit.log: No such file or directory
sh-4.2# exit
sh-4.2# /var/log/audit/audit.log
sh: /var/log/audit/audit.log: No such file or directory

so where do the AVCs go while anaconda is running?
never mind, got it with a bit of forcing

sh-4.2# chroot /mnt/sysimage/
sh-4.2# chfn -f 'test user' user
chfn: chfn: system_u:system_r:rpm_script_t:s0 is not authorized to change the finger info of user
sh-4.2# grep -ri deny /var/log/*
sh-4.2# /etc/init.d/auditd start
Starting auditd: [ OK ]
sh-4.2# chfn -f 'test user' user
chfn: chfn: system_u:system_r:rpm_script_t:s0 is not authorized to change the finger info of user
sh-4.2# ausearch -m avc -ts recent
----
time->Mon Mar 7 19:46:55 2011
type=SYSCALL msg=audit(1299520015.553:149): arch=c000003e syscall=59 success=yes exit=0 a0=982f90 a1=9d8910 a2=9dba80 a3=7ffffbd3ee70 items=0 ppid=13147 pid=13160 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=ttyS0 ses=4294967295 comm="auditctl" exe="/sbin/auditctl" subj=system_u:system_r:auditctl_t:s0 key=(null)
type=AVC msg=audit(1299520015.553:149): avc: denied { read write } for pid=13160 comm="auditctl" path="/dev/mapper/control" dev=tmpfs ino=23339 scontext=system_u:system_r:auditctl_t:s0 tcontext=system_u:object_r:lvm_control_t:s0 tclass=chr_file
type=AVC msg=audit(1299520015.553:149): avc: denied { read write } for pid=13160 comm="auditctl" path="/tmp/vncserver.log" dev=tmpfs ino=25371 scontext=system_u:system_r:auditctl_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=file
type=AVC msg=audit(1299520015.553:149): avc: denied { append } for pid=13160 comm="auditctl" path="/dev/tty3" dev=tmpfs ino=23024 scontext=system_u:system_r:auditctl_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=chr_file
type=AVC msg=audit(1299520015.553:149): avc: denied { read write } for pid=13160 comm="auditctl" path="socket:[24494]" dev=sockfs ino=24494 scontext=system_u:system_r:auditctl_t:s0 tcontext=system_u:system_r:anaconda_t:s0 tclass=unix_dgram_socket
type=AVC msg=audit(1299520015.553:149): avc: denied { append } for pid=13160 comm="auditctl" path="/tmp/anaconda.log" dev=tmpfs ino=23152 scontext=system_u:system_r:auditctl_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=file
type=AVC msg=audit(1299520015.553:149): avc: denied { read write } for pid=13160 comm="auditctl" name="console" dev=tmpfs ino=23008 scontext=system_u:system_r:auditctl_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=chr_file
----
time->Mon Mar 7 19:46:55 2011
type=SYSCALL msg=audit(1299520015.561:150): arch=c000003e syscall=5 success=yes exit=0 a0=1 a1=7fff8803bb50 a2=7fff8803bb50 a3=7fff8803ba00 items=0 ppid=13147 pid=13160 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=ttyS0 ses=4294967295 comm="auditctl" exe="/sbin/auditctl" subj=system_u:system_r:auditctl_t:s0 key=(null)
type=AVC msg=audit(1299520015.561:150): avc: denied { getattr } for pid=13160 comm="auditctl" path="/dev/null" dev=tmpfs ino=23015 scontext=system_u:system_r:auditctl_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=chr_file
----
time->Mon Mar 7 19:46:55 2011
type=SYSCALL msg=audit(1299520015.561:151): arch=c000003e syscall=16 success=no exit=-25 a0=1 a1=5401 a2=7fff8803bac8 a3=7fff8803ba00 items=0 ppid=13147 pid=13160 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=ttyS0 ses=4294967295 comm="auditctl" exe="/sbin/auditctl" subj=system_u:system_r:auditctl_t:s0 key=(null)
type=AVC msg=audit(1299520015.561:151): avc: denied { ioctl } for pid=13160 comm="auditctl" path="/dev/null" dev=tmpfs ino=23015 scontext=system_u:system_r:auditctl_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=chr_file
sh-4.2#
agh, not my day, ignore comment 5, the AVC we need is not in there. There must be a way to get the AVC...
Might be in the install log or in the anaconda log. Not sure if the /var/log/messages file is saved during install.
(In reply to comment #7)
> Might be in the install log or in the anaconda log. Not sure if the
> /var/log/messages file is saved during install.

There's /tmp/syslog and /mnt/sysimage/root/install.log.syslog before I reboot at the end of installation. But neither contains any of 'deny', 'denied', 'avc' or 'chfn' (as per grep -i).

Installing in GUI mode (normally I install in serial console mode), I also was not able to see the AVC on any of the ttys.
runcon system_u:system_r:rpm_t:s0 runcon system_u:system_r:rpm_script_t:s0 chage -d 0 pwalsh

This is working for me on an F15 machine.
(In reply to comment #9)
> runcon system_u:system_r:rpm_t:s0 runcon system_u:system_r:rpm_script_t:s0
> chage -d 0 pwalsh
>
> This is working for me on an F15 machine.

Yeah, the chage works for me too, it's the chfn and passwd -d that get denied

[root@guest4 ~]# cat post.err
chfn: chfn: system_u:system_r:rpm_script_t:s0 is not authorized to change the finger info of user
passwd: system_u:system_r:rpm_script_t:s0 is not authorized to change the password of user
runcon system_u:system_r:rpm_t:s0 runcon system_u:system_r:rpm_script_t:s0 chfn -f "Phyllis Walsh" pwalsh

This works also.
I'll try again under F15 Alpha (as opposed to development/15 which I was using so far). ISOs are downloading as we speak, should hopefully get this tested tomorrow or at the latest Thursday.
turns out that /selinux is not mounted in %post. But my F14 Alpha x86_64 ISO just finished downloading, so I'll reproduce under that momentarily.
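As an added example (not part of the bug report, anaconda or selinux-policy), the following %post-style helpers verify that the passwd -d, chage -d 0 and chfn steps from the description actually took effect by reading the account files back, instead of trusting the exit status that only surfaced in /root/post.err after reboot; they also record whether a selinuxfs is mounted, which the observation above found missing in %post. The function names, and the /etc/shadow, /etc/passwd and /proc/mounts samples written by demo, are constructed for illustration; the file paths are parameters so the checks can be exercised outside an install.

```shell
#!/bin/sh
# Added example, not code from the bug report or from anaconda/selinux-policy.
# Helpers a kickstart %post could call right after chfn / passwd -d / chage -d 0
# to confirm the change really landed. All paths default to the live files but
# can be pointed at constructed copies.

# selinuxfs_mounted [MOUNTS_FILE]
# Returns 0 if a selinuxfs filesystem appears in MOUNTS_FILE (default /proc/mounts),
# whatever the mount point (/selinux on F15, /sys/fs/selinux on later releases).
selinuxfs_mounted() {
    mounts="${1:-/proc/mounts}"
    awk '$3 == "selinuxfs" { found = 1 } END { if (found) exit 0; exit 1 }' "$mounts"
}

# check_forced_change USER [SHADOW_FILE]
# Shadow layout: name:password:lastchange:min:max:warn:inactive:expire:reserved
# Returns 0 only when the password field is empty (passwd -d took effect) and
# lastchange is 0 (chage -d 0 took effect); 1 on mismatch, 2 if USER has no entry.
check_forced_change() {
    user="$1"
    shadow="${2:-/etc/shadow}"
    line=$(grep -- "^${user}:" "$shadow") || { echo "no shadow entry for $user" >&2; return 2; }
    pw=$(printf '%s\n' "$line" | cut -d: -f2)
    lastchg=$(printf '%s\n' "$line" | cut -d: -f3)
    if [ -n "$pw" ]; then
        echo "$user: password field not empty, passwd -d did not take effect" >&2
        return 1
    fi
    if [ "$lastchg" != "0" ]; then
        echo "$user: lastchange is '$lastchg' not 0, chage -d 0 did not take effect" >&2
        return 1
    fi
    return 0
}

# check_gecos USER FULLNAME [PASSWD_FILE]
# Returns 0 when the full-name part of USER's GECOS field (5th field, up to the
# first comma) equals FULLNAME, i.e. chfn -f took effect.
check_gecos() {
    user="$1"; want="$2"; passwd="${3:-/etc/passwd}"
    gecos=$(grep -- "^${user}:" "$passwd" | cut -d: -f5 | cut -d, -f1)
    [ "$gecos" = "$want" ]
}

# demo: run the checks against constructed copies of what %post would see in
# this bug, where all three commands were denied and nothing changed.
demo() {
    d=$(mktemp -d)
    # constructed shadow entry as left by "user --password=geheim" (hash is a placeholder)
    printf 'user:$6$constructedhash$xyz:15040:0:99999:7:::\n' > "$d/shadow"
    # constructed passwd entry with an empty GECOS field (chfn denied)
    printf 'user:x:500:500::/home/user:/bin/bash\n' > "$d/passwd"
    # constructed mount table without any selinuxfs line
    printf 'proc /proc proc rw 0 0\n/dev/sda1 / ext4 rw 0 0\n' > "$d/mounts"
    rc=0
    selinuxfs_mounted "$d/mounts" || echo "warning: selinuxfs not mounted in %post" >&2
    check_forced_change user "$d/shadow" || rc=1
    check_gecos user 'test user' "$d/passwd" || rc=1
    rm -rf "$d"
    return $rc
}

# In a real %post, call the checks after chfn/passwd/chage and exit non-zero on
# failure so the problem is visible in /root/post.err before the first reboot.
demo && echo "post-install account checks passed" || echo "post-install account checks FAILED"
```

Running the file as-is prints "post-install account checks FAILED" together with the two diagnostic lines on stderr, because the constructed files reproduce the denied state from the report; on a system where the commands succeeded, check_forced_change and check_gecos return 0.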
*** This bug has been marked as a duplicate of bug 677450 ***