abrt version: 2.0.5
executable: /usr/bin/python
hashmarkername: setroubleshoot
kernel: 3.1.0-0.rc6.git0.0.fc16.x86_64
reason: SELinux is preventing /usr/bin/passwd from 'getattr' accesses on the chr_file /dev/autofs.
time: Sat Sep 17 13:45:18 2011

description:
:SELinux is preventing /usr/bin/passwd from 'getattr' accesses on the chr_file /dev/autofs.
:
:***** Plugin catchall (100. confidence) suggests ***************************
:
:If you believe that passwd should be allowed getattr access on the autofs chr_file by default.
:Then you should report this as a bug.
:You can generate a local policy module to allow this access.
:Do
:allow this access for now by executing:
:# grep passwd /var/log/audit/audit.log | audit2allow -M mypol
:# semodule -i mypol.pp
:
:Additional Information:
:Source Context unconfined_u:unconfined_r:passwd_t:s0-s0:c0.c1023
:Target Context system_u:object_r:autofs_device_t:s0
:Target Objects /dev/autofs [ chr_file ]
:Source passwd
:Source Path /usr/bin/passwd
:Port <Unknown>
:Host (removed)
:Source RPM Packages passwd-0.78-3.fc15
:Target RPM Packages
:Policy RPM selinux-policy-3.10.0-28.fc16
:Selinux Enabled True
:Policy Type targeted
:Enforcing Mode Enforcing
:Host Name (removed)
:Platform Linux (removed) 3.1.0-0.rc6.git0.0.fc16.x86_64 #1 SMP
: Mon Sep 12 22:46:15 UTC 2011 x86_64 x86_64
:Alert Count 7
:First Seen Sat 17 Sep 2011 01:43:22 PM CEST
:Last Seen Sat 17 Sep 2011 01:44:10 PM CEST
:Local ID 03ab46fb-ecca-4c35-a51b-52b98ce5be41
:
:Raw Audit Messages
:type=AVC msg=audit(1316259850.563:742): avc: denied { getattr } for pid=2214 comm="passwd" path="/dev/autofs" dev=devtmpfs ino=1121 scontext=unconfined_u:unconfined_r:passwd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:autofs_device_t:s0 tclass=chr_file
:
:
:type=SYSCALL msg=audit(1316259850.563:742): arch=x86_64 syscall=stat success=no exit=EACCES a0=7fffdb767ce0 a1=7fffdb7635b0 a2=7fffdb7635b0 a3=0 items=0 ppid=2213 pid=2214 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=4 comm=passwd exe=/usr/bin/passwd subj=unconfined_u:unconfined_r:passwd_t:s0-s0:c0.c1023 key=(null)
:
:Hash: passwd,passwd_t,autofs_device_t,chr_file,getattr
:
:audit2allow
:
:#============= passwd_t ==============
:allow passwd_t autofs_device_t:chr_file getattr;
:
:audit2allow -R
:
:#============= passwd_t ==============
:allow passwd_t autofs_device_t:chr_file getattr;
:
See also Bug 739302 - passwd will stat all files in /dev

This shows up as one of many avcs:
Did you run restorecon on /dev when this happened?
No, I didn't run restorecon. The system has just been rebooted and relabeled:

[root@fladmast ~]# restorecon -rvn /dev
restorecon reset /dev/pts/ptmx context system_u:object_r:devpts_t:s0->system_u:object_r:ptmx_t:s0
[root@fladmast ~]# rpm -q selinux-policy systemd dracut
selinux-policy-3.10.0-30.fc16.noarch
systemd-35-1.fc16.x86_64
dracut-013-8.fc16.noarch
[root@fladmast ~]# useradd aa
[root@fladmast ~]# passwd aa
Changing password for user aa.
Sep 19 08:21:23 fladmast kernel: [ 4038.534940] type=1400 audit(1316434883.228:4): avc: denied { getattr } for pid=1500 comm="passwd" path="/dev/uinput" dev=devtmpfs ino=11284 scontext=unconfined_u:unconfined_r:passwd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:event_device_t:s0 tclass=chr_file
Sep 19 08:21:23 fladmast kernel: [ 4038.534975] type=1400 audit(1316434883.228:5): avc: denied { getattr } for pid=1500 comm="passwd" path="/dev/ppp" dev=devtmpfs ino=11276 scontext=unconfined_u:unconfined_r:passwd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:ppp_device_t:s0 tclass=chr_file
Sep 19 08:21:23 fladmast kernel: [ 4038.535013] type=1400 audit(1316434883.228:6): avc: denied { getattr } for pid=1500 comm="passwd" path="/dev/lp2" dev=devtmpfs ino=10458 scontext=unconfined_u:unconfined_r:passwd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:printer_device_t:s0 tclass=chr_file
Sep 19 08:21:23 fladmast kernel: [ 4038.535038] type=1400 audit(1316434883.228:7): avc: denied { getattr } for pid=1500 comm="passwd" path="/dev/lp0" dev=devtmpfs ino=10457 scontext=unconfined_u:unconfined_r:passwd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:printer_device_t:s0 tclass=chr_file
Sep 19 08:21:23 fladmast kernel: [ 4038.535063] type=1400 audit(1316434883.228:8): avc: denied { getattr } for pid=1500 comm="passwd" path="/dev/lp3" dev=devtmpfs ino=10456 scontext=unconfined_u:unconfined_r:passwd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:printer_device_t:s0 tclass=chr_file
Sep 19 08:21:23 fladmast kernel: [ 4038.535087] type=1400 audit(1316434883.228:9): avc: denied { getattr } for pid=1500 comm="passwd" path="/dev/lp1" dev=devtmpfs ino=10455 scontext=unconfined_u:unconfined_r:passwd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:printer_device_t:s0 tclass=chr_file
Sep 19 08:21:23 fladmast kernel: [ 4038.535144] type=1400 audit(1316434883.228:10): avc: denied { getattr } for pid=1500 comm="passwd" path="/dev/initctl" dev=devtmpfs ino=10267 scontext=unconfined_u:unconfined_r:passwd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:initctl_t:s0 tclass=fifo_file
Sep 19 08:21:23 fladmast kernel: [ 4038.535246] type=1400 audit(1316434883.229:11): avc: denied { getattr } for pid=1500 comm="passwd" path="/dev/dm-2" dev=devtmpfs ino=6966 scontext=unconfined_u:unconfined_r:passwd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:fixed_disk_device_t:s0 tclass=blk_file
Sep 19 08:21:23 fladmast kernel: [ 4038.535289] type=1400 audit(1316434883.229:12): avc: denied { getattr } for pid=1500 comm="passwd" path="/dev/sdb1" dev=devtmpfs ino=1497 scontext=unconfined_u:unconfined_r:passwd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:fixed_disk_device_t:s0 tclass=blk_file
Sep 19 08:21:23 fladmast kernel: [ 4038.535331] type=1400 audit(1316434883.229:13): avc: denied { getattr } for pid=1500 comm="passwd" path="/dev/sdb" dev=devtmpfs ino=7781 scontext=unconfined_u:unconfined_r:passwd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:fixed_disk_device_t:s0 tclass=blk_file
New password:
Retype new password:
Sep 19 08:21:36 fladmast kernel: [ 4051.879476] audit_printk_skb: 156 callbacks suppressed
Sep 19 08:21:36 fladmast kernel: [ 4051.879485] type=1400 audit(1316434896.579:66): avc: denied { getattr } for pid=1500 comm="passwd" path="/dev/uinput" dev=devtmpfs ino=11284 scontext=unconfined_u:unconfined_r:passwd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:event_device_t:s0 tclass=chr_file
Sep 19 08:21:36 fladmast kernel: [ 4051.879587] type=1400 audit(1316434896.580:67): avc: denied { getattr } for pid=1500 comm="passwd" path="/dev/ppp" dev=devtmpfs ino=11276 scontext=unconfined_u:unconfined_r:passwd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:ppp_device_t:s0 tclass=chr_file
Sep 19 08:21:36 fladmast kernel: [ 4051.879678] type=1400 audit(1316434896.580:68): avc: denied { getattr } for pid=1500 comm="passwd" path="/dev/lp2" dev=devtmpfs ino=10458 scontext=unconfined_u:unconfined_r:passwd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:printer_device_t:s0 tclass=chr_file
Sep 19 08:21:36 fladmast kernel: [ 4051.879769] type=1400 audit(1316434896.580:69): avc: denied { getattr } for pid=1500 comm="passwd" path="/dev/lp0" dev=devtmpfs ino=10457 scontext=unconfined_u:unconfined_r:passwd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:printer_device_t:s0 tclass=chr_file
Sep 19 08:21:36 fladmast kernel: [ 4051.879858] type=1400 audit(1316434896.580:70): avc: denied { getattr } for pid=1500 comm="passwd" path="/dev/lp3" dev=devtmpfs ino=10456 scontext=unconfined_u:unconfined_r:passwd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:printer_device_t:s0 tclass=chr_file
Sep 19 08:21:36 fladmast kernel: [ 4051.879948] type=1400 audit(1316434896.580:71): avc: denied { getattr } for pid=1500 comm="passwd" path="/dev/lp1" dev=devtmpfs ino=10455 scontext=unconfined_u:unconfined_r:passwd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:printer_device_t:s0 tclass=chr_file
Sep 19 08:21:36 fladmast kernel: [ 4051.880042] type=1400 audit(1316434896.580:72): avc: denied { getattr } for pid=1500 comm="passwd" path="/dev/initctl" dev=devtmpfs ino=10267 scontext=unconfined_u:unconfined_r:passwd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:initctl_t:s0 tclass=fifo_file
Sep 19 08:21:36 fladmast kernel: [ 4051.880233] type=1400 audit(1316434896.580:73): avc: denied { getattr } for pid=1500 comm="passwd" path="/dev/dm-2" dev=devtmpfs ino=6966 scontext=unconfined_u:unconfined_r:passwd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:fixed_disk_device_t:s0 tclass=blk_file
Sep 19 08:21:36 fladmast kernel: [ 4051.880326] type=1400 audit(1316434896.580:74): avc: denied { getattr } for pid=1500 comm="passwd" path="/dev/sdb1" dev=devtmpfs ino=1497 scontext=unconfined_u:unconfined_r:passwd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:fixed_disk_device_t:s0 tclass=blk_file
Sep 19 08:21:36 fladmast kernel: [ 4051.880445] type=1400 audit(1316434896.580:75): avc: denied { getattr } for pid=1500 comm="passwd" path="/dev/sdb" dev=devtmpfs ino=7781 scontext=unconfined_u:unconfined_r:passwd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:fixed_disk_device_t:s0 tclass=blk_file
passwd: all authentication tokens updated successfully.
Ok, I will add dev_dontaudit_getattr_all(passwd_t)
This might have shown up as a consequence of bug 739307. I don't know if the workaround is necessary when that has been solved.
No I actually think this is caused by a pam module
Fixed in selinux-policy-3.10.0-33.fc16
(In reply to comment #6)
> No I actually think this is caused by a pam module

Bug 739302 agrees that it is caused by a pam module (calling glibc ttyname), but also that it stats everything because the first stat fails.
What pam module caused what? I do not think so as there was no related change in a pam module. Again, I have to repeat that the passwd_t must be able to getattr on user_devpts_t, otherwise ttyname() as called by passwd and pam modules will not work correctly.
Right, but there was a labeling problem, so it was denied and then went nuts searching for a device it could write.
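The pattern described in the comments above (one process refused the same permission on many unrelated device types in a single burst, after an earlier lookup failed) can be told apart from ordinary denials before choosing between allow and dontaudit rules. The following is an added example, not part of the original report and not code from setroubleshoot or audit2allow; the sample log, the thresholds and all function names are constructed assumptions.

```python
import os.path
import re
from collections import defaultdict

# Matches both renderings quoted in this report: audit.log
# ("type=AVC msg=audit(...)") and kernel log ("type=1400 audit(...)").
AVC_RE = re.compile(
    r"audit\((?P<ts>\d+\.\d+):\d+\):\s+avc:\s+denied\s+"
    r"\{(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def _avc(ts, perm, pid, comm, obj, stype, ttype, tclass):
    """Build one constructed AVC line in audit.log format."""
    return (f'type=AVC msg=audit({ts}:1): avc:  denied  {{ {perm} }} for  '
            f'pid={pid} comm="{comm}" {obj} dev=devtmpfs ino=1 '
            f'scontext=unconfined_u:unconfined_r:{stype}:s0 '
            f'tcontext=system_u:object_r:{ttype}:s0 tclass={tclass}')


# Constructed sample, not taken from the report: a refused directory search,
# then a burst of getattr denials from the same pid, plus unrelated noise.
SAMPLE_LOG = "\n".join([
    _avc("1000000000.100", "search", 4242, "passwd", 'name="pts"', "passwd_t", "devpts_t", "dir"),
    _avc("1000000000.101", "getattr", 4242, "passwd", 'path="/dev/lp0"', "passwd_t", "printer_device_t", "chr_file"),
    _avc("1000000000.101", "getattr", 4242, "passwd", 'path="/dev/ppp"', "passwd_t", "ppp_device_t", "chr_file"),
    _avc("1000000000.102", "getattr", 4242, "passwd", 'path="/dev/uinput"', "passwd_t", "event_device_t", "chr_file"),
    _avc("1000000000.102", "getattr", 4242, "passwd", 'path="/dev/rtc0"', "passwd_t", "clock_device_t", "chr_file"),
    _avc("1000000000.103", "getattr", 4242, "passwd", 'path="/dev/sdb"', "passwd_t", "fixed_disk_device_t", "blk_file"),
    'type=SYSCALL msg=audit(1000000000.103:1): arch=c000003e syscall=4 success=no exit=-13 pid=4242 comm="passwd"',
    _avc("1000000050.000", "read", 900, "httpd", 'path="/srv/www/index.html"', "httpd_t", "default_t", "file"),
])


def parse_avc(line):
    """Return a dict for one AVC denial line, or None for any other record."""
    m = AVC_RE.search(line)
    if not m:
        return None
    kv = {k: v.strip('"') for k, v in KV_RE.findall(m.group("rest"))}
    if not {"pid", "scontext", "tcontext", "tclass"} <= kv.keys():
        return None
    return {"ts": float(m.group("ts")), "pid": int(kv["pid"]),
            "perms": tuple(m.group("perms").split()),
            "path": kv.get("path") or kv.get("name", ""),
            "stype": kv["scontext"].split(":")[2],   # SELinux type is field 3
            "ttype": kv["tcontext"].split(":")[2],
            "tclass": kv["tclass"]}


def find_sweeps(records, min_types=4, gap=1.0):
    """Find bursts where one pid was refused the same permission on at least
    min_types distinct target types in one directory (a directory walk)."""
    by_key = defaultdict(list)
    for r in records:
        if r["path"].startswith("/"):
            by_key[(r["pid"], r["stype"], r["perms"], os.path.dirname(r["path"]))].append(r)
    sweeps = []
    for (pid, stype, perms, directory), recs in by_key.items():
        recs.sort(key=lambda r: r["ts"])
        burst = [recs[0]]
        for r in recs[1:] + [None]:          # None flushes the final burst
            if r is not None and r["ts"] - burst[-1]["ts"] <= gap:
                burst.append(r)
                continue
            ttypes = sorted({b["ttype"] for b in burst})
            if len(ttypes) >= min_types:
                # Heuristic: the last other denial for this pid before the
                # burst is the first place to look for what set off the walk.
                earlier = [x for x in records if x["pid"] == pid
                           and x["ts"] <= burst[0]["ts"] and x not in burst]
                sweeps.append({"pid": pid, "stype": stype, "perms": perms,
                               "directory": directory, "ttypes": ttypes, "members": burst,
                               "preceded_by": max(earlier, key=lambda x: x["ts"], default=None)})
            burst = [r] if r is not None else []
    return sweeps


def triage(log_text):
    """Split denials into sweeps and isolated denials needing individual review."""
    records = [r for r in map(parse_avc, log_text.splitlines()) if r]
    sweeps = find_sweeps(records)
    swept = [m for s in sweeps for m in s["members"]]
    isolated = []
    for r in records:
        if r not in swept:
            perms = r["perms"][0] if len(r["perms"]) == 1 else "{ " + " ".join(r["perms"]) + " }"
            isolated.append(f'{r["stype"]} {r["ttype"]}:{r["tclass"]} {perms}')
    return {"sweeps": sweeps, "isolated": isolated}


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    for s in result["sweeps"]:
        print(f'sweep: pid {s["pid"]} ({s["stype"]}) refused {" ".join(s["perms"])} on '
              f'{len(s["ttypes"])} types under {s["directory"]}: {", ".join(s["ttypes"])}')
        if s["preceded_by"]:
            p = s["preceded_by"]
            print(f'  look first at: {" ".join(p["perms"])} on {p["ttype"]}:{p["tclass"]} ({p["path"]})')
    for rule in result["isolated"]:
        print("review individually:", rule)
```

A sweep is a sign that per-type allow rules from audit2allow would grant far more than the program needs; the denial reported under "look first at" is where the investigation starts.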
Is user_devpts_t correct labelling? If so, then passwd_t is still prevented from getattr it on my F16 install.
sesearch -A -s passwd_t -t user_devpts_t -C
Found 2 semantic av rules:
   allow passwd_t user_devpts_t : chr_file { ioctl read write getattr append } ;

This is what I see. What AVC are you seeing? What policy do you have installed?
Hmm maybe the real reason is that the passwd_t is not allowed to search devpts_t dir?

sesearch -A -s passwd_t -t devpts_t -C
Found 1 semantic av rules:
   allow passwd_t devpts_t : chr_file { ioctl read write getattr append } ;

No dir class above and the /dev/pts is directory with devpts_t type.
Ok I will allow this access.

Fixed in selinux-policy-3.10.0-33.fc16
Just another observation - that might be implied by your discussion above: There is no problem when running passwd as root logged in on tty2 - passwd can do what it wants to do without statting everything. When logged in as an ordinary user in X and running "su -" in a console I see the reported behaviour with 28 AVCs. That is using selinux-policy-3.10.0.32, which (except for /dev/pts/ptmx) works fine.
Mads have you tried this with the latest policy?
I don't see this any more after upgrading to selinux-policy-3.10.0-35.fc16.noarch

When I upgraded I saw:

Sep 29 15:19:11 fladmast setroubleshoot: Deleting alert 058b5219-80ff-4a3f-a7fd-5428e131f648, it is dontaudit'd in current policy
Sep 29 15:19:11 fladmast setroubleshoot: Deleting alert d353df85-ec9f-4f8b-9120-bb738b0e297c, it is dontaudit'd in current policy
Sep 29 15:19:12 fladmast setroubleshoot: [server.ERROR] Unable to add audit event: node=fladmast type=AVC msg=audit(1317323878.830:1284): avc: denied { getattr } for pid=7938 comm="passwd" path="/dev/vga_arbiter" dev=devtmpfs ino=1026 scontext=unconfined_u:unconfined_r:passwd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:xserver_misc_device_t:s0 tclass=chr_file#012 #012**** Invalid AVC dontaudited in current policy. 'semodule -B' will turn on dontaudit rules. ***

The last one seems a bit strange - I don't know if it indicates a real problem.
selinux-policy-3.10.0-36.fc16 has been submitted as an update for Fedora 16.
https://admin.fedoraproject.org/updates/selinux-policy-3.10.0-36.fc16
Package selinux-policy-3.10.0-36.fc16:
* should fix your issue,
* was pushed to the Fedora 16 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.10.0-36.fc16'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/selinux-policy-3.10.0-36.fc16
then log in and leave karma (feedback).
selinux-policy-3.10.0-38.fc16 has been pushed to the Fedora 16 stable repository. If problems still persist, please make note of it in this bug report.