Description of problem:
When running sudo passwd foo from a terminal, I immediately get 26 warnings in setroubleshooter. Here is the first one:

SELinux is preventing /usr/bin/passwd from getattr access on the chr_file /dev/uinput.

***** Plugin catchall (100. confidence) suggests ***************************

If you believe that passwd should be allowed getattr access on the uinput chr_file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do allow this access for now by executing:
# grep passwd /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                unconfined_u:unconfined_r:passwd_t:s0-s0:c0.c1023
Target Context                system_u:object_r:event_device_t:s0
Target Objects                /dev/uinput [ chr_file ]
Source                        passwd
Source Path                   /usr/bin/passwd
Port                          <Unknown>
Host                          igor-hp
Source RPM Packages           passwd-0.78-3.fc15
Target RPM Packages
Policy RPM                    selinux-policy-3.10.0-32.fc16
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     igor-hp
Platform                      Linux igor-hp 3.1.0-0.rc8.git0.0.fc16.x86_64 #1 SMP Wed Sep 28 01:31:14 UTC 2011 x86_64 x86_64
Alert Count                   6
First Seen                    Wed 28 Sep 2011 10:47:09 PM EDT
Last Seen                     Fri 30 Sep 2011 03:25:52 PM EDT
Local ID                      c567e85d-8b1a-4adf-915e-877926c1dc50

Raw Audit Messages
type=AVC msg=audit(1317410752.219:515): avc: denied { getattr } for pid=7961 comm="passwd" path="/dev/uinput" dev=devtmpfs ino=11274 scontext=unconfined_u:unconfined_r:passwd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:event_device_t:s0 tclass=chr_file

type=SYSCALL msg=audit(1317410752.219:515): arch=x86_64 syscall=stat success=no exit=EACCES a0=7fffacd463a0 a1=7fffacd41c70 a2=7fffacd41c70 a3=0 items=0 ppid=7955 pid=7961 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=18 comm=passwd exe=/usr/bin/passwd subj=unconfined_u:unconfined_r:passwd_t:s0-s0:c0.c1023 key=(null)

Hash: passwd,passwd_t,event_device_t,chr_file,getattr

audit2allow

#============= passwd_t ==============
allow passwd_t event_device_t:chr_file getattr;

audit2allow -R

#============= passwd_t ==============
allow passwd_t event_device_t:chr_file getattr;

The others are for /proc/core and /dev/{ppp,initctl,hidraw1,fb0,fuse,brtfs-control,cpu_dma_latency,sg0,usbmon5,loop3,loop-control,rtc0,tmp0,nvram,ptmx,autofs,snapshot,freefall,mcelog,mem,vga_arbiter,rfkill,sr0,lp3}. Let me know if you need more details on any of those too.

Version-Release number of selected component (if applicable):
$ rpm -qi passwd
Name    : passwd
Version : 0.78
Release : 3.fc15
$ rpm -qi selinux-policy
Name    : selinux-policy
Version : 3.10.0
Release : 32.fc16

How reproducible:
Always

Steps to Reproduce:
1. Create a dummy user account "sudo useradd -m foo"
2. Set the password on that account: "sudo passwd foo"

Actual results:
The password is actually reset despite all the error messages.

I can confirm this:

# ausearch -m avc -ts yesterday | grep passwd_t | audit2allow

#============= passwd_t ==============
allow passwd_t agp_device_t:chr_file getattr;
allow passwd_t apm_bios_t:chr_file getattr;
allow passwd_t autofs_device_t:chr_file getattr;
allow passwd_t clock_device_t:chr_file getattr;
allow passwd_t device_t:chr_file getattr;
allow passwd_t event_device_t:chr_file getattr;
allow passwd_t fixed_disk_device_t:blk_file getattr;
allow passwd_t framebuf_device_t:chr_file getattr;
allow passwd_t fuse_device_t:chr_file getattr;
allow passwd_t initctl_t:fifo_file getattr;
allow passwd_t kmsg_device_t:chr_file getattr;
allow passwd_t loop_control_device_t:chr_file getattr;
allow passwd_t lvm_control_t:chr_file getattr;
allow passwd_t memory_device_t:chr_file getattr;
allow passwd_t netcontrol_device_t:chr_file getattr;
allow passwd_t nvram_device_t:chr_file getattr;
allow passwd_t ppp_device_t:chr_file getattr;
allow passwd_t printer_device_t:chr_file getattr;
allow passwd_t proc_kcore_t:file getattr;
allow passwd_t ptmx_t:chr_file getattr;
allow passwd_t scsi_generic_device_t:chr_file getattr;
allow passwd_t tpm_device_t:chr_file getattr;
allow passwd_t usbmon_device_t:chr_file getattr;
allow passwd_t v4l_device_t:chr_file getattr;
allow passwd_t watchdog_device_t:chr_file getattr;
allow passwd_t wireless_device_t:chr_file getattr;
allow passwd_t xserver_misc_device_t:chr_file getattr;

#============= passwd_t ==============
#!!!! This avc has a dontaudit rule in the current policy

allow passwd_t event_device_t:chr_file getattr;

sh-4.2# rpm -q selinux-policy
selinux-policy-3.10.0-33.fc16.noarch

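Added example (not part of the report, and not code from selinux-policy or setroubleshoot): before loading a local module built with audit2allow -M, it helps to check whether the denials are one domain being refused only getattr on many unrelated object types, as in this report, or a domain being refused real access. The function names, the min_targets threshold and every sample record other than the first AVC line are assumptions made for the illustration.

```python
import re
from collections import defaultdict

# Line 1 is the AVC record quoted in the report. The rest is constructed for
# this example: device types come from the audit2allow output above, while the
# inode numbers, the httpd_t record and the abridged SYSCALL line are invented.
SAMPLE_LOG = """\
type=AVC msg=audit(1317410752.219:515): avc: denied { getattr } for pid=7961 comm="passwd" path="/dev/uinput" dev=devtmpfs ino=11274 scontext=unconfined_u:unconfined_r:passwd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:event_device_t:s0 tclass=chr_file
type=AVC msg=audit(1317410752.219:516): avc: denied { getattr } for pid=7961 comm="passwd" path="/dev/fuse" dev=devtmpfs ino=1001 scontext=unconfined_u:unconfined_r:passwd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:fuse_device_t:s0 tclass=chr_file
type=AVC msg=audit(1317410752.219:517): avc: denied { getattr } for pid=7961 comm="passwd" path="/dev/ppp" dev=devtmpfs ino=1002 scontext=unconfined_u:unconfined_r:passwd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:ppp_device_t:s0 tclass=chr_file
type=AVC msg=audit(1317410800.100:520): avc: denied { read open } for pid=8000 comm="httpd" path="/home/foo/x" dev=sda1 ino=2001 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
type=SYSCALL msg=audit(1317410752.219:515): arch=x86_64 syscall=stat success=no exit=EACCES comm=passwd
"""

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}.*?"
    r"scontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\S+)"
)

def parse_avc(line):
    """Return (source_type, target_type, tclass, perms), or None if not an AVC denial."""
    m = AVC_RE.search(line)
    if not m:
        return None
    # An SELinux context is user:role:type[:level]; the type is the third field.
    stype = m.group("scon").split(":")[2]
    ttype = m.group("tcon").split(":")[2]
    return stype, ttype, m.group("tclass"), frozenset(m.group("perms").split())

def summarise(log_text):
    """Group denials as {source_type: {(target_type, tclass): set_of_perms}}."""
    by_domain = defaultdict(lambda: defaultdict(set))
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec:
            stype, ttype, tclass, perms = rec
            by_domain[stype][(ttype, tclass)] |= perms
    return by_domain

def triage(log_text, min_targets=3):
    """Mark a domain 'getattr-sweep' if it was denied only getattr on >= min_targets targets."""
    verdicts = {}
    for domain, targets in summarise(log_text).items():
        perms = set().union(*targets.values())
        sweep = perms == {"getattr"} and len(targets) >= min_targets
        verdicts[domain] = "getattr-sweep" if sweep else "review-individually"
    return verdicts

if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
```

A domain labelled getattr-sweep is only stat()ing objects it never opens, so it is a candidate for a dontaudit rule in policy rather than a local allow module; anything labelled review-individually involves real access and needs a decision per rule.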
selinux-policy-3.10.0-36.fc16 has been submitted as an update for Fedora 16. https://admin.fedoraproject.org/updates/selinux-policy-3.10.0-36.fc16
Package selinux-policy-3.10.0-36.fc16:
* should fix your issue,
* was pushed to the Fedora 16 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.10.0-36.fc16'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/selinux-policy-3.10.0-36.fc16
then log in and leave karma (feedback).

selinux-policy-3.10.0-38.fc16 has been pushed to the Fedora 16 stable repository. If problems still persist, please make note of it in this bug report.