Bug 772374 - SELinux is preventing /usr/sbin/usermod from editing /etc/passwd
Summary: SELinux is preventing /usr/sbin/usermod from editing /etc/passwd
Keywords:
Status: CLOSED NOTABUG
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: rawhide
Hardware: Unspecified
OS: Unspecified
Target Milestone: ---
Assignee: Miroslav Grepl
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2012-01-07 02:35 UTC by Josh Boyer
Modified: 2012-01-09 14:02 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2012-01-09 09:18:53 UTC
Type: ---



Description Josh Boyer 2012-01-07 02:35:08 UTC
Description of problem:

Running:

sudo usermod -G mock -a jwboyer

(or directly as root) results in an AVC denial and usermod returning:

[jwboyer@vader ~]$ sudo usermod -G mock -a jwboyer
usermod: cannot open /etc/passwd
[jwboyer@vader ~]$ 


Version-Release number of selected component (if applicable):

selinux-policy-3.10.0-72.fc17.noarch

How reproducible:

Always

Steps to Reproduce:
1. Try and add a user to the mock group with usermod
Actual results:

Fail

Expected results:

Works

Additional info:

audit.log excerpt:

type=USER_CMD msg=audit(1325903494.147:502): user pid=0 uid=0 auid=1000 ses=15 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='cwd="/home/jwboyer" cmd=757365726D6F64202D47206D6F636B202D61206A77626F796572 terminal=pts/2 res=success'
type=CRED_ACQ msg=audit(1325903494.148:503): user pid=0 uid=0 auid=1000 ses=15 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='op=PAM:setcred acct="root" exe="/usr/bin/sudo" hostname=? addr=? terminal=/dev/pts/2 res=success'
type=USER_START msg=audit(1325903494.150:504): user pid=0 uid=0 auid=1000 ses=15 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='op=PAM:session_open acct="root" exe="/usr/bin/sudo" hostname=? addr=? terminal=/dev/pts/2 res=success'
type=AVC msg=audit(1325903494.153:505): avc:  denied  { write } for  pid=17319 comm="usermod" name="passwd" dev=dm-1 ino=2492504 scontext=unconfined_u:unconfined_r:useradd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:etc_t:s0 tclass=file
type=SYSCALL msg=audit(1325903494.153:505): arch=c000003e syscall=2 success=no exit=-13 a0=615020 a1=2 a2=1b6 a3=238 items=0 ppid=17318 pid=17319 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts2 ses=15 comm="usermod" exe="/usr/sbin/usermod" subj=unconfined_u:unconfined_r:useradd_t:s0-s0:c0.c1023 key=(null)
type=USER_CHAUTHTOK msg=audit(1325903494.154:506): user pid=0 uid=0 auid=1000 ses=15 subj=unconfined_u:unconfined_r:useradd_t:s0-s0:c0.c1023 msg='op=modifying account acct="jwboyer" exe="/usr/sbin/usermod" hostname=? addr=? terminal=pts/2 res=failed'
type=USER_END msg=audit(1325903494.154:507): user pid=0 uid=0 auid=1000 ses=15 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='op=PAM:session_close acct="root" exe="/usr/bin/sudo" hostname=? addr=? terminal=/dev/pts/2 res=success'

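The audit.log excerpt above carries everything needed to triage this denial, but it is spread over two records that share the same serial number (505): the AVC record holds the labels and the denied permission, the SYSCALL record holds the executable and the errno. The parser below, an added example that is not part of this bug report, the audit tools, or selinux-policy, joins the two by serial and produces a per-denial summary. The sample input is the AVC and SYSCALL lines copied from the report; the "generic target type" heuristic (treating a write denial against etc_t as a likely mislabel) is this example's own assumption, not something the report states.

```python
"""Join audit AVC/SYSCALL records by serial and summarize SELinux denials.

Added example for this bug report; not part of Bugzilla, audit, or
selinux-policy. SAMPLE_AUDIT is copied from the report's audit.log excerpt.
"""
import re
from collections import defaultdict

# The two records that make up event 505 in the report (one denied write).
SAMPLE_AUDIT = """\
type=AVC msg=audit(1325903494.153:505): avc:  denied  { write } for  pid=17319 comm="usermod" name="passwd" dev=dm-1 ino=2492504 scontext=unconfined_u:unconfined_r:useradd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:etc_t:s0 tclass=file
type=SYSCALL msg=audit(1325903494.153:505): arch=c000003e syscall=2 success=no exit=-13 a0=615020 a1=2 a2=1b6 a3=238 items=0 ppid=17318 pid=17319 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts2 ses=15 comm="usermod" exe="/usr/sbin/usermod" subj=unconfined_u:unconfined_r:useradd_t:s0-s0:c0.c1023 key=(null)
"""

HEADER_RE = re.compile(r'^type=(\w+) msg=audit\((\d+\.\d+):(\d+)\): ?(.*)$')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
AVC_RE = re.compile(r'avc:\s+(denied|granted)\s+\{ ([^}]*) \} for ')


def parse_record(line):
    """Parse one audit line into a dict; return None for non-audit lines."""
    m = HEADER_RE.match(line.strip())
    if not m:
        return None
    rtype, ts, serial, body = m.groups()
    rec = {"type": rtype, "time": float(ts), "serial": int(serial)}
    if rtype == "AVC":
        a = AVC_RE.search(body)
        if a:
            rec["result"] = a.group(1)          # denied / granted
            rec["perms"] = a.group(2).split()   # e.g. ["write"]
            body = body[a.end():]
    for key, val in KV_RE.findall(body):
        rec[key] = val.strip('"')
    return rec


def group_events(text):
    """Group records by serial: records of one event share a serial number."""
    events = defaultdict(dict)
    for line in text.splitlines():
        rec = parse_record(line)
        if rec:
            events[rec["serial"]][rec["type"]] = rec
    return dict(events)


def context_type(ctx):
    """Return the type component (user:role:TYPE:level) of an SELinux context."""
    return ctx.split(":")[2]


def summarize_denials(text):
    """One summary dict per denied AVC, enriched from the matching SYSCALL."""
    out = []
    for serial, recs in sorted(group_events(text).items()):
        avc = recs.get("AVC")
        if not avc or avc.get("result") != "denied":
            continue
        sc = recs.get("SYSCALL", {})
        out.append({
            "serial": serial,
            "comm": avc.get("comm"),
            "exe": sc.get("exe"),
            "source_type": context_type(avc["scontext"]),
            "target_type": context_type(avc["tcontext"]),
            "tclass": avc.get("tclass"),
            "perms": avc["perms"],
            # AVC records carry only the basename and inode of the object;
            # the full path would come from a PATH record (items=0 here).
            "object": avc.get("name"),
            "inode": avc.get("ino"),
            "errno": -int(sc["exit"]) if "exit" in sc else None,  # 13 = EACCES
        })
    return out


def suspect_mislabel(entry, generic_types=frozenset({"etc_t"})):
    """Heuristic (this example's assumption): a confined domain denied a file
    write against a generic directory-wide type such as etc_t usually means
    the file lost its specific label; confirm with restorecon -n -v."""
    return entry["tclass"] == "file" and entry["target_type"] in generic_types


if __name__ == "__main__":
    for entry in summarize_denials(SAMPLE_AUDIT):
        flag = " (check label with restorecon -n -v)" if suspect_mislabel(entry) else ""
        print(f"#{entry['serial']}: {entry['exe'] or entry['comm']} ({entry['source_type']}) "
              f"denied {' '.join(entry['perms'])} on {entry['tclass']} "
              f"'{entry['object']}' labelled {entry['target_type']}, errno {entry['errno']}{flag}")
```

Run against a full audit.log the same grouping shows every denied event with its executable and label pair, which makes a relabel problem (one confined domain, one generic target type, as in the report) stand out from a genuine policy gap.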
Comment 1 Miroslav Grepl 2012-01-09 09:18:53 UTC
please execute

# restorecon -R -v /etc/passwd

which will fix the label.

Comment 2 Josh Boyer 2012-01-09 14:02:31 UTC
(In reply to comment #1)
> please execute
> 
> # restorecon -R -v /etc/passwd
> 
> which will fix the label.

Yep, that worked.  Had to do the same for /etc/group for some reason.  Thanks for the tip.