Bug 831068 - SELinux problem passwd
Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: selinux-policy
Version: 6.3
Hardware: All
OS: Linux
Priority: unspecified
Severity: unspecified
Target Milestone: rc
Target Release: ---
Assigned To: Miroslav Grepl
QA Contact: Milos Malik
Reported: 2012-06-12 02:46 EDT by David Spurek
Modified: 2015-03-02 00:26 EST (History)
Fixed In Version: selinux-policy-3.7.19-173.el6
Doc Type: Bug Fix
Last Closed: 2013-02-21 03:35:47 EST
Type: Bug
Attachments
reproduce test (8.42 KB, application/x-gzip)
2012-06-12 02:47 EDT, David Spurek

Description David Spurek 2012-06-12 02:46:59 EDT
Description of problem:

type=SYSCALL msg=audit(1339480337.627:28991): arch=c000003e syscall=2 success=no exit=-13 a0=7fddf81a0173 a1=0 a2=1b6 a3=0 items=0 ppid=3322 pid=3323 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=1 comm="passwd" exe="/usr/bin/passwd" subj=unconfined_u:unconfined_r:passwd_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1339480337.627:28991): avc:  denied  { read } for  pid=3323 comm="passwd" name="tmp" dev=dm-0 ino=260636 scontext=unconfined_u:unconfined_r:passwd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:tmp_t:s0 tclass=dir

type=SYSCALL msg=audit(1339480337.627:28992): arch=c000003e syscall=4 success=no exit=-13 a0=7fddf81a017c a1=7fff7c210a40 a2=7fff7c210a40 a3=0 items=0 ppid=3322 pid=3323 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=1 comm="passwd" exe="/usr/bin/passwd" subj=unconfined_u:unconfined_r:passwd_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1339480337.627:28992): avc:  denied  { read } for  pid=3323 comm="passwd" name="tmp" dev=dm-0 ino=2069 scontext=unconfined_u:unconfined_r:passwd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:usr_t:s0 tclass=lnk_file


passwd on a user in LDAP, and set up SSL or TLS
Comment 1 David Spurek 2012-06-12 02:47:35 EDT
Created attachment 591113
reproduce test
Comment 3 Milos Malik 2012-06-12 10:32:27 EDT
The following AVCs were seen in enforcing mode:
----
time->Tue Jun 12 10:14:55 2012
type=PATH msg=audit(1339510495.467:1167068): item=0 name="/var/tmp" inode=2752602 dev=fd:00 mode=041777 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:tmp_t:s0
type=CWD msg=audit(1339510495.467:1167068):  cwd="/root/pokus"
type=SYSCALL msg=audit(1339510495.467:1167068): arch=c000003e syscall=2 success=no exit=-13 a0=7f56c5de3173 a1=0 a2=1b6 a3=0 items=1 ppid=2126 pid=2127 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts20 ses=56842 comm="passwd" exe="/usr/bin/passwd" subj=unconfined_u:unconfined_r:passwd_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1339510495.467:1167068): avc:  denied  { read } for  pid=2127 comm="passwd" name="tmp" dev=dm-0 ino=2752602 scontext=unconfined_u:unconfined_r:passwd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:tmp_t:s0 tclass=dir
----
time->Tue Jun 12 10:14:55 2012
type=PATH msg=audit(1339510495.466:1167067): item=0 name="/tmp" inode=917505 dev=fd:00 mode=041777 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:tmp_t:s0
type=CWD msg=audit(1339510495.466:1167067):  cwd="/root/pokus"
type=SYSCALL msg=audit(1339510495.466:1167067): arch=c000003e syscall=2 success=no exit=-13 a0=7f56c5de3177 a1=0 a2=1b6 a3=0 items=1 ppid=2126 pid=2127 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts20 ses=56842 comm="passwd" exe="/usr/bin/passwd" subj=unconfined_u:unconfined_r:passwd_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1339510495.466:1167067): avc:  denied  { read } for  pid=2127 comm="passwd" name="tmp" dev=dm-0 ino=917505 scontext=unconfined_u:unconfined_r:passwd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:tmp_t:s0 tclass=dir
----
time->Tue Jun 12 10:14:55 2012
type=PATH msg=audit(1339510495.467:1167069): item=0 name="/usr/tmp"
type=CWD msg=audit(1339510495.467:1167069):  cwd="/root/pokus"
type=SYSCALL msg=audit(1339510495.467:1167069): arch=c000003e syscall=4 success=no exit=-13 a0=7f56c5de317c a1=7fffb2e57080 a2=7fffb2e57080 a3=0 items=1 ppid=2126 pid=2127 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts20 ses=56842 comm="passwd" exe="/usr/bin/passwd" subj=unconfined_u:unconfined_r:passwd_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1339510495.467:1167069): avc:  denied  { read } for  pid=2127 comm="passwd" name="tmp" dev=dm-0 ino=526184 scontext=unconfined_u:unconfined_r:passwd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:usr_t:s0 tclass=lnk_file
----
Comment 4 Milos Malik 2012-06-12 10:41:50 EDT
Caused by the same reproducer but executed in permissive mode:
----
time->Tue Jun 12 10:37:53 2012
type=PATH msg=audit(1339511873.491:1167478): item=0 name="/usr/tmp" inode=2752602 dev=fd:00 mode=041777 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:tmp_t:s0
type=CWD msg=audit(1339511873.491:1167478):  cwd="/root/pokus"
type=SYSCALL msg=audit(1339511873.491:1167478): arch=c000003e syscall=4 success=yes exit=0 a0=7feb6102a17c a1=7fff9b84dfe0 a2=7fff9b84dfe0 a3=22 items=1 ppid=5529 pid=5530 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts20 ses=56842 comm="passwd" exe="/usr/bin/passwd" subj=unconfined_u:unconfined_r:passwd_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1339511873.491:1167478): avc:  denied  { read } for  pid=5530 comm="passwd" name="tmp" dev=dm-0 ino=526184 scontext=unconfined_u:unconfined_r:passwd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:usr_t:s0 tclass=lnk_file
----
time->Tue Jun 12 10:37:53 2012
type=PATH msg=audit(1339511873.490:1167477): item=0 name="/tmp" inode=917505 dev=fd:00 mode=041777 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:tmp_t:s0
type=CWD msg=audit(1339511873.490:1167477):  cwd="/root/pokus"
type=SYSCALL msg=audit(1339511873.490:1167477): arch=c000003e syscall=2 success=yes exit=7 a0=7feb6102a177 a1=0 a2=1b6 a3=0 items=1 ppid=5529 pid=5530 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts20 ses=56842 comm="passwd" exe="/usr/bin/passwd" subj=unconfined_u:unconfined_r:passwd_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1339511873.490:1167477): avc:  denied  { read } for  pid=5530 comm="passwd" name="tmp" dev=dm-0 ino=917505 scontext=unconfined_u:unconfined_r:passwd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:tmp_t:s0 tclass=dir
----
Comment 5 Daniel Walsh 2012-06-12 12:12:10 EDT
Why is the passwd command trying to list the contents of /tmp?
Comment 6 Milos Malik 2012-06-13 04:35:54 EDT
Don't know.
Comment 7 Daniel Walsh 2012-06-13 17:53:26 EDT
Did this happen on a logged-in system? I.e., could it be looking to see if gnome-keyringd is running?
Comment 8 Daniel Walsh 2012-06-13 17:53:55 EDT
If you run it in permissive mode do you see any additional AVC?
Comment 9 Milos Malik 2012-06-14 10:03:03 EDT
In permissive mode I see only the AVCs listed in comment #4.
Comment 10 Milos Malik 2012-06-14 10:10:59 EDT
I was logged in as root on that machine when the AVCs appeared. gnome-keyring-daemon was running when the test was running.
Comment 11 Daniel Walsh 2012-06-14 15:20:18 EDT
I have no problem adding the access. It just seems strange. I have seen passwd try to communicate with and even start gnome-keyring when the passwd is changed; I guess this is to keep the gnome-keyring passwd the same. (Although I hate this hack.)
Comment 12 Ilkka Tengvall 2012-09-12 03:01:31 EDT
This affects Fedora 17 also. Here is my audit log:

Raw Audit Messages
type=AVC msg=audit(1347426258.23:1552): avc:  denied  { execute } for  pid=31770 comm="passwd" name="gnome-keyring-daemon" dev="dm-1" ino=5193 scontext=unconfined_u:unconfined_r:passwd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:gkeyringd_exec_t:s0 tclass=file


type=SYSCALL msg=audit(1347426258.23:1552): arch=x86_64 syscall=execve success=no exit=EACCES a0=7f81a62cf5c0 a1=7fff7b96bfb0 a2=7f81ab64adc0 a3=10 items=0 ppid=31625 pid=31770 auid=8100 uid=8100 gid=8100 euid=8100 suid=0 fsuid=8100 egid=8100 sgid=8100 fsgid=8100 tty=(none) ses=1 comm=passwd exe=/usr/bin/passwd subj=unconfined_u:unconfined_r:passwd_t:s0-s0:c0.c1023 key=(null)


I changed the passwd from the GNOME 3 user account dialog, aiming to get the keyring pwd changed while at it. It seems SELinux blocks it though.

versions:

selinux-policy-devel-3.10.0-146.fc17.noarch
selinux-policy-targeted-3.10.0-146.fc17.noarch
selinux-policy-3.10.0-146.fc17.noarch
fedora-release-17-1.noarch
passwd-0.78.99-1.fc17.x86_64
Comment 13 Daniel Walsh 2012-09-12 06:57:32 EDT
I have a concern about this, in that you have a root-privileged process executing a gkeyringd executable that could be influenced by the user environment. Allowing this access with SELinux could be dangerous.

If you run passwd_t in permissive, what other AVCs are generated?

Make passwd_t permissive
# semanage permissive -a passwd_t
Change your password
Collect AVCs
# ausearch -m avc -ts recent
Change passwd_t back to enforcing.
# semanage permissive -d passwd_t
Comment 14 Ilkka Tengvall 2012-09-12 08:22:19 EDT
Here they are. I set SELinux to permissive and changed the pw.


$ sudo ausearch -m avc -ts recent 
----
time->Wed Sep 12 15:14:58 2012
type=SYSCALL msg=audit(1347452098.865:371): arch=c000003e syscall=59 success=yes exit=0 a0=7f4fde2625c0 a1=7fffc1a35bd0 a2=7f4fe4adc730 a3=10 items=0 ppid=9632 pid=10015 auid=8100 uid=8100 gid=8100 euid=8100 suid=8100 fsuid=8100 egid=8100 sgid=8100 fsgid=8100 tty=(none) ses=7 comm="gnome-keyring-d" exe="/usr/bin/gnome-keyring-daemon" subj=unconfined_u:unconfined_r:passwd_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1347452098.865:371): avc:  denied  { execute_no_trans } for  pid=10015 comm="passwd" path="/usr/bin/gnome-keyring-daemon" dev="dm-2" ino=134702 scontext=unconfined_u:unconfined_r:passwd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:gkeyringd_exec_t:s0 tclass=file
type=AVC msg=audit(1347452098.865:371): avc:  denied  { read open } for  pid=10015 comm="passwd" path="/usr/bin/gnome-keyring-daemon" dev="dm-2" ino=134702 scontext=unconfined_u:unconfined_r:passwd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:gkeyringd_exec_t:s0 tclass=file
type=AVC msg=audit(1347452098.865:371): avc:  denied  { execute } for  pid=10015 comm="passwd" name="gnome-keyring-daemon" dev="dm-2" ino=134702 scontext=unconfined_u:unconfined_r:passwd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:gkeyringd_exec_t:s0 tclass=file
----
time->Wed Sep 12 15:14:58 2012
type=SYSCALL msg=audit(1347452098.882:372): arch=c000003e syscall=83 success=yes exit=0 a0=19f7e00 a1=1c0 a2=0 a3=0 items=0 ppid=9632 pid=10015 auid=8100 uid=8100 gid=8100 euid=8100 suid=8100 fsuid=8100 egid=8100 sgid=8100 fsgid=8100 tty=(none) ses=7 comm="gnome-keyring-d" exe="/usr/bin/gnome-keyring-daemon" subj=unconfined_u:unconfined_r:passwd_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1347452098.882:372): avc:  denied  { create } for  pid=10015 comm="gnome-keyring-d" name="keyring-7fLZX9" scontext=unconfined_u:unconfined_r:passwd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:cache_home_t:s0 tclass=dir
type=AVC msg=audit(1347452098.882:372): avc:  denied  { add_name } for  pid=10015 comm="gnome-keyring-d" name="keyring-7fLZX9" scontext=unconfined_u:unconfined_r:passwd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:cache_home_t:s0 tclass=dir
type=AVC msg=audit(1347452098.882:372): avc:  denied  { write } for  pid=10015 comm="gnome-keyring-d" name=".cache" dev="dm-3" ino=1048625 scontext=unconfined_u:unconfined_r:passwd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:cache_home_t:s0 tclass=dir
----
time->Wed Sep 12 15:14:58 2012
type=SYSCALL msg=audit(1347452098.883:373): arch=c000003e syscall=49 success=yes exit=0 a0=5 a1=7fffce35e6c0 a2=6e a3=10 items=0 ppid=9632 pid=10015 auid=8100 uid=8100 gid=8100 euid=8100 suid=8100 fsuid=8100 egid=8100 sgid=8100 fsgid=8100 tty=(none) ses=7 comm="gnome-keyring-d" exe="/usr/bin/gnome-keyring-daemon" subj=unconfined_u:unconfined_r:passwd_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1347452098.883:373): avc:  denied  { create } for  pid=10015 comm="gnome-keyring-d" name="control" scontext=unconfined_u:unconfined_r:passwd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:cache_home_t:s0 tclass=sock_file
----
time->Wed Sep 12 15:14:58 2012
type=SYSCALL msg=audit(1347452098.883:374): arch=c000003e syscall=149 success=yes exit=0 a0=7f0558cc2000 a1=4000 a2=3 a3=22 items=0 ppid=9632 pid=10015 auid=8100 uid=8100 gid=8100 euid=8100 suid=8100 fsuid=8100 egid=8100 sgid=8100 fsgid=8100 tty=(none) ses=7 comm="gnome-keyring-d" exe="/usr/bin/gnome-keyring-daemon" subj=unconfined_u:unconfined_r:passwd_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1347452098.883:374): avc:  denied  { ipc_lock } for  pid=10015 comm="gnome-keyring-d" capability=14  scontext=unconfined_u:unconfined_r:passwd_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:passwd_t:s0-s0:c0.c1023 tclass=capability
----
time->Wed Sep 12 15:14:58 2012
type=SYSCALL msg=audit(1347452098.889:375): arch=c000003e syscall=6 success=yes exit=0 a0=7fffc1a35b02 a1=7fffc1a35a70 a2=7fffc1a35a70 a3=7f4fe3148ad0 items=0 ppid=9632 pid=10021 auid=8100 uid=8100 gid=8100 euid=8100 suid=8100 fsuid=8100 egid=8100 sgid=8100 fsgid=8100 tty=(none) ses=7 comm="passwd" exe="/usr/bin/passwd" subj=unconfined_u:unconfined_r:passwd_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1347452098.889:375): avc:  denied  { getattr } for  pid=10021 comm="passwd" path="/home/ikke/.cache/keyring-7fLZX9/control" dev="dm-3" ino=1049102 scontext=unconfined_u:unconfined_r:passwd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:cache_home_t:s0 tclass=sock_file
----
time->Wed Sep 12 15:14:58 2012
type=SYSCALL msg=audit(1347452098.889:376): arch=c000003e syscall=42 success=yes exit=0 a0=4 a1=7fffc1a35b00 a2=6e a3=7f4fe3148ad0 items=0 ppid=9632 pid=10021 auid=8100 uid=8100 gid=8100 euid=8100 suid=8100 fsuid=8100 egid=8100 sgid=8100 fsgid=8100 tty=(none) ses=7 comm="passwd" exe="/usr/bin/passwd" subj=unconfined_u:unconfined_r:passwd_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1347452098.889:376): avc:  denied  { write } for  pid=10021 comm="passwd" name="control" dev="dm-3" ino=1049102 scontext=unconfined_u:unconfined_r:passwd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:cache_home_t:s0 tclass=sock_file
----
time->Wed Sep 12 15:14:58 2012
type=SYSCALL msg=audit(1347452098.891:377): arch=c000003e syscall=87 success=yes exit=0 a0=19f8040 a1=0 a2=3f6d9b0728 a3=33 items=0 ppid=1 pid=10019 auid=8100 uid=8100 gid=8100 euid=8100 suid=8100 fsuid=8100 egid=8100 sgid=8100 fsgid=8100 tty=(none) ses=7 comm="gnome-keyring-d" exe="/usr/bin/gnome-keyring-daemon" subj=unconfined_u:unconfined_r:passwd_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1347452098.891:377): avc:  denied  { unlink } for  pid=10019 comm="gnome-keyring-d" name="control" dev="dm-3" ino=1049102 scontext=unconfined_u:unconfined_r:passwd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:cache_home_t:s0 tclass=sock_file
type=AVC msg=audit(1347452098.891:377): avc:  denied  { remove_name } for  pid=10019 comm="gnome-keyring-d" name="control" dev="dm-3" ino=1049102 scontext=unconfined_u:unconfined_r:passwd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:cache_home_t:s0 tclass=dir
----
time->Wed Sep 12 15:14:58 2012
type=SYSCALL msg=audit(1347452098.891:378): arch=c000003e syscall=84 success=yes exit=0 a0=19f7e00 a1=0 a2=3f6d9b0728 a3=33 items=0 ppid=1 pid=10019 auid=8100 uid=8100 gid=8100 euid=8100 suid=8100 fsuid=8100 egid=8100 sgid=8100 fsgid=8100 tty=(none) ses=7 comm="gnome-keyring-d" exe="/usr/bin/gnome-keyring-daemon" subj=unconfined_u:unconfined_r:passwd_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1347452098.891:378): avc:  denied  { rmdir } for  pid=10019 comm="gnome-keyring-d" name="keyring-7fLZX9" dev="dm-3" ino=1049026 scontext=unconfined_u:unconfined_r:passwd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:cache_home_t:s0 tclass=dir
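As an added example (not code from the bug report or from the selinux-policy project), the following Python reads AVC and SYSCALL records like those pasted in comments 3, 4 and 14 and turns them into the view a policy reviewer wants: audit2allow-style allow rules grouped by source type, target type and class; whether each audit event was actually enforced (SYSCALL success=no, as in comment 3) or only logged in permissive mode (success=yes, as in comments 4 and 14); and any execute_no_trans denial, which records a domain running a labelled executable inside its own domain rather than transitioning, the case Dan Walsh raises in comment 13 for passwd_t and gkeyringd_exec_t. The sample log is constructed from abridged copies of the records above; the regexes and function names are this example's own assumptions.

```python
"""Summarise SELinux AVC denials the way a policy reviewer reads them.

Added example, not from the bug report: parses audit records like the ones
pasted in comments 3, 4 and 14, groups them into audit2allow-style
(source type, target type, class) -> permissions tuples, tells enforced
denials (SYSCALL success=no) from permissive-mode ones (success=yes), and
flags execute_no_trans denials, which mean the binary ran inside the
caller's domain instead of transitioning to its own.
"""
import re
from collections import defaultdict

# Constructed sample: AVC and SYSCALL records copied (SYSCALL lines abridged)
# from comments 3 and 14 of the bug report.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1339510495.467:1167068): arch=c000003e syscall=2 success=no exit=-13 comm="passwd" exe="/usr/bin/passwd"
type=AVC msg=audit(1339510495.467:1167068): avc:  denied  { read } for  pid=2127 comm="passwd" name="tmp" dev=dm-0 ino=2752602 scontext=unconfined_u:unconfined_r:passwd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:tmp_t:s0 tclass=dir
type=AVC msg=audit(1339510495.467:1167069): avc:  denied  { read } for  pid=2127 comm="passwd" name="tmp" dev=dm-0 ino=526184 scontext=unconfined_u:unconfined_r:passwd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:usr_t:s0 tclass=lnk_file
type=SYSCALL msg=audit(1347452098.865:371): arch=c000003e syscall=59 success=yes exit=0 comm="gnome-keyring-d" exe="/usr/bin/gnome-keyring-daemon"
type=AVC msg=audit(1347452098.865:371): avc:  denied  { execute_no_trans } for  pid=10015 comm="passwd" path="/usr/bin/gnome-keyring-daemon" dev="dm-2" ino=134702 scontext=unconfined_u:unconfined_r:passwd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:gkeyringd_exec_t:s0 tclass=file
type=AVC msg=audit(1347452098.865:371): avc:  denied  { read open } for  pid=10015 comm="passwd" path="/usr/bin/gnome-keyring-daemon" dev="dm-2" ino=134702 scontext=unconfined_u:unconfined_r:passwd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:gkeyringd_exec_t:s0 tclass=file
type=AVC msg=audit(1347452098.883:374): avc:  denied  { ipc_lock } for  pid=10015 comm="gnome-keyring-d" capability=14  scontext=unconfined_u:unconfined_r:passwd_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:passwd_t:s0-s0:c0.c1023 tclass=capability
"""

# Field layout of auditd records; the named groups are what the summary needs.
AVC_RE = re.compile(
    r"type=AVC msg=audit\((?P<event>[\d.]+:\d+)\): avc:\s+denied\s+"
    r"\{ (?P<perms>[^}]+) \}.*?scontext=(?P<scontext>\S+) "
    r"tcontext=(?P<tcontext>\S+) tclass=(?P<tclass>\S+)"
)
SYSCALL_RE = re.compile(
    r"type=SYSCALL msg=audit\((?P<event>[\d.]+:\d+)\):.*?success=(?P<success>yes|no)"
)


def selinux_type(context):
    """user:role:type[:range] -> type (the third field)."""
    return context.split(":")[2]


def parse_avcs(log):
    """Yield one dict per AVC record: event id, source/target type, class, perms."""
    for line in log.splitlines():
        m = AVC_RE.search(line)
        if m:
            yield {
                "event": m["event"],
                "stype": selinux_type(m["scontext"]),
                "ttype": selinux_type(m["tcontext"]),
                "tclass": m["tclass"],
                "perms": set(m["perms"].split()),
            }


def allow_rules(log):
    """Collapse denials into audit2allow-style allow rules ('self' for same-type)."""
    grouped = defaultdict(set)
    for rec in parse_avcs(log):
        grouped[(rec["stype"], rec["ttype"], rec["tclass"])] |= rec["perms"]
    rules = []
    for (stype, ttype, tclass), perms in sorted(grouped.items()):
        target = "self" if stype == ttype else ttype
        rules.append(f"allow {stype} {target}:{tclass} {' '.join(sorted(perms))};")
    return rules


def enforcement_by_event(log):
    """Map audit event id -> 'enforced' or 'permissive' from the SYSCALL outcome."""
    result = {}
    for line in log.splitlines():
        m = SYSCALL_RE.search(line)
        if m:
            result[m["event"]] = "enforced" if m["success"] == "no" else "permissive"
    return result


def no_transition_execs(log):
    """(source, target) pairs where a domain ran an *_exec_t file without a transition."""
    return sorted({(r["stype"], r["ttype"]) for r in parse_avcs(log)
                   if "execute_no_trans" in r["perms"]})


if __name__ == "__main__":
    for rule in allow_rules(SAMPLE_LOG):
        print(rule)
    print(enforcement_by_event(SAMPLE_LOG))
    print(no_transition_execs(SAMPLE_LOG))
```

Run directly, it prints the three summaries for the embedded sample. The rules list has the same shape audit2allow prints and is meant as a reading aid for the policy maintainer, which is how the thread uses the AVCs: the shipped fix is the selinux-policy build named in Fixed In Version, not these rules loaded verbatim, and the execute_no_trans pair is exactly the item comment 13 singles out for scrutiny rather than blanket allowing.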
Comment 15 Miroslav Grepl 2012-10-09 09:48:20 EDT
We added fixes to F18. Will backport to F17.

Also fixes RHEL6 AVC msgs.
Comment 21 errata-xmlrpc 2013-02-21 03:35:47 EST
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2013-0314.html
