Bug 912399
| Field | Value |
|---|---|
| Summary | avc: denied { read } for pid=5011 comm="dbus-daemon" name="passwd" dev="dm-2" ino=16943125 scontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:shadow_t:s0 tclass=file |
| Product | Red Hat Enterprise Linux 7 |
| Reporter | Michal Kovarik <mkovarik> |
| Component | shadow-utils |
| Assignee | Tomas Mraz <tmraz> |
| Status | CLOSED CURRENTRELEASE |
| QA Contact | BaseOS QE Security Team <qe-baseos-security> |
| Severity | high |
| Priority | high |
| Version | 7.0 |
| CC | jstodola, mbanas, mmalik, ohudlick, rvokal, tmraz |
| Target Milestone | alpha |
| Target Release | --- |
| Hardware | s390x |
| OS | Linux |
| Fixed In Version | shadow-utils-4.1.5.1-4.el7 |
| Doc Type | Bug Fix |
| Story Points | --- |
| Last Closed | 2014-06-13 10:01:58 UTC |
| Type | Bug |
| Regression | --- |
| Mount Type | --- |
| Documentation | --- |
| Category | --- |
| oVirt Team | --- |
| Cloudforms Team | --- |
| Bug Blocks | 782468 |
Comment 1
Milos Malik
2013-02-19 08:42:16 UTC
Here is the reproducer:

```
# sestatus
SELinux status:                 enabled
SELinuxfs mount:                /sys/fs/selinux
SELinux root directory:         /etc/selinux
Loaded policy name:             targeted
Current mode:                   permissive
Mode from config file:          enforcing
Policy MLS status:              enabled
Policy deny_unknown status:     allowed
Max kernel policy version:      28
# rpm -q --scripts dbus
preinstall scriptlet (using /bin/sh):
/usr/sbin/groupadd -r -g 81 dbus 2>/dev/null || :
/usr/sbin/useradd -c 'System message bus' -u 81 -g 81 \
        -s /sbin/nologin -r -d '/' dbus 2> /dev/null || :
preuninstall scriptlet (using /bin/sh):
if [ $1 = 0 ]; then
    /bin/systemctl stop dbus.service dbus.socket > /dev/null 2>&1 || :
fi
postuninstall scriptlet (using /bin/sh):
/bin/systemctl daemon-reload >/dev/null 2>&1 || :
# ls -Z /etc/passwd
-rw-r--r--. root root unconfined_u:object_r:passwd_file_t:s0 /etc/passwd
# mv /etc/selinux/targeted/contexts /etc/selinux/targeted/contexts.orig
# /usr/sbin/groupadd -r -g 83 dbus3
# ls -Z /etc/passwd
-rw-r--r--. root root unconfined_u:object_r:passwd_file_t:s0 /etc/passwd
# /usr/sbin/useradd -c 'System message bus' -u 83 -g 83 -s /sbin/nologin -r -d '/' dbus3
# ls -Z /etc/passwd
-rw-r--r--. root root unconfined_u:object_r:shadow_t:s0 /etc/passwd
#
```

Maybe you ask why I executed the following command:

```
# mv /etc/selinux/targeted/contexts /etc/selinux/targeted/contexts.orig
```

The dbus package is installed after the selinux-policy package is installed, but before the selinux-policy-targeted package is installed. It means that /etc/selinux/targeted/contexts does not exist yet.

Correction: The dbus package is installed before the selinux-policy, selinux-policy-targeted and policycoreutils packages are installed.

The reproducer changes SELinux labels on the following files too:

* /etc/group
* /etc/gshadow

We could add Requires: selinux-policy to the shadow-utils package. However, I am not sure it would help, as the reason why selinux-policy is installed later might be due to its dependencies. So it would basically just create a dependency loop which could be resolved incorrectly anyway. Also I am not sure that Requires: selinux-policy would really pull in selinux-policy-targeted as well. But I don't think adding a hard dependency on selinux-policy-targeted is right.

Another possibility would be to copy the SELinux context of the original file when the updated passwd file is created, but that could break other situations.

Mirek, do you know what matchpathcon() returns when /etc/selinux/targeted/contexts does not exist?

```
# matchpathcon /etc/passwd
/etc/passwd	system_u:object_r:passwd_file_t:s0
# mv /etc/selinux/targeted/contexts /etc/selinux/targeted/contexts.orig
# matchpathcon /etc/passwd
/etc/passwd	<<none>>
#
```

To me it seems the clearest solution would be to copy the original context in case matchpathcon() returns an error.

I'm not seeing how this ordering would have been preserved in earlier releases (Fedora or RHEL) - how/why did it work before?

I think some changes in the selinux policy might be the culprit. It might have had some other consequences in previous releases that were not so highly visible. For example, /etc/shadow could be labeled etc_t in such a situation, which does not make login broken; just the SELinux protection of /etc/shadow wouldn't be so strict. Also note that in non-minimal installs there are probably some packages that add users in %post that are installed at the end of the install sequence - and that fixes the label.

Dan Walsh built a new version of the selinux-policy packages (3.12.1-14.el7) which call /sbin/restorecon on /etc/passwd* /etc/group* /etc/*shadow* as a part of the postinstall script. In older versions of the selinux-policy packages the /sbin/restorecon call was present in an "if" branch. It seems that there will always be a time window when /etc/passwd is mislabelled, but once the selinux-policy-targeted package gets installed, the label will be corrected.
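The fallback the thread converges on, use the policy's default context for the path and only when that lookup fails keep the context the existing file already carries, as an added illustration. This is not the shadow-utils patch and it does not link against libselinux: the two callbacks only mirror the shape of matchpathcon() and getfilecon() and are simulated with constructed scenarios (the `sim_*` functions and `choose_file_context` are this example's own names), so the decision logic runs stand-alone. The third scenario shows the failure mode the bug is about: with no policy default and nothing to inherit, the function reports failure instead of silently letting the default type transition (shadow_t here) win.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>

/* Callback shapes mirroring libselinux's matchpathcon() and getfilecon():
 * return 0 and a malloc'd context in *con, or -1 on failure. They are
 * simulated below (constructed data) so the logic runs without a policy. */
typedef int (*lookup_default_fn)(const char *path, mode_t mode, char **con);
typedef int (*get_existing_fn)(const char *path, char **con);

static char *dup_str(const char *s)
{
    char *p = malloc(strlen(s) + 1);
    return p ? strcpy(p, s) : NULL;
}

/* Choose the context for the rewritten /etc/passwd (or group/shadow):
 * 1. the policy default for the path, if the policy knows it;
 * 2. otherwise the context the existing file already carries, so a missing
 *    /etc/selinux/targeted/contexts does not relabel a correct file;
 * 3. if neither is available, return -1 and leave the decision to the caller.
 * On success *out is malloc'd and owned by the caller. */
int choose_file_context(const char *path, lookup_default_fn lookup,
                        get_existing_fn existing, char **out)
{
    char *con = NULL;

    *out = NULL;
    if (lookup(path, 0, &con) == 0 && con != NULL) {
        *out = con;
        return 0;
    }
    free(con);
    con = NULL;
    if (existing(path, &con) == 0 && con != NULL) {
        *out = con;
        return 0;
    }
    free(con);
    return -1;
}

/* ---- constructed scenarios standing in for real environments ---- */

/* contexts directory present: the policy knows /etc/passwd */
int sim_lookup_with_policy(const char *path, mode_t mode, char **con)
{
    (void)mode;
    *con = strcmp(path, "/etc/passwd") == 0
           ? dup_str("system_u:object_r:passwd_file_t:s0") : NULL;
    return *con ? 0 : -1;
}

/* contexts directory moved away: matchpathcon() reports <<none>> */
int sim_lookup_no_policy(const char *path, mode_t mode, char **con)
{
    (void)path; (void)mode; *con = NULL; return -1;
}

/* the file being rewritten still carries its original label */
int sim_existing_labelled(const char *path, char **con)
{
    *con = strcmp(path, "/etc/passwd") == 0
           ? dup_str("unconfined_u:object_r:passwd_file_t:s0") : NULL;
    return *con ? 0 : -1;
}

/* nothing to inherit from (first creation of the file) */
int sim_existing_absent(const char *path, char **con)
{
    (void)path; *con = NULL; return -1;
}

/* Run one scenario for /etc/passwd; returns the chosen context or "" when
 * none could be determined (static buffer, not thread-safe). */
const char *run_scenario(lookup_default_fn lookup, get_existing_fn existing)
{
    static char result[128];
    char *con = NULL;

    result[0] = '\0';
    if (choose_file_context("/etc/passwd", lookup, existing, &con) == 0) {
        snprintf(result, sizeof result, "%s", con);
        free(con);
    }
    return result;
}

int main(void)
{
    printf("policy present:           %s\n",
           run_scenario(sim_lookup_with_policy, sim_existing_labelled));
    printf("no policy, file labelled: %s\n",
           run_scenario(sim_lookup_no_policy, sim_existing_labelled));
    printf("no policy, no file:       \"%s\"\n",
           run_scenario(sim_lookup_no_policy, sim_existing_absent));
    return 0;
}
```

The ordering matters: the policy default is consulted first so that a file whose old label was already wrong still gets corrected on rewrite, and inheriting from the existing file is only a fallback for the window in which the contexts directory is not installed yet.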
Hmm, I'd actually be interested in knowing whether shadow-utils-4.1.5.1-4.el7 fixed the problem (without the selinux-policy change).

Created attachment 701261: test output executed to verify the fix

Retested on latest RHEL-7.0-20130222.0 with shadow-utils-4.1.5.1-4.el7. It works fine, /etc/passwd has passwd_t context all the time.

Moving to VERIFIED.

Thanks,
Martin
I believe that comment#15 contains a typo. The test output confirms it. /etc/passwd should be and also is labelled passwd_file_t, which is correct.

Yes, it was just a typo. Sorry for that :)

This request was resolved in Red Hat Enterprise Linux 7.0. Contact your manager or support representative in case you have further questions about the request.