Bug 990874 - SELinux is preventing /usr/bin/passwd from 'unlink' accesses on the file nshadow.
Keywords:
Status: CLOSED NOTABUG
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 18
Hardware: x86_64
OS: Unspecified
Target Milestone: ---
Assignee: Miroslav Grepl
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard: abrt_hash:3cd67cb77c9356b2fe38d881922...
Duplicates: 990870
Depends On:
Blocks:
 
Reported: 2013-08-01 06:50 UTC by Paul Fee
Modified: 2013-08-02 09:42 UTC (History)
CC List: 3 users

Fixed In Version:
Clone Of:
Environment:
Last Closed: 2013-08-01 15:56:41 UTC
Type: ---
Embargoed:



Description Paul Fee 2013-08-01 06:50:55 UTC
Description of problem:
Tried setting the password of another user from a root shell.

# passwd <user>
SELinux is preventing /usr/bin/passwd from 'unlink' accesses on the file nshadow.

*****  Plugin catchall_labels (83.8 confidence) suggests  ********************

If you want to allow passwd to have unlink access on the nshadow file
Then you need to change the label on nshadow
Do
# semanage fcontext -a -t FILE_TYPE 'nshadow'
where FILE_TYPE is one of the following: faillog_t, krb5_host_rcache_t, passwd_file_t, pcscd_var_run_t, shadow_t. 
Then execute: 
restorecon -v 'nshadow'


*****  Plugin catchall (17.1 confidence) suggests  ***************************

If you believe that passwd should be allowed unlink access on the nshadow file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep passwd /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                unconfined_u:unconfined_r:passwd_t:s0-s0:c0.c1023
Target Context                unconfined_u:object_r:etc_t:s0
Target Objects                nshadow [ file ]
Source                        passwd
Source Path                   /usr/bin/passwd
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           passwd-0.78.99-3.fc18.x86_64
Target RPM Packages           
Policy RPM                    selinux-policy-3.11.1-98.fc18.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 3.9.11-200.fc18.x86_64 #1 SMP Mon
                              Jul 22 21:04:50 UTC 2013 x86_64 x86_64
Alert Count                   1
First Seen                    2013-08-01 07:47:29 BST
Last Seen                     2013-08-01 07:47:29 BST
Local ID                      0a94d677-3746-4493-9984-805e66a9b4c2

Raw Audit Messages
type=AVC msg=audit(1375339649.304:407): avc:  denied  { unlink } for  pid=2063 comm="passwd" name="nshadow" dev="dm-1" ino=16380 scontext=unconfined_u:unconfined_r:passwd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:etc_t:s0 tclass=file


type=SYSCALL msg=audit(1375339649.304:407): arch=x86_64 syscall=unlink success=no exit=EACCES a0=7fe3b0ab6c52 a1=0 a2=0 a3=6165726373662f72 items=0 ppid=1934 pid=2063 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=1 tty=pts4 comm=passwd exe=/usr/bin/passwd subj=unconfined_u:unconfined_r:passwd_t:s0-s0:c0.c1023 key=(null)

Hash: passwd,passwd_t,etc_t,file,unlink

audit2allow

#============= passwd_t ==============
allow passwd_t etc_t:file unlink;

audit2allow -R
require {
	type passwd_t;
}

#============= passwd_t ==============
files_delete_etc_files(passwd_t)


Additional info:
reporter:       libreport-2.1.5
hashmarkername: setroubleshoot
kernel:         3.9.11-200.fc18.x86_64
type:           libreport

Comment 1 Daniel Walsh 2013-08-01 15:56:41 UTC
The alert tells you what to do.

restorecon /etc/nshadow

Comment 2 Daniel Walsh 2013-08-01 15:56:53 UTC
*** Bug 990870 has been marked as a duplicate of this bug. ***

Comment 3 Paul Fee 2013-08-01 16:15:10 UTC
It looks as though /etc/nshadow was a temporary file, hence using restorecon is not appropriate as the file doesn't exist before issuing the "passwd" command.

Not being overly familiar with SELinux security contexts, I'm wondering if nshadow inherits its context from a parent, e.g. the /etc directory.  Perhaps there's something wrong in that this new (temporary) file is created by the "passwd" program, but "passwd" is not then able to unlink it.

On another F18 system of mine I have no issues using passwd as root to modify other users' passwords.

There's something different about this problem machine, however I'm not sure if this bug should be closed just yet.

Comment 4 Daniel Walsh 2013-08-01 18:44:05 UTC
Well, you had an /etc/nshadow file on disk which was labeled etc_t; it might be gone now.

The file transition rule referenced in the other bug report should label it correctly when run through passwd.

Not sure what went wrong.
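
A small parser, added here as an example and not part of the bug report, that reads the AVC record from the description and decides which of the two setroubleshoot suggestions applies: a relabel (the target's type differs from the one the policy assigns, as with the stale etc_t-labelled nshadow file in this thread) or a genuine policy gap (audit2allow / bug report). It assumes shadow_t is the type the policy's file context assigns to /etc/nshadow, which is what the restorecon advice in comment 1 relies on.

```python
import re

# AVC record copied from the bug description above.
AVC_LINE = ('type=AVC msg=audit(1375339649.304:407): avc:  denied  { unlink } for  '
            'pid=2063 comm="passwd" name="nshadow" dev="dm-1" ino=16380 '
            'scontext=unconfined_u:unconfined_r:passwd_t:s0-s0:c0.c1023 '
            'tcontext=unconfined_u:object_r:etc_t:s0 tclass=file')

# Assumption: the policy's file context for /etc/nshadow is shadow_t
# (the type a restorecon would apply); not taken from the report itself.
EXPECTED_TYPE = {"nshadow": "shadow_t"}

AVC_RE = re.compile(r'avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]+?)\s*\}'
                    r'\s+for\s+(?P<rest>.*)')
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')   # key=value, value may be quoted


def parse_avc(line):
    """Return the AVC fields as a dict (perms as a list), or None if not an AVC line."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {"result": m.group("result"), "perms": m.group("perms").split()}
    for key, val in KV_RE.findall(m.group("rest")):
        rec[key] = val.strip('"')
    return rec


def context_type(ctx):
    """Extract the type field from user:role:type[:range]."""
    return ctx.split(":")[2]


def diagnose(line):
    """Classify a denial: 'relabel' if the target carries the wrong type, else 'policy'."""
    rec = parse_avc(line)
    if rec is None or rec["result"] != "denied":
        return None
    ttype = context_type(rec["tcontext"])
    expected = EXPECTED_TYPE.get(rec.get("name"))
    mislabeled = expected is not None and ttype != expected
    return {
        "source_type": context_type(rec["scontext"]),
        "target": rec.get("name"), "target_type": ttype, "expected_type": expected,
        "perms": rec["perms"], "tclass": rec.get("tclass"),
        "mislabeled": mislabeled,
        # Mirrors the two plugins in the alert: catchall_labels vs catchall.
        "remedy": "relabel (restorecon)" if mislabeled else "policy gap (audit2allow / file a bug)",
    }
```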

Comment 5 Paul Fee 2013-08-02 09:42:08 UTC
I upgraded to F19 via fedup.  The problem has now disappeared and I can reset user passwords.  I'm happy to close this bug and move on.

Thanks for the feedback.

