Description of problem:
Tried setting password of another user from root shell.
# passwd <user>

SELinux is preventing /usr/bin/passwd from 'unlink' accesses on the file nshadow.

***** Plugin catchall_labels (83.8 confidence) suggests ********************
If you want to allow passwd to have unlink access on the nshadow file
Then you need to change the label on nshadow
Do
# semanage fcontext -a -t FILE_TYPE 'nshadow'
where FILE_TYPE is one of the following: faillog_t, krb5_host_rcache_t, passwd_file_t, pcscd_var_run_t, shadow_t.
Then execute:
restorecon -v 'nshadow'

***** Plugin catchall (17.1 confidence) suggests ***************************
If you believe that passwd should be allowed unlink access on the nshadow file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep passwd /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                unconfined_u:unconfined_r:passwd_t:s0-s0:c0.c1023
Target Context                unconfined_u:object_r:etc_t:s0
Target Objects                nshadow [ file ]
Source                        passwd
Source Path                   /usr/bin/passwd
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           passwd-0.78.99-3.fc18.x86_64
Target RPM Packages
Policy RPM                    selinux-policy-3.11.1-98.fc18.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 3.9.11-200.fc18.x86_64 #1 SMP Mon Jul 22 21:04:50 UTC 2013 x86_64 x86_64
Alert Count                   1
First Seen                    2013-08-01 07:47:29 BST
Last Seen                     2013-08-01 07:47:29 BST
Local ID                      0a94d677-3746-4493-9984-805e66a9b4c2

Raw Audit Messages
type=AVC msg=audit(1375339649.304:407): avc: denied { unlink } for pid=2063 comm="passwd" name="nshadow" dev="dm-1" ino=16380 scontext=unconfined_u:unconfined_r:passwd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:etc_t:s0 tclass=file

type=SYSCALL msg=audit(1375339649.304:407): arch=x86_64 syscall=unlink success=no exit=EACCES a0=7fe3b0ab6c52 a1=0 a2=0 a3=6165726373662f72 items=0 ppid=1934 pid=2063 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=1 tty=pts4 comm=passwd exe=/usr/bin/passwd subj=unconfined_u:unconfined_r:passwd_t:s0-s0:c0.c1023 key=(null)

Hash: passwd,passwd_t,etc_t,file,unlink

audit2allow

#============= passwd_t ==============
allow passwd_t etc_t:file unlink;

audit2allow -R

require {
	type passwd_t;
}

#============= passwd_t ==============
files_delete_etc_files(passwd_t)

Additional info:
reporter:       libreport-2.1.5
hashmarkername: setroubleshoot
kernel:         3.9.11-200.fc18.x86_64
type:           libreport
The alert tells you what to do.
restorecon /etc/nshadow
*** Bug 990870 has been marked as a duplicate of this bug. ***
It looks as though /etc/nshadow was a temporary file, hence using restorecon is not appropriate as the file doesn't exist before issuing the "passwd" command. Not being overly familiar with SELinux security contexts, I'm wondering if nshadow inherits its context from a parent, e.g. the /etc directory. Perhaps there's something wrong in that this new (temporary) file is created by the "passwd" program, but "passwd" is not then able to unlink it. On another F18 system of mine I have no issues using passwd as root to modify other users' passwords. There's something different about this problem machine, however I'm not sure if this bug should be closed just yet.
Well you had an /etc/nshadow file on disk which was labeled etc_t, might be gone now. The file transition rule referenced in the other bug report should label it correctly when run through passwd. Not sure what went wrong.
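The disagreement in the two comments above (relabel with restorecon versus a leftover file that passwd created) comes down to reading the raw AVC record: the source type, the target type, the object class and the denied permission. The script below is an added example, not part of this bug report or of setroubleshoot/audit2allow; it parses a constructed AVC record that mirrors the one in the report with plain sed/cut, rebuilds the allow rule audit2allow printed, and applies the triage rule the thread implies: if the target carries a type other than the one policy expects for it (here shadow_t, one of the candidates the alert lists, passed in as a parameter rather than assumed), the fix is a label problem to chase, not a policy module.

```shell
#!/bin/sh
# Added example (not from the bug report): parse a raw SELinux AVC record into
# its fields, derive the audit2allow rule for it, and decide whether the denial
# points at a mislabeled object or at a genuine policy gap.

# Constructed sample record; mirrors the report's denial but is not copied
# from any host's audit log.
AVC_SAMPLE='type=AVC msg=audit(1375339649.304:407): avc:  denied  { unlink } for  pid=2063 comm="passwd" name="nshadow" dev="dm-1" ino=16380 scontext=unconfined_u:unconfined_r:passwd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:etc_t:s0 tclass=file'

# avc_field RECORD KEY -> value of "KEY=..." with surrounding quotes stripped.
# The leading [[:space:]] keeps "pid=" from matching inside "ppid=".
avc_field() {
    printf '%s\n' "$1" | sed -n "s/.*[[:space:]]$2=\"\{0,1\}\([^\" ]*\)\"\{0,1\}.*/\1/p"
}

# avc_perms RECORD -> the permission list inside "denied { ... }", trimmed.
avc_perms() {
    printf '%s\n' "$1" | sed -n 's/.*denied *{ *\([^}]*[^} ]\) *}.*/\1/p'
}

# ctx_type CONTEXT -> the type component of user:role:type[:level].
ctx_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# avc_rule RECORD -> the "allow src tgt:class perms;" line audit2allow emits
# for this single record.
avc_rule() {
    src=$(ctx_type "$(avc_field "$1" scontext)")
    tgt=$(ctx_type "$(avc_field "$1" tcontext)")
    cls=$(avc_field "$1" tclass)
    printf 'allow %s %s:%s %s;\n' "$src" "$tgt" "$cls" "$(avc_perms "$1")"
}

# avc_triage RECORD EXPECTED_TYPE -> "relabel" when the target object's type
# differs from the type policy expects for that object (a restorecon or file
# transition problem, as in this report); "policy" when the label is already
# the expected one and only a policy change could permit the access.
avc_triage() {
    tgt=$(ctx_type "$(avc_field "$1" tcontext)")
    if [ "$tgt" != "$2" ]; then
        echo relabel
    else
        echo policy
    fi
}

# Stand-alone run over the constructed record. shadow_t is supplied by the
# caller as the expected type for nshadow; the script does not assume it.
avc_rule "$AVC_SAMPLE"
printf 'target name=%s type=%s -> %s\n' \
    "$(avc_field "$AVC_SAMPLE" name)" \
    "$(ctx_type "$(avc_field "$AVC_SAMPLE" tcontext)")" \
    "$(avc_triage "$AVC_SAMPLE" shadow_t)"
```

Run against a real system, the record would come from `grep 'avc: *denied' /var/log/audit/audit.log` and the expected type from `matchpathcon /etc/nshadow`; a "relabel" verdict means a local policy module built with audit2allow would paper over a labeling fault rather than fix it.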
I upgraded to F19 via fedup. The problem has now disappeared and I can reset user passwords. I'm happy to close this bug and move on. Thanks for the feedback.