Bug 990874 - SELinux is preventing /usr/bin/passwd from 'unlink' accesses on the file nshadow.
Product: Fedora
Classification: Fedora
Component: selinux-policy (Show other bugs)
Hardware: x86_64
OS: Unspecified
Priority: unspecified
Severity: unspecified
Assigned To: Miroslav Grepl
Fedora Extras Quality Assurance
Duplicates: 990870
Reported: 2013-08-01 02:50 EDT by Paul Fee
Modified: 2013-08-02 05:42 EDT (History)

Doc Type: Bug Fix
Last Closed: 2013-08-01 11:56:41 EDT
Description Paul Fee 2013-08-01 02:50:55 EDT
Description of problem:
Tried setting password of another user from root shell. 

# passwd <user>
SELinux is preventing /usr/bin/passwd from 'unlink' accesses on the file nshadow.

*****  Plugin catchall_labels (83.8 confidence) suggests  ********************

If you want to allow passwd to have unlink access on the nshadow file
Then you need to change the label on nshadow
# semanage fcontext -a -t FILE_TYPE 'nshadow'
where FILE_TYPE is one of the following: faillog_t, krb5_host_rcache_t, passwd_file_t, pcscd_var_run_t, shadow_t. 
Then execute: 
restorecon -v 'nshadow'

*****  Plugin catchall (17.1 confidence) suggests  ***************************

If you believe that passwd should be allowed unlink access on the nshadow file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
allow this access for now by executing:
# grep passwd /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                unconfined_u:unconfined_r:passwd_t:s0-s0:c0.c1023
Target Context                unconfined_u:object_r:etc_t:s0
Target Objects                nshadow [ file ]
Source                        passwd
Source Path                   /usr/bin/passwd
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           passwd-0.78.99-3.fc18.x86_64
Target RPM Packages           
Policy RPM                    selinux-policy-3.11.1-98.fc18.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 3.9.11-200.fc18.x86_64 #1 SMP Mon
                              Jul 22 21:04:50 UTC 2013 x86_64 x86_64
Alert Count                   1
First Seen                    2013-08-01 07:47:29 BST
Last Seen                     2013-08-01 07:47:29 BST
Local ID                      0a94d677-3746-4493-9984-805e66a9b4c2

Raw Audit Messages
type=AVC msg=audit(1375339649.304:407): avc:  denied  { unlink } for  pid=2063 comm="passwd" name="nshadow" dev="dm-1" ino=16380 scontext=unconfined_u:unconfined_r:passwd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:etc_t:s0 tclass=file

type=SYSCALL msg=audit(1375339649.304:407): arch=x86_64 syscall=unlink success=no exit=EACCES a0=7fe3b0ab6c52 a1=0 a2=0 a3=6165726373662f72 items=0 ppid=1934 pid=2063 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=1 tty=pts4 comm=passwd exe=/usr/bin/passwd subj=unconfined_u:unconfined_r:passwd_t:s0-s0:c0.c1023 key=(null)

Hash: passwd,passwd_t,etc_t,file,unlink


#============= passwd_t ==============
allow passwd_t etc_t:file unlink;

audit2allow -R
require {
	type passwd_t;

#============= passwd_t ==============

Additional info:
reporter:       libreport-2.1.5
hashmarkername: setroubleshoot
kernel:         3.9.11-200.fc18.x86_64
type:           libreport
Comment 1 Daniel Walsh 2013-08-01 11:56:41 EDT
The alert tells you what to do.

restorecon /etc/nshadow
Comment 2 Daniel Walsh 2013-08-01 11:56:53 EDT
*** Bug 990870 has been marked as a duplicate of this bug. ***
Comment 3 Paul Fee 2013-08-01 12:15:10 EDT
It looks as though /etc/nshadow was a temporary file, hence using restorecon is not appropriate as the file doesn't exist before issuing the "passwd" command.

Not being overly familiar with SELinux security contexts, I'm wondering if nshadow inherits its context from a parent, e.g. the /etc directory.  Perhaps there's something wrong in that this new (temporary) file is created by the "passwd" program, but "passwd" is not then able to unlink it.

On another F18 system of mine I have no issues using passwd as root to modify other users' passwords.

There's something different about this problem machine, however I'm not sure if this bug should be closed just yet.
Comment 4 Daniel Walsh 2013-08-01 14:44:05 EDT
Well you had an /etc/nshadow file on disk which was labeled etc_t, might be gone now.

The file transition rule referenced in the other bug report should label it correctly when run through passwd.

Not sure what went wrong.
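The two comments above describe the mechanism: passwd writes a temporary /etc/nshadow, and unless the policy carries a name-based file transition for that name, the new file inherits etc_t from /etc and passwd_t is then not allowed to unlink it; a stale etc_t copy left on disk by an earlier failure produces the same denial. As an added example (it is not from the bug report, setroubleshoot, or the Fedora policy), the POSIX shell script below pulls the source type, target type, object class, permission and file name out of an AVC record and prints the three checks worth running before reaching for audit2allow: whether the policy has a name-based transition for that file, what label matchpathcon expects for it, and whether a stale copy exists to restorecon. The AVC line is the one from the report, embedded as sample input so the script runs offline; the /etc path is taken from comment 1 and is an assumption, as are the helper names.

```shell
#!/bin/sh
# Added example: triage an SELinux AVC denial for a file created by a confined
# program. Not part of the bug report; helper names are this example's own.

# Sample input: the AVC record from the report above, embedded so this runs offline.
SAMPLE_AVC='type=AVC msg=audit(1375339649.304:407): avc:  denied  { unlink } for  pid=2063 comm="passwd" name="nshadow" dev="dm-1" ino=16380 scontext=unconfined_u:unconfined_r:passwd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:etc_t:s0 tclass=file'

# Assumed directory the temporary file is created in (comment 1 names /etc/nshadow).
TARGET_DIR=/etc

# avc_field LINE KEY -> value of "KEY=value" or 'KEY="value"' in the record
avc_field() {
    printf '%s\n' "$1" | sed -n "s/.*[[:space:]]$2=\"\{0,1\}\([^\" ]*\)\"\{0,1\}.*/\1/p"
}

# avc_perm LINE -> the permission listed inside "denied { ... }"
avc_perm() {
    printf '%s\n' "$1" | sed -n 's/.*denied[[:space:]]*{ *\([^ }]*\) *}.*/\1/p'
}

# context_type CONTEXT -> the type field of user:role:type:range
context_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# avc_summary LINE -> "source_type target_type class permission name"
# (the same five facts setroubleshoot folds into its "Hash:" line)
avc_summary() {
    line=$1
    stype=$(context_type "$(avc_field "$line" scontext)")
    ttype=$(context_type "$(avc_field "$line" tcontext)")
    printf '%s %s %s %s %s\n' \
        "$stype" "$ttype" "$(avc_field "$line" tclass)" \
        "$(avc_perm "$line")" "$(avc_field "$line" name)"
}

# avc_advice LINE -> the checks to run on the affected host, in order.
# sesearch, matchpathcon and restorecon are the standard policy tools; the
# commands are printed rather than run so the script works off-box.
avc_advice() {
    set -- $(avc_summary "$1")
    stype=$1; ttype=$2; tclass=$3; perm=$4; name=$5
    echo "# $stype was denied '$perm' on a $tclass named '$name' labeled $ttype"
    echo "# 1. Does the policy carry a name-based transition for '$name' created by $stype in $ttype directories?"
    echo "sesearch -T -s $stype -t $ttype -c $tclass | grep -w $name"
    echo "# 2. Which label does the file-context database expect for it?"
    echo "matchpathcon $TARGET_DIR/$name"
    echo "# 3. Is a stale copy on disk with the wrong label? If so, relabel it."
    echo "ls -lZ $TARGET_DIR/$name 2>/dev/null && restorecon -v $TARGET_DIR/$name"
}

# Run against the embedded sample.
avc_summary "$SAMPLE_AVC"
avc_advice "$SAMPLE_AVC"
```

If step 1 prints a transition rule naming the file (for passwd_t in etc_t the expected target label is shadow_t, per the file types setroubleshoot lists), the policy is fine and step 3 is the fix, as Daniel Walsh suggests; if step 1 prints nothing, the policy lacks the rule and the denial is worth reporting instead of papering over with audit2allow, which would grant passwd_t unlink on every etc_t file.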
Comment 5 Paul Fee 2013-08-02 05:42:08 EDT
I upgraded to F19 via fedup.  The problem has now disappeared and I can reset user passwords.  I'm happy to close this bug and move on.

Thanks for the feedback.
