992931 – SELinux is preventing /usr/lib64/ejabberd/priv/bin/epam from 'execute' accesses on the file /usr/sbin/unix_chkpwd.

Bug 992931 - SELinux is preventing /usr/lib64/ejabberd/priv/bin/epam from 'execute' accesses on the file /usr/sbin/unix_chkpwd.

Summary: SELinux is preventing /usr/lib64/ejabberd/priv/bin/epam from 'execute' access...

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Fedora
Classification:	Fedora
Component:	selinux-policy
Sub Component:
Version:	19
Hardware:	x86_64
OS:	Unspecified
Priority:	unspecified
Severity:	unspecified
Target Milestone:	---
Assignee:	Miroslav Grepl
QA Contact:	Fedora Extras Quality Assurance
Docs Contact:
URL:
Whiteboard:	abrt_hash:997dac1999074e5270128fff9c4...
Duplicates (6):	992938 992946 992948 992949 992950 992952 (view as bug list)
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2013-08-05 08:55 UTC by Samium Gromoff
Modified:	2013-08-22 00:53 UTC (History)
CC List:	3 users (show)
Fixed In Version:	selinux-policy-3.12.1-71.fc19
Doc Type:	Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed:	2013-08-22 00:53:07 UTC
Type:	---
Embargoed:
Dependent Products:

Attachments	(Terms of Use)

Description Samium Gromoff 2013-08-05 08:55:20 UTC

Description of problem:
I'm trying to run ejabberd with PAM authentication, but SELinux shoots that down.

I have the following in my /etc/ejabberd/ejabberd.conf:
---- >8 ----
{auth_method, pam}.
{pam_service, "login"}.
---- 8< ----
SELinux is preventing /usr/lib64/ejabberd/priv/bin/epam from 'execute' accesses on the file /usr/sbin/unix_chkpwd.

*****  Plugin catchall (100. confidence) suggests  ***************************

If you believe that epam should be allowed execute access on the unix_chkpwd file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep epam /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:rabbitmq_beam_t:s0
Target Context                system_u:object_r:chkpwd_exec_t:s0
Target Objects                /usr/sbin/unix_chkpwd [ file ]
Source                        epam
Source Path                   /usr/lib64/ejabberd/priv/bin/epam
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           ejabberd-2.1.13-1.fc19.x86_64
Target RPM Packages           pam-1.1.6-12.fc19.x86_64
Policy RPM                    selinux-policy-3.12.1-66.fc19.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 3.9.5-301.fc19.x86_64 #1 SMP Tue
                              Jun 11 19:39:38 UTC 2013 x86_64 x86_64
Alert Count                   22
First Seen                    2013-08-02 17:55:42 MSK
Last Seen                     2013-08-05 11:59:25 MSK
Local ID                      2ca6cf7d-7c9c-4336-b951-f3fe41732f36

Raw Audit Messages
type=AVC msg=audit(1375689565.280:1588): avc:  denied  { execute } for  pid=9920 comm="epam" name="unix_chkpwd" dev="dm-3" ino=1598665 scontext=system_u:system_r:rabbitmq_beam_t:s0 tcontext=system_u:object_r:chkpwd_exec_t:s0 tclass=file


type=SYSCALL msg=audit(1375689565.280:1588): arch=x86_64 syscall=execve success=no exit=EACCES a0=7fdd33925b38 a1=7fff724213b0 a2=7fdd33b2c3a0 a3=0 items=0 ppid=28188 pid=9920 auid=4294967295 uid=991 gid=989 euid=0 suid=0 fsuid=0 egid=989 sgid=989 fsgid=989 ses=4294967295 tty=(none) comm=epam exe=/usr/lib64/ejabberd/priv/bin/epam subj=system_u:system_r:rabbitmq_beam_t:s0 key=(null)

Hash: epam,rabbitmq_beam_t,chkpwd_exec_t,file,execute

Additional info:
reporter:       libreport-2.1.6
hashmarkername: setroubleshoot
kernel:         3.9.5-301.fc19.x86_64
type:           libreport

Comment 1 Miroslav Grepl 2013-08-05 14:30:41 UTC

*** Bug 992938 has been marked as a duplicate of this bug. ***

Comment 2 Miroslav Grepl 2013-08-05 14:30:55 UTC

*** Bug 992948 has been marked as a duplicate of this bug. ***

Comment 3 Miroslav Grepl 2013-08-05 14:31:08 UTC

*** Bug 992946 has been marked as a duplicate of this bug. ***

Comment 4 Miroslav Grepl 2013-08-05 14:31:09 UTC

*** Bug 992950 has been marked as a duplicate of this bug. ***

Comment 5 Miroslav Grepl 2013-08-05 14:31:11 UTC

*** Bug 992952 has been marked as a duplicate of this bug. ***

Comment 6 Miroslav Grepl 2013-08-05 14:31:15 UTC

*** Bug 992949 has been marked as a duplicate of this bug. ***

Comment 7 Miroslav Grepl 2013-08-05 14:44:02 UTC

commit 4e2afb1784a0f572ccb0223dc825eb7b56d8a094
Author: Miroslav Grepl <mgrepl>
Date:   Mon Aug 5 16:43:34 2013 +0200

    Add fixes for rabbit to fix ##992920,#992931

Comment 8 Fedora Update System 2013-08-20 08:26:10 UTC

selinux-policy-3.12.1-71.fc19 has been submitted as an update for Fedora 19.
https://admin.fedoraproject.org/updates/selinux-policy-3.12.1-71.fc19

Comment 9 Fedora Update System 2013-08-21 00:15:18 UTC

Package selinux-policy-3.12.1-71.fc19:
* should fix your issue,
* was pushed to the Fedora 19 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.12.1-71.fc19'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2013-15088/selinux-policy-3.12.1-71.fc19
then log in and leave karma (feedback).

Comment 10 Fedora Update System 2013-08-22 00:53:07 UTC

selinux-policy-3.12.1-71.fc19 has been pushed to the Fedora 19 stable repository.  If problems still persist, please make note of it in this bug report.

Note You need to log in before you can comment on or make changes to this bug.