Bug 992950 - SELinux is preventing /usr/sbin/unix_chkpwd from using the 'dac_override' capabilities.
SELinux is preventing /usr/sbin/unix_chkpwd from using the 'dac_override' cap...
Status: CLOSED DUPLICATE of bug 992931
Product: Fedora
Classification: Fedora
Component: selinux-policy (Show other bugs)
19
x86_64 Unspecified
unspecified Severity unspecified
: ---
: ---
Assigned To: Miroslav Grepl
Fedora Extras Quality Assurance
abrt_hash:eda07c7c2e9f93a6a49a8d66b75...
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2013-08-05 05:28 EDT by Samium Gromoff
Modified: 2013-08-05 10:31 EDT (History)
3 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2013-08-05 10:31:09 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Samium Gromoff 2013-08-05 05:28:02 EDT
Description of problem:
I am trying to run ejabberd with PAM authentication, but SELinux shoots down PAM-related machinery
during client authentication.

I have the following in my /etc/ejabberd/ejabberd.conf:
---- >8 ----
{auth_method, pam}.
{pam_service, "login"}.
---- 8< ----
SELinux is preventing /usr/sbin/unix_chkpwd from using the 'dac_override' capabilities.

*****  Plugin dac_override (91.4 confidence) suggests  ***********************

If you want to help identify if domain needs this access or you have a file with the wrong permissions on your system
Then turn on full auditing to get path information about the offending file and generate the error again.
Do

Turn on full auditing
# auditctl -w /etc/shadow -p w
Try to recreate AVC. Then execute
# ausearch -m avc -ts recent
If you see PATH record check ownership/permissions on file, and fix it, 
otherwise report as a bugzilla.

*****  Plugin catchall (9.59 confidence) suggests  ***************************

If you believe that unix_chkpwd should have the dac_override capability by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep unix_chkpwd /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:rabbitmq_beam_t:s0
Target Context                system_u:system_r:rabbitmq_beam_t:s0
Target Objects                 [ capability ]
Source                        unix_chkpwd
Source Path                   /usr/sbin/unix_chkpwd
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           pam-1.1.6-12.fc19.x86_64
Target RPM Packages           
Policy RPM                    selinux-policy-3.12.1-69.fc19.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 3.9.5-301.fc19.x86_64 #1 SMP Tue
                              Jun 11 19:39:38 UTC 2013 x86_64 x86_64
Alert Count                   4
First Seen                    2013-08-05 13:26:24 MSK
Last Seen                     2013-08-05 13:26:31 MSK
Local ID                      2b38c612-c47a-45af-b90a-58a35452340a

Raw Audit Messages
type=AVC msg=audit(1375694791.125:2106): avc:  denied  { dac_override } for  pid=16560 comm="unix_chkpwd" capability=1  scontext=system_u:system_r:rabbitmq_beam_t:s0 tcontext=system_u:system_r:rabbitmq_beam_t:s0 tclass=capability


type=AVC msg=audit(1375694791.125:2106): avc:  denied  { dac_read_search } for  pid=16560 comm="unix_chkpwd" capability=2  scontext=system_u:system_r:rabbitmq_beam_t:s0 tcontext=system_u:system_r:rabbitmq_beam_t:s0 tclass=capability


type=SYSCALL msg=audit(1375694791.125:2106): arch=x86_64 syscall=open success=no exit=EACCES a0=7ff87b5a243b a1=80000 a2=1b6 a3=0 items=0 ppid=16249 pid=16560 auid=4294967295 uid=0 gid=989 euid=0 suid=0 fsuid=0 egid=989 sgid=989 fsgid=989 ses=4294967295 tty=(none) comm=unix_chkpwd exe=/usr/sbin/unix_chkpwd subj=system_u:system_r:rabbitmq_beam_t:s0 key=(null)

Hash: unix_chkpwd,rabbitmq_beam_t,rabbitmq_beam_t,capability,dac_override

Additional info:
reporter:       libreport-2.1.6
hashmarkername: setroubleshoot
kernel:         3.9.5-301.fc19.x86_64
type:           libreport
Comment 1 Miroslav Grepl 2013-08-05 10:31:09 EDT

*** This bug has been marked as a duplicate of bug 992931 ***

Note You need to log in before you can comment on or make changes to this bug.