Note: This is a public test instance of Red Hat Bugzilla. The data contained within is a snapshot of the live data so any changes you make will not be reflected in the production Bugzilla. Email is disabled so feel free to test any aspect of the site that you want. File any problems you find or give feedback at bugzilla.redhat.com.

Bug 1518655

Summary: Lots of SELinux denials with "passwd: compat"
Product: [Fedora] Fedora Reporter: Trond H. Amundsen <t.h.amundsen>
Component: selinux-policy-targetedAssignee: Lukas Vrabec <lvrabec>
Status: CLOSED ERRATA QA Contact: Milos Malik <mmalik>
Severity: high Docs Contact:
Priority: high    
Version: 27CC: dwalsh, mmalik
Target Milestone: ---   
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2018-08-08 15:34:09 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Trond H. Amundsen 2017-11-29 12:16:27 UTC 
Description of problem:
When using "passwd: compat" in /etc/nsswitch.conf, various services need to read /etc/passwd. SELinux denies this, creating a steady stream of denials:

SELinux is preventing dbus-daemon from map access on the file /etc/passwd.
SELinux is preventing sshd from map access on the file /etc/passwd.
...etc...

Here is a summary of what we've had to add to our local policy for this to work:

allow NetworkManager_t passwd_file_t:file map;
allow abrt_dump_oops_t passwd_file_t:file map;
allow abrt_t passwd_file_t:file map;
allow accountsd_t passwd_file_t:file map;
allow automount_t passwd_file_t:file map;
allow avahi_t passwd_file_t:file map;
allow chkpwd_t passwd_file_t:file map;
allow chronyd_t passwd_file_t:file map;
allow colord_t passwd_file_t:file map;
allow cupsd_t passwd_file_t:file map;
allow firewalld_t passwd_file_t:file map;
allow init_t passwd_file_t:file map;
allow mcelog_t passwd_file_t:file map;
allow policykit_auth_t passwd_file_t:file map;
allow policykit_t passwd_file_t:file map;
allow postfix_master_t passwd_file_t:file map;
allow postfix_pickup_t passwd_file_t:file map;
allow postfix_qmgr_t passwd_file_t:file map;
allow rtkit_daemon_t passwd_file_t:file map;
allow setroubleshootd_t passwd_file_t:file map;
allow sshd_t passwd_file_t:file map;
allow sssd_t passwd_file_t:file map;
allow system_dbusd_t passwd_file_t:file map;
allow systemd_logind_t passwd_file_t:file map;
allow systemd_tmpfiles_t passwd_file_t:file map;
allow useradd_t passwd_file_t:file map;
allow xdm_t passwd_file_t:file map;

This is not an complete list. It would depend on how one configures nsswitch.conf beyond "passwd: compat", as well as which services are running.

Version-Release number of selected component (if applicable):
selinux-policy-targeted-3.13.1-283.17.fc27.noarch

How reproducible:
Always.

Steps to Reproduce:
1. Configure "passwd: compat" in /etc/nsswitch.conf
2. Watch the flow of denials

Actual results:
Host becomes practically unusable, e.g. user can't log in.

Expected results:
No denials.
Comment 2 Fedora Update System 2018-07-27 09:23:05 UTC 
selinux-policy-3.13.1-284.37.fc27 has been submitted as an update to Fedora 27. https://bodhi.fedoraproject.org/updates/FEDORA-2018-4bb4de2d86
Comment 3 Fedora Update System 2018-07-27 15:39:16 UTC 
selinux-policy-3.13.1-284.37.fc27 has been pushed to the Fedora 27 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2018-4bb4de2d86
Comment 4 Fedora Update System 2018-08-08 15:34:09 UTC 
selinux-policy-3.13.1-284.37.fc27 has been pushed to the Fedora 27 stable repository. If problems still persist, please make note of it in this bug report.