Bug 1487984 - SELinux is preventing passwd map access to /etc/passwd and /etc/shadow
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 27
Hardware: Unspecified
OS: Unspecified
Target Milestone: ---
Assignee: Lukas Vrabec
QA Contact: Fedora Extras Quality Assurance
Duplicates: 1496716
Blocks: F27BetaFreezeException 1481454
Reported: 2017-09-04 03:45 UTC by Dusty Mabe
Modified: 2017-09-28 13:21 UTC

Fixed In Version: selinux-policy-3.13.1-283.fc27
Last Closed: 2017-09-16 05:55:18 UTC
Type: Bug

Description Dusty Mabe 2017-09-04 03:45:50 UTC
Description of problem:

$subject

See: 

[fedora@ip-10-0-213-131 ~]$ sudo ausearch -m avc,user_avc
----
time->Mon Sep  4 03:26:21 2017
type=PROCTITLE msg=audit(1504495581.030:116): proctitle=706173737764002D6C006665646F7261
type=SYSCALL msg=audit(1504495581.030:116): arch=c000003e syscall=9 success=no exit=-13 a0=0 a1=51 a2=1 a3=1 items=0 ppid=800 pid=974 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="passwd" exe="/usr/bin/passwd" subj=system_u:system_r:passwd_t:s0 key=(null)
type=AVC msg=audit(1504495581.030:116): avc:  denied  { map } for  pid=974 comm="passwd" path="/etc/passwd" dev="dm-0" ino=4228024 scontext=system_u:system_r:passwd_t:s0 tcontext=system_u:object_r:passwd_file_t:s0 tclass=file permissive=0
----
time->Mon Sep  4 03:26:21 2017
type=PROCTITLE msg=audit(1504495581.030:117): proctitle=706173737764002D6C006665646F7261
type=SYSCALL msg=audit(1504495581.030:117): arch=c000003e syscall=9 success=no exit=-13 a0=0 a1=198 a2=1 a3=1 items=0 ppid=800 pid=974 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="passwd" exe="/usr/bin/passwd" subj=system_u:system_r:passwd_t:s0 key=(null)
type=AVC msg=audit(1504495581.030:117): avc:  denied  { map } for  pid=974 comm="passwd" path="/etc/shadow" dev="dm-0" ino=4219637 scontext=system_u:system_r:passwd_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file permissive=0
----
time->Mon Sep  4 03:26:21 2017
type=PROCTITLE msg=audit(1504495581.036:118): proctitle=706173737764002D6C006665646F7261
type=SYSCALL msg=audit(1504495581.036:118): arch=c000003e syscall=9 success=no exit=-13 a0=0 a1=51 a2=1 a3=1 items=0 ppid=800 pid=974 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="passwd" exe="/usr/bin/passwd" subj=system_u:system_r:passwd_t:s0 key=(null)
type=AVC msg=audit(1504495581.036:118): avc:  denied  { map } for  pid=974 comm="passwd" path="/etc/passwd+" dev="dm-0" ino=4228017 scontext=system_u:system_r:passwd_t:s0 tcontext=system_u:object_r:passwd_file_t:s0 tclass=file permissive=0
----
time->Mon Sep  4 03:26:21 2017
type=PROCTITLE msg=audit(1504495581.042:119): proctitle=706173737764002D6C006665646F7261
type=SYSCALL msg=audit(1504495581.042:119): arch=c000003e syscall=9 success=no exit=-13 a0=0 a1=198 a2=1 a3=1 items=0 ppid=800 pid=974 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="passwd" exe="/usr/bin/passwd" subj=system_u:system_r:passwd_t:s0 key=(null)
type=AVC msg=audit(1504495581.042:119): avc:  denied  { map } for  pid=974 comm="passwd" path="/etc/shadow+" dev="dm-0" ino=4228017 scontext=system_u:system_r:passwd_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file permissive=0
----
time->Mon Sep  4 03:26:21 2017
type=PROCTITLE msg=audit(1504495581.045:120): proctitle=706173737764002D6C006665646F7261
type=SYSCALL msg=audit(1504495581.045:120): arch=c000003e syscall=9 success=no exit=-13 a0=0 a1=51 a2=1 a3=1 items=0 ppid=800 pid=974 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="passwd" exe="/usr/bin/passwd" subj=system_u:system_r:passwd_t:s0 key=(null)
type=AVC msg=audit(1504495581.045:120): avc:  denied  { map } for  pid=974 comm="passwd" path="/etc/passwd" dev="dm-0" ino=4228024 scontext=system_u:system_r:passwd_t:s0 tcontext=system_u:object_r:passwd_file_t:s0 tclass=file permissive=0
----
time->Mon Sep  4 03:26:21 2017
type=PROCTITLE msg=audit(1504495581.045:121): proctitle=706173737764002D6C006665646F7261
type=SYSCALL msg=audit(1504495581.045:121): arch=c000003e syscall=9 success=no exit=-13 a0=0 a1=198 a2=1 a3=1 items=0 ppid=800 pid=974 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="passwd" exe="/usr/bin/passwd" subj=system_u:system_r:passwd_t:s0 key=(null)
type=AVC msg=audit(1504495581.045:121): avc:  denied  { map } for  pid=974 comm="passwd" path="/etc/shadow" dev="dm-0" ino=4228017 scontext=system_u:system_r:passwd_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file permissive=0
[fedora@ip-10-0-213-131 ~]$ 
[fedora@ip-10-0-213-131 ~]$ 
[fedora@ip-10-0-213-131 ~]$ 



Version-Release number of selected component (if applicable):

[fedora@ip-10-0-213-131 ~]$ rpm-ostree status
State: idle
Deployments:
● fedora-atomic:fedora/27/x86_64/atomic-host
                   Version: 27.20170903.n.0 (2017-09-03 17:26:23)
                    Commit: 0be94e70ae37a630518174af0f86a2f02cfdaab940f1d226423c4cc418e58d83
              GPGSignature: (unsigned)
[fedora@ip-10-0-213-131 ~]$ rpm -q selinux-policy
selinux-policy-3.13.1-277.fc27.noarch
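
A triage helper for the denials quoted in the description, added here as an example and not part of the original report or of the selinux-policy project: it decodes the hex-encoded proctitle field and collapses the repeated AVC records into unique (source type, target type, class, permission) tuples. The sample log is abridged from the ausearch output above; all function names are hypothetical.

```python
import re
from collections import Counter

# Sample records abridged from the ausearch output in the description.
# syscall=9 on arch=c000003e (x86_64) is mmap; exit=-13 is EACCES.
SAMPLE = """\
type=PROCTITLE msg=audit(1504495581.030:116): proctitle=706173737764002D6C006665646F7261
type=SYSCALL msg=audit(1504495581.030:116): arch=c000003e syscall=9 success=no exit=-13 comm="passwd" exe="/usr/bin/passwd"
type=AVC msg=audit(1504495581.030:116): avc:  denied  { map } for  pid=974 comm="passwd" path="/etc/passwd" dev="dm-0" ino=4228024 scontext=system_u:system_r:passwd_t:s0 tcontext=system_u:object_r:passwd_file_t:s0 tclass=file permissive=0
type=AVC msg=audit(1504495581.030:117): avc:  denied  { map } for  pid=974 comm="passwd" path="/etc/shadow" dev="dm-0" ino=4219637 scontext=system_u:system_r:passwd_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file permissive=0
type=AVC msg=audit(1504495581.045:120): avc:  denied  { map } for  pid=974 comm="passwd" path="/etc/passwd" dev="dm-0" ino=4228024 scontext=system_u:system_r:passwd_t:s0 tcontext=system_u:object_r:passwd_file_t:s0 tclass=file permissive=0
"""

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{(?P<perms>[^}]*)\}.*?"
    r"scontext=(?P<src>\S+)\s+tcontext=(?P<tgt>\S+)\s+tclass=(?P<cls>\S+)")
PATH_RE = re.compile(r'\bpath="([^"]*)"')
PROCTITLE_RE = re.compile(r"\bproctitle=([0-9A-Fa-f]+)\s*$", re.M)


def decode_proctitle(hex_value):
    """auditd hex-encodes argv because its arguments are NUL-separated."""
    return bytes.fromhex(hex_value).decode("utf-8", "replace").split("\x00")


def se_type(context):
    """Return the type field of a user:role:type:level security context."""
    return context.split(":")[2]


def summarize(log_text):
    """Collapse AVC denials into unique (source, target, class, perm) tuples."""
    counts, paths = Counter(), {}
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue
        path = PATH_RE.search(line)
        for perm in m["perms"].split():
            key = (se_type(m["src"]), se_type(m["tgt"]), m["cls"], perm)
            counts[key] += 1
            if path:
                paths.setdefault(key, set()).add(path[1])
    return counts, paths


if __name__ == "__main__":
    print("argv:", decode_proctitle(PROCTITLE_RE.search(SAMPLE)[1]))
    counts, paths = summarize(SAMPLE)
    for key, n in counts.items():
        src, tgt, cls, perm = key
        print(f"{n}x {src} -> {tgt}:{cls} {{ {perm} }} on {sorted(paths.get(key, ()))}")
```

On a live host, the same functions can be given the text produced by `ausearch -m avc,user_avc` in place of `SAMPLE`.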

Comment 1 Fedora Update System 2017-09-12 13:01:58 UTC
selinux-policy-3.13.1-283.fc27 has been submitted as an update to Fedora 27. https://bodhi.fedoraproject.org/updates/FEDORA-2017-5aefc0255f

Comment 2 Fedora Update System 2017-09-12 13:02:30 UTC
selinux-policy-3.13.1-283.fc27 has been submitted as an update to Fedora 27. https://bodhi.fedoraproject.org/updates/FEDORA-2017-5aefc0255f

Comment 3 Fedora Blocker Bugs Application 2017-09-12 13:06:57 UTC
Proposed as a Freeze Exception for 27-beta by Fedora user dustymabe using the blocker tracking app because:

 selinux: allow map access to /etc/passwd and /etc/shadow

Seeing these denials on Fedora 27 Atomic Host

Comment 4 Fedora Update System 2017-09-12 19:56:12 UTC
selinux-policy-3.13.1-283.fc27 has been pushed to the Fedora 27 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2017-5aefc0255f

Comment 5 Fedora Update System 2017-09-16 05:55:18 UTC
selinux-policy-3.13.1-283.fc27 has been pushed to the Fedora 27 stable repository. If problems still persist, please make note of it in this bug report.

Comment 6 Dusty Mabe 2017-09-20 20:02:10 UTC
Confirmed this is now fixed!

Comment 7 Peter 2017-09-28 13:21:41 UTC
*** Bug 1496716 has been marked as a duplicate of this bug. ***

