With passwd in recent shadow (4.1.5-r2), changes on /etc/shadow fail:

"""
~# passwd -l jboss
passwd: failure while writing changes to /etc/shadow
"""

In the denial logs, the following entries exist:

"""
Apr 22 14:25:26 testsys kernel: [ 5030.455760] type=1400 audit(1335097526.124:198): avc: denied { search } for pid=17961 comm="passwd" name="selinux" dev="vda1" ino=323 scontext=root:sysadm_r:passwd_t tcontext=system_u:object_r:selinux_config_t tclass=dir
Apr 22 14:27:28 testsys kernel: [ 5152.991289] type=1400 audit(1335097648.659:217): avc: denied { search } for pid=18023 comm="passwd" name="contexts" dev="vda1" ino=1850 scontext=root:sysadm_r:passwd_t tcontext=system_u:object_r:default_context_t tclass=dir
Apr 22 14:30:20 testsys kernel: [ 5324.353728] type=1400 audit(1335097820.022:252): avc: denied { search } for pid=18060 comm="passwd" name="files" dev="vda1" ino=1859 scontext=root:sysadm_r:passwd_t tcontext=system_u:object_r:file_context_t tclass=dir
"""

Similar to the changes for groupadd_t, the following resolves the issues:

"""
seutil_read_config(passwd_t)
seutil_read_file_contexts(passwd_t)
"""

Reproducible: Always
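An added example, not part of the original report or of the policy project's code: a small parser that reduces the AVC denials quoted above to the raw access they describe (source type, target type, class, permissions), which is the access the two interfaces named in the report have to cover. The function names are made up for this illustration; the sample input is the report's three log lines plus one constructed non-AVC line to show that unrelated entries are skipped.

```python
import re
from collections import defaultdict

# The three denials from the report, plus one constructed non-AVC line.
SAMPLE_LOG = '''\
Apr 22 14:25:26 testsys kernel: [ 5030.455760] type=1400 audit(1335097526.124:198): avc: denied { search } for pid=17961 comm="passwd" name="selinux" dev="vda1" ino=323 scontext=root:sysadm_r:passwd_t tcontext=system_u:object_r:selinux_config_t tclass=dir
Apr 22 14:26:00 testsys sshd[1234]: constructed line that is not an AVC record
Apr 22 14:27:28 testsys kernel: [ 5152.991289] type=1400 audit(1335097648.659:217): avc: denied { search } for pid=18023 comm="passwd" name="contexts" dev="vda1" ino=1850 scontext=root:sysadm_r:passwd_t tcontext=system_u:object_r:default_context_t tclass=dir
Apr 22 14:30:20 testsys kernel: [ 5324.353728] type=1400 audit(1335097820.022:252): avc: denied { search } for pid=18060 comm="passwd" name="files" dev="vda1" ino=1859 scontext=root:sysadm_r:passwd_t tcontext=system_u:object_r:file_context_t tclass=dir
'''

AVC_RE = re.compile(r"avc:\s+denied\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<fields>.*)$")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return a dict of the key=value fields of one AVC denial, or None."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
    rec["perms"] = m.group("perms").split()
    return rec


def context_type(ctx):
    """Extract the type from user:role:type[:mls-range]; None if malformed."""
    parts = ctx.split(":")
    return parts[2] if len(parts) >= 3 else None


def summarize(log_text):
    """Merge denials into one rule per (source, target, class) triple."""
    rules = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec is None or not {"scontext", "tcontext", "tclass"} <= rec.keys():
            continue
        src, tgt = context_type(rec["scontext"]), context_type(rec["tcontext"])
        if src is None or tgt is None:
            continue
        rules[(src, tgt, rec["tclass"])].update(rec["perms"])
    return [f"allow {s} {t}:{c} {{ {' '.join(sorted(p))} }};"
            for (s, t, c), p in sorted(rules.items())]


if __name__ == "__main__":
    print("\n".join(summarize(SAMPLE_LOG)))
```

Each denial is logged only when the previous directory search has been permitted, so a summary like this reflects the denials seen so far rather than the full access the process needs.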
will be in -r9
-r9 is now in hardened-dev overlay
r9 is now ~arch in main tree
Stabilized