| Summary: | passwd command fails to edit /etc/passwd on selinux | ||
|---|---|---|---|
| Product: | Gentoo Linux | Reporter: | Sven Vermeulen (RETIRED) <swift> |
| Component: | Hardened | Assignee: | Sven Vermeulen (RETIRED) <swift> |
| Status: | VERIFIED FIXED | ||
| Severity: | normal | CC: | selinux |
| Priority: | Normal | ||
| Version: | unspecified | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | sec-policy r9 | ||
| Package list: | Runtime testing required: | --- | |
will be in -r9 -r9 is now in hardened-dev overlay r9 is now ~arch in main tree Stabilized |
With passwd in recent shadow (4.1.5-r2), changes on /etc/shadow fail: """ ~# passwd -l jboss passwd: failure while writing changes to /etc/shadow """ In the denial logs, the following entries exist: """ Apr 22 14:25:26 testsys kernel: [ 5030.455760] type=1400 audit(1335097526.124:198): avc: denied { search } for pid=17961 comm="passwd" name="selinux" dev="vda1" ino=323 scontext=root:sysadm_r:passwd_t tcontext=system_u:object_r:selinux_config_t tclass=dir Apr 22 14:27:28 testsys kernel: [ 5152.991289] type=1400 audit(1335097648.659:217): avc: denied { search } for pid=18023 comm="passwd" name="contexts" dev="vda1" ino=1850 scontext=root:sysadm_r:passwd_t tcontext=system_u:object_r:default_context_t tclass=dir Apr 22 14:30:20 testsys kernel: [ 5324.353728] type=1400 audit(1335097820.022:252): avc: denied { search } for pid=18060 comm="passwd" name="files" dev="vda1" ino=1859 scontext=root:sysadm_r:passwd_t tcontext=system_u:object_r:file_context_t tclass=dir """ Similar as to the changes for groupadd_t, the following resolves the issues: """ seutil_read_config(passwd_t) seutil_read_file_contexts(passwd_t) Reproducible: Always