Bug 413065 - passwd command fails to edit /etc/passwd on selinux
Summary: passwd command fails to edit /etc/passwd on selinux
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: Hardened
Hardware: All Linux
Importance: Normal normal
Assignee: Sven Vermeulen (RETIRED)
Whiteboard: sec-policy r9
Depends on:
Reported: 2012-04-22 12:33 UTC by Sven Vermeulen (RETIRED)
Modified: 2012-07-30 16:37 UTC (History)

See Also:
Package list:
Runtime testing required: ---


Description Sven Vermeulen (RETIRED) gentoo-dev 2012-04-22 12:33:33 UTC
With passwd in recent shadow (4.1.5-r2), changes on /etc/shadow fail:

~# passwd -l jboss
passwd: failure while writing changes to /etc/shadow

In the denial logs, the following entries exist:
Apr 22 14:25:26 testsys kernel: [ 5030.455760] type=1400 audit(1335097526.124:198): avc:  denied  { search } for  pid=17961 comm="passwd" name="selinux" dev="vda1" ino=323 scontext=root:sysadm_r:passwd_t tcontext=system_u:object_r:selinux_config_t tclass=dir
Apr 22 14:27:28 testsys kernel: [ 5152.991289] type=1400 audit(1335097648.659:217): avc:  denied  { search } for  pid=18023 comm="passwd" name="contexts" dev="vda1" ino=1850 scontext=root:sysadm_r:passwd_t tcontext=system_u:object_r:default_context_t tclass=dir
Apr 22 14:30:20 testsys kernel: [ 5324.353728] type=1400 audit(1335097820.022:252): avc:  denied  { search } for  pid=18060 comm="passwd" name="files" dev="vda1" ino=1859 scontext=root:sysadm_r:passwd_t tcontext=system_u:object_r:file_context_t tclass=dir

Similar to the changes for groupadd_t, the following resolves the issues:


Reproducible: Always
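The policy change that actually closed this bug is not reproduced on the page. As an added example (not code from the bug report or from the Gentoo policy tree), the script below does what a practitioner does first when reading the three AVC lines above: parse them and collapse them into the raw `allow` rules and `require` block an audit2allow-style tool would emit, so the denials can be turned into a loadable module and the fix iterated. The three log lines are embedded verbatim from the report as sample input; the module name `passwd_local` and the function names are this example's own.

```python
import re

# Sample input: the three AVC denials quoted in the bug report, copied verbatim.
AVC_LINES = [
    'Apr 22 14:25:26 testsys kernel: [ 5030.455760] type=1400 audit(1335097526.124:198): avc:  denied  { search } for  pid=17961 comm="passwd" name="selinux" dev="vda1" ino=323 scontext=root:sysadm_r:passwd_t tcontext=system_u:object_r:selinux_config_t tclass=dir',
    'Apr 22 14:27:28 testsys kernel: [ 5152.991289] type=1400 audit(1335097648.659:217): avc:  denied  { search } for  pid=18023 comm="passwd" name="contexts" dev="vda1" ino=1850 scontext=root:sysadm_r:passwd_t tcontext=system_u:object_r:default_context_t tclass=dir',
    'Apr 22 14:30:20 testsys kernel: [ 5324.353728] type=1400 audit(1335097820.022:252): avc:  denied  { search } for  pid=18060 comm="passwd" name="files" dev="vda1" ino=1859 scontext=root:sysadm_r:passwd_t tcontext=system_u:object_r:file_context_t tclass=dir',
]

# "avc:  denied  { perm1 perm2 } for  key=value ..." ; the permission set is in braces.
AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*)')
# key=value pairs after "for"; values are either double-quoted or bare tokens.
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return the security-relevant parts of one AVC denial, or None if not a denial."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    perms = m.group('perms').split()
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group('fields'))}
    # A context is user:role:type[:mls]; the type is always the third component,
    # so this also works on MLS/MCS systems where a fourth field is present.
    stype = fields['scontext'].split(':')[2]
    ttype = fields['tcontext'].split(':')[2]
    return {
        'perms': perms,
        'stype': stype,
        'ttype': ttype,
        'tclass': fields['tclass'],
        'comm': fields.get('comm'),
        'name': fields.get('name'),
    }


def allow_rules(lines):
    """Merge denials per (source type, target type, class) into one allow rule each."""
    merged = {}
    for line in lines:
        d = parse_avc(line)
        if d is None:
            continue
        key = (d['stype'], d['ttype'], d['tclass'])
        merged.setdefault(key, set()).update(d['perms'])
    return [
        f'allow {s} {t}:{c} {{ {" ".join(sorted(perms))} }};'
        for (s, t, c), perms in sorted(merged.items())
    ]


def te_module(name, lines, version='1.0'):
    """Render a minimal raw .te module (as audit2allow -M would) from the denials."""
    types, classes = set(), {}
    for line in lines:
        d = parse_avc(line)
        if d is None:
            continue
        types.update((d['stype'], d['ttype']))
        classes.setdefault(d['tclass'], set()).update(d['perms'])
    out = [f'module {name} {version};', '', 'require {']
    out += [f'\ttype {t};' for t in sorted(types)]
    out += [f'\tclass {c} {{ {" ".join(sorted(p))} }};' for c, p in sorted(classes.items())]
    out += ['}', ''] + allow_rules(lines)
    return '\n'.join(out) + '\n'


if __name__ == '__main__':
    print(te_module('passwd_local', AVC_LINES))
```

Two caveats when using output like this. First, these raw rules are what you would load locally to confirm the diagnosis; in a reference-policy based tree such as Gentoo's, the fix belongs in the passwd domain via the selinuxutil interfaces rather than as bare `allow` lines (the report says the -r9 policy carried the real change, which is not reproduced here). Second, `search` on a directory is only the first step of a path walk: once it is granted, expect follow-up denials for `read`/`getattr` on the context files themselves, so re-run passwd, re-parse the new AVC lines and repeat until the operation succeeds.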
Comment 1 Sven Vermeulen (RETIRED) gentoo-dev 2012-04-22 12:45:57 UTC
will be in -r9
Comment 2 Sven Vermeulen (RETIRED) gentoo-dev 2012-05-15 18:09:37 UTC
-r9 is now in hardened-dev overlay
Comment 3 Sven Vermeulen (RETIRED) gentoo-dev 2012-05-20 18:42:20 UTC
r9 is now ~arch in main tree
Comment 4 Sven Vermeulen (RETIRED) gentoo-dev 2012-07-30 16:37:03 UTC