Bug #44946
type=AVC msg=audit(1585577327.335:6407): avc: denied { getattr } for pid=27388 comm="unix_chkpwd" path="/etc/shadow" dev="sda1" ino=1014 scontext=system_u:system_r:ceph_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file permissive=1
Status:
New
Priority:
High
Assignee:
-
Category:
-
Target version:
-
% Done:
0%
Source:
Q/A
Tags:
Backport:
Regression:
No
Severity:
3 - minor
Reviewed:
Affected Versions:
ceph-qa-suite:
Pull request ID:
Crash signature (v1):
Crash signature (v2):
Description
# sealert -l 09ca7488-446d-4da2-8396-f7ce9a4aaed5
SELinux is preventing /usr/sbin/unix_chkpwd from getattr access on the file /etc/shadow.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that unix_chkpwd should be allowed getattr access on the shadow file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'unix_chkpwd' --raw | audit2allow -M my-unixchkpwd
# semodule -X 300 -i my-unixchkpwd.pp

Additional Information:
Source Context                system_u:system_r:ceph_t:s0
Target Context                system_u:object_r:shadow_t:s0
Target Objects                /etc/shadow [ file ]
Source                        unix_chkpwd
Source Path                   /usr/sbin/unix_chkpwd
Port                          <Unknown>
Host                          smithi203
Source RPM Packages           pam-1.3.1-4.el8.x86_64
Target RPM Packages           setup-2.12.2-2.el8_1.1.noarch
Policy RPM                    selinux-policy-3.14.3-20.el8.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Permissive
Host Name                     smithi203
Platform                      Linux smithi203 4.18.0-147.el8.x86_64 #1 SMP Wed Dec 4 21:51:45 UTC 2019 x86_64 x86_64
Alert Count                   1
First Seen                    2020-04-06 01:37:58 UTC
Last Seen                     2020-04-06 01:37:58 UTC
Local ID                      09ca7488-446d-4da2-8396-f7ce9a4aaed5

Raw Audit Messages
type=AVC msg=audit(1586137078.895:3327): avc: denied { getattr } for pid=18585 comm="unix_chkpwd" path="/etc/shadow" dev="sda1" ino=1146 scontext=system_u:system_r:ceph_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file permissive=1

type=SYSCALL msg=audit(1586137078.895:3327): arch=x86_64 syscall=fstat success=yes exit=0 a0=4 a1=7fff0c613610 a2=7fff0c613610 a3=0 items=0 ppid=18582 pid=18585 auid=4294967295 uid=0 gid=167 euid=0 suid=0 fsuid=0 egid=167 sgid=167 fsgid=167 tty=(none) ses=4294967295 comm=unix_chkpwd exe=/usr/sbin/unix_chkpwd subj=system_u:system_r:ceph_t:s0 key=(null)

Hash: unix_chkpwd,ceph_t,shadow_t,file,getattr

# ausearch -c 'unix_chkpwd' --raw | audit2allow -M my-unixchkpwd && cat my-unixchkpwd.te
******************** IMPORTANT ***********************
To make this policy package active, execute:

semodule -i my-unixchkpwd.pp

module my-unixchkpwd 1.0;

require {
	type chkpwd_exec_t;
	type shadow_t;
	type ceph_t;
	class file { execute execute_no_trans getattr map open read };
}

#============= ceph_t ==============

#!!!! This avc can be allowed using the boolean 'domain_can_mmap_files'
allow ceph_t chkpwd_exec_t:file map;
allow ceph_t chkpwd_exec_t:file { execute execute_no_trans open read };
allow ceph_t shadow_t:file { getattr open read };
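The denials above are the kind of input audit2allow turns into allow rules, and the resulting rule grants the ceph_t domain direct read access to shadow_t, i.e. to /etc/shadow. The following Python script is an added example, not part of this report or of the Ceph project: it parses raw type=AVC records (the two lines quoted in this ticket and in related bug #44941 are embedded as sample input), collapses them into audit2allow-style rules the same way the tool groups by source type, target type and object class, and separately flags any rule whose target type is on a reviewer-defined sensitive list. The SENSITIVE_TYPES set is an assumption for illustration; the list a site uses is a policy decision.

```python
import re
from collections import defaultdict
from dataclasses import dataclass

# Sample input: the two raw AVC records quoted in this ticket (#44946) and in
# the related ticket (#44941).
SAMPLE_LINES = [
    'type=AVC msg=audit(1585577327.335:6407): avc: denied { getattr } for pid=27388 '
    'comm="unix_chkpwd" path="/etc/shadow" dev="sda1" ino=1014 '
    'scontext=system_u:system_r:ceph_t:s0 tcontext=system_u:object_r:shadow_t:s0 '
    'tclass=file permissive=1',
    'type=AVC msg=audit(1585577327.334:6406): avc: denied { open } for pid=27388 '
    'comm="unix_chkpwd" path="/etc/shadow" dev="sda1" ino=1014 '
    'scontext=system_u:system_r:ceph_t:s0 tcontext=system_u:object_r:shadow_t:s0 '
    'tclass=file permissive=1',
]

# Assumption: object types whose read access should be reviewed by a person
# rather than turned into an allow rule automatically. Illustrative only.
SENSITIVE_TYPES = frozenset({"shadow_t"})

# Header of a raw AVC record: timestamp, serial, verdict, permission set, then key=value fields.
AVC_RE = re.compile(
    r'^type=AVC msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\): avc:\s+'
    r'(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)$'
)
# key=value pairs; values may be double-quoted (comm="unix_chkpwd") or bare.
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


@dataclass
class AvcRecord:
    timestamp: float
    serial: int
    result: str
    perms: tuple
    fields: dict

    @property
    def source_type(self) -> str:
        # user:role:type:level -> type
        return self.fields["scontext"].split(":")[2]

    @property
    def target_type(self) -> str:
        return self.fields["tcontext"].split(":")[2]

    @property
    def tclass(self) -> str:
        return self.fields["tclass"]

    @property
    def permissive(self) -> bool:
        # permissive=1 means the access was logged but not actually blocked.
        return self.fields.get("permissive") == "1"


def parse_avc(line: str):
    """Return an AvcRecord for a raw type=AVC line, or None for any other audit record."""
    m = AVC_RE.match(line.strip())
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group("rest"))}
    return AvcRecord(float(m.group("ts")), int(m.group("serial")), m.group("result"),
                     tuple(m.group("perms").split()), fields)


def suggest_rules(records):
    """Collapse records into audit2allow-style allow rules, one per (source, target, class)."""
    perms_by_key = defaultdict(set)
    for r in records:
        perms_by_key[(r.source_type, r.target_type, r.tclass)].update(r.perms)
    rules = []
    for (src, tgt, cls), perms in sorted(perms_by_key.items()):
        body = " ".join(sorted(perms))
        if len(perms) > 1:          # audit2allow braces multi-permission sets only
            body = "{ " + body + " }"
        rules.append(f"allow {src} {tgt}:{cls} {body};")
    return rules


def flag_sensitive(records, sensitive=SENSITIVE_TYPES):
    """Return (source_type, target_type) pairs that touch a sensitive target type."""
    return sorted({(r.source_type, r.target_type)
                   for r in records if r.target_type in sensitive})


if __name__ == "__main__":
    recs = [r for r in map(parse_avc, SAMPLE_LINES) if r is not None]
    for rule in suggest_rules(recs):
        print(rule)
    for src, tgt in flag_sensitive(recs):
        print(f"REVIEW: {src} would gain access to {tgt}")
```

Run against the two sample lines it prints the combined rule `allow ceph_t shadow_t:file { getattr open };` and a REVIEW line for the ceph_t to shadow_t pair, which is the point a policy reviewer would want surfaced before loading a generated module.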
Related issues
History
#1 Updated by Brad Hubbard almost 4 years ago
- Related to Bug #44941: type=AVC msg=audit(1585577327.334:6406): avc: denied { open } for pid=27388 comm="unix_chkpwd" path="/etc/shadow" dev="sda1" ino=1014 scontext=system_u:system_r:ceph_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file permissive=1 added