
Bug #44946

type=AVC msg=audit(1585577327.335:6407): avc: denied { getattr } for pid=27388 comm="unix_chkpwd" path="/etc/shadow" dev="sda1" ino=1014 scontext=system_u:system_r:ceph_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file permissive=1

Added by Brad Hubbard almost 4 years ago.

Status:
New
Priority:
High
Assignee:
-
Category:
-
Target version:
-
% Done:

0%

Source:
Q/A
Tags:
Backport:
Regression:
No
Severity:
3 - minor
Reviewed:
Affected Versions:
ceph-qa-suite:
Pull request ID:
Crash signature (v1):
Crash signature (v2):

Description

http://pulpito.ceph.com/bhubbard-2020-03-30_11:17:25-ceph-ansible-wip-badone-testing-distro-basic-smithi/4906560/

# sealert -l 09ca7488-446d-4da2-8396-f7ce9a4aaed5
SELinux is preventing /usr/sbin/unix_chkpwd from getattr access on the file /etc/shadow.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that unix_chkpwd should be allowed getattr access on the shadow file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'unix_chkpwd' --raw | audit2allow -M my-unixchkpwd
# semodule -X 300 -i my-unixchkpwd.pp

Additional Information:
Source Context                system_u:system_r:ceph_t:s0
Target Context                system_u:object_r:shadow_t:s0
Target Objects                /etc/shadow [ file ]
Source                        unix_chkpwd
Source Path                   /usr/sbin/unix_chkpwd
Port                          <Unknown>
Host                          smithi203
Source RPM Packages           pam-1.3.1-4.el8.x86_64
Target RPM Packages           setup-2.12.2-2.el8_1.1.noarch
Policy RPM                    selinux-policy-3.14.3-20.el8.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Permissive
Host Name                     smithi203
Platform                      Linux smithi203 4.18.0-147.el8.x86_64 #1 SMP Wed
                              Dec 4 21:51:45 UTC 2019 x86_64 x86_64
Alert Count                   1
First Seen                    2020-04-06 01:37:58 UTC
Last Seen                     2020-04-06 01:37:58 UTC
Local ID                      09ca7488-446d-4da2-8396-f7ce9a4aaed5

Raw Audit Messages
type=AVC msg=audit(1586137078.895:3327): avc:  denied  { getattr } for  pid=18585 comm="unix_chkpwd" path="/etc/shadow" dev="sda1" ino=1146 scontext=system_u:system_r:ceph_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file permissive=1

type=SYSCALL msg=audit(1586137078.895:3327): arch=x86_64 syscall=fstat success=yes exit=0 a0=4 a1=7fff0c613610 a2=7fff0c613610 a3=0 items=0 ppid=18582 pid=18585 auid=4294967295 uid=0 gid=167 euid=0 suid=0 fsuid=0 egid=167 sgid=167 fsgid=167 tty=(none) ses=4294967295 comm=unix_chkpwd exe=/usr/sbin/unix_chkpwd subj=system_u:system_r:ceph_t:s0 key=(null)

Hash: unix_chkpwd,ceph_t,shadow_t,file,getattr

# ausearch -c 'unix_chkpwd' --raw | audit2allow -M my-unixchkpwd && cat my-unixchkpwd.te
******************** IMPORTANT ***********************
To make this policy package active, execute:

semodule -i my-unixchkpwd.pp

module my-unixchkpwd 1.0;

require {
        type chkpwd_exec_t;
        type shadow_t;
        type ceph_t;
        class file { execute execute_no_trans getattr map open read };
}

#============= ceph_t ==============

#!!!! This avc can be allowed using the boolean 'domain_can_mmap_files'
allow ceph_t chkpwd_exec_t:file map;
allow ceph_t chkpwd_exec_t:file { execute execute_no_trans open read };
allow ceph_t shadow_t:file { getattr open read };
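The audit2allow output above is worth reading before it is loaded: the last rule grants the whole ceph_t domain getattr/open/read on shadow_t, i.e. on /etc/shadow, because unix_chkpwd was executed from ceph_t without the usual domain transition into chkpwd_t (in refpolicy that transition is provided by the auth_domtrans_chk_passwd interface, which is the standard-policy alternative to a direct allow). The following Python script is an added example, not part of this report or of the Ceph project; it parses AVC records the way audit2allow groups them and flags generated rules whose target type is on a watchlist. The two sample records are copies of the AVC lines quoted in this report, and the watchlist SENSITIVE_TARGET_TYPES is a constructed assumption for the example.

```python
"""Triage SELinux AVC denials: group them into audit2allow-style rules and
flag any rule whose target type is a sensitive credential store.

Added example. Sample records are copies of the AVC lines from the bug
report; the watchlist is a constructed assumption, not shipped policy."""
import re
from collections import defaultdict

# Sample input: the two AVC records quoted in the report (constructed copy).
SAMPLE_AVC_LINES = [
    'type=AVC msg=audit(1586137078.895:3327): avc:  denied  { getattr } for  '
    'pid=18585 comm="unix_chkpwd" path="/etc/shadow" dev="sda1" ino=1146 '
    'scontext=system_u:system_r:ceph_t:s0 tcontext=system_u:object_r:shadow_t:s0 '
    'tclass=file permissive=1',
    'type=AVC msg=audit(1585577327.334:6406): avc: denied { open } for '
    'pid=27388 comm="unix_chkpwd" path="/etc/shadow" dev="sda1" ino=1014 '
    'scontext=system_u:system_r:ceph_t:s0 tcontext=system_u:object_r:shadow_t:s0 '
    'tclass=file permissive=1',
]

# Target types for which a generated allow rule needs human review
# (constructed watchlist for this example).
SENSITIVE_TARGET_TYPES = {"shadow_t"}

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)$")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def selinux_type(context):
    """Return the type field of a user:role:type:level security context."""
    parts = context.split(":")
    if len(parts) < 3:
        raise ValueError(f"malformed SELinux context: {context!r}")
    return parts[2]


def parse_avc(line):
    """Parse one AVC denial record; return None for any other audit record."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group("rest"))}
    return {
        "perms": set(m.group("perms").split()),
        "comm": fields.get("comm"),
        "path": fields.get("path"),
        "scontext": fields["scontext"],
        "tcontext": fields["tcontext"],
        "tclass": fields["tclass"],
        "permissive": fields.get("permissive") == "1",
    }


def group_rules(records):
    """Collapse records into (source type, target type, class) -> permissions,
    which is how audit2allow builds its allow rules."""
    rules = defaultdict(set)
    for r in records:
        key = (selinux_type(r["scontext"]), selinux_type(r["tcontext"]), r["tclass"])
        rules[key] |= r["perms"]
    return dict(rules)


def format_rule(key, perms):
    """Render one grouped rule in .te syntax."""
    src, tgt, cls = key
    return f"allow {src} {tgt}:{cls} {{ {' '.join(sorted(perms))} }};"


def review(lines):
    """Return (grouped rules, findings) for a batch of raw audit lines.
    A finding is produced for every rule that targets a watchlisted type."""
    records = [r for r in map(parse_avc, lines) if r is not None]
    rules = group_rules(records)
    findings = []
    for key, perms in rules.items():
        src, tgt, _cls = key
        if tgt not in SENSITIVE_TARGET_TYPES:
            continue
        comms = sorted({r["comm"] for r in records
                        if selinux_type(r["scontext"]) == src
                        and selinux_type(r["tcontext"]) == tgt})
        findings.append(
            f"{format_rule(key, perms)}  # grants every process in {src} "
            f"{' '.join(sorted(perms))} on {tgt}; raised by {', '.join(comms)} "
            f"running inside {src} (no domain transition occurred)"
        )
    return rules, findings


if __name__ == "__main__":
    grouped, flagged = review(SAMPLE_AVC_LINES)
    for key, perms in grouped.items():
        print(format_rule(key, perms))
    for f in flagged:
        print("REVIEW:", f)
```

Feed it `ausearch -m AVC --raw` output instead of the sample list to triage a live host; anything printed under REVIEW is a rule to send back to the policy owner rather than load with semodule.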

Related issues

Related to Ceph - Bug #44941: type=AVC msg=audit(1585577327.334:6406): avc: denied { open } for pid=27388 comm="unix_chkpwd" path="/etc/shadow" dev="sda1" ino=1014 scontext=system_u:system_r:ceph_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file permissive=1 New

History

#1 Updated by Brad Hubbard almost 4 years ago

  • Related to Bug #44941: type=AVC msg=audit(1585577327.334:6406): avc: denied { open } for pid=27388 comm="unix_chkpwd" path="/etc/shadow" dev="sda1" ino=1014 scontext=system_u:system_r:ceph_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file permissive=1 added
