View Issue Details

IDProjectCategoryView StatusLast Update
0013755CentOS-7selinux-policypublic2017-11-09 10:03
PrioritynormalSeverityminorReproducibilityhave not tried
Status newResolutionopen 
PlatformOSOS Version7
Product Version 
Target VersionFixed in Version 
Summary0013755: SELinux is preventing /usr/sbin/unix_chkpwd from using the 'dac_read_search' capabilities.
DescriptionDescription of problem:
SELinux is preventing /usr/sbin/unix_chkpwd from using the 'dac_read_search' capabilities.

***** Plugin dac_override (91.4 confidence) suggests **********************

If you want to help identify if domain needs this access or you have a file with the wrong permissions on your system
Then turn on full auditing to get path information about the offending file and generate the error again.

Turn on full auditing
# auditctl -w /etc/shadow -p w
Try to recreate AVC. Then execute
# ausearch -m avc -ts recent
If you see PATH record check ownership/permissions on file, and fix it,
otherwise report as a bugzilla.

***** Plugin catchall (9.59 confidence) suggests **************************

If you believe that unix_chkpwd should have the dac_read_search capability by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
allow this access for now by executing:
# ausearch -c 'unix_chkpwd' --raw | audit2allow -M my-unixchkpwd
# semodule -i my-unixchkpwd.pp

Additional Information:
Source Context system_u:system_r:chkpwd_t:s0-s0:c0.c1023
Target Context system_u:system_r:chkpwd_t:s0-s0:c0.c1023
Target Objects Unknown [ capability ]
Source unix_chkpwd
Source Path /usr/sbin/unix_chkpwd
Port <Unknown>
Host (removed)
Source RPM Packages pam-1.1.8-18.el7.x86_64
Target RPM Packages
Policy RPM selinux-policy-3.13.1-102.el7_3.16.noarch
Selinux Enabled True
Policy Type targeted
Enforcing Mode Enforcing
Host Name (removed)
Platform Linux (removed) 4.12.10-1.el7.elrepo.x86_64 #1 SMP
                              Wed Aug 30 13:00:07 EDT 2017 x86_64 x86_64
Alert Count 6
First Seen 2017-08-31 18:34:51 EDT
Last Seen 2017-08-31 18:50:01 EDT
Local ID 7bf9339b-fa88-4fa2-826b-aa3e8a37f365

Raw Audit Messages
type=AVC msg=audit(1504219801.671:340): avc: denied { dac_read_search } for pid=16188 comm="unix_chkpwd" capability=2 scontext=system_u:system_r:chkpwd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:chkpwd_t:s0-s0:c0.c1023 tclass=capability permissive=0

type=SYSCALL msg=audit(1504219801.671:340): arch=x86_64 syscall=open success=yes exit=ESRCH a0=7f1a7889c453 a1=80000 a2=1b6 a3=24 items=0 ppid=16187 pid=16188 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=unix_chkpwd exe=/usr/sbin/unix_chkpwd subj=system_u:system_r:chkpwd_t:s0-s0:c0.c1023 key=(null)

Hash: unix_chkpwd,chkpwd_t,chkpwd_t,capability,dac_read_search

Version-Release number of selected component:
Additional Informationreporter: libreport-
hashmarkername: setroubleshoot
kernel: 4.12.10-1.el7.elrepo.x86_64
reproducible: Not sure how to reproduce the problem
type: libreport
TagsNo tags attached.




2017-11-09 10:03

reporter   ~0030547

Another user experienced a similar problem:

default policy is clearly not complete or aligned with packages installed, tools are cumbersome to work with if performing this as an occassional task

reporter: libreport-
hashmarkername: setroubleshoot
kernel: 4.13.10-1.el7.elrepo.x86_64
package: selinux-policy-3.13.1-166.el7_4.5.noarch
reason: SELinux is preventing unix_chkpwd from using the 'dac_read_search' capabilities.
reproducible: Not sure how to reproduce the problem
type: libreport

Issue History

Date Modified Username Field Change
2017-08-31 22:55 cryptoaddict1 New Issue
2017-11-09 10:03 JLambrecht Note Added: 0030547