2017-12-11 13:13 UTC

ID: 0013755
Project: CentOS-7
Category: selinux-policy
View Status: public
Last Update: 2017-11-09 10:03
Reporter: cryptoaddict1
Priority: normal
Severity: minor
Reproducibility: have not tried
Status: new
Resolution: open
Platform: (not set)
OS: (not set)
OS Version: 7
Product Version: (not set)
Target Version: (not set)
Fixed in Version: (not set)
Summary: 0013755: SELinux is preventing /usr/sbin/unix_chkpwd from using the 'dac_read_search' capabilities.

Description:
Description of problem:
SELinux is preventing /usr/sbin/unix_chkpwd from using the 'dac_read_search' capabilities.

***** Plugin dac_override (91.4 confidence) suggests **********************

If you want to help identify if domain needs this access or you have a file with the wrong permissions on your system
Then turn on full auditing to get path information about the offending file and generate the error again.
Do

Turn on full auditing
# auditctl -w /etc/shadow -p w
Try to recreate AVC. Then execute
# ausearch -m avc -ts recent
If you see PATH record check ownership/permissions on file, and fix it,
otherwise report as a bugzilla.

***** Plugin catchall (9.59 confidence) suggests **************************

If you believe that unix_chkpwd should have the dac_read_search capability by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'unix_chkpwd' --raw | audit2allow -M my-unixchkpwd
# semodule -i my-unixchkpwd.pp

Additional Information:
Source Context system_u:system_r:chkpwd_t:s0-s0:c0.c1023
Target Context system_u:system_r:chkpwd_t:s0-s0:c0.c1023
Target Objects Unknown [ capability ]
Source unix_chkpwd
Source Path /usr/sbin/unix_chkpwd
Port <Unknown>
Host (removed)
Source RPM Packages pam-1.1.8-18.el7.x86_64
Target RPM Packages
Policy RPM selinux-policy-3.13.1-102.el7_3.16.noarch
Selinux Enabled True
Policy Type targeted
Enforcing Mode Enforcing
Host Name (removed)
Platform Linux (removed) 4.12.10-1.el7.elrepo.x86_64 #1 SMP Wed Aug 30 13:00:07 EDT 2017 x86_64 x86_64
Alert Count 6
First Seen 2017-08-31 18:34:51 EDT
Last Seen 2017-08-31 18:50:01 EDT
Local ID 7bf9339b-fa88-4fa2-826b-aa3e8a37f365

Raw Audit Messages
type=AVC msg=audit(1504219801.671:340): avc: denied { dac_read_search } for pid=16188 comm="unix_chkpwd" capability=2 scontext=system_u:system_r:chkpwd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:chkpwd_t:s0-s0:c0.c1023 tclass=capability permissive=0


type=SYSCALL msg=audit(1504219801.671:340): arch=x86_64 syscall=open success=yes exit=ESRCH a0=7f1a7889c453 a1=80000 a2=1b6 a3=24 items=0 ppid=16187 pid=16188 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=unix_chkpwd exe=/usr/sbin/unix_chkpwd subj=system_u:system_r:chkpwd_t:s0-s0:c0.c1023 key=(null)

Hash: unix_chkpwd,chkpwd_t,chkpwd_t,capability,dac_read_search

Version-Release number of selected component:
selinux-policy-3.13.1-102.el7_3.16.noarch
Additional Information:
reporter: libreport-2.1.11.1
hashmarkername: setroubleshoot
kernel: 4.12.10-1.el7.elrepo.x86_64
reproducible: Not sure how to reproduce the problem
type: libreport
Tags: No tags attached.
abrt_hash: 6273a4068d4a412edf218f10c67e55f54ea074edf5acc8e0c9ce29d3e03e8f4b
URL: (none)
Attached Files: (none)
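The dac_override plugin's procedure in the description above (watch the file, reproduce, look for a PATH record, fix ownership/permissions if there is one, otherwise report it) and the two raw audit records, taken together as an added worked example. This is not code from the report, from setroubleshoot or from the selinux-policy project: a small Python triage script that groups records by event id the way ausearch does, names the capability number, decodes the open(2) flags, and picks the plugin branch. Event 340 is the report's own AVC and SYSCALL pair; event 341 and its PATH record are constructed to exercise the other branch, and the function names, the CAP_NAMES subset and the verdict strings are this example's own. Two details in the report's records that the script surfaces: the SYSCALL line says success=yes, so the open completed even though the AVC was logged with permissive=0, and a1=80000 decodes to O_RDONLY|O_CLOEXEC, a read-only open (a0 is only the pointer to the pathname; without a PATH record the path appears nowhere). A write watch such as the plugin's auditctl -w /etc/shadow -p w records write accesses, so for a read-only open the watch needs -p r to produce the PATH record the procedure depends on.

```python
import re
from collections import defaultdict

# Constructed sample: event 340 is this report's AVC + SYSCALL pair, verbatim
# (items=0, so no PATH record); event 341 is made up to show the same denial
# once a file watch has produced a PATH record (pid/inode/dev illustrative).
SAMPLE_RECORDS = """\
type=AVC msg=audit(1504219801.671:340): avc: denied { dac_read_search } for pid=16188 comm="unix_chkpwd" capability=2 scontext=system_u:system_r:chkpwd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:chkpwd_t:s0-s0:c0.c1023 tclass=capability permissive=0
type=SYSCALL msg=audit(1504219801.671:340): arch=x86_64 syscall=open success=yes exit=ESRCH a0=7f1a7889c453 a1=80000 a2=1b6 a3=24 items=0 ppid=16187 pid=16188 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=unix_chkpwd exe=/usr/sbin/unix_chkpwd subj=system_u:system_r:chkpwd_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1504219900.000:341): avc: denied { dac_read_search } for pid=16200 comm="unix_chkpwd" capability=2 scontext=system_u:system_r:chkpwd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:chkpwd_t:s0-s0:c0.c1023 tclass=capability permissive=0
type=SYSCALL msg=audit(1504219900.000:341): arch=x86_64 syscall=open success=yes exit=3 a0=7f1a7889c453 a1=80000 a2=1b6 a3=24 items=1 ppid=16199 pid=16200 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=unix_chkpwd exe=/usr/sbin/unix_chkpwd subj=system_u:system_r:chkpwd_t:s0-s0:c0.c1023 key=(null)
type=PATH msg=audit(1504219900.000:341): item=0 name="/etc/shadow" inode=1234 dev=fd:00 mode=0100000 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:shadow_t:s0 nametype=NORMAL
"""

# Linux capability numbers (include/uapi/linux/capability.h), low ones only.
CAP_NAMES = {0: "CAP_CHOWN", 1: "CAP_DAC_OVERRIDE", 2: "CAP_DAC_READ_SEARCH",
             3: "CAP_FOWNER", 4: "CAP_FSETID", 5: "CAP_KILL", 6: "CAP_SETGID",
             7: "CAP_SETUID", 21: "CAP_SYS_ADMIN"}
# open(2) flag bits on x86_64 (asm-generic/fcntl.h); audit logs a1 in hex.
ACCESS_MODES = {0: "O_RDONLY", 1: "O_WRONLY", 2: "O_RDWR"}
OPEN_FLAGS = {0o100: "O_CREAT", 0o200: "O_EXCL", 0o400: "O_NOCTTY",
              0o1000: "O_TRUNC", 0o2000: "O_APPEND", 0o4000: "O_NONBLOCK",
              0o200000: "O_DIRECTORY", 0o400000: "O_NOFOLLOW",
              0o2000000: "O_CLOEXEC"}

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
MSG_RE = re.compile(r'msg=audit\((\d+\.\d+):(\d+)\)')
PERMS_RE = re.compile(r'\{ ([^}]*) \}')


def parse_record(line):
    """One raw audit line -> dict of its key=value fields plus event id."""
    rec = {k: v.strip('"') for k, v in KV_RE.findall(line)}
    m = MSG_RE.search(line)
    rec["event_id"] = f"{m.group(1)}:{m.group(2)}" if m else None
    p = PERMS_RE.search(line)           # the "{ perm ... }" set of an AVC line
    rec["perms"] = p.group(1).split() if p else []
    return rec


def group_events(text):
    """Group records by event id (timestamp:serial), as ausearch does."""
    events = defaultdict(list)
    for line in filter(str.strip, text.splitlines()):
        rec = parse_record(line)
        events[rec["event_id"]].append(rec)
    return dict(events)


def decode_open_flags(hexflags):
    """Decode open(2)'s hex flags argument into symbolic names."""
    flags = int(hexflags, 16)
    names = [ACCESS_MODES[flags & 0o3]]
    names += [n for bit, n in sorted(OPEN_FLAGS.items()) if flags & bit]
    return "|".join(names)


def triage(records):
    """Apply the dac_override plugin's decision from the report to one event."""
    avc = next(r for r in records if r["type"] == "AVC")
    sc = next((r for r in records if r["type"] == "SYSCALL"), None)
    v = {"domain": avc["scontext"].split(":")[2], "tclass": avc["tclass"],
         "perms": avc["perms"], "enforcing": avc.get("permissive") == "0",
         "self_check": avc["scontext"] == avc["tcontext"]}
    if avc["tclass"] == "capability":
        n = int(avc["capability"])
        v["capability"] = CAP_NAMES.get(n, f"capability {n}")
    if sc:
        v["syscall"] = sc["syscall"]
        v["syscall_succeeded"] = sc["success"] == "yes"   # success=yes here
        v["running_as_root"] = sc["euid"] == "0"
        if sc["syscall"] in ("open", "openat"):           # flags are a1 / a2
            v["open_flags"] = decode_open_flags(sc["a1" if sc["syscall"] == "open" else "a2"])
    # A PATH record names the file whose DAC bits triggered the capability
    # probe: that is the plugin's "check ownership/permissions" branch.
    v["files"] = [{"path": p["name"], "owner": f"{p['ouid']}:{p['ogid']}",
                   "mode": f"{int(p['mode'], 8) & 0o7777:04o}", "label": p.get("obj")}
                  for p in records if p["type"] == "PATH" and "name" in p]
    if v["files"]:
        v["next_step"] = ("PATH record present: check ownership/permissions on "
                          + ", ".join(f["path"] for f in v["files"]))
    elif v.get("open_flags", "").startswith("O_RDONLY"):
        v["next_step"] = ("no PATH record and the open is read-only, so a write "
                          "watch (-p w) will not log it: use auditctl -w <file> -p r "
                          "and reproduce")
    else:
        v["next_step"] = "no PATH record: watch the suspected file and reproduce"
    return v


def triage_all(text=SAMPLE_RECORDS):
    """Triage every event in a raw ausearch dump; keyed by event id."""
    return {eid: triage(recs) for eid, recs in group_events(text).items()}


if __name__ == "__main__":
    for eid, verdict in triage_all().items():
        print(eid, verdict)
```

Run it as a script to print both verdicts, or pass the output of ausearch -m avc -ts recent --raw to triage_all() on a live system. The verdict for the report's own event is the "no PATH record, read-only open" branch, which is why the plugin's write watch alone would not have moved the investigation forward.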


Notes

~0030547 JLambrecht (reporter)

Another user experienced a similar problem:

default policy is clearly not complete or aligned with packages installed, tools are cumbersome to work with if performing this as an occasional task

reporter: libreport-2.1.11.1
hashmarkername: setroubleshoot
kernel: 4.13.10-1.el7.elrepo.x86_64
package: selinux-policy-3.13.1-166.el7_4.5.noarch
reason: SELinux is preventing unix_chkpwd from using the 'dac_read_search' capabilities.
reproducible: Not sure how to reproduce the problem
type: libreport

Issue History
Date Modified       Username        Field         Change
2017-08-31 22:55    cryptoaddict1   New Issue
2017-11-09 10:03    JLambrecht      Note Added    0030547