Hi everyone,

I'm running selinux-policy-strict 2.4.6-279.el5_5.1 (Red Hat), and I get a denial when a user logs on (via SSH) with an expired password. The procedure for getting the new password goes fine, but the update of shadow fails and the login is refused. The audit messages are the following:

type=USER_AUTH msg=audit(1282326913.918:472): user pid=14136 uid=0 auid=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='PAM: authentication acct="testupgrader" : exe="/usr/sbin/sshd" (hostname=xx.xx.xx.xx, addr=xx.xx.xx.xx, terminal=ssh res=failed)'

type=USER_LOGIN msg=audit(1282326913.918:473): user pid=14136 uid=0 auid=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='acct="testupgrader": exe="/usr/sbin/sshd" (hostname=?, addr=xx.xx.xx.xx, terminal=sshd res=failed)'

type=USER_AUTH msg=audit(1282326917.387:474): user pid=14136 uid=0 auid=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='PAM: authentication acct="testupgrader" : exe="/usr/sbin/sshd" (hostname=xx.xx.xx.xx, addr=xx.xx.xx.xx, terminal=ssh res=success)'

type=USER_ACCT msg=audit(1282326917.388:475): user pid=14136 uid=0 auid=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='PAM: accounting acct="testupgrader" : exe="/usr/sbin/sshd" (hostname=xx.xx.xx.xx, addr=xx.xx.xx.xx, terminal=ssh res=failed)'

type=CRED_ACQ msg=audit(1282326917.393:476): user pid=14136 uid=0 auid=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='PAM: setcred acct="testupgrader" : exe="/usr/sbin/sshd" (hostname=xx.xx.xx.xx, addr=xx.xx.xx.xx, terminal=ssh res=success)'

type=LOGIN msg=audit(1282326917.393:477): login pid=14136 uid=0 old auid=4294967295 new auid=508 old ses=4294967295 new ses=26

type=USER_START msg=audit(1282326917.393:478): user pid=14136 uid=0 auid=508 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='PAM: session open acct="testupgrader" : exe="/usr/sbin/sshd" (hostname=xx.xx.xx.xx, addr=xx.xx.xx.xx, terminal=ssh res=success)'

type=CRED_REFR msg=audit(1282326917.394:479): user pid=14138 uid=0 auid=508 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='PAM: setcred acct="testupgrader" : exe="/usr/sbin/sshd" (hostname=xx.xx.xx.xx, addr=xx.xx.xx.xx, terminal=ssh res=success)'

type=USER_LOGIN msg=audit(1282326917.397:480): user pid=14136 uid=0 auid=508 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='uid=508: exe="/usr/sbin/sshd" (hostname=xx.xx.xx.xx, addr=xx.xx.xx.xx, terminal=/dev/pts/7 res=success)'

type=AVC msg=audit(1282326929.157:481): avc:  denied  { create } for  pid=14139 comm="passwd" name="nshadow" scontext=e2ee_upgrader_u:e2ee_upgrader_r:e2ee_upgrader_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file

type=SYSCALL msg=audit(1282326929.157:481): arch=c000003e syscall=2 success=no exit=-13 a0=2ad97d295a33 a1=241 a2=1b6 a3=241 items=0 ppid=14138 pid=14139 auid=508 uid=508 gid=508 euid=0 suid=0 fsuid=0 egid=508 sgid=508 fsgid=508 tty=pts7 ses=26 comm="passwd" exe="/usr/bin/passwd" subj=e2ee_upgrader_u:e2ee_upgrader_r:e2ee_upgrader_t:s0 key=(null)

type=USER_CHAUTHTOK msg=audit(1282326931.330:482): user pid=14139 uid=508 auid=508 subj=e2ee_upgrader_u:e2ee_upgrader_r:e2ee_upgrader_t:s0 msg='PAM: chauthtok acct="testupgrader" : exe="/usr/bin/passwd" (hostname=?, addr=?, terminal=pts/7 res=failed)'

type=USER_CHAUTHTOK msg=audit(1282326931.330:483): user pid=14139 uid=508 auid=508 subj=e2ee_upgrader_u:e2ee_upgrader_r:e2ee_upgrader_t:s0 msg='op=change password id=508 exe="/usr/bin/passwd" (hostname=?, addr=?, terminal=pts/7 res=failed)'

type=CRED_DISP msg=audit(1282326931.332:484): user pid=14136 uid=0 auid=508 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='PAM: setcred acct="testupgrader" : exe="/usr/sbin/sshd" (hostname=xx.xx.xx.xx, addr=xx.xx.xx.xx, terminal=ssh res=success)'

type=USER_END msg=audit(1282326931.332:485): user pid=14136 uid=0 auid=508 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='PAM: session close acct="testupgrader" : exe="/usr/sbin/sshd" (hostname=xx.xx.xx.xx, addr=xx.xx.xx.xx, terminal=ssh res=success)'

audit2allow suggests adding auth_manage_shadow(e2ee_upgrader_t) to the local policy, but that doesn't change anything. Neither does adding allow e2ee_upgrader_t shadow_t:file { create }.

What is really strange is that the very same user (after its password has been changed by root) can run passwd and set its password without any problem.

Any idea?

Thanks in advance for any suggestion,

Patrice.
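As an added example (not from Patrice's post and not a Red Hat tool), here is a small Python script that joins each AVC record with the SYSCALL record of the same audit event (they share the serial after the ':' in msg=audit(...)) and derives the allow rule from the denial, the way audit2allow does from a single AVC. Run over the records above it puts the relevant facts side by side: /usr/bin/passwd ran with euid=0 but its subject domain is still e2ee_upgrader_t, so the proposed rule targets the user domain itself. The sample log is constructed from the post's lines.

```python
import re
from collections import defaultdict

# Constructed sample: event 481 from the post (AVC + SYSCALL) plus one unrelated record.
SAMPLE_LOG = """\
type=USER_LOGIN msg=audit(1282326917.397:480): user pid=14136 uid=0 auid=508 msg='uid=508: exe="/usr/sbin/sshd" (terminal=/dev/pts/7 res=success)'
type=AVC msg=audit(1282326929.157:481): avc:  denied  { create } for  pid=14139 comm="passwd" name="nshadow" scontext=e2ee_upgrader_u:e2ee_upgrader_r:e2ee_upgrader_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file
type=SYSCALL msg=audit(1282326929.157:481): arch=c000003e syscall=2 success=no exit=-13 items=0 ppid=14138 pid=14139 auid=508 uid=508 gid=508 euid=0 suid=0 fsuid=0 tty=pts7 ses=26 comm="passwd" exe="/usr/bin/passwd" subj=e2ee_upgrader_u:e2ee_upgrader_r:e2ee_upgrader_t:s0 key=(null)
"""

HEADER_RE = re.compile(r'^type=(\w+) msg=audit\((\d+\.\d+):(\d+)\): (.*)$')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
AVC_RE = re.compile(r'avc:\s+(denied|granted)\s+\{ ([^}]+) \}')

def parse_records(text):
    """Group the key=value fields of each record by audit serial (the number after the ':')."""
    events = defaultdict(dict)
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if not m:
            continue
        rtype, _ts, serial, body = m.groups()
        fields = {k: v.strip('"') for k, v in KV_RE.findall(body)}
        if rtype == 'AVC':
            a = AVC_RE.search(body)
            fields['result'], fields['perms'] = a.group(1), a.group(2).split()
        events[int(serial)][rtype] = fields
    return events

def denials(events):
    """One summary per AVC denial, joined with the SYSCALL record of the same event."""
    out = []
    for serial, recs in sorted(events.items()):
        avc = recs.get('AVC')
        if not avc or avc.get('result') != 'denied':
            continue
        sc = recs.get('SYSCALL', {})
        sdom = avc['scontext'].split(':')[2]   # type field of the source context
        ttype = avc['tcontext'].split(':')[2]  # type field of the target context
        out.append({
            'serial': serial, 'comm': avc.get('comm'), 'name': avc.get('name'),
            'exe': sc.get('exe'), 'uid': sc.get('uid'), 'euid': sc.get('euid'),
            'exit': sc.get('exit'),
            # the allow rule audit2allow would derive from this single denial
            'rule': f"allow {sdom} {ttype}:{avc['tclass']} {{ {' '.join(avc['perms'])} }};",
        })
    return out
```

Call denials(parse_records(SAMPLE_LOG)) to get the one denial of event 481 with its rule string; feeding it the output of `ausearch -m AVC,SYSCALL` works the same way.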