Error setting user password after package layering with rpm-ostree

[mike-nguyen]

I am getting "Authentication token manipulation error" when changing user's password after using rpm-ostree package layering (I was able to change it before package layering) on Fedora Atomic Host Continuous. The logs point to an selinux issue. If I setenforce 0, I am able to change the password. This might be related to e8efd1c

#  echo $pw | passwd atomic-user-2014 --stdin
Changing password for user atomic-user-2014.
passwd: Authentication token manipulation error
# setenforce 0
# echo $pw | passwd atomic-user-2014 --stdin
Changing password for user atomic-user-2014.
passwd: all authentication tokens updated successfully.

# rpm-ostree status
State: idle
Deployments:
● custom:fahc/25/x86_64/buildmaster
             Version: 25.175 (2017-04-25 17:27:37)
          BaseCommit: 0f9110627862710a40b2c701ee1a829dfadf7e62b3793bd3c9c2e1054f339622
     LayeredPackages: wget

  custom:fahc/25/x86_64/buildmaster
             Version: 25.175 (2017-04-25 17:27:37)
              Commit: 0f9110627862710a40b2c701ee1a829dfadf7e62b3793bd3c9c2e1054f339622

# rpm -q ostree
ostree-2017.4.20-e8efd1c8dcaad8fbd3b05c400972d237406263e7.d8b864b502c5853efda6e8f7d1b0ebff84b581a3.fc25.x86_64

Journal during error:

Apr 26 14:16:57 fedora.localdomain audit[2057]: AVC avc:  denied  { write } for  pid=2057 comm="passwd" name="etc" dev="dm-0" ino=16873451 scontext=unconfined_u:unconfined_r:passwd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:root_t:s0 tclass=dir permissive=0
Apr 26 14:16:57 fedora.localdomain audit[2057]: SYSCALL arch=c000003e syscall=2 success=no exit=-13 a0=7f0908ff8693 a1=241 a2=1b6 a3=1 items=0 ppid=2035 pid=2057 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=7 comm="passwd" exe="/usr/bin/passwd" subj=unconfined_u:unconfined_r:passwd_t:s0-s0:c0.c1023 key=(null)
Apr 26 14:16:57 fedora.localdomain audit: PROCTITLE proctitle=7061737377640061746F6D69632D757365722D32303134002D2D737464696E
Apr 26 14:16:57 fedora.localdomain audit[2057]: USER_CHAUTHTOK pid=2057 uid=0 auid=1000 ses=7 subj=unconfined_u:unconfined_r:passwd_t:s0-s0:c0.c1023 msg='op=PAM:chauthtok grantors=? acct="atomic-user-2014" exe="/usr/bin/passwd" hostname=fedora.localdomain addr=? terminal=pts/1 res=failed'
Apr 26 14:17:00 fedora.localdomain audit[2057]: USER_CHAUTHTOK pid=2057 uid=0 auid=1000 ses=7 subj=unconfined_u:unconfined_r:passwd_t:s0-s0:c0.c1023 msg='op=change password id=2014 exe="/usr/bin/passwd" hostname=fedora.localdomain addr=? terminal=pts/1 res=failed'

Test Run Log: log

[cgwalters]

Yep, very likely to be a regression from e8efd1c indeed. Will look.

[dustymabe]

wow, great test and investigation

[mike-nguyen]

@miabbott tracked down the commit based on the info I found. He is a 🕵️‍♂️

[cgwalters]

The root cause here (so to speak) is that a lot of files and directories are labeled root_t instead of etc_t.

Still debugging this; it's pretty interesting that doing:

ostree admin deploy fahc:fahc/25/x86_64/buildmaster

doesn't trigger the behavior, but it should be the same code path via rpm-ostree layering.

[cgwalters]

Somehow, is_selinux_enabled() is returning 0 on the second sepolicy initialization for rpm-ostree. We do a first initialization for package layering. Possibly related to setting the root twice?

[cgwalters]

PR in #815

[mike-nguyen]

The tests are passing again on Fedora Atomic Host Continuous. Awesome work @cgwalters!