I combined the detailed instructions from the original blog post and the more up-to-date instructions from the man page (using dnf instead of yum).

# sudo dnf -y --releasever=24 --installroot=$HOME/fedora-24 --disablerepo='*' --enablerepo=fedora --enablerepo=updates install systemd passwd dnf fedora-release vim-minimal

# sudo systemd-nspawn -D fedora-24
Spawning container fedora-24 on /home/alan-sysop/fedora-24
Press ^] three times within 1s to kill container.
-bash-4.3# passwd
Changing password for user root.
New password:
Retype new password:

Result:

passwd: Authentication token manipulation error

and an AVC popup, i.e. SELinux error. It says passwd is not allowed to unlink (replace) /etc/passwd. One of the suggestions from the "Troubleshoot" button is that I could assign the label passwd_file_t to /etc/passwd.

What's wrong, how can I fix it?

sourcejedi

2 Answers

For some reason, dnf didn't set the "right" SELinux label on /etc/passwd. But it did set a label on /bin/passwd. That mismatch is what causes the problem. Further explanations welcomed :).

$ ls -Z fedora-24/etc/passwd
unconfined_u:object_r:etc_t:s0 fedora-24/etc/passwd
$ ls -Z /etc/passwd
system_u:object_r:passwd_file_t:s0 /etc/passwd

$ ls -Z fedora-24/bin/passwd
system_u:object_r:passwd_exec_t:s0 fedora-24/bin/passwd
$ ls -Z /usr/bin/passwd
system_u:object_r:passwd_exec_t:s0 /usr/bin/passwd

Attempting to run restorecon -Rv / inside the container does nothing. IIRC libselinux detects when it's run in a container, and will not do anything.

Solution

We need to run from outside the container:

restorecon -Rv fedora-24/

It makes sure all the SELinux labels are reset. (To the value expected by the container host, i.e. unlabelled). Then we can set the root password successfully.

sourcejedi

Comment: Testing Fedora 23 (host) looks very similar. In the process, I noticed `etc/passwd-` (the backup copy) _is_ labelled `passwd_file_t`. So I think the mismatch is explained by an rpm script running `useradd`. It must be run with libselinux disabled, same as when running inside the container. https://bugzilla.redhat.com/show_bug.cgi?id=1374427#c2 – sourcejedi Sep 10 '16 at 11:13
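The check below is an added example, not code from the question or either answer: run from the host before `systemd-nspawn -D`, it compares the SELinux type of the files passwd(1) writes (and of the passwd binary) under a bootstrapped root against the host's label for the same path, which is the `etc_t` versus `passwd_file_t` mismatch the answer found by hand with `ls -Z`. It assumes a host with SELinux enabled and coreutils `ls -Z`; the function and script names are my own.

```shell
#!/bin/sh
# Added example (not from the question or answers). Assumes a host with
# SELinux enabled; the container tree is expected to carry the host's file
# types, which is what restorecon -Rv <root>/ from the host produces.

# Extract the type field from a context such as system_u:object_r:etc_t:s0.
ctx_type() {
    t=${1#*:*:}                # drop the user and role fields
    printf '%s\n' "${t%%:*}"   # keep the type, drop the MLS level
}

# Exit 0 when two contexts share a type, 1 otherwise.
same_type() {
    [ "$(ctx_type "$1")" = "$(ctx_type "$2")" ]
}

# Pure comparison step: print a MISMATCH line and return 1 when the types
# differ, stay silent and return 0 when they agree.
report_mismatch() {
    path=$1 host_ctx=$2 cont_ctx=$3
    same_type "$host_ctx" "$cont_ctx" && return 0
    printf 'MISMATCH %s: host=%s container=%s\n' \
        "$path" "$(ctx_type "$host_ctx")" "$(ctx_type "$cont_ctx")"
    return 1
}

# Read both contexts with ls -Zd (first field is the context) and compare.
check_path() {
    root=$1 path=$2
    host_ctx=$(ls -Zd "$path" | awk '{print $1}')
    cont_ctx=$(ls -Zd "$root$path" | awk '{print $1}')
    report_mismatch "$path" "$host_ctx" "$cont_ctx"
}

# Check the files passwd touches; a nonzero exit means the tree needs
# restorecon from the host before the container's root password can be set.
check_tree() {
    root=$1 rc=0
    for p in /etc/passwd /etc/shadow /usr/bin/passwd; do
        check_path "$root" "$p" || rc=1
    done
    return $rc
}

# Usage from the host (hypothetical script name): sh label-check.sh "$HOME/fedora-24"
if [ $# -ge 1 ]; then
    check_tree "$1"
fi
```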
Same issue with a bootstrapped CentOS 8 userspace.

Identified problems with

[root@- bootstrapped_base_systems]# ls -Z centos8/bin/passwd
system_u:object_r:passwd_exec_t:s0 centos8/bin/passwd
[root@- bootstrapped_base_systems]# ls -Z centos8/etc/passwd
unconfined_u:object_r:etc_t:s0 centos8/etc/passwd

(etc/passwd was good in this case)

Fixed with

[root@- bootstrapped_base_systems]# chcon -v unconfined_u:object_r:etc_t:s0 centos8/bin/passwd
changing security context of 'centos8/bin/passwd'

Verified the change with

[root@- bootstrapped_base_systems]# ls -Z centos8/bin/passwd
unconfined_u:object_r:etc_t:s0 centos8/bin/passwd

Jonathan Komar