How can I induce an AVC denial?

As bugzilla.redhat.com/show_bug.cgi?id=2374106 describes, I’ve attempted:

#!/usr/bin/env bash
passwd --help &> /root/output

However, sealert doesn’t list any new denials.

My Environment

#!/usr/bin/env sh
cat /etc/os-release | jc --ini | jq 'with_entries(.value |= (if type=="string" and test("^[0-9]+$") then tonumber else . end))| {NAME, VARIANT, VERSION_ID}' | yq -P

NAME: Fedora Linux
VARIANT: KDE Plasma Desktop Edition
VERSION_ID: 44

Is it because you are running the command in an unconfined context? Does the following work?

systemd-run -q bash -c 'passwd --help &> /root/output'

works for me:

# id 
uid=0(root) gid=0(root) groups=0(root) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
 
# passwd --help &> /root/output 


# ausearch -m avc -ts recent 
---- 
time->Fri May 15 09:38:45 2026 
type=AVC msg=audit(1778830725.752:8349): avc:  denied  { write } for  pid=3228768 comm="passwd" path="/root/output" dev="dm-0" ino=18363006 scontext=unconfined_u:unconfined_r:passwd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:admin_home_t:s0 tclass=file permissive=1
 
# sealert -l '*' 
SELinux is preventing passwd from write access on the file /root/output. 
 
*****  Plugin catchall (100. confidence) suggests   ************************** 
 
If you believe that passwd should be allowed write access on the output file by default. 
Then you should report this as a bug. 
You can generate a local policy module to allow this access. 
Do 
allow this access for now by executing: 
# ausearch -c 'passwd' --raw | audit2allow -M my-passwd 
# semodule -X 300 -i my-passwd.pp 
 
 
Additional Information: 
Source Context                unconfined_u:unconfined_r:passwd_t:s0-s0:c0.c1023 
Target Context                unconfined_u:object_r:admin_home_t:s0 
Target Objects                /root/output [ file ] 
Source                        passwd 
Source Path                   passwd 
Port                          <Unknown> 
Host                          p16v 
Source RPM Packages            
Target RPM Packages            
SELinux Policy RPM            selinux-policy-targeted-44.1-1.fc44.noarch 
Local Policy RPM              selinux-policy-targeted-44.1-1.fc44.noarch 
Selinux Enabled               True 
Policy Type                   targeted 
Enforcing Mode                Permissive 
Host Name                     p16v 
Platform                      Linux p16v 6.19.14-300.fc44.x86_64 #1 SMP 
                              PREEMPT_DYNAMIC Thu Apr 23 15:17:50 UTC 2026 
                              x86_64 
Alert Count                   1 
First Seen                    2026-05-15 09:41:53 CEST 
Last Seen                     2026-05-15 09:41:53 CEST 
Local ID                      417e1b6e-acdc-4d4f-8195-b8e6bf31396c 
 
Raw Audit Messages 
type=AVC msg=audit(1778830913.439:8360): avc:  denied  { write } for  pid=3230398 comm="passwd" path="/root/output" dev="dm-0" ino=18363006 scontext=unconfined_u:unconfined_r:passwd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:admin_home_t:s0 tclass=file permissive=1
 
 
Hash: passwd,passwd_t,admin_home_t,file,write 

 

Note: if you are in permissive mode, AVC denial messages are sent only once. You need to switch to enforcing and back to permissive to get the AVC denial again.

No, there’s a transition to passwd_t via passwd_exec_t:

# sesearch -T -s unconfined_t -t passwd_exec_t
type_transition unconfined_t passwd_exec_t:process passwd_t;

# ls -Z /usr/bin/passwd /usr/bin/id
system_u:object_r:bin_t:s0 /usr/bin/id
system_u:object_r:passwd_exec_t:s0 /usr/bin/passwd

# id
uid=0(root) gid=0(root) groups=0(root) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023

# chcon -t passwd_exec_t /usr/bin/id

# id
uid=0(root) gid=0(root) groups=0(root) context=unconfined_u:unconfined_r:passwd_t:s0-s0:c0.c1023

@glb, thanks; that works. It appears to confirm that the bug doesn’t reproduce, considering that, with:

#!/usr/bin/env sh
while :; do
    systemd-run -q bash -c 'passwd --help &> /root/output'
done

…it doesn’t ANR. I don’t know whether that’s equivalent to what WayDroid was originally doing, [1] but that satisfies me.


  1. bugzilla.redhat.com/show_bug.cgi?id=2477964 ↩︎