Bug 1257057

Summary: AVC denial: scontext=system_u:unconfined_r:passwd_t:s0 tcontext=system_u:object_r:user_tmp_t:s0 tclass=dir
Product: Red Hat Enterprise Linux 7
Reporter: Patrik Kis <pkis>
Component: selinux-policy
Assignee: Lukas Vrabec <lvrabec>
Status: CLOSED ERRATA
QA Contact: Milos Malik <mmalik>
Severity: medium
Priority: medium
Version: 7.3
CC: lvrabec, mgrepl, mmalik, othstu, plautrba, pvrabec, ssekidde
Target Milestone: rc
Hardware: All
OS: Linux
Fixed In Version: selinux-policy-3.13.1-92.el7
Doc Type: Bug Fix
Last Closed: 2016-11-04 02:21:09 UTC
Type: Bug

Description Patrik Kis 2015-08-26 07:51:25 UTC
Description of problem:
The following AVC denial appeared on some of our test machines, but I was not able to reproduce the issue again.
Anyhow, the denial looks like something that could be allowed, so I am filing this bug.

time->Fri Aug 21 10:00:48 2015
type=SYSCALL msg=audit(1440165648.088:1538): arch=80000015 syscall=39 success=no exit=-13 a0=1003bf86a90 a1=1c0 a2=3fffd5b00db8 a3=65797269 items=0 ppid=9968 pid=9982 auid=4294967295 uid=1001 gid=1002 euid=1001 suid=1001 fsuid=1001 egid=1002 sgid=1002 fsgid=1002 tty=pts0 ses=4294967295 comm="gnome-keyring-d" exe="/usr/bin/gnome-keyring-daemon" subj=system_u:unconfined_r:passwd_t:s0 key=(null)
type=AVC msg=audit(1440165648.088:1538): avc:  denied  { create } for  pid=9982 comm="gnome-keyring-d" name="keyring" scontext=system_u:unconfined_r:passwd_t:s0 tcontext=system_u:object_r:user_tmp_t:s0 tclass=dir

Version-Release number of selected component (if applicable):
selinux-policy-3.13.1-44.el7.noarch

How reproducible:
seen once

Steps to Reproduce:
unknown

Comment 2 Miroslav Grepl 2015-08-26 16:10:43 UTC
It happens if gnome-keyring-d is not running.

Comment 5 Frank 2016-05-04 05:38:59 UTC
This error is reported in /var/log/audit/audit.log after a user uses the passwd command to change their password while the gnome-keyring-daemon process is not running with their user ID.

If a user logs into the GUI, then the gnome-keyring-daemon process will be started with their user ID on login, and there is no problem with passwd.

However, our RHEL systems do not use the GUI, so there is no gnome-keyring-daemon process running, and so every time a user changes their password this error appears in the audit log. (A user base of more than 500 users means this error appears frequently.)

Even if the gnome-keyring-daemon process is running, but it is running as a different user ID to the user changing their password, the denied error will still be generated.

Comment 6 Frank 2016-05-04 07:24:59 UTC
This denial can be allowed with a policy module:
grep -e '1462339594.221:775' /var/log/audit/audit.log | audit2allow -M mygnomekeyring
semodule -i mygnomekeyring.pp
semodule -B

However, this gives rise to a new denial:
aureport -a
8. 04/05/16 15:28:37 gnome-keyring-d unconfined_u:unconfined_r:passwd_t:s0-s0:c0.c1023 49 sock_file create unconfined_u:object_r:user_tmp_t:s0 denied 858

If this is also allowed, it gives rise to 13 new denials:
aureport -a
13. 04/05/16 16:12:39 gnome-keyring-d unconfined_u:unconfined_r:passwd_t:s0-s0:c0.c1023 83 dir write unconfined_u:object_r:user_home_dir_t:s0 denied 562
14. 04/05/16 16:12:39 gnome-keyring-d unconfined_u:unconfined_r:passwd_t:s0-s0:c0.c1023 83 dir write unconfined_u:object_r:user_home_dir_t:s0 denied 563
15. 04/05/16 16:12:39 dbus-launch unconfined_u:unconfined_r:passwd_t:s0-s0:c0.c1023 42 tcp_socket name_connect system_u:object_r:xserver_port_t:s0 denied 564
16. 04/05/16 16:12:39 dbus-launch unconfined_u:unconfined_r:passwd_t:s0-s0:c0.c1023 42 tcp_socket name_connect system_u:object_r:xserver_port_t:s0 denied 565
17. 04/05/16 16:12:39 dbus-launch unconfined_u:unconfined_r:passwd_t:s0-s0:c0.c1023 42 tcp_socket name_connect system_u:object_r:xserver_port_t:s0 denied 566
18. 04/05/16 16:12:39 dbus-launch unconfined_u:unconfined_r:passwd_t:s0-s0:c0.c1023 42 tcp_socket name_connect system_u:object_r:xserver_port_t:s0 denied 567
19. 04/05/16 16:12:39 dbus-launch unconfined_u:unconfined_r:passwd_t:s0-s0:c0.c1023 42 tcp_socket name_connect system_u:object_r:xserver_port_t:s0 denied 568
20. 04/05/16 16:12:39 dbus-launch unconfined_u:unconfined_r:passwd_t:s0-s0:c0.c1023 42 tcp_socket name_connect system_u:object_r:xserver_port_t:s0 denied 569
21. 04/05/16 16:12:39 gnome-keyring-d unconfined_u:unconfined_r:passwd_t:s0-s0:c0.c1023 87 sock_file unlink unconfined_u:object_r:user_tmp_t:s0 denied 570
22. 04/05/16 16:12:39 gnome-keyring-d unconfined_u:unconfined_r:passwd_t:s0-s0:c0.c1023 87 sock_file unlink unconfined_u:object_r:user_tmp_t:s0 denied 571
23. 04/05/16 16:12:39 gnome-keyring-d unconfined_u:unconfined_r:passwd_t:s0-s0:c0.c1023 87 sock_file unlink unconfined_u:object_r:user_tmp_t:s0 denied 572
24. 04/05/16 16:12:39 gnome-keyring-d unconfined_u:unconfined_r:passwd_t:s0-s0:c0.c1023 87 sock_file unlink unconfined_u:object_r:user_tmp_t:s0 denied 573
25. 04/05/16 16:12:39 gnome-keyring-d unconfined_u:unconfined_r:passwd_t:s0-s0:c0.c1023 84 dir rmdir unconfined_u:object_r:user_tmp_t:s0 denied 574


It seems that every time the process is not halted by SELinux but is allowed to continue, new problems are created, because SELinux is not set up correctly for this feature of password maintenance.

Comment 8 Patrik Kis 2016-07-25 14:18:25 UTC
There are more related AVC denials; please consider adding them to the policy.

type=SYSCALL msg=audit(1469007634.604:2112): arch=c000003e syscall=49 success=no exit=-13 a0=5 a1=7ffe18c17970 a2=6e a3=2 items=0 ppid=19201 pid=19215 auid=4294967295 uid=1001 gid=1001 euid=1001 suid=1001 fsuid=1001 egid=1001 sgid=1001 fsgid=1001 tty=pts0 ses=4294967295 comm="gnome-keyring-d" exe="/usr/bin/gnome-keyring-daemon" subj=system_u:unconfined_r:passwd_t:s0 key=(null)
type=AVC msg=audit(1469007634.604:2112): avc:  denied  { create } for  pid=19215 comm="gnome-keyring-d" name="control" scontext=system_u:unconfined_r:passwd_t:s0 tcontext=system_u:object_r:user_tmp_t:s0 tclass=sock_file


I'm not able to reproduce these AVC denials and they pop up randomly, so new related AVCs may appear in the future.
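Added example (not part of this bug report or of the selinux-policy package): a small Python triage script for the situation in comments 6 and 8. It parses denials in both the raw type=AVC record format quoted in the description and comment 8 and the aureport -a row format quoted in comment 6, groups them by source type, target type and object class, and drafts the TE allow rules that audit2allow would generate. Collecting the whole cascade first and reading the resulting rules avoids the one-rule-at-a-time loop comment 6 describes. The sample records are copied from this bug (the SYSCALL record shortened); the review heuristic that flags network and home-directory rules is this example's own assumption, not a recommendation from the maintainers.

```python
"""Triage SELinux AVC denials and draft the allow rules audit2allow would emit.

Added example for bug 1257057; not code from the bug or from selinux-policy.
Understands two input shapes an admin has on hand:
  * raw audit records:  type=AVC msg=audit(...): avc:  denied  { create } for ...
                        scontext=... tcontext=... tclass=dir
  * rows of `aureport -a`:  N. date time comm scontext syscall tclass perm tcontext result event
"""
import re
from collections import defaultdict

RAW_RE = re.compile(
    r"type=AVC\b.*?avc:\s+denied\s+\{\s*(?P<perms>[^}]+)\}"
    r".*?\bcomm=\"(?P<comm>[^\"]*)\""
    r".*?\bscontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)
AUREPORT_RE = re.compile(
    r"^\s*\d+\.\s+\S+\s+\S+\s+(?P<comm>\S+)\s+(?P<scontext>\S+)\s+\d+\s+"
    r"(?P<tclass>\S+)\s+(?P<perms>\S+)\s+(?P<tcontext>\S+)\s+denied\s+\d+\s*$"
)
# Object classes whose allow rules put a domain on the network (heuristic of this example).
NETWORK_CLASSES = {"tcp_socket", "udp_socket", "rawip_socket", "packet_socket"}

# Constructed sample: records copied from this bug's comments, plus the SYSCALL
# record that accompanies the first AVC (it carries no denial and must be skipped).
SAMPLE_AUDIT = """
type=SYSCALL msg=audit(1440165648.088:1538): arch=80000015 syscall=39 success=no exit=-13 comm="gnome-keyring-d" exe="/usr/bin/gnome-keyring-daemon" subj=system_u:unconfined_r:passwd_t:s0 key=(null)
type=AVC msg=audit(1440165648.088:1538): avc:  denied  { create } for  pid=9982 comm="gnome-keyring-d" name="keyring" scontext=system_u:unconfined_r:passwd_t:s0 tcontext=system_u:object_r:user_tmp_t:s0 tclass=dir
type=AVC msg=audit(1469007634.604:2112): avc:  denied  { create } for  pid=19215 comm="gnome-keyring-d" name="control" scontext=system_u:unconfined_r:passwd_t:s0 tcontext=system_u:object_r:user_tmp_t:s0 tclass=sock_file
13. 04/05/16 16:12:39 gnome-keyring-d unconfined_u:unconfined_r:passwd_t:s0-s0:c0.c1023 83 dir write unconfined_u:object_r:user_home_dir_t:s0 denied 562
15. 04/05/16 16:12:39 dbus-launch unconfined_u:unconfined_r:passwd_t:s0-s0:c0.c1023 42 tcp_socket name_connect system_u:object_r:xserver_port_t:s0 denied 564
21. 04/05/16 16:12:39 gnome-keyring-d unconfined_u:unconfined_r:passwd_t:s0-s0:c0.c1023 87 sock_file unlink unconfined_u:object_r:user_tmp_t:s0 denied 570
25. 04/05/16 16:12:39 gnome-keyring-d unconfined_u:unconfined_r:passwd_t:s0-s0:c0.c1023 84 dir rmdir unconfined_u:object_r:user_tmp_t:s0 denied 574
"""
SAMPLE_LINES = SAMPLE_AUDIT.strip().splitlines()


def _type_of(context):
    """user:role:type[:range] -> type (the part TE rules are written against)."""
    return context.split(":")[2]


def parse_avc(line):
    """Return a dict for one denial line, or None if the line is not a denial."""
    m = RAW_RE.search(line) or AUREPORT_RE.match(line)
    if not m:
        return None
    return {
        "comm": m.group("comm"),
        "stype": _type_of(m.group("scontext")),
        "ttype": _type_of(m.group("tcontext")),
        "tclass": m.group("tclass"),
        "perms": set(m.group("perms").split()),
    }


def collect(lines):
    """Group denials by (source type, target type, class) -> set of permissions."""
    grouped = defaultdict(set)
    for line in lines:
        rec = parse_avc(line)
        if rec:
            grouped[(rec["stype"], rec["ttype"], rec["tclass"])] |= rec["perms"]
    return grouped


def draft_rules(lines):
    """Sorted TE allow rules, one per (source, target, class), in audit2allow's style."""
    rules = []
    for (stype, ttype, tclass), perms in sorted(collect(lines).items()):
        plist = " ".join(sorted(perms))
        rules.append(f"allow {stype} {ttype}:{tclass} {{ {plist} }};")
    return rules


def flag_for_review(lines):
    """Heuristic (this example's assumption, not policy doctrine): rules that let the
    domain talk on the network or write into home directories deserve a human look
    before being loaded, even though audit2allow would emit them without comment."""
    flagged = []
    for (stype, ttype, tclass), perms in sorted(collect(lines).items()):
        if tclass in NETWORK_CLASSES or (ttype.endswith("_home_dir_t") and "write" in perms):
            flagged.append((stype, ttype, tclass))
    return flagged


if __name__ == "__main__":
    for rule in draft_rules(SAMPLE_LINES):
        print(rule)
    for key in flag_for_review(SAMPLE_LINES):
        print("review before loading:", key)
```

On the sample above the script drafts four rules (passwd_t against user_home_dir_t:dir, user_tmp_t:dir, user_tmp_t:sock_file and xserver_port_t:tcp_socket) and flags the home-directory write and the X server connect for review; the rules themselves still have to go through a .te file and semodule as in comment 6 if you decide to load them.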

Comment 13 errata-xmlrpc 2016-11-04 02:21:09 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2016-2283.html