Bug 1305236

Summary: RFE: SELinux wrongly blocks xlogin session

| Field | Value | Field | Value |
|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | Raphael Groner <projects.rg> |
| Component: | selinux-policy | Assignee: | Lukas Vrabec <lvrabec> |
| Status: | CLOSED NOTABUG | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
| Severity: | medium | Docs Contact: | |
| Priority: | high | | |
| Version: | rawhide | CC: | amessina, dominick.grift, dwalsh, lvrabec, marcandre.lureau, plautrba, projects.rg, ssekidde |
| Target Milestone: | --- | Keywords: | FutureFeature |
| Target Release: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| URL: | https://github.com/joukewitteveen/xlogin/issues/10 | | |
| Whiteboard: | | | |
| Fixed In Version: | | Doc Type: | Enhancement |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2019-05-07 12:00:19 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
| Bug Depends On: | | | |
| Bug Blocks: | 1404667 | | |
| Attachments: | | | |
Description
Raphael Groner
2016-02-06 10:35:19 UTC
Can we allow xlogin (via bash) in selinux-policy by default?

What does `$ sesearch -A -s init_t -t unconfined_t -c process` show on your system?

```
$ sesearch -A -s init_t -t unconfined_t -c process
Found 4 semantic av rules:
   allow domain unconfined_t : process sigchld ;
   allow init_t domain : process { sigchld sigkill sigstop signull signal getpgid getattr } ;
   allow unconfined_domain_type domain : process { fork sigchld sigkill sigstop signull signal getsched setsched getsession getpgid setpgid getcap setcap share getattr setexec setfscreate noatsecure siginh setrlimit rlimitinh setcurrent setkeycreate setsockcreate ptrace_child } ;
   allow unconfined_domain_type domain : process ptrace ;
```

OK, and `$ rpm -q selinux-policy-targeted`?

```
$ rpm -q selinux-policy-targeted
selinux-policy-targeted-3.13.1-158.6.fc23.noarch
```

We have fixes in Rawhide. Could you try to test it with the following local policy

```
# cat mypol.cil
(allow init_t unconfined_t (process (transition)))
# semodule -i mypol.cil
```

Sorry for my delayed response, I'll come back to this RFE later.

Still an issue for me.

```
selinux-policy-3.13.1-158.11.fc23.noarch
selinux-policy-targeted-3.13.1-158.11.fc23.noarch
xlogin-0-0.1.20160114git97667d7.fc23.noarch
```

(In reply to Miroslav Grepl from comment #6)
> We have fixes in Rawhide. Could you try to test it with the following local
> policy

```
# echo '(allow init_t unconfined_t (process (transition)))' >/tmp/mypol.cli && semodule -i /tmp/mypol.cli
libsemanage.semanage_pipe_data: Child process /usr/libexec/selinux/hll/cli failed with code: 1. (No such file or directory).
mypol: libsemanage.semanage_pipe_data: Unable to execute /usr/libexec/selinux/hll/cli : No such file or directory
mypol: (No such file or directory).
libsemanage.semanage_direct_commit: Failed to compile hll files into cil files. (No such file or directory).
semodule: Failed!
# LC_ALL=C dnf install /usr/libexec/selinux/hll/cli
Last metadata expiration check: 0:48:53 ago on Wed Mar 30 16:09:41 2016.
No package /usr/libexec/selinux/hll/cli available.
Error: Unable to find a match.
# LC_ALL=C dnf whatprovides /usr/libexec/selinux/hll/cli
Last metadata expiration check: 0:49:13 ago on Wed Mar 30 16:09:41 2016.
Error: No Matches found
```

If of any help:

```
# journalctl |grep xlogin
Feb 06 11:13:36 poldy systemd[1]: Removed slice system-xlogin.slice.
Feb 06 11:13:36 poldy systemd[1]: Stopping system-xlogin.slice.
Feb 06 11:14:24 poldy audit[1]: SERVICE_START pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=xlogin@raphael comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
Feb 06 11:14:24 poldy audit[1]: SERVICE_STOP pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=xlogin@raphael comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=failed'
Feb 06 11:14:24 poldy systemd[963]: xlogin: Failed at step EXEC spawning /usr/bin/bash: Permission denied
Feb 06 11:14:24 poldy systemd[1]: xlogin: Main process exited, code=exited, status=203/EXEC
Feb 06 11:14:24 poldy systemd[1]: xlogin: Unit entered failed state.
Feb 06 11:14:24 poldy systemd[1]: xlogin: Failed with result 'exit-code'.
Feb 06 11:16:26 poldy systemd[1]: Removed slice system-xlogin.slice.
Feb 06 11:16:26 poldy systemd[1]: Stopping system-xlogin.slice.
Feb 06 11:17:16 poldy audit[1]: SERVICE_START pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=xlogin@raphael comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
Feb 06 11:17:16 poldy audit[1]: SERVICE_STOP pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=xlogin@raphael comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=failed'
Feb 06 11:17:16 poldy systemd[963]: xlogin: Failed at step EXEC spawning /usr/bin/bash: Permission denied
Feb 06 11:17:16 poldy systemd[1]: xlogin: Main process exited, code=exited, status=203/EXEC
Feb 06 11:17:16 poldy systemd[1]: xlogin: Unit entered failed state.
Feb 06 11:17:16 poldy systemd[1]: xlogin: Failed with result 'exit-code'.
Feb 06 13:40:51 poldy systemd[1]: Removed slice system-xlogin.slice.
Feb 06 13:40:51 poldy systemd[1]: Stopping system-xlogin.slice.
Mär 30 09:59:46 poldy audit[1]: SERVICE_START pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=xlogin@raphael comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
Mär 30 09:59:46 poldy audit[1]: SERVICE_STOP pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=xlogin@raphael comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=failed'
Mär 30 09:59:46 poldy systemd[1060]: xlogin: Failed at step EXEC spawning /usr/bin/bash: Permission denied
Mär 30 09:59:46 poldy systemd[1]: xlogin: Main process exited, code=exited, status=203/EXEC
Mär 30 09:59:46 poldy systemd[1]: xlogin: Unit entered failed state.
Mär 30 09:59:46 poldy systemd[1]: xlogin: Failed with result 'exit-code'.
```

Could you test it with

```
$ cat mypol.te
policy_module(mypol, 1.0)

require{
	type init_t;
	type unconfined_t;
}

allow init_t unconfined_t:process transition;
```

And run

```
# make -f /usr/share/selinux/devel/Makefile mypol.pp
# semodule -i mypol.pp
```

Thank you.

Your suggestion from comment #10 changes the EXEC fail into a PAM fail.

```
# journalctl -b |grep xlogin
Mai 08 23:21:09 builder24 audit[1]: SERVICE_START pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=xlogin@builder comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
Mai 08 23:21:09 builder24 audit[1]: SERVICE_STOP pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=xlogin@builder comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=failed'
Mai 08 23:21:09 builder24 systemd[854]: xlogin: Failed at step PAM spawning /usr/bin/bash: Operation not permitted
Mai 08 23:21:09 builder24 systemd[1]: xlogin: Main process exited, code=exited, status=224/PAM
Mai 08 23:21:09 builder24 systemd[1]: xlogin: Unit entered failed state.
Mai 08 23:21:09 builder24 systemd[1]: xlogin: Failed with result 'exit-code'.
# journalctl -u xlogin@builder
-- Logs begin at So 2016-04-24 20:22:30 CEST, end at So 2016-05-08 23:31:29 CEST. --
Mai 08 23:21:09 builder24 systemd[1]: Started Direct X login for user builder.
Mai 08 23:21:09 builder24 systemd[854]: pam_console(login:session): Could not open lock file /var/run/console/builder, disallowing console access
Mai 08 23:21:09 builder24 systemd[854]: pam_selinux(login:session): Failed to compute new context for /dev/tty7: Permission denied
Mai 08 23:21:09 builder24 systemd[1]: xlogin: Main process exited, code=exited, status=224/PAM
Mai 08 23:21:09 builder24 systemd[1]: xlogin: Unit entered failed state.
Mai 08 23:21:09 builder24 systemd[1]: xlogin: Failed with result 'exit-code'.
```

Ping, any news here?

(In reply to Raphael Groner from comment #12)
> Ping, any news here?

What policy package version are you running now?

```
allow init_t login_userdomain : process { transition sigchld noatsecure } ;
```

Is included in the latest rawhide build

```
xlogin-0-0.1.20160114git97667d7.fc23.noarch
selinux-policy-3.13.1-158.15.fc23.noarch
```

```
Jul 12 20:34:51 poldy audit[1]: SERVICE_START pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=xlogin@raphael comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
Jul 12 20:34:51 poldy audit[1]: SERVICE_STOP pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=xlogin@raphael comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=failed'
Jul 12 20:34:51 poldy systemd[1066]: xlogin: Failed at step EXEC spawning /usr/bin/bash: Permission denied
Jul 12 20:34:51 poldy systemd[1]: xlogin: Unit entered failed state.
Jul 12 20:34:51 poldy systemd[1]: xlogin: Failed with result 'exit-code'.
```

```
xlogin-0-0.1.20160114git97667d7.fc24.noarch
selinux-policy-3.13.1-191.5.fc24.noarch
```

```
Jul 12 21:10:21 fedora24lxqt systemd[1]: Created slice system-xlogin.slice.
Jul 12 21:10:21 fedora24lxqt audit[1]: SERVICE_START pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=xlogin@test comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
Jul 12 21:10:21 fedora24lxqt systemd[1129]: xlogin: Failed at step PAM spawning /usr/bin/bash: Operation not permitted
Jul 12 21:10:21 fedora24lxqt systemd[1]: xlogin: Main process exited, code=exited, status=224/PAM
Jul 12 21:10:21 fedora24lxqt audit[1]: SERVICE_STOP pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=xlogin@test comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=failed'
Jul 12 21:10:21 fedora24lxqt systemd[1]: xlogin: Unit entered failed state.
Jul 12 21:10:21 fedora24lxqt systemd[1]: xlogin: Failed with result 'exit-code'.
```

Could you attach audit logs? (/var/log/audit/audit.log)

Thank you.

(In reply to Lukas Vrabec from comment #16)
> Could you attach audit logs? (/var/log/audit/audit.log)
>
> Thank you.

Can I grep it for something? The log files here are several MB in size.
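The thread opens by asking what `sesearch -A -s init_t -t unconfined_t -c process` reports, and the four rules that come back carry no `transition` permission from `init_t` to `unconfined_t`, which is why a local module adding exactly that rule was proposed (and why a later build carries `allow init_t login_userdomain : process { transition sigchld noatsecure }`). The following Python script is an added example, not code from the bug report, the reporter or the selinux-policy project: it parses sesearch allow rules and checks mechanically whether a specific source/target/class/permission is granted. Because sesearch output does not list which types an attribute contains, the `ATTRS` table (`domain` holding both types, `unconfined_domain_type` not holding `init_t`) is a constructed assumption for the illustration; on a real system you would fill it from `seinfo -a<attribute> -x`.

```python
"""Check whether a set of SELinux allow rules (as printed by `sesearch -A`)
grants a given permission between two types.

Added example; not code from the bug report or the selinux-policy project.
"""
import re
from dataclasses import dataclass

# sesearch output as quoted in the thread (Fedora 23, selinux-policy-targeted-3.13.1-158.6).
SESEARCH_OUTPUT = """\
Found 4 semantic av rules:
   allow domain unconfined_t : process sigchld ;
   allow init_t domain : process { sigchld sigkill sigstop signull signal getpgid getattr } ;
   allow unconfined_domain_type domain : process { fork sigchld sigkill sigstop signull signal getsched setsched getsession getpgid setpgid getcap setcap share getattr setexec setfscreate noatsecure siginh setrlimit rlimitinh setcurrent setkeycreate setsockcreate ptrace_child } ;
   allow unconfined_domain_type domain : process ptrace ;
"""

# Constructed attribute membership (assumption, not from sesearch): `domain` holds
# every process domain; `unconfined_domain_type` is assumed not to contain init_t,
# which is exactly why none of the rules above covers init_t -> unconfined_t.
ATTRS = {
    "domain": {"init_t", "unconfined_t"},
    "unconfined_domain_type": {"unconfined_t"},
}

# Matches both "... : process sigchld ;" and "... : process { a b c } ;".
RULE_RE = re.compile(
    r"^\s*allow\s+(?P<src>\S+)\s+(?P<tgt>\S+)\s*:\s*(?P<cls>\S+)\s+"
    r"(?:\{\s*(?P<perms>[^}]*)\}|(?P<perm>\S+))\s*;\s*$"
)


@dataclass(frozen=True)
class AllowRule:
    source: str
    target: str
    tclass: str
    perms: frozenset


def parse_sesearch(text):
    """Turn sesearch -A output into AllowRule objects; non-rule lines are skipped."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line)
        if not m:
            continue  # "Found N semantic av rules:" header or blank line
        perms = (m.group("perms") or m.group("perm")).split()
        rules.append(AllowRule(m.group("src"), m.group("tgt"), m.group("cls"), frozenset(perms)))
    return rules


def grants(rules, src, tgt, tclass, perm, attrs):
    """Return the rules that grant `perm` for src -> tgt : tclass.

    A rule whose source or target is an attribute matches only if `attrs`
    lists the concrete type as a member of that attribute.
    """
    def matches(field, concrete):
        return field == concrete or concrete in attrs.get(field, ())

    return [r for r in rules
            if r.tclass == tclass and perm in r.perms
            and matches(r.source, src) and matches(r.target, tgt)]


if __name__ == "__main__":
    rules = parse_sesearch(SESEARCH_OUTPUT)
    for perm in ("sigchld", "transition"):
        hits = grants(rules, "init_t", "unconfined_t", "process", perm, ATTRS)
        status = "granted by %d rule(s)" % len(hits) if hits else "NOT granted"
        print("init_t -> unconfined_t : process %s: %s" % (perm, status))
```

Running it prints that `sigchld` is granted (by the `domain unconfined_t` and `init_t domain` rules) while `transition` is not, which matches the `Failed at step EXEC spawning /usr/bin/bash: Permission denied` the reporter saw before a local module added the rule.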
You can run:

```
# cat /var/log/audit/audit.log | grep AVC
```

You can use the ausearch tool to filter audit events based on time and type, e.g.:

```
# ausearch -m avc,user_avc,selinux_err -ts 07/12/2016 21:00:00 -te 07/12/2016 22:00:00
```

Created attachment 1179213 [details]
audit-AVC.log

Fedora 23:

```
$ grep AVC /var/log/audit/audit.log
```
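The advice above is to grep `AVC` records out of `/var/log/audit/audit.log` or to filter them with `ausearch -m ... -ts ... -te ...`. As an added example (not code from the bug report, the audit tools or the selinux-policy project), the following Python script does the equivalent offline: it parses `type=... msg=audit(EPOCH:SERIAL):` records, selects a time window from the epoch seconds carried in each record (so the locale-dependent `-ts`/`-te` date format never comes into play), and summarizes `avc: denied` records into the `.te` allow lines that audit2allow would print. The two `USER_AVC` lines are copied from the ausearch output in the thread; the `type=AVC` denial line and the `SERVICE_START` line are constructed for illustration and are not from the reporter's logs.

```python
"""Filter SELinux audit records by time window and summarize AVC denials.

Added example; not code from the bug report or the audit/SELinux tools.
"""
import re
from collections import Counter
from datetime import datetime

# Two USER_AVC records from the thread plus a constructed AVC denial and a
# constructed SERVICE_START record (sample input, not the reporter's log).
SAMPLE_AUDIT_LOG = """\
type=USER_AVC msg=audit(1468350001.520:216): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='Unknown permission start for class system exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'
type=USER_AVC msg=audit(1468350001.594:231): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='Unknown permission stop for class system exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'
type=AVC msg=audit(1468351157.400:270): avc:  denied  { transition } for  pid=1066 comm="(bash)" path="/usr/bin/bash" dev="dm-0" ino=1 scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:unconfined_t:s0 tclass=process permissive=0
type=SERVICE_START msg=audit(1468351157.468:271): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=xlogin@raphael comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
"""

HEADER_RE = re.compile(
    r"^type=(?P<type>\S+) msg=audit\((?P<epoch>\d+\.\d+):(?P<serial>\d+)\):\s*(?P<body>.*)$"
)
DENIED_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*)\}")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_audit_log(text):
    """Parse each `type=... msg=audit(...)` line into a dict of its fields."""
    records = []
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if not m:
            continue  # ausearch separators ("----", "time->...") or blank lines
        rec = {"type": m.group("type"), "epoch": float(m.group("epoch")),
               "serial": int(m.group("serial"))}
        body = m.group("body")
        rec.update({k: v.strip('"') for k, v in KV_RE.findall(body)})
        d = DENIED_RE.search(body)
        rec["denied"] = tuple(d.group("perms").split()) if d else ()
        records.append(rec)
    return records


def in_window(records, start_iso, end_iso):
    """Keep records whose audit timestamp falls in [start, end].

    Bounds are ISO 8601 with an explicit UTC offset, e.g. 2016-07-12T21:00:00+02:00,
    so no locale-specific date format is involved.
    """
    start = datetime.fromisoformat(start_iso).timestamp()
    end = datetime.fromisoformat(end_iso).timestamp()
    return [r for r in records if start <= r["epoch"] <= end]


def summarize_denials(records):
    """Count AVC denials by (scontext, tcontext, tclass, permissions)."""
    counts = Counter()
    for r in records:
        if r["type"] == "AVC" and r["denied"]:
            counts[(r.get("scontext"), r.get("tcontext"), r.get("tclass"), r["denied"])] += 1
    return counts


def type_of(context):
    """Extract the type field from user:role:type:level."""
    return context.split(":")[2]


def suggested_te_rules(denials):
    """Render a denial summary as .te allow lines (what audit2allow prints).

    Review each line before building it into a local module: a denial is
    evidence of what was attempted, not proof that it should be allowed.
    """
    lines = []
    for (sctx, tctx, tclass, perms), _count in sorted(denials.items()):
        perm_text = perms[0] if len(perms) == 1 else "{ %s }" % " ".join(perms)
        lines.append("allow %s %s:%s %s;" % (type_of(sctx), type_of(tctx), tclass, perm_text))
    return lines


if __name__ == "__main__":
    recs = parse_audit_log(SAMPLE_AUDIT_LOG)
    window = in_window(recs, "2016-07-12T21:00:00+02:00", "2016-07-12T22:00:00+02:00")
    print("%d of %d records in window" % (len(window), len(recs)))
    for line in suggested_te_rules(summarize_denials(window)):
        print(line)
```

The `USER_AVC` records about an unknown `start`/`stop` permission for class `system` carry no `avc: denied` text, so they are parsed but never counted as denials; only the constructed `type=AVC` record yields `allow init_t unconfined_t:process transition;`, the same rule the thread's local module adds.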
(In reply to Petr Lautrbach from comment #19)
> You can use ausearch tool to filter audit events based on time and type,
> e.g.:
>
> # ausearch -m avc,user_avc,selinux_err -ts 07/12/2016 21:00:00 -te
> 07/12/2016 22:00:00

```
# ausearch -m avc,user_avc,selinux_err -ts 07/12/2016 21:00:00 -te 07/12/2016 22:00:00
Error parsing start date (07/12/2016)
# ausearch -m avc,user_avc,selinux_err -ts 07.12.2016 21:00:00 -te 07.12.2016 22:00:00
<no matches>
# ausearch -m avc,user_avc,selinux_err -ts 2016-07-12 21:00:00 -te 2016-07-12 22:00:00
Invalid start date (2016-07-12). Month, Day, and Year are required.
```

(In reply to Raphael Groner from comment #21)
> # ausearch -m avc,user_avc,selinux_err -ts 07/12/2016 21:00:00 -te
> 07/12/2016 22:00:00
> Error parsing start date (07/12/2016)
> # ausearch -m avc,user_avc,selinux_err -ts 07.12.2016 21:00:00 -te
> 07.12.2016 22:00:00
> <no matches>
> # ausearch -m avc,user_avc,selinux_err -ts 2016-07-12 21:00:00 -te
> 2016-07-12 22:00:00
> Invalid start date (2016-07-12). Month, Day, and Year are required.

The format of -ts and -te depends on your current locale. Try 'date +%x' to get the right format or use

```
LC_ALL=en_US.UTF-8 ausearch -m avc,user_avc,selinux_err -ts 07/12/2016 21:00:00 -te 07/12/2016 22:00:00
```

poldy is the Fedora 23 machine from comment #14.

```
[root@poldy ~]# LC_ALL=en_US.UTF-8 ausearch -m avc,user_avc,selinux_err -ts 07/12/2016 20:00:00 -te 07/12/2016 22:00:00
----
time->Tue Jul 12 21:00:01 2016
type=USER_AVC msg=audit(1468350001.520:216): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='Unknown permission start for class system exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'
----
time->Tue Jul 12 21:00:01 2016
type=USER_AVC msg=audit(1468350001.521:217): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='Unknown permission start for class system exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'
----
time->Tue Jul 12 21:00:01 2016
type=USER_AVC msg=audit(1468350001.537:218): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='Unknown permission start for class system exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'
----
time->Tue Jul 12 21:00:01 2016
type=USER_AVC msg=audit(1468350001.542:219): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='Unknown permission start for class system exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'
----
time->Tue Jul 12 21:00:01 2016
type=USER_AVC msg=audit(1468350001.594:231): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='Unknown permission stop for class system exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'
----
time->Tue Jul 12 21:00:01 2016
type=USER_AVC msg=audit(1468350001.595:232): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='Unknown permission stop for class system exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'
----
time->Tue Jul 12 21:15:01 2016
type=USER_AVC msg=audit(1468350901.619:251): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='Unknown permission start for class system exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'
----
time->Tue Jul 12 21:15:01 2016
type=USER_AVC msg=audit(1468350901.638:252): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='Unknown permission start for class system exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'
----
time->Tue Jul 12 21:15:01 2016
type=USER_AVC msg=audit(1468350901.639:253): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='Unknown permission start for class system exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'
----
time->Tue Jul 12 21:15:01 2016
type=USER_AVC msg=audit(1468350901.643:254): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='Unknown permission start for class system exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'
----
time->Tue Jul 12 21:15:01 2016
type=USER_AVC msg=audit(1468350901.693:266): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='Unknown permission stop for class system exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'
----
time->Tue Jul 12 21:15:01 2016
type=USER_AVC msg=audit(1468350901.693:267): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='Unknown permission stop for class system exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'
----
time->Tue Jul 12 21:19:17 2016
type=USER_AVC msg=audit(1468351157.468:272): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='Unknown permission stop for class system exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'
----
time->Tue Jul 12 21:19:17 2016
type=USER_AVC msg=audit(1468351157.469:273): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='Unknown permission stop for class system exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'
----
time->Tue Jul 12 21:30:01 2016
type=USER_AVC msg=audit(1468351801.705:283): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='Unknown permission start for class system exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'
----
time->Tue Jul 12 21:30:01 2016
type=USER_AVC msg=audit(1468351801.706:284): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='Unknown permission start for class system exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'
----
time->Tue Jul 12 21:30:01 2016
type=USER_AVC msg=audit(1468351801.724:285): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='Unknown permission start for class system exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'
----
time->Tue Jul 12 21:30:01 2016
type=USER_AVC msg=audit(1468351801.729:286): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='Unknown permission start for class system exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'
----
time->Tue Jul 12 21:30:01 2016
type=USER_AVC msg=audit(1468351801.771:298): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='Unknown permission stop for class system exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'
----
time->Tue Jul 12 21:30:01 2016
type=USER_AVC msg=audit(1468351801.771:299): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='Unknown permission stop for class system exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'
----
time->Tue Jul 12 21:45:01 2016
type=USER_AVC msg=audit(1468352701.788:307): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='Unknown permission start for class system exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'
----
time->Tue Jul 12 21:45:01 2016
type=USER_AVC msg=audit(1468352701.788:308): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='Unknown permission start for class system exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'
----
time->Tue Jul 12 21:45:01 2016
type=USER_AVC msg=audit(1468352701.803:309): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='Unknown permission start for class system exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'
----
time->Tue Jul 12 21:45:01 2016
type=USER_AVC msg=audit(1468352701.807:310): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='Unknown permission start for class system exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'
----
time->Tue Jul 12 21:45:01 2016
type=USER_AVC msg=audit(1468352701.844:322): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='Unknown permission stop for class system exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'
----
time->Tue Jul 12 21:45:01 2016
type=USER_AVC msg=audit(1468352701.844:323): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='Unknown permission stop for class system exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'
```

Ping? Any news here?

Raphael, do you have the latest selinux-policy package installed? It looks like all AVCs are fixed.

My apologies for the delayed answer. Because of lack of time, I must postpone the verification with the latest selinux-policy package. See also bug 1404667. I'm thinking about orphaning xlogin because I really lack the free time to actively maintain it.

Closing, I orphaned xlogin.