| Summary: | SELinux prevents gnome-keyring-daemon from writing to user home directory | ||
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 7 | Reporter: | Patrik Kis <pkis> |
| Component: | selinux-policy | Assignee: | Lukas Vrabec <lvrabec> |
| Status: | CLOSED ERRATA | QA Contact: | Milos Malik <mmalik> |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | ||
| Version: | 7.3 | CC: | lvrabec, mgrepl, mmalik, pkis, plautrba, pvrabec, ssekidde |
| Target Milestone: | rc | ||
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | Doc Type: | If docs needed, set a value | |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2018-10-30 09:59:46 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Bug Depends On: | |||
| Bug Blocks: | 1534323 | ||
|
Description
Patrik Kis
2016-09-05 12:49:08 UTC
A similar AVC denial was seen:
time->Sat Jun 24 02:59:08 2017
type=PROCTITLE msg=audit(1498287548.569:258): proctitle=2F7573722F62696E2F676E6F6D652D6B657972696E672D6461656D6F6E002D2D6461656D6F6E697A65
type=SYSCALL msg=audit(1498287548.569:258): arch=c00000b7 syscall=34 success=no exit=-13 a0=ffffffffffffff9c a1=2aad4b09fc0 a2=1c0 a3=2aad4b09fc0 items=0 ppid=1 pid=28972 auid=4294967295 uid=1001 gid=1001 euid=1001 suid=1001 fsuid=1001 egid=1001 sgid=1001 fsgid=1001 tty=(none) ses=4294967295 comm="gnome-keyring-d" exe="/usr/bin/gnome-keyring-daemon" subj=unconfined_u:unconfined_r:passwd_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1498287548.569:258): avc: denied { write } for pid=28972 comm="gnome-keyring-d" name="testuser_bz515809" dev="dm-2" ino=67159553 scontext=unconfined_u:unconfined_r:passwd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_dir_t:s0 tclass=dir permissive=0
Here is a reproducer. It's triggered by installed gnome-keyring-pam when password of an user is changed.
[root@rhel74 ~]# rpm -q selinux-policy
selinux-policy-3.13.1-166.el7.noarch
[root@rhel74 ~]# su - -c 'echo -e "amdwdmwifmwf\nwdwfgbgrbgrtgrb\nwdwfgbgrbgrtgrb" | passwd' testuser
Changing password for user testuser.
Changing password for testuser.
(current) UNIX password: New password: Retype new password: passwd: all authentication tokens updated successfully.
[root@rhel74 ~]# ausearch -i -m avc -ts recent
<no matches>
[root@rhel74 ~]#
[root@rhel74 ~]#
[root@rhel74 ~]# yum install gnome-keyring-pam
Loaded plugins: product-id, search-disabled-repos, subscription-manager
This system is not registered with an entitlement server. You can use subscription-manager to register.
Resolving Dependencies
--> Running transaction check
---> Package gnome-keyring-pam.x86_64 0:3.20.0-3.el7 will be installed
--> Finished Dependency Resolution
Dependencies Resolved
... snip ...
Running transaction
Installing : gnome-keyring-pam-3.20.0-3.el7.x86_64 1/1
Verifying : gnome-keyring-pam-3.20.0-3.el7.x86_64 1/1
Installed:
gnome-keyring-pam.x86_64 0:3.20.0-3.el7
Complete!
[root@rhel74 ~]#
[root@rhel74 ~]#
[root@rhel74 ~]# su - -c 'echo -e "wdwfgbgrbgrtgrb\namdwdmwifmwf\namdwdmwifmwf" | passwd' testuser
Changing password for user testuser.
Changing password for testuser.
(current) UNIX password: New password: Retype new password: passwd: all authentication tokens updated successfully.
[root@rhel74 ~]# ausearch -i -m avc -ts recent
----
type=PROCTITLE msg=audit(10/27/2017 10:07:13.930:339) : proctitle=/usr/bin/gnome-keyring-daemon --daemonize
type=SYSCALL msg=audit(10/27/2017 10:07:13.930:339) : arch=x86_64 syscall=mkdir success=no exit=EACCES(Permission denied) a0=0x56083a30e840 a1=0700 a2=0x0 a3=0x7ffe55306b40 items=0 ppid=10638 pid=10639 auid=root uid=testuser gid=testuser euid=testuser suid=testuser fsuid=testuser egid=testuser sgid=testuser fsgid=testuser tty=(none) ses=2 comm=gnome-keyring-d exe=/usr/bin/gnome-keyring-daemon subj=unconfined_u:unconfined_r:passwd_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(10/27/2017 10:07:13.930:339) : avc: denied { write } for pid=10639 comm=gnome-keyring-d name=testuser dev="vda1" ino=7232650 scontext=unconfined_u:unconfined_r:passwd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_dir_t:s0 tclass=dir
[root@rhel74 ~]#
[root@rhel74 ~]#
Thank you for the reproducer, Patrik. *** Bug 1446158 has been marked as a duplicate of this bug. *** Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2018:3111 |