Bug 1780796

Summary: SELinux is preventing dotlockfile from using the 'signull' accesses on a process.
Product: [Fedora] Fedora
Reporter: jesusgll <jesusgll>
Component: selinux-policy
Assignee: Nikola Knazekova <nknazeko>
Status: CLOSED ERRATA
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: low
Priority: low
Version: 31
CC: dwalsh, lvrabec, mgrepl, plautrba, zpytela
Target Milestone: ---
Keywords: Triaged
Target Release: ---
Hardware: x86_64
OS: Unspecified
Whiteboard: abrt_hash:fe78c418f375a0f0e112a437d9af6d2160742638f5bec9472345976ce0394742;
Fixed In Version: selinux-policy-3.14.4-50.fc31
Doc Type: If docs needed, set a value
Last Closed: 2020-04-02 09:54:30 UTC

Description jesusgll 2019-12-07 00:11:41 UTC
Description of problem:
My laptop suddenly disconnects from the Wi-Fi network,
and it shows me a message that says: Enter network password. 
I have to turn off my laptop to get it to work again, since it doesn't let me connect to the network.
SELinux is preventing dotlockfile from using the 'signull' accesses on a process.

*****  Plugin catchall (100. confidence) suggests   **************************

Si cree que de manera predeterminada se debería permitir a dotlockfile el acceso signull sobre procesos etiquetados como pcscd_t.
Then debería reportar esto como un error.
Puede generar un módulo de política local para permitir este acceso.
Do
permita el acceso temporalmente ejecutando:
# ausearch -c 'dotlockfile' --raw | audit2allow -M mi-dotlockfile
# semodule -X 300 -i mi-dotlockfile.pp

Additional Information:
Source Context                system_u:system_r:system_mail_t:s0
Target Context                system_u:system_r:pcscd_t:s0
Target Objects                Desconocido [ process ]
Source                        dotlockfile
Source Path                   dotlockfile
Port                          <Desconocido>
Host                          (removed)
Source RPM Packages           
Target RPM Packages           
Policy RPM                    selinux-policy-3.14.4-40.fc31.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 5.3.13-300.fc31.x86_64 #1 SMP Mon
                              Nov 25 17:25:25 UTC 2019 x86_64 x86_64
Alert Count                   2
First Seen                    2019-12-05 21:12:11 CST
Last Seen                     2019-12-05 21:12:16 CST
Local ID                      3d6126a6-cd76-49fa-8573-63d665905d46

Raw Audit Messages
type=AVC msg=audit(1575601936.409:103): avc:  denied  { signull } for  pid=1148 comm="dotlockfile" scontext=system_u:system_r:system_mail_t:s0 tcontext=system_u:system_r:pcscd_t:s0 tclass=process permissive=0


Hash: dotlockfile,system_mail_t,pcscd_t,process,signull

Version-Release number of selected component:
selinux-policy-3.14.4-40.fc31.noarch

Additional info:
component:      selinux-policy
reporter:       libreport-2.11.3
hashmarkername: setroubleshoot
kernel:         5.3.14-300.fc31.x86_64
type:           libreport

Comment 1 Lukas Vrabec 2020-03-06 09:19:32 UTC
commit 903f1bd5d9de277b5d88b157625f56f0c25ca1a3 (HEAD -> rawhide, origin/rawhide, origin/HEAD)
Author: Nikola Knazekova <nknazeko>
Date:   Thu Feb 20 10:42:59 2020 +0100

    Allow system_mail_t to signull pcscd_t
    
    Allow system_mail_t to check for existence of processes labeled as pcscd_t.
    
    Used new macro: https://github.com/fedora-selinux/selinux-policy-contrib/pull/208
    
    Fixed Bug: https://bugzilla.redhat.com/show_bug.cgi?id=1780796#

commit be4ec2e51fd693b329e329d23ff828caa2ff6ebb
Author: Nikola Knazekova <nknazeko>
Date:   Thu Feb 20 10:44:44 2020 +0100

    Create interface pcscd_signull
    
    Create interface which allows domain to send signulls to PC/SC Smart Card Daemon.
    
    Interface is used to allow system_mail_t to check for existence of processes labeled as pcscd_t: https://github.com/fedora-selinux/selinux-policy-contrib/pull/209
    
    Fixed Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1780796#

Backported also to F31.
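
The raw AVC record in the description names exactly the access the commits above grant: `signull` is the permission checked when a process sends signal 0 to another process, which only tests that the target exists. The following added example (not part of the bug report or of the selinux-policy project) parses that record and renders the type-enforcement rule it corresponds to; the function names are illustrative, and the duplicated input stands in for the report's alert count of 2.

```python
import re
from collections import defaultdict

# Raw audit record copied from the report above.
AVC_LINE = (
    'type=AVC msg=audit(1575601936.409:103): avc:  denied  { signull } for  '
    'pid=1148 comm="dotlockfile" scontext=system_u:system_r:system_mail_t:s0 '
    'tcontext=system_u:system_r:pcscd_t:s0 tclass=process permissive=0'
)

AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*)$'
)

def type_of(context):
    """Return the type field of a user:role:type:level SELinux context."""
    return context.split(":")[2]

def parse_avc(line):
    """Parse one AVC denial into perms, comm, source/target type and class."""
    m = AVC_RE.search(line)
    if m is None:
        raise ValueError("not an AVC denial record")
    fields = dict(re.findall(r'(\w+)=("[^"]*"|\S+)', m.group("fields")))
    return {
        "perms": m.group("perms").split(),
        "comm": fields["comm"].strip('"'),
        "source": type_of(fields["scontext"]),
        "target": type_of(fields["tcontext"]),
        "tclass": fields["tclass"],
        "enforced": fields.get("permissive") == "0",
    }

def allow_rules(lines):
    """Merge denials into one TE allow rule per (source, target, class)."""
    merged = defaultdict(set)
    for line in lines:
        rec = parse_avc(line)
        merged[(rec["source"], rec["target"], rec["tclass"])].update(rec["perms"])
    rules = []
    for (src, tgt, cls), perms in sorted(merged.items()):
        p = sorted(perms)
        perm_text = p[0] if len(p) == 1 else "{ " + " ".join(p) + " }"
        rules.append(f"allow {src} {tgt}:{cls} {perm_text};")
    return rules

if __name__ == "__main__":
    # Alert Count was 2: the repeated denial collapses into a single rule.
    print(allow_rules([AVC_LINE, AVC_LINE]))
```

Reviewing the rendered rule before loading any local module shows how narrow the request is: one source type, one target type, one permission on the `process` class.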

Comment 2 Fedora Update System 2020-03-24 09:40:32 UTC
FEDORA-2020-5afc749ee7 has been pushed to the Fedora 31 testing repository.
In a short time you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --advisory=FEDORA-2020-5afc749ee7`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2020-5afc749ee7

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

Comment 3 Fedora Update System 2020-04-02 09:54:30 UTC
FEDORA-2020-5afc749ee7 has been pushed to the Fedora 31 stable repository.
If the problem still persists, please make note of it in this bug report.