Bug 2015539

Summary: login produces an AVC checking /sys/fs/cgroup when fingerprint is configured
Product: Red Hat Enterprise Linux 8
Reporter: Renaud Métrich <rmetrich>
Component: selinux-policy
Assignee: Zdenek Pytela <zpytela>
Status: CLOSED ERRATA
QA Contact: Milos Malik <mmalik>
Severity: medium
Docs Contact:
Priority: medium
Version: 8.4
CC: lvrabec, mmalik, ssekidde, tscherf, zpytela
Target Milestone: rc
Keywords: AutoVerified, Triaged
Target Release: 8.6
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version: selinux-policy-3.14.3-86.el8
Doc Type: No Doc Update
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2022-05-10 15:15:37 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:

Description Renaud Métrich 2021-10-19 13:11:05 UTC
Description of problem:

When the system is configured for fingerprint authentication, the login binary produces an AVC when trying to stat /sys/fs/cgroup (and sub-directories):
-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------
type=PROCTITLE msg=audit(10/19/2021 14:49:34.095:19264) : proctitle=/sbin/agetty -o -p -- \u --keep-baud 115200,38400,9600 ttyS0 vt220 
type=PATH msg=audit(10/19/2021 14:49:34.095:19264) : item=0 name=/sys/fs/cgroup/ inode=11795 dev=00:19 mode=dir,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:cgroup_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 
type=CWD msg=audit(10/19/2021 14:49:34.095:19264) : cwd=/ 
type=SYSCALL msg=audit(10/19/2021 14:49:34.095:19264) : arch=x86_64 syscall=statfs success=no exit=EACCES(Permission denied) a0=0x7fd2780e2c89 a1=0x7ffd75ae4a70 a2=0x5610e1723600 a3=0x0 items=1 ppid=1 pid=16023 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=ttyS0 ses=unset comm=login exe=/usr/bin/login subj=system_u:system_r:local_login_t:s0-s0:c0.c1023 key=(null) 
type=AVC msg=audit(10/19/2021 14:49:34.095:19264) : avc:  denied  { getattr } for  pid=16023 comm=login name=/ dev="tmpfs" ino=11795 scontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tcontext=system_u:object_r:tmpfs_t:s0 tclass=filesystem permissive=0 
-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------

Digging into this, it appears that pam_fprintd uses the systemd library call sd_session_is_remote() to find out whether the login is remote.
Internally, this code relies on checking the cgroup.

Below is the full backtrace of operations for reference:
-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------
(gdb) bt
#0  0x00007efdd1fbefdb in statfs64 () at ../sysdeps/unix/syscall-template.S:78
#1  0x00007efdc3dbc72a in cg_unified_update.part () from /lib64/libsystemd.so.0
#2  0x00007efdc3dbdea5 in cg_unified_controller () from /lib64/libsystemd.so.0
#3  0x00007efdc3dbdf23 in cg_pid_get_path () from /lib64/libsystemd.so.0
#4  0x00007efdc3dbe521 in cg_pid_get_path_shifted () from /lib64/libsystemd.so.0
#5  0x00007efdc3dbe84f in cg_pid_get_session () from /lib64/libsystemd.so.0
#6  0x00007efdc3d93706 in sd_pid_get_session () from /lib64/libsystemd.so.0
#7  0x00007efdc3d937f5 in file_of_session () from /lib64/libsystemd.so.0
#8  0x00007efdc3d94766 in sd_session_is_remote () from /lib64/libsystemd.so.0
#9  0x00007efdc40626f0 in is_remote (pamh=0x55fff7e72630) at ../pam/pam_fprintd.c:728
#10 pam_sm_authenticate (pamh=0x55fff7e72630, flags=<optimized out>, argc=0, argv=0x0) at ../pam/pam_fprintd.c:744
#11 0x00007efdd28f27b4 in _pam_dispatch_aux (use_cached_chain=<optimized out>, resumed=<optimized out>, 
    h=0x55fff7e82c90, flags=0, pamh=0x55fff7e72630) at pam_dispatch.c:110
#12 _pam_dispatch (pamh=pamh@entry=0x55fff7e72630, flags=0, choice=choice@entry=1) at pam_dispatch.c:426
#13 0x00007efdd28f2083 in pam_authenticate (pamh=0x55fff7e72630, flags=<optimized out>) at pam_auth.c:34
#14 0x000055fff6f50e4f in loginpam_auth (cxt=0x7ffdf0f697f0) at login-utils/login.c:771
#15 main (argc=<optimized out>, argv=<optimized out>) at login-utils/login.c:1229
(gdb) f 9
#9  0x00007efdc40626f0 in is_remote (pamh=0x55fff7e72630) at ../pam/pam_fprintd.c:728
728      if (sd_session_is_remote (NULL) > 0)
729     return true;
730 
731   return false;
732 }
-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------

The AVC ends up making sd_session_is_remote() always return an error, so the code on line 729 is never reachable.

The solution is to add allow rules to the local_login_t type to permit this:
we cannot dontaudit here, since pam_fprintd potentially really needs to know whether the login is remote or not.

When moving to permissive, more such AVCs are seen on sub-directories of /sys/fs/cgroup, labeled similarly.


Version-Release number of selected component (if applicable):

selinux-policy-3.14.3-67.el8_4.2.noarch


How reproducible:

ALWAYS

Steps to Reproduce:
1. Configure the system to use sssd + with-fingerprint

  # authselect select sssd --force
  # authselect enable-feature with-fingerprint


2. Login on the console or serial console

Actual results:

AVCs

Expected results:

No AVCs
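As an added example (not part of the bug report or of the selinux-policy project), the script below does by hand what the report's diagnosis implies: it reads the AVC record quoted above, reduces each denial to the (source type, target type, class, permissions) tuple that SELinux actually evaluated, and prints the allow rule the policy would need, in this case `allow local_login_t tmpfs_t:filesystem { getattr };`, which is what the later commit "Allow local_login_t get attributes of tmpfs filesystems" describes. The first record in SAMPLE_AUDIT is the real one from the report; the two records that follow are constructed here to stand in for the sub-directory denials the reporter mentions seeing in permissive mode (their dev, ino, class and labels are assumptions, not taken from the page). The CWD record is included only to show that non-AVC records are skipped.

```python
import re
from collections import defaultdict

# Constructed sample: line 1 is the AVC quoted in the report; lines 2-3 are
# assumed follow-on denials of the kind seen in permissive mode; line 4 is the
# report's CWD record, which the parser must ignore.
SAMPLE_AUDIT = """\
type=AVC msg=audit(10/19/2021 14:49:34.095:19264) : avc:  denied  { getattr } for  pid=16023 comm=login name=/ dev="tmpfs" ino=11795 scontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tcontext=system_u:object_r:tmpfs_t:s0 tclass=filesystem permissive=0
type=AVC msg=audit(10/19/2021 14:49:34.101:19265) : avc:  denied  { getattr } for  pid=16023 comm=login name=/ dev="tmpfs" ino=11795 scontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tcontext=system_u:object_r:tmpfs_t:s0 tclass=filesystem permissive=1
type=AVC msg=audit(10/19/2021 14:49:34.102:19266) : avc:  denied  { search } for  pid=16023 comm=login name="systemd" dev="cgroup" ino=2 scontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tcontext=system_u:object_r:cgroup_t:s0 tclass=dir permissive=1
type=CWD msg=audit(10/19/2021 14:49:34.095:19264) : cwd=/
"""

# Matches the permission set and the three fields a TE rule is built from.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)


def context_type(ctx):
    """Extract the type field from a user:role:type[:range] security context."""
    return ctx.split(":")[2]


def parse_avc_denials(text):
    """Yield (source_type, target_type, tclass, perms, enforcing) per AVC record.

    'enforcing' is True when permissive=0, i.e. the syscall really failed
    (EACCES in the SYSCALL record), as opposed to being logged only.
    """
    for line in text.splitlines():
        if "type=AVC" not in line:
            continue
        m = AVC_RE.search(line)
        if not m:
            continue
        enforcing = "permissive=0" in line
        yield (
            context_type(m["scontext"]),
            context_type(m["tcontext"]),
            m["tclass"],
            frozenset(m["perms"].split()),
            enforcing,
        )


def allow_rules(text):
    """Merge denials with the same (source, target, class) into one allow rule each."""
    merged = defaultdict(set)
    for src, tgt, cls, perms, _ in parse_avc_denials(text):
        merged[(src, tgt, cls)] |= perms
    return sorted(
        f"allow {src} {tgt}:{cls} {{ {' '.join(sorted(perms))} }};"
        for (src, tgt, cls), perms in merged.items()
    )


def enforcing_denials(text):
    """Return only the denials that actually blocked an operation (permissive=0)."""
    return [(s, t, c, sorted(p)) for s, t, c, p, enf in parse_avc_denials(text) if enf]


if __name__ == "__main__":
    for rule in allow_rules(SAMPLE_AUDIT):
        print(rule)
    print("blocked in enforcing mode:", enforcing_denials(SAMPLE_AUDIT))
```

The rule is derived from the AVC's tcontext (tmpfs_t, the filesystem's own label), not from the PATH record's obj= field (cgroup_t), because the denied class is `filesystem`: statfs() is checked against the superblock label, which is why the fix targets tmpfs filesystems rather than cgroup_t. On a real system the same rule can be checked against the installed policy with `sesearch -A -s local_login_t -t tmpfs_t -c filesystem -p getattr` before and after updating selinux-policy.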

Comment 1 Zdenek Pytela 2021-10-25 09:44:23 UTC
This commit needs to be backported:

commit f60ceda859cc22c0f69570fdcd68b3be9abb71f9
Author: Zdenek Pytela <zpytela>
Date:   Fri Mar 19 16:55:32 2021 +0100

    Allow local_login_t get attributes of tmpfs filesystems

    This permission is required when the system booted with cgroups v1.

    Resolves: rhbz#1898386

and this one considered, too:
commit 6ee758e51c949c84f92dd221e24c9b4c20a46faf
Author: Zdenek Pytela <zpytela>
Date:   Thu Feb 25 22:24:15 2021 +0100

    Allow local_login_t get attributes of filesystems with ext attributes

    Resolves: rhbz#1932458

Comment 14 Renaud Métrich 2022-03-09 10:30:49 UTC
*** Bug 2062163 has been marked as a duplicate of this bug. ***

Comment 16 errata-xmlrpc 2022-05-10 15:15:37 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (selinux-policy bug fix and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2022:1995