Bug 2165996
| Summary: | SELinux is preventing cockpit-session from 'execute' accesses on the file /usr/bin/gnome-keyring-daemon. | | |
|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | kb1000 <kaeptmblaubaer1000> |
| Component: | cockpit | Assignee: | Martin Pitt <mpitt> |
| Status: | CLOSED CURRENTRELEASE | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
| Severity: | unspecified | Docs Contact: | |
| Priority: | unspecified | | |
| Version: | 37 | CC: | k.koukiou, lvrabec, mmarusak, mpitt, patrick, stefw, user-cont-team+packit-fas, zpytela |
| Target Milestone: | --- | | |
| Target Release: | --- | | |
| Hardware: | x86_64 | | |
| OS: | Unspecified | | |
| Whiteboard: | abrt_hash:2a8aaca7549d8863b342cccc2c5f974c8256846b942335c15abbb4ba6ff95d06;VARIANT_ID=kde; | | |
| Fixed In Version: | | Doc Type: | If docs needed, set a value |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2023-04-19 12:48:42 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
Lukas, Zdenek, do you have any guidance for us here? It's not clear to me how to write such gnome-specific transitions in our https://github.com/cockpit-project/cockpit/blob/main/selinux/cockpit.te , it seems there is no previous case for that. Would that be something like can_exec(cockpit_session_t,gkeyringd_exec_t)? Can I just declare such "foreign"/external types? Thanks!

This feels a bit odd -- certainly lots of people and our own developers have connected to their own laptop with GNOME. There does not seem to be a generic domain to transition to, only user ones:

```
f37# sesearch -T -t gkeyringd_exec_t -c process
type_transition staff_dbusd_t gkeyringd_exec_t:process staff_gkeyringd_t;
type_transition staff_t gkeyringd_exec_t:process staff_gkeyringd_t;
type_transition sysadm_dbusd_t gkeyringd_exec_t:process sysadm_gkeyringd_t;
type_transition sysadm_t gkeyringd_exec_t:process sysadm_gkeyringd_t;
type_transition unconfined_dbusd_t gkeyringd_exec_t:process unconfined_t;
type_transition user_dbusd_t gkeyringd_exec_t:process user_gkeyringd_t;
type_transition user_t gkeyringd_exec_t:process user_gkeyringd_t;
type_transition xguest_dbusd_t gkeyringd_exec_t:process xguest_gkeyringd_t;
type_transition xguest_t gkeyringd_exec_t:process xguest_gkeyringd_t;

f37# seinfo -xa gkeyringd_domain
Type Attributes: 1
   attribute gkeyringd_domain;
      staff_gkeyringd_t
      sysadm_gkeyringd_t
      user_gkeyringd_t
      xguest_gkeyringd_t
```
Do you think you need a transition and gnome_exec_keyringd() is not sufficient?
Zdenek: TBH I have absolutely no idea what I need here :-) Would that be something like in ssh.te?

```
optional_policy(`
    gnome_exec_keyringd(cockpit_session_t)
')
```

This looks plausible at least and builds. I sent it to https://github.com/cockpit-project/cockpit/pull/18279 to get CI's opinion.

Thanks!
Martin, That's correct, I'm sorry, I will be more verbose next time.

That fix landed some months ago.
Description of problem:
Reproduction steps: Just connect to local cockpit using username/password

SELinux is preventing cockpit-session from 'execute' accesses on the file /usr/bin/gnome-keyring-daemon.

```
*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that cockpit-session should be allowed execute access on the gnome-keyring-daemon file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'cockpit-session' --raw | audit2allow -M my-cockpitsession
# semodule -X 300 -i my-cockpitsession.pp

Additional Information:
Source Context                system_u:system_r:cockpit_session_t:s0
Target Context                system_u:object_r:gkeyringd_exec_t:s0
Target Objects                /usr/bin/gnome-keyring-daemon [ file ]
Source                        cockpit-session
Source Path                   cockpit-session
Port                          <Unknown>
Host                          (removed)
Source RPM Packages
Target RPM Packages           gnome-keyring-42.1-2.fc37.x86_64
SELinux Policy RPM            selinux-policy-targeted-37.18-1.fc37.noarch
Local Policy RPM              cockpit-ws-283-1.fc37.x86_64
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 6.1.7-200.fc37.x86_64 #1 SMP
                              PREEMPT_DYNAMIC Wed Jan 18 17:11:49 UTC 2023
                              x86_64 x86_64
Alert Count                   12
First Seen                    2023-01-26 19:39:53 CET
Last Seen                     2023-01-31 17:18:49 CET
Local ID                      bcfabe43-10d1-453a-bff4-4176d1543550

Raw Audit Messages
type=AVC msg=audit(1675181929.352:978): avc: denied { execute } for pid=82943 comm="cockpit-session" name="gnome-keyring-daemon" dev="nvme0n1p5" ino=7645081 scontext=system_u:system_r:cockpit_session_t:s0 tcontext=system_u:object_r:gkeyringd_exec_t:s0 tclass=file permissive=0

Hash: cockpit-session,cockpit_session_t,gkeyringd_exec_t,file,execute
```

Version-Release number of selected component:
selinux-policy-targeted-37.18-1.fc37.noarch

Additional info:
component: cockpit
reporter: libreport-2.17.4
hashmarkername: setroubleshoot
kernel: 6.1.7-200.fc37.x86_64
type: libreport
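Added example, not code from cockpit, selinux-policy or audit2allow: a small parser that turns raw AVC records like the one in this report into the allow rule and module skeleton that the `ausearch ... | audit2allow -M my-cockpitsession` workaround in the report would generate, so it is visible exactly what the local module grants. The sample input is constructed: the first record is the one from this report, the second is an invented follow-up denial for the same source/target/class pair (added only to show how permissions are merged into one rule), and the third is a non-AVC audit record that must be ignored. The output layout imitates audit2allow's `module ... / require { } / allow` form; it is not produced by that tool.

```python
import re
from collections import OrderedDict

# Constructed sample input. Record 1 is the raw audit message from this report
# (whitespace as rendered on the page); record 2 is an invented follow-up
# denial for the same pair, present only to demonstrate permission merging;
# record 3 is a non-AVC record that a parser must skip.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1675181929.352:978): avc: denied { execute } for pid=82943 comm="cockpit-session" name="gnome-keyring-daemon" dev="nvme0n1p5" ino=7645081 scontext=system_u:system_r:cockpit_session_t:s0 tcontext=system_u:object_r:gkeyringd_exec_t:s0 tclass=file permissive=0
type=AVC msg=audit(1675181929.400:979): avc: denied { read open } for pid=82943 comm="cockpit-session" name="gnome-keyring-daemon" dev="nvme0n1p5" ino=7645081 scontext=system_u:system_r:cockpit_session_t:s0 tcontext=system_u:object_r:gkeyringd_exec_t:s0 tclass=file permissive=0
type=SYSCALL msg=audit(1675181929.352:978): arch=c000003e syscall=59 success=no exit=-13
"""

# Fields of an AVC denial: the braced permission list, both security
# contexts, the object class and (on recent kernels) the permissive flag.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"\bscontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\S+)"
    r"(?:\s+permissive=(?P<permissive>[01]))?"
)


def context_type(ctx):
    """Return the type component of a user:role:type[:range] context."""
    fields = ctx.split(":")
    if len(fields) < 3:
        raise ValueError("not a security context: %r" % ctx)
    return fields[2]


def parse_avc(text):
    """Yield (src_type, tgt_type, tclass, perms, permissive) per AVC record.

    Records of other audit types (SYSCALL, PATH, CWD, ...) are skipped.
    """
    for line in text.splitlines():
        if "type=AVC" not in line:
            continue
        m = AVC_RE.search(line)
        if m is None:
            raise ValueError("unparseable AVC record: %r" % line)
        yield (
            context_type(m.group("scon")),
            context_type(m.group("tcon")),
            m.group("tclass"),
            set(m.group("perms").split()),
            m.group("permissive") == "1",
        )


def collect_rules(text):
    """Merge denials into {(src, tgt, tclass): perms}; one allow rule each."""
    rules = OrderedDict()
    for src, tgt, tclass, perms, _permissive in parse_avc(text):
        rules.setdefault((src, tgt, tclass), set()).update(perms)
    return rules


def perm_set(perms):
    """Render a permission set in policy syntax: 'execute' or '{ a b c }'."""
    perms = sorted(perms)
    return perms[0] if len(perms) == 1 else "{ %s }" % " ".join(perms)


def build_module(name, text):
    """Render loadable-module source in the layout 'audit2allow -M' uses."""
    rules = collect_rules(text)
    types = sorted({s for s, _, _ in rules} | {t for _, t, _ in rules})
    classes = OrderedDict()
    for (_, _, tclass), perms in rules.items():
        classes.setdefault(tclass, set()).update(perms)
    out = ["module %s 1.0;" % name, "", "require {"]
    out += ["\ttype %s;" % t for t in types]
    out += ["\tclass %s %s;" % (c, perm_set(p)) for c, p in classes.items()]
    out += ["}", ""]
    current_src = None
    for (src, tgt, tclass), perms in rules.items():
        if src != current_src:
            out.append("#============= %s ==============" % src)
            current_src = src
        out.append("allow %s %s:%s %s;" % (src, tgt, tclass, perm_set(perms)))
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    print(build_module("my-cockpitsession", SAMPLE_AUDIT))
```

Run against only the report's own record this yields `allow cockpit_session_t gkeyringd_exec_t:file execute;`, which is all the suggested local module would grant. Two caveats worth keeping in mind: a generated module only reflects denials that were actually logged, and because the denied `execute` check fails the exec, permissions that would have been checked afterwards (for instance `execute_no_trans` when no domain transition is defined, which the `sesearch` output above shows is the case for `cockpit_session_t`) do not appear in the log until this one is allowed; and a raw allow rule hard-codes a type owned by another package's policy, which is why the thread settles on calling the gnome interface `gnome_exec_keyringd(cockpit_session_t)` inside `optional_policy()` in cockpit.te instead of shipping a local allow.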