Bug 312651

Summary: SELinux is preventing /usr/bin/gnome-keyring-daemon (xdm_t) "ptrace" to (xdm_t).
Product: [Fedora] Fedora
Component: selinux-policy-targeted
Version: 8
Hardware: x86_64
OS: Linux
Status: CLOSED CURRENTRELEASE
Severity: low
Priority: low
Reporter: Matthew Saltzman <mjs>
Assignee: Daniel Walsh <dwalsh>
QA Contact: Ben Levenson <benl>
CC: christoph.wickert
Fixed In Version: Current
Doc Type: Bug Fix
Last Closed: 2008-01-30 19:05:26 UTC

Description Matthew Saltzman 2007-09-29 21:01:56 UTC
Description of problem:
SELinux denied access requested by /usr/bin/gnome-keyring-daemon. It is not
expected that this access is required by /usr/bin/gnome-keyring-daemon and this
access may signal an intrusion attempt. It is also possible that the specific
version or configuration of the application is causing it to require additional
access.

Version-Release number of selected component (if applicable):
selinux-policy-targeted-3.0.8-14.fc8.noarch

How reproducible:
Always

Steps to Reproduce:
1. Install pam_keyring and configure /etc/pam.d/gdm as shown below.
2. Log in via gdm.

Actual results:
AVC

Expected results:
No AVC

Additional info:
Source Context:  system_u:system_r:xdm_t:s0-s0:c0.c1023
Target Context:  system_u:system_r:xdm_t:s0-s0:c0.c1023
Target Objects:  None [ process ]
Affected RPM Packages:  gnome-keyring-2.19.90-1.fc8 [application]
Policy RPM:  selinux-policy-3.0.8-14.fc8
Selinux Enabled:  True
Policy Type:  targeted
MLS Enabled:  True
Enforcing Mode:  Enforcing
Plugin Name:  plugins.catchall
Host Name:  valkyrie.localdomain
Platform:  Linux valkyrie.localdomain 2.6.23-0.214.rc8.git2.fc8 #1 SMP Fri Sep
28 17:10:49 EDT 2007 x86_64 x86_64
Alert Count:  12
First Seen:  Fri 28 Sep 2007 07:28:11 PM EDT
Last Seen:  Sat 29 Sep 2007 04:38:40 PM EDT
Local ID:  11aacd48-c5e5-4bd2-b422-86d85bedf2e9
Line Numbers:  
Raw Audit Messages:  avc: denied { ptrace } for comm=gnome-keyring-d egid=500
euid=500 exe=/usr/bin/gnome-keyring-daemon exit=-13 fsgid=500 fsuid=500 gid=500
items=0 pid=3252 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 sgid=500
subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 suid=500 tclass=process
tcontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tty=(none) uid=500 

/etc/pam.d/gdm:

#%PAM-1.0
auth       required    pam_env.so
auth       optional    pam_keyring.so try_first_pass
#auth       sufficient  pam_unix.so likeauth nullok
auth       include     system-auth
auth       optional    pam_gnome_keyring.so auto_start
account    required    pam_nologin.so
account    include     system-auth
password   include     system-auth
session    required    pam_selinux.so close
session    optional    pam_keyinit.so force revoke
session    include     system-auth
session    required    pam_loginuid.so
session    optional    pam_console.so
session    required    pam_selinux.so open
session    optional    pam_gnome_keyring.so
session    optional    pam_keyring.so

Comment 1 Daniel Walsh 2007-10-01 19:49:54 UTC
Fixed in selinux-policy-3.0.8-16

Comment 2 Christoph Wickert 2007-12-02 22:19:07 UTC
I'm still seeing these errors in selinux-policy-3.0.8-58.fc8.


Comment 3 Daniel Walsh 2007-12-03 01:47:13 UTC
Please attach the errors.  Either the update failed or you are seeing different
errors.

Comment 4 Christoph Wickert 2007-12-05 13:35:01 UTC
Zusammenfassung
    SELinux hindert /usr/bin/gnome-keyring-daemon (xdm_t) "ptrace" am Zugriff
    auf <Unknown> (unconfined_t).

Detaillierte Beschreibung
    SELinux verweigerte den von /usr/bin/gnome-keyring-daemon angeforderten
    Zugriff. Da nicht davon ausgegangen wird, dass dieser Zugriff von /usr/bin
    /gnome-keyring-daemon benötigt wird, signalisiert dies möglicherweise
    einen Einbruchsversuch. Es ist außerdem möglich, dass diese spezielle
    Version oder Konfiguration der Anwendung den zusätzlichen Zugriff
    verursacht.

Zugriff erlauben
    Sie können ein lokales Richtlinienmodul generieren, um diesen Zugriff zu
    erlauben - siehe http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385
    Sie können den SELinux-Schutz auch komplett deaktivieren. Dies wird jedoch
    nicht empfohlen. Bitte reichen Sie einen
    http://bugzilla.redhat.com/bugzilla/enter_bug.cgi für dieses Paket ein.

Zusätzliche Informationen    

Quellkontext                  system_u:system_r:xdm_t:SystemLow-SystemHigh
Zielkontext                   user_u:system_r:unconfined_t
Zielobjekte                   None [ process ]
Betroffene RPM-Pakete         gnome-keyring-2.20.1-3.fc8 [application]
RPM-Richtlinie                selinux-policy-3.0.8-62.fc8
SELinux aktiviert             True
Richtlinienversion            targeted
MLS aktiviert                 True
Enforcing-Modus               Permissive
Plugin-Name                   plugins.catchall
Hostname                      wicktop.localdomain
Plattform                     Linux wicktop.localdomain 2.6.23.1-49.fc8 #1 SMP
                              Thu Nov 8 22:14:09 EST 2007 x86_64 x86_64
Anzahl der Alarme             121
First Seen                    Mi 28 Nov 2007 15:45:50 CET
Last Seen                     Mi 05 Dez 2007 14:28:22 CET
Local ID                      0a9a1d6f-66ba-4d14-9804-bc8970c39a26
Zeilennummern                 

Raw-Audit-Meldungen           

avc: denied { ptrace } for comm=gnome-keyring-d egid=500 euid=500
exe=/usr/bin/gnome-keyring-daemon exit=18 fsgid=500 fsuid=500 gid=500 items=0
pid=3241 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 sgid=500
subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 suid=500 tclass=process
tcontext=user_u:system_r:unconfined_t:s0 tty=(none) uid=500
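
The two raw audit messages on this page can be compared field by field to tell whether they are the same denial. The following is an added example, not part of the bug report or of any SELinux tool, and its function names are hypothetical. It reduces each message to the (source type, target type, class, permission) tuple that type enforcement matches on, and reads the syscall exit value to see whether the call was actually blocked.

```python
import re

# Raw audit messages copied from the description and from comment 4 (line wraps joined).
AVC_DESCRIPTION = (
    "avc: denied { ptrace } for comm=gnome-keyring-d egid=500 euid=500 "
    "exe=/usr/bin/gnome-keyring-daemon exit=-13 fsgid=500 fsuid=500 gid=500 "
    "items=0 pid=3252 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 sgid=500 "
    "subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 suid=500 tclass=process "
    "tcontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tty=(none) uid=500"
)
AVC_COMMENT_4 = (
    "avc: denied { ptrace } for comm=gnome-keyring-d egid=500 euid=500 "
    "exe=/usr/bin/gnome-keyring-daemon exit=18 fsgid=500 fsuid=500 gid=500 "
    "items=0 pid=3241 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 sgid=500 "
    "subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 suid=500 tclass=process "
    "tcontext=user_u:system_r:unconfined_t:s0 tty=(none) uid=500"
)

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)", re.S)

def context_type(context):
    """Return the type field of a user:role:type[:level] security context."""
    parts = context.split(":", 3)
    if len(parts) < 3:
        raise ValueError(f"not a security context: {context!r}")
    return parts[2]

def parse_avc(message):
    """Parse one 'avc: denied' message into the fields that identify the rule."""
    match = AVC_RE.search(message)
    if match is None:
        raise ValueError("no 'avc: denied' record found")
    fields = dict(kv.split("=", 1) for kv in match.group("fields").split() if "=" in kv)
    return {
        "perms": frozenset(match.group("perms").split()),
        "source_type": context_type(fields["scontext"]),
        "target_type": context_type(fields["tcontext"]),
        "tclass": fields["tclass"],
        # A negative exit is -errno: -13 is EACCES, so the call was really blocked.
        "syscall_failed": int(fields["exit"]) < 0,
    }

def rule_key(avc):
    """Type enforcement matches on (source type, target type, class, permissions)."""
    return (avc["source_type"], avc["target_type"], avc["tclass"], avc["perms"])

def same_denial(first, second):
    return rule_key(parse_avc(first)) == rule_key(parse_avc(second))
```

On the messages above, the description's denial is xdm_t to xdm_t with a failed call (exit=-13, reported under Enforcing), while comment 4's is xdm_t to unconfined_t with exit=18 (reported under Permissive).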

Comment 5 Daniel Walsh 2008-01-30 19:05:26 UTC
Bulk closing old selinux policy bugs that were in the modified state.  If the
bug is still not fixed, please reopen.