Bug 580585

Summary: SELinux is preventing /bin/login "sys_ptrace" access (pam_mount problem)
Product: Fedora
Reporter: Tomáš Trnka <tomastrnka>
Component: pam_mount
Assignee: Till Maas <opensource>
Status: CLOSED ERRATA
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: medium
Priority: low
Version: 12
CC: jpazdziora, opensource, steve
Hardware: All
OS: Linux
Fixed In Version: pam_mount-2.5-1.fc14
Doc Type: Bug Fix
Last Closed: 2010-09-04 04:52:54 UTC

Description Tomáš Trnka 2010-04-08 15:11:40 UTC
Description of problem:
When pam_mount is used to automatically mount/umount volumes on login/logout, the auto-umount requires the sys_ptrace capability to be allowed for the respective login program. That's because pam_mount walks /proc/<pid>/* to find processes accessing the mounted FS (in order to subsequently kill them). Under kdm everything works well (xdm does have the sys_ptrace access allowed), but tty logins using /bin/login cause an enormous burst of AVCs on logout.

Version-Release number of selected component (if applicable):
pam_mount-1.33-0.2T.x86_64 (my custom update fixing a segfault, but stock F12 pam_mount-1.32-1.fc12 exhibits the same bug)
selinux-policy-3.6.32-106.fc12

How reproducible:
On every TTY logout

Steps to Reproduce:
1. Install pam_mount and set it to kill processes on logout (<logout term="1"/> or so)
2. Login via TTY
3. Logout and watch your machine grind to a halt for a few minutes as setroubleshoot happily crunches hundreds of AVCs
Actual results:
Source Context                system_u:system_r:local_login_t:s0-s0:c0.c1023
Target Context                system_u:system_r:local_login_t:s0-s0:c0.c1023
Target Objects                None [ capability ]
Source                        login
Source Path                   /bin/login
Port                          <Unknown>
Host                          <Unknown>
Source RPM Packages           util-linux-ng-2.16.2-7.fc12
Target RPM Packages           
Policy RPM                    selinux-policy-3.6.32-106.fc12
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Plugin Name                   catchall
Host Name                     Bellatrix
Platform                      Linux Bellatrix 2.6.32.10-90.fc12.x86_64 #1 SMP
                              Tue Mar 23 09:47:08 UTC 2010 x86_64 x86_64
Alert Count                   10
First Seen                    Sat Nov 28 13:13:22 2009
Last Seen                     Sat Nov 28 13:13:22 2009
Local ID                      0fd67cff-b59d-4504-af72-ab83be3582b8
Line Numbers                  2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15,
                              16, 17, 18, 19, 20

Raw Audit Messages            

type=AVC msg=audit(1259410402.205:2496): avc:  denied  { sys_ptrace } for  pid=2054 comm="login" capability=19 scontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tcontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tclass=capability

type=SYSCALL msg=audit(1259410402.205:2496): arch=c000003e syscall=89 success=no exit=-13 a0=7fffbed1a5a0 a1=7fffbed1a290 a2=1ff a3=fffffffe items=0 ppid=1 pid=2054 auid=500 uid=0 gid=100 euid=0 suid=0 fsuid=0 egid=100 sgid=100 fsgid=100 tty=(none) ses=7 comm="login" exe="/bin/login" subj=system_u:system_r:local_login_t:s0-s0:c0.c1023 key=(null)

(Please disregard the First/Last Seen dates, this is made from a snippet of the resulting huge audit log.)

Expected results:
No AVCs reported, automatic killing on logout working.

Additional info:
A simple workaround: 
allow local_login_t self:capability sys_ptrace;
I'm currently using this but I think it's not a good solution since it requires us to grant sys_ptrace privileges to each and every program able to use pam_mount. The correct fix IMHO is to make pam_mount.so use an external binary to do the killing (it even currently provides one such binary, pmt-ofl, but doesn't use it) and grant sys_ptrace only to that binary.

I know this is more of a pam_mount bug than a policy one, but I wanted you SELinux guys to comment on which solution you feel is the best. I've already reported this upstream (but got no response) here: http://sourceforge.net/tracker/?func=detail&aid=2932814&group_id=41452&atid=430596
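The /proc walk the report describes, written out as an added example (this is my own illustration, not pam_mount's code or the pmt-ofl helper; the function names and the uses/idle/denied vocabulary are my choices). It reads the same links pam_mount consults to decide which processes to kill before unmounting, and shows the point the AVC is about: reading another uid's /proc/<pid>/{cwd,root,exe,fd/*} is gated by the kernel's ptrace access check, so without CAP_SYS_PTRACE those pids are simply invisible to the walk and the unmount later fails with EBUSY.

```shell
#!/bin/sh
# Added example, not pam_mount's code: emulate the /proc walk pam_mount does
# at logout to find processes still using a mounted volume.  Function names
# and the "uses/idle/denied" words are my own.
#
# Reading another process's /proc/<pid>/{cwd,root,exe,fd/*} links is subject
# to the kernel's ptrace access check; for a process owned by a different uid
# that check only passes with CAP_SYS_PTRACE, the capability the AVC in the
# report denies to local_login_t.

# path_under_mount PATH MOUNT: succeed if PATH is MOUNT or lies beneath it.
# The "/" separator is part of the test, so /home/username is not matched by
# a mount at /home/user.  A trailing slash on MOUNT is tolerated, and a
# MOUNT of "/" matches every absolute path.
path_under_mount() {
    base=${2%/}
    case "$1" in
        "$base"|"$base"/*) return 0 ;;
        *) return 1 ;;
    esac
}

# pid_uses_mount PID MOUNT: print one of
#   uses    - at least one of PID's paths lies under MOUNT
#   idle    - PID was inspected and holds nothing under MOUNT
#   denied  - none of PID's links could be read (EACCES without
#             CAP_SYS_PTRACE; kernel threads and pids that exited
#             mid-walk look the same from here)
pid_uses_mount() {
    pid=$1
    mnt=$2
    seen=0
    for link in "/proc/$pid/cwd" "/proc/$pid/root" "/proc/$pid/exe" /proc/"$pid"/fd/*; do
        target=$(readlink "$link" 2>/dev/null) || continue
        seen=1
        if path_under_mount "$target" "$mnt"; then
            echo uses
            return 0
        fi
    done
    if [ "$seen" -eq 1 ]; then echo idle; else echo denied; fi
    return 0
}

# procs_using_mount MOUNT: print the pids still using MOUNT, one per line,
# the way pam_mount decides whom to kill before unmounting.  Pids that could
# not be inspected are counted on stderr: a non-zero count after another
# user's processes were left behind means the privilege (or a policy rule
# granting it) is missing, and the unmount will fail with EBUSY.
procs_using_mount() {
    denied=0
    for dir in /proc/[0-9]*; do
        pid=${dir#/proc/}
        case $(pid_uses_mount "$pid" "$1") in
            uses)   echo "$pid" ;;
            denied) denied=$((denied + 1)) ;;
        esac
    done
    if [ "$denied" -gt 0 ]; then
        echo "warning: $denied pids could not be inspected; CAP_SYS_PTRACE needed" >&2
    fi
    return 0
}

# Usage: sh procwalk.sh /mount/point
if [ -n "${1:-}" ]; then
    procs_using_mount "$1"
fi
```

Run it twice against a volume with another user's shell sitting in it, once as that user and once as root: the unprivileged run reports the other user's pid only as "could not be inspected", which is exactly the situation /bin/login is in under the targeted policy once sys_ptrace is denied.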

Comment 1 Daniel Walsh 2010-04-08 19:46:23 UTC
That would seem to be the best long-term solution.  PAM is already execing helper programs for access to shadow.

Miroslav, for now can you add sys_ptrace to locallogin.te
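The interim rule from the report and Comment 1, packaged as a local loadable module (an added example, not from the bug report, the Fedora policy or pam_mount; the module name local_login_ptrace and the function names are my choices). Building it this way instead of patching locallogin.te means it can be removed again with one command once the pam_mount update that moves the killing into the pmt-ofl helper is installed. Note that the rule does what the reporter objects to: every program running as local_login_t, not just the /proc walk, gains sys_ptrace while the module is loaded.

```shell
#!/bin/sh
# Added example, not from the bug report or the Fedora policy: package the
# reporter's one-line workaround as a loadable policy module so it can be
# installed without touching the distribution policy and dropped again once
# the fixed pam_mount (pmt-ofl helper) is in place.  The module name and the
# function names are my choices.

MODULE=local_login_ptrace

# Emit the type-enforcement source.  Because this is compiled with
# "checkmodule -M -m" (plain policy language, no refpolicy macros), the types
# and classes the rule references must be declared in a require block.
write_te() {
    cat <<EOF
module $MODULE 1.0;

require {
    type local_login_t;
    class capability sys_ptrace;
}

# The workaround from the report: let /bin/login (local_login_t) read other
# users' /proc/<pid>/* entries while pam_mount looks for processes that
# still hold the volume open.
allow local_login_t self:capability sys_ptrace;
EOF
}

# Compile, package and load the module.  Needs root and policycoreutils.
install_module() {
    work=$(mktemp -d) || return 1
    write_te >"$work/$MODULE.te"
    checkmodule -M -m -o "$work/$MODULE.mod" "$work/$MODULE.te" &&
    semodule_package -o "$work/$MODULE.pp" -m "$work/$MODULE.mod" &&
    semodule -i "$work/$MODULE.pp"
    rc=$?
    rm -rf "$work"
    return $rc
}

# Check the rule is in the loaded policy, then reproduce (TTY login, logout)
# and confirm no new AVC for comm="login" is logged.
verify_module() {
    semodule -l | grep "^$MODULE" || return 1
    sesearch --allow -s local_login_t -t local_login_t -c capability -p sys_ptrace || return 1
    # ausearch exits non-zero when nothing matches, which is the outcome we want.
    if ausearch -m avc -c login -ts recent >/dev/null 2>&1; then
        echo "AVCs for login still present; inspect 'ausearch -m avc -c login -ts recent'" >&2
        return 1
    fi
    return 0
}

# Once the fixed pam_mount is installed, take the extra privilege away again.
remove_module() {
    semodule -r "$MODULE"
}

case "${1:-}" in
    show)    write_te ;;
    install) install_module ;;
    verify)  verify_module ;;
    remove)  remove_module ;;
esac
```

The same module can be produced from the raw audit line in the report with `audit2allow -M local_login_ptrace` fed the AVC record; writing the .te by hand just makes it explicit that the only thing being granted is the one capability, rather than whatever else happened to be in the log.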

Comment 2 Fedora Update System 2010-08-16 20:43:06 UTC
pam_mount-2.5-1.fc13,libHX-3.5-1.fc13 has been submitted as an update for Fedora 13.
http://admin.fedoraproject.org/updates/pam_mount-2.5-1.fc13,libHX-3.5-1.fc13

Comment 3 Fedora Update System 2010-08-16 20:43:24 UTC
pam_mount-2.5-1.fc12,libHX-3.5-1.fc12 has been submitted as an update for Fedora 12.
http://admin.fedoraproject.org/updates/pam_mount-2.5-1.fc12,libHX-3.5-1.fc12

Comment 4 Fedora Update System 2010-08-16 20:43:44 UTC
pam_mount-2.5-1.fc14,libHX-3.5-1.fc14 has been submitted as an update for Fedora 14.
http://admin.fedoraproject.org/updates/pam_mount-2.5-1.fc14,libHX-3.5-1.fc14

Comment 5 Fedora Update System 2010-08-17 19:36:07 UTC
pam_mount-2.5-1.fc14, libHX-3.6-1.fc14 has been pushed to the Fedora 14 testing repository.  If problems still persist, please make note of it in this bug report.
If you want to test the update, you can install it with
su -c 'yum --enablerepo=updates-testing update pam_mount libHX'.  You can provide feedback for this update here: http://admin.fedoraproject.org/updates/pam_mount-2.5-1.fc14,libHX-3.6-1.fc14

Comment 6 Fedora Update System 2010-09-04 04:52:28 UTC
pam_mount-2.5-1.fc12, libHX-3.6-1.fc12 has been pushed to the Fedora 12 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 7 Fedora Update System 2010-09-04 04:56:27 UTC
pam_mount-2.5-1.fc13, libHX-3.6-1.fc13 has been pushed to the Fedora 13 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 8 Fedora Update System 2010-10-28 22:20:09 UTC
pam_mount-2.5-1.fc14, libHX-3.6-1.fc14 has been pushed to the Fedora 14 stable repository.  If problems still persist, please make note of it in this bug report.