Bug 622078

Summary: SELinux targeted policy blocks use of pam_pkcs11
Product: Fedora
Component: selinux-policy-targeted
Version: rawhide
Hardware: All
OS: Linux
Status: CLOSED ERRATA
Severity: medium
Priority: low
Reporter: W. Michael Petullo <mike>
Assignee: Daniel Walsh <dwalsh>
QA Contact: Ben Levenson <benl>
Fixed In Version: selinux-policy-3.8.8-20.fc14
Doc Type: Bug Fix
Last Closed: 2010-09-01 06:02:38 UTC

Description W. Michael Petullo 2010-08-07 04:36:56 UTC
Description of problem:
SELinux targeted policy blocks use of pam_pkcs11

Version-Release number of selected component (if applicable):
selinux-policy-targeted-3.8.8-8.fc14.noarch

How reproducible:
Every time

Steps to Reproduce:
1. Install and configure pam_pkcs11 to allow logging in to a system using a smartcard
2. Attempt to log in at a text console using a smartcard
  
Actual results:
type=AVC msg=audit(1281155601.917:250): avc:  denied  { getattr } for  pid=1915 comm="login" path="/var/run/pcscd.comm" dev=dm-1 ino=5243616 scontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_run_t:s0 tclass=sock_file
type=SYSCALL msg=audit(1281155601.917:250): arch=c000003e syscall=4 success=yes exit=0 a0=7fd806163c0b a1=7fff9a1d0d90 a2=7fff9a1d0d90 a3=7fff9a1d0a60 items=0 ppid=1 pid=1915 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=tty2 ses=4294967295 comm="login" exe="/bin/login" subj=system_u:system_r:local_login_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1281155601.917:251): avc:  denied  { read } for  pid=1915 comm="login" name="pcscd.pid" dev=dm-1 ino=5243615 scontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_run_t:s0 tclass=file
type=AVC msg=audit(1281155601.917:251): avc:  denied  { open } for  pid=1915 comm="login" name="pcscd.pid" dev=dm-1 ino=5243615 scontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_run_t:s0 tclass=file
type=SYSCALL msg=audit(1281155601.917:251): arch=c000003e syscall=2 success=yes exit=7 a0=7fd806164203 a1=0 a2=1b6 a3=0 items=0 ppid=1 pid=1915 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=tty2 ses=4294967295 comm="login" exe="/bin/login" subj=system_u:system_r:local_login_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1281155601.917:252): avc:  denied  { getattr } for  pid=1915 comm="login" path="/var/run/pcscd.pid" dev=dm-1 ino=5243615 scontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_run_t:s0 tclass=file
type=SYSCALL msg=audit(1281155601.917:252): arch=c000003e syscall=5 success=yes exit=0 a0=7 a1=7fff9a1d0be0 a2=7fff9a1d0be0 a3=7fff9a1d0ac0 items=0 ppid=1 pid=1915 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=tty2 ses=4294967295 comm="login" exe="/bin/login" subj=system_u:system_r:local_login_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1281155601.918:253): avc:  denied  { write } for  pid=1915 comm="login" name="pcscd.comm" dev=dm-1 ino=5243616 scontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_run_t:s0 tclass=sock_file
type=SYSCALL msg=audit(1281155601.918:253): arch=c000003e syscall=42 success=yes exit=0 a0=7 a1=7fff9a1d0d90 a2=16 a3=7fff9a1d0ae0 items=0 ppid=1 pid=1915 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=tty2 ses=4294967295 comm="login" exe="/bin/login" subj=system_u:system_r:local_login_t:s0-s0:c0.c1023 key=(null)
type=USER_AUTH msg=audit(1281155606.432:254): user pid=1915 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:local_login_t:s0-s0:c0.c1023 msg='op=PAM:authentication acct="mike" exe="/bin/login" hostname=? addr=? terminal=tty2 res=success'
type=USER_ACCT msg=audit(1281155606.433:255): user pid=1915 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:local_login_t:s0-s0:c0.c1023 msg='op=PAM:accounting acct="mike" exe="/bin/login" hostname=? addr=? terminal=tty2 res=success'
type=LOGIN msg=audit(1281155606.437:256): login pid=1915 uid=0 old auid=4294967295 new auid=1101 old ses=4294967295 new ses=3
type=USER_ROLE_CHANGE msg=audit(1281155606.537:257): user pid=1915 uid=0 auid=1101 ses=3 subj=system_u:system_r:local_login_t:s0-s0:c0.c1023 msg='pam: default-context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 selected-context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023: exe="/bin/login" hostname=? addr=? terminal=tty2 res=success'
type=USER_START msg=audit(1281155606.616:258): user pid=1915 uid=0 auid=1101 ses=3 subj=system_u:system_r:local_login_t:s0-s0:c0.c1023 msg='op=PAM:session_open acct="mike" exe="/bin/login" hostname=? addr=? terminal=tty2 res=success'
type=CRED_ACQ msg=audit(1281155606.619:259): user pid=1915 uid=0 auid=1101 ses=3 subj=system_u:system_r:local_login_t:s0-s0:c0.c1023 msg='op=PAM:setcred acct="mike" exe="/bin/login" hostname=? addr=? terminal=tty2 res=success'
type=USER_LOGIN msg=audit(1281155606.620:260): user pid=1915 uid=0 auid=1101 ses=3 subj=system_u:system_r:local_login_t:s0-s0:c0.c1023 msg='op=login id=1101 exe="/bin/login" hostname=?

Expected results:
User login should be allowed

Additional info:
Login works after "echo 0 > /selinux/enforce"

When running pcscd manually using "service pcscd start," I get:

type=AVC msg=audit(1281156118.657:297): avc:  denied  { read } for  pid=2257 comm="pcscd" name="devices" dev=sysfs ino=3363 scontext=unconfined_u:system_r:pcscd_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=dir
type=SYSCALL msg=audit(1281156118.657:297): arch=c000003e syscall=2 success=yes exit=6 a0=7f06a507b246 a1=90800 a2=7f06a507a680 a3=50 items=0 ppid=2256 pid=2257 auid=1101 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts3 ses=1 comm="pcscd" exe="/usr/sbin/pcscd" subj=unconfined_u:system_r:pcscd_t:s0 key=(null)
type=AVC msg=audit(1281156118.657:298): avc:  denied  { read } for  pid=2257 comm="pcscd" name="usb1" dev=sysfs ino=11895 scontext=unconfined_u:system_r:pcscd_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=lnk_file
type=AVC msg=audit(1281156118.657:298): avc:  denied  { getattr } for  pid=2257 comm="pcscd" path="/sys/devices/pci0000:00/0000:00:04.1/usb1/descriptors" dev=sysfs ino=11905 scontext=unconfined_u:system_r:pcscd_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=file
type=SYSCALL msg=audit(1281156118.657:298): arch=c000003e syscall=4 success=yes exit=0 a0=7fff33e39750 a1=7fff33e396b0 a2=7fff33e396b0 a3=7fff33e39410 items=0 ppid=2256 pid=2257 auid=1101 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts3 ses=1 comm="pcscd" exe="/usr/sbin/pcscd" subj=unconfined_u:system_r:pcscd_t:s0 key=(null)
type=AVC msg=audit(1281156118.658:299): avc:  denied  { read } for  pid=2257 comm="pcscd" name="busnum" dev=sysfs ino=11883 scontext=unconfined_u:system_r:pcscd_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=file
type=AVC msg=audit(1281156118.658:299): avc:  denied  { open } for  pid=2257 comm="pcscd" name="busnum" dev=sysfs ino=11883 scontext=unconfined_u:system_r:pcscd_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=file
type=SYSCALL msg=audit(1281156118.658:299): arch=c000003e syscall=2 success=yes exit=7 a0=7fff33e39750 a1=0 a2=1b6 a3=0 items=0 ppid=2256 pid=2257 auid=1101 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts3 ses=1 comm="pcscd" exe="/usr/sbin/pcscd" subj=unconfined_u:system_r:pcscd_t:s0 key=(null)

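The denials above are easiest to triage once they are collapsed by source type, target type and object class, which is exactly the shape an SELinux allow rule takes. The following script is an added example, not part of this bug report or of the selinux-policy package: it parses AVC records like those quoted here (the sample lines are constructed from the ones in this report, with the SYSCALL record shortened), aggregates the requested permissions per (source type, target type, class), and flags denials whose source context carries a login user rather than system_u, which is the telltale of a daemon started from an interactive shell instead of by init, the situation comment 1 asks reporters to exclude.

```python
import re
from collections import defaultdict

# Constructed sample: the login denials on pcscd's socket/pid file and one
# denial from pcscd started by hand, as quoted in this bug (SYSCALL shortened).
SAMPLE_AUDIT = """\
type=AVC msg=audit(1281155601.917:250): avc:  denied  { getattr } for  pid=1915 comm="login" path="/var/run/pcscd.comm" dev=dm-1 ino=5243616 scontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_run_t:s0 tclass=sock_file
type=SYSCALL msg=audit(1281155601.917:250): arch=c000003e syscall=4 success=yes exit=0 comm="login"
type=AVC msg=audit(1281155601.917:251): avc:  denied  { read } for  pid=1915 comm="login" name="pcscd.pid" dev=dm-1 ino=5243615 scontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_run_t:s0 tclass=file
type=AVC msg=audit(1281155601.917:251): avc:  denied  { open } for  pid=1915 comm="login" name="pcscd.pid" dev=dm-1 ino=5243615 scontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_run_t:s0 tclass=file
type=AVC msg=audit(1281155601.918:253): avc:  denied  { write } for  pid=1915 comm="login" name="pcscd.comm" dev=dm-1 ino=5243616 scontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_run_t:s0 tclass=sock_file
type=AVC msg=audit(1281156118.657:297): avc:  denied  { read } for  pid=2257 comm="pcscd" name="devices" dev=sysfs ino=3363 scontext=unconfined_u:system_r:pcscd_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=dir
"""

AVC_RE = re.compile(
    r'type=AVC .*?avc:\s+denied\s+\{ (?P<perms>[^}]+)\} for .*?comm="(?P<comm>[^"]+)"'
    r'.*?scontext=(?P<scontext>\S+) tcontext=(?P<tcontext>\S+) tclass=(?P<tclass>\S+)'
)

def parse_avc(text):
    """Yield one dict per AVC denial; SYSCALL/USER_* records are skipped."""
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if m:
            d = m.groupdict()
            d["perms"] = set(d["perms"].split())
            yield d

def summarize(text):
    """Collapse denials into (source type, target type, class) -> permissions,
    the grouping an 'allow src tgt:class { perms };' rule is written in."""
    rules = defaultdict(set)
    for d in parse_avc(text):
        stype = d["scontext"].split(":")[2]   # user:role:TYPE:range
        ttype = d["tcontext"].split(":")[2]
        rules[(stype, ttype, d["tclass"])] |= d["perms"]
    return dict(rules)

def started_outside_init(text):
    """Commands whose source context has a login SELinux user instead of
    system_u: the process was launched from a session, not by init."""
    return sorted({d["comm"] for d in parse_avc(text)
                   if not d["scontext"].startswith("system_u:")})

if __name__ == "__main__":
    for (s, t, c), perms in sorted(summarize(SAMPLE_AUDIT).items()):
        print(f"allow {s} {t}:{c} {{ {' '.join(sorted(perms))} }};")
    print("started outside init scripts:", started_outside_init(SAMPLE_AUDIT))
```

The output for the login denials is the two rules the updated policy has to provide for local_login_t on var_run_t; the pcscd_t line is reported separately because its unconfined_u source user shows it was produced by a manual start.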
Comment 1 Daniel Walsh 2010-08-10 15:51:09 UTC
Do not report bugs when you run pcscd outside of the init scripts.  

The other bugs should be fixed in the latest selinux policy

yum -y update selinux-policy

Comment 2 Fedora Update System 2010-08-25 03:10:49 UTC
selinux-policy-3.8.8-20.fc14 has been submitted as an update for Fedora 14.
http://admin.fedoraproject.org/updates/selinux-policy-3.8.8-20.fc14

Comment 3 Fedora Update System 2010-08-25 13:30:32 UTC
selinux-policy-3.8.8-20.fc14 has been pushed to the Fedora 14 testing repository.  If problems still persist, please make note of it in this bug report.
If you want to test the update, you can install it with su -c 'yum --enablerepo=updates-testing update selinux-policy'.  You can provide feedback for this update here: http://admin.fedoraproject.org/updates/selinux-policy-3.8.8-20.fc14

Comment 4 Fedora Update System 2010-08-26 18:36:56 UTC
selinux-policy-3.8.8-20.fc14 has been pushed to the Fedora 14 testing repository.  If problems still persist, please make note of it in this bug report.
If you want to test the update, you can install it with su -c 'yum --enablerepo=updates-testing update selinux-policy'.  You can provide feedback for this update here: http://admin.fedoraproject.org/updates/selinux-policy-3.8.8-20.fc14

Comment 5 W. Michael Petullo 2010-08-27 03:39:27 UTC
My smartcard setup now seems to work after I installed the most recent Fedora 14 policy with SELinux in enforcing mode.

Comment 6 Daniel Walsh 2010-08-27 15:45:02 UTC
Please update karma.

Comment 7 Fedora Update System 2010-09-01 06:01:06 UTC
selinux-policy-3.8.8-20.fc14 has been pushed to the Fedora 14 stable repository.  If problems still persist, please make note of it in this bug report.