Bug 639373
| Summary: | SELinux is preventing /usr/lib/nspluginwrapper/npviewer.bin "execute" access on /usr/sbin/pcscd. | | |
|---|---|---|---|
| Product: | Fedora | Reporter: | Mads Kiilerich <mads> |
| Component: | pcsc-lite | Assignee: | Kalev Lember <kalevlember> |
| Status: | CLOSED RAWHIDE | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | | |
| Version: | rawhide | CC: | dwalsh, kalevlember, ludovic.rousseau, mgrepl, rrelyea |
| Target Milestone: | --- | | |
| Target Release: | --- | | |
| Hardware: | i386 | | |
| OS: | Linux | | |
| Whiteboard: | setroubleshoot_trace_hash:65a6c220de64e2d763384ce794d2352a3bccde2dfa968ffc2f649da28fc2dde4 | | |
| Fixed In Version: | | Doc Type: | Bug Fix |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2011-07-15 08:35:43 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
Description
Mads Kiilerich
2010-10-01 15:16:57 UTC
Flash did this and probably shouldn't, but it could be nice if SELinux could control it somehow other than offering to report it. I guess Flash access to a smart card can be useful in some cases, so perhaps it deserves a bool.

Boy, that is strange. pcscd guys, can you think of any reason to execute the daemon code from user space?

Starting from pcsc-lite 1.6.0, upstream has added "autostart" support, which means that libpcsclite tries to start pcscd when it's not running, expecting it to be setuid root. However, in the Fedora package we are still using the init script to start it, and the pcscd binary is NOT setuid root. I suspect the reporter's pcscd had either crashed or the init script was disabled, causing libpcsclite to try to start it.

What's your opinion about having pcscd as setuid root? I honestly don't like the idea at all at first glance.

Correct, pcsc-lite was installed but pcscd wasn't enabled/started. (FWIW I don't want anything other than systemd to start system services, neither on startup nor on demand.)

> (FWIW I don't want anything other than systemd to start system services,
> neither on startup nor on demand.)

This leads to some interesting questions on how to fix this. Do we turn off autostart?

This requires pcscd to be started explicitly. I believe that's how it currently works in Fedora.

The current code is accomplishing Mads Kiilerich's requirements: SELinux is preventing Flash from starting pcscd.

bob

(In reply to comment #5)

> This leads to some interesting questions on how to fix this. Do we turn off
> autostart?

In my opinion, yes. Or at least change it fundamentally. If something in userspace wants to start a system service it shouldn't do that by forking it, but for example by asking some system process to start it - for example by sending a dbus message to, for example, systemd.

> This requires pcscd to be started explicitly. I believe that's how it currently
> works in Fedora.

Yes. That allows me to disable pcscd if I don't want it.

> The current code is accomplishing Mads Kiilerich's requirements: SELinux is
> preventing Flash from starting pcscd.

Yes, but SELinux is an extra and brutal safety guard that verifies that the system behaves correctly. The system should behave correctly even without SELinux and without hanging in the safety belt.

In the next pcsc-lite version pcscd will not be suid root any more. But it will be sgid "pcscd". Mads, would that be OK for you, or do you still want to use systemd?

Suid root is very evil, but sometimes "necessary". Some kind of sgid is less evil - but still not good. AFAIK pcscd is a system service shared among all users. I think that it is very wrong that such a service is started as a fork from a user library. We have standard ways of starting system services, and when each subsystem implements its own way of doing it the system gets hard to manage and debug. I think the existing way of doing it was fine. What is the problem that motivated the change? But you should ask those who ensure that the whole system works consistently, securely and efficiently. I guess that is mostly Dan and Lennart.

The idea is that most of the time on most systems pcscd is not needed. So starting it on request is a good solution. What "standard ways" do you propose instead of a fork from a library? Maybe systemd could work. I did not know this software before. Is it used/available on all/most of the GNU systems?

dbus activation would be the standard way. You could notice that it was not working and send a dbus message to ask the system to start the daemon.

Do you have a URL describing the use of dbus in that specific case? A patch for pcsc-lite would be even better :-) Thanks.

Sorry, no. We use Python interfaces, but I am sure there is lots of data out there for implementing this. Actually, if you look at the setroubleshoot package and seapplet, this is used to start the setroubleshootd daemon.

(In reply to comment #11)

> Do you have a URL describing the use of dbus in that specific case?
> A patch for pcsc-lite would be even better :-)
> Thanks.

I just submitted patches for systemd socket activation to the muscle mailing list: http://archives.neohapsis.com/archives/dev/muscle/2011-q2/0138.html

The way it works is that systemd opens a listening UNIX socket, and when a request arrives on the socket from the user space library, systemd starts up the pcscd daemon on demand.

pcsc-lite-1.7.4-2.fc16 in rawhide is now built with systemd socket activation support. Upstream hasn't yet gotten around to reviewing the patches, but they should be good enough for use in Fedora. Autostarting pcscd by using systemd socket activation also plays nice with SELinux, compared to the previous way of autostarting pcscd by forking from the user space library.

Closing the ticket.
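The socket-activation handoff the thread settles on, shown from the daemon's side as an added example (this is illustrative code, not pcsc-lite's or systemd's own; the socket file name `pcscd.comm` and the sample request string are assumptions). The protocol is the one documented in sd_listen_fds(3): the activating process creates and binds the listening socket, sets LISTEN_PID to the daemon's pid and LISTEN_FDS to the number of sockets passed, and hands them over as file descriptors 3, 4, and so on. The LISTEN_PID check is the security-relevant part: a process that merely inherited those variables from an unrelated parent, such as a library forking the daemon from user space, must not be mistaken for an activated one. `main()` plays the activator in the parent and the daemon in a forked child so the whole exchange runs offline.

```python
"""Added example of the sd_listen_fds(3) socket-activation convention.

Not pcsc-lite's or systemd's code: the parent here stands in for systemd,
the forked child for the activated daemon. Socket name and request text
are constructed for the demonstration.
"""
import os
import socket
import sys
import tempfile

SD_LISTEN_FDS_START = 3  # first fd passed by the activator, per sd_listen_fds(3)


def activated_fds(environ, pid):
    """Return the fds handed over by the activator, or [] if not activated.

    Mirrors the checks sd_listen_fds() performs: both variables present,
    LISTEN_PID equal to our own pid, LISTEN_FDS a non-negative integer.
    A mismatched LISTEN_PID means the variables were inherited from some
    other process and must be ignored.
    """
    try:
        if int(environ["LISTEN_PID"]) != pid:
            return []
        count = int(environ["LISTEN_FDS"])
    except (KeyError, ValueError):
        return []
    if count < 0:
        return []
    return list(range(SD_LISTEN_FDS_START, SD_LISTEN_FDS_START + count))


def listening_socket(environ, pid, fallback_path):
    """Adopt the activated socket if there is one, otherwise bind our own.

    Returns (socket, inherited). Binding ourselves is the non-activated
    case (daemon started by an init script or by hand); when activated the
    daemon never binds, it only accepts on the fd it was given.
    """
    fds = activated_fds(environ, pid)
    if fds:
        # The fd is already bound and listening; only wrap it.
        return socket.socket(fileno=fds[0]), True
    if os.path.exists(fallback_path):
        os.unlink(fallback_path)
    srv = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    srv.bind(fallback_path)
    srv.listen(1)
    return srv, False


def serve_one(srv):
    """Accept one client, acknowledge its request, return what was received."""
    conn, _ = srv.accept()
    with conn:
        data = conn.recv(1024)
        conn.sendall(b"ack:" + data)
    return data


def main():
    # Parent acts as the activator: it creates and binds the socket, then
    # forks the daemon, which must find that socket at fd 3.
    path = os.path.join(tempfile.mkdtemp(), "pcscd.comm")  # assumed name
    srv = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    srv.bind(path)
    srv.listen(1)
    pid = os.fork()
    if pid == 0:  # child: the activated daemon
        os.dup2(srv.fileno(), SD_LISTEN_FDS_START)
        os.environ["LISTEN_PID"] = str(os.getpid())
        os.environ["LISTEN_FDS"] = "1"
        sock, inherited = listening_socket(os.environ, os.getpid(), path)
        got = serve_one(sock)
        print("daemon: inherited=%s request=%r" % (inherited, got))
        sys.stdout.flush()
        os._exit(0)
    srv.close()  # the activator normally keeps its copy; closed here for brevity
    cli = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)  # the "libpcsclite" side
    cli.connect(path)
    cli.sendall(b"SCardEstablishContext")  # constructed sample request
    print("client:", cli.recv(1024))
    cli.close()
    os.waitpid(pid, 0)


if __name__ == "__main__":
    main()
```

Run as a script it prints the daemon's `inherited=True` line followed by the client's acknowledgement. In a real deployment the parent's role is taken by a `.socket` unit that owns the listening path, with the daemon in the matching `.service` unit; the daemon then runs in its own SELinux domain as a child of systemd, which is why this approach avoids the transition the original denial reported.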