
Bug 683367

Summary: avc: denied { search } for ... comm="polkit-agent-he" name="faillock" ... scontext=unconfined_u:unconfined_r:policykit_auth_t:s0-s0:c0.c1023 tcontext=system_u:object_r:pam_var_run_t:s0 tclass=dir
Product: Red Hat Enterprise Linux 6
Component: selinux-policy
Version: 6.1
Hardware: All
OS: Linux
Status: CLOSED ERRATA
Severity: medium
Priority: medium
Target Milestone: rc
Target Release: ---
Reporter: Milos Malik <mmalik>
Assignee: Daniel Walsh <dwalsh>
QA Contact: Milos Malik <mmalik>
CC: dwalsh, jgalipea, mgrepl, tmraz
Fixed In Version: selinux-policy-3.7.19-78.el6
Doc Type: Bug Fix
Last Closed: 2011-05-19 12:24:11 UTC

Attachments:
modified /etc/pam.d/system-auth file (flags: none)
modified /etc/pam.d/password-auth file (flags: none)

Description Milos Malik 2011-03-09 09:38:56 UTC
Description of problem:
The AVC was found during testing of https://bugzilla.redhat.com/show_bug.cgi?id=644971 .

Version-Release number of selected component (if applicable):
pam-1.1.1-8.el6.x86_64
pam-devel-1.1.1-8.el6.x86_64
selinux-policy-3.7.19-73.el6.noarch
selinux-policy-targeted-3.7.19-73.el6.noarch

How reproducible:
not sure, but the AVC appears at least once every 10 minutes (default value of unlock_time)

Steps to Reproduce:
1) get a RHEL-6.1 machine
2) run "yum -y install tigervnc-server" as root
3) run "yum -y groupinstall Desktop Fonts" as root
4) run "useradd testuser" as root
5) run "passwd testuser" as root
6) run "vncserver" under the identity of testuser
7) replace /etc/pam.d/password-auth and /etc/pam.d/system-auth with attached files
8) connect via vncviewer from your machine to the VNC server running on the RHEL-6.1 machine
9) click on Menu->System-> Lock Screen
10) enter bad password at least 3 times
11) enter good password, the account is locked for 10 minutes
12) wait for the AVC
  
Actual results:
----
time->Wed Mar  9 04:12:50 2011
type=SYSCALL msg=audit(1299661970.158:223): arch=c000003e syscall=2 success=no exit=-13 a0=2162000 a1=2 a2=180 a3=8 items=0 ppid=3592 pid=6060 auid=501 uid=501 gid=502 euid=0 suid=0 fsuid=0 egid=502 sgid=502 fsgid=502 tty=pts0 ses=6 comm="polkit-agent-he" exe="/usr/libexec/polkit-1/polkit-agent-helper-1" subj=unconfined_u:unconfined_r:policykit_auth_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1299661970.158:223): avc:  denied  { search } for  pid=6060 comm="polkit-agent-he" name="faillock" dev=dm-0 ino=1835773 scontext=unconfined_u:unconfined_r:policykit_auth_t:s0-s0:c0.c1023 tcontext=system_u:object_r:pam_var_run_t:s0 tclass=dir
----

Expected results:
no AVCs

Comment 1 Milos Malik 2011-03-09 09:40:41 UTC
Created attachment 483137 [details]
modified /etc/pam.d/system-auth file

Comment 2 Milos Malik 2011-03-09 09:41:35 UTC
Created attachment 483138 [details]
modified /etc/pam.d/password-auth file

Comment 3 Milos Malik 2011-03-09 09:56:43 UTC
These AVCs are visible on all architectures.

I forgot to mention the polkit packages:
polkit-gnome-0.96-3.el6.x86_64
polkit-0.96-2.el6.x86_64
polkit-desktop-policy-0.96-2.el6.noarch

Comment 4 Miroslav Grepl 2011-03-09 12:00:10 UTC
Ok, so this is caused by 

account     required      pam_faillock.so

What all AVC msgs are you seeing?

Comment 5 Milos Malik 2011-03-09 12:37:10 UTC
The only AVC I see is already mentioned above.

Comment 6 Miroslav Grepl 2011-03-09 13:13:55 UTC
I guess we will need to allow it in auth_use_pam.

Milos is testing it in permissive mode.

Comment 7 Milos Malik 2011-03-09 13:21:20 UTC
The AVC mentioned above appeared in enforcing mode. The following AVCs appeared in permissive mode:
----
time->Wed Mar  9 08:14:06 2011
type=SYSCALL msg=audit(1299676446.095:44): arch=c000003e syscall=2 success=yes exit=3 a0=a6d000 a1=2 a2=180 a3=8 items=0 ppid=2314 pid=2407 auid=501 uid=501 gid=502 euid=0 suid=0 fsuid=0 egid=502 sgid=502 fsgid=502 tty=ttyS0 ses=2 comm="polkit-agent-he" exe="/usr/libexec/polkit-1/polkit-agent-helper-1" subj=unconfined_u:unconfined_r:policykit_auth_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1299676446.095:44): avc:  denied  { open } for  pid=2407 comm="polkit-agent-he" name="root" dev=dm-0 ino=1836837 scontext=unconfined_u:unconfined_r:policykit_auth_t:s0-s0:c0.c1023 tcontext=system_u:object_r:pam_var_run_t:s0 tclass=file
type=AVC msg=audit(1299676446.095:44): avc:  denied  { read write } for  pid=2407 comm="polkit-agent-he" name="root" dev=dm-0 ino=1836837 scontext=unconfined_u:unconfined_r:policykit_auth_t:s0-s0:c0.c1023 tcontext=system_u:object_r:pam_var_run_t:s0 tclass=file
type=AVC msg=audit(1299676446.095:44): avc:  denied  { search } for  pid=2407 comm="polkit-agent-he" name="faillock" dev=dm-0 ino=1835773 scontext=unconfined_u:unconfined_r:policykit_auth_t:s0-s0:c0.c1023 tcontext=system_u:object_r:pam_var_run_t:s0 tclass=dir
----
time->Wed Mar  9 08:14:06 2011
type=SYSCALL msg=audit(1299676446.095:45): arch=c000003e syscall=73 success=yes exit=0 a0=3 a1=2 a2=0 a3=8 items=0 ppid=2314 pid=2407 auid=501 uid=501 gid=502 euid=0 suid=0 fsuid=0 egid=502 sgid=502 fsgid=502 tty=ttyS0 ses=2 comm="polkit-agent-he" exe="/usr/libexec/polkit-1/polkit-agent-helper-1" subj=unconfined_u:unconfined_r:policykit_auth_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1299676446.095:45): avc:  denied  { lock } for  pid=2407 comm="polkit-agent-he" path="/var/run/faillock/root" dev=dm-0 ino=1836837 scontext=unconfined_u:unconfined_r:policykit_auth_t:s0-s0:c0.c1023 tcontext=system_u:object_r:pam_var_run_t:s0 tclass=file
----
time->Wed Mar  9 08:14:06 2011
type=SYSCALL msg=audit(1299676446.095:46): arch=c000003e syscall=5 success=yes exit=0 a0=3 a1=7fff30298780 a2=7fff30298780 a3=8 items=0 ppid=2314 pid=2407 auid=501 uid=501 gid=502 euid=0 suid=0 fsuid=0 egid=502 sgid=502 fsgid=502 tty=ttyS0 ses=2 comm="polkit-agent-he" exe="/usr/libexec/polkit-1/polkit-agent-helper-1" subj=unconfined_u:unconfined_r:policykit_auth_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1299676446.095:46): avc:  denied  { getattr } for  pid=2407 comm="polkit-agent-he" path="/var/run/faillock/root" dev=dm-0 ino=1836837 scontext=unconfined_u:unconfined_r:policykit_auth_t:s0-s0:c0.c1023 tcontext=system_u:object_r:pam_var_run_t:s0 tclass=file
----

Comment 8 Tomas Mraz 2011-03-09 13:35:24 UTC
Probably yes.

Comment 9 Miroslav Grepl 2011-03-09 14:46:57 UTC
Actually, adding

auth_rw_pam_pid($1)

to auth_domtrans_chk_passwd() would resolve this.

---

But how about adding a faillog_t label for the pam_faillock dir/files? Then we would add

auth_manage_faillog($1)

to

auth_login_pgm_domain()

And auth_domtrans_chk_passwd() already has

auth_rw_faillog($1)

Dan,
what do you think?
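
As an added example (not part of this bug report or of the selinux-policy package), the script below folds the AVC records quoted in the description and in comment 7 into the allow rules they imply, the way audit2allow does (a simplified re-implementation, not the real tool), and pairs each AVC with its SYSCALL record to show which denial was actually enforced. The generated rules are only the starting point for triage: the fix chosen in comment 9 relabels the faillock directory as faillog_t and reuses the existing auth interfaces instead of granting policykit_auth_t direct access to pam_var_run_t.

```python
import re
from collections import defaultdict

# Audit records copied from this bug: enforcing-mode event 223 (description) and
# permissive-mode events 44-46 (comment 7); SYSCALL lines kept for 223 and 44 only.
SAMPLE_AUDIT = """\
type=SYSCALL msg=audit(1299661970.158:223): arch=c000003e syscall=2 success=no exit=-13 a0=2162000 a1=2 a2=180 a3=8 items=0 ppid=3592 pid=6060 auid=501 uid=501 gid=502 euid=0 suid=0 fsuid=0 egid=502 sgid=502 fsgid=502 tty=pts0 ses=6 comm="polkit-agent-he" exe="/usr/libexec/polkit-1/polkit-agent-helper-1" subj=unconfined_u:unconfined_r:policykit_auth_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1299661970.158:223): avc:  denied  { search } for  pid=6060 comm="polkit-agent-he" name="faillock" dev=dm-0 ino=1835773 scontext=unconfined_u:unconfined_r:policykit_auth_t:s0-s0:c0.c1023 tcontext=system_u:object_r:pam_var_run_t:s0 tclass=dir
type=SYSCALL msg=audit(1299676446.095:44): arch=c000003e syscall=2 success=yes exit=3 a0=a6d000 a1=2 a2=180 a3=8 items=0 ppid=2314 pid=2407 auid=501 uid=501 gid=502 euid=0 suid=0 fsuid=0 egid=502 sgid=502 fsgid=502 tty=ttyS0 ses=2 comm="polkit-agent-he" exe="/usr/libexec/polkit-1/polkit-agent-helper-1" subj=unconfined_u:unconfined_r:policykit_auth_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1299676446.095:44): avc:  denied  { open } for  pid=2407 comm="polkit-agent-he" name="root" dev=dm-0 ino=1836837 scontext=unconfined_u:unconfined_r:policykit_auth_t:s0-s0:c0.c1023 tcontext=system_u:object_r:pam_var_run_t:s0 tclass=file
type=AVC msg=audit(1299676446.095:44): avc:  denied  { read write } for  pid=2407 comm="polkit-agent-he" name="root" dev=dm-0 ino=1836837 scontext=unconfined_u:unconfined_r:policykit_auth_t:s0-s0:c0.c1023 tcontext=system_u:object_r:pam_var_run_t:s0 tclass=file
type=AVC msg=audit(1299676446.095:44): avc:  denied  { search } for  pid=2407 comm="polkit-agent-he" name="faillock" dev=dm-0 ino=1835773 scontext=unconfined_u:unconfined_r:policykit_auth_t:s0-s0:c0.c1023 tcontext=system_u:object_r:pam_var_run_t:s0 tclass=dir
type=AVC msg=audit(1299676446.095:45): avc:  denied  { lock } for  pid=2407 comm="polkit-agent-he" path="/var/run/faillock/root" dev=dm-0 ino=1836837 scontext=unconfined_u:unconfined_r:policykit_auth_t:s0-s0:c0.c1023 tcontext=system_u:object_r:pam_var_run_t:s0 tclass=file
type=AVC msg=audit(1299676446.095:46): avc:  denied  { getattr } for  pid=2407 comm="polkit-agent-he" path="/var/run/faillock/root" dev=dm-0 ino=1836837 scontext=unconfined_u:unconfined_r:policykit_auth_t:s0-s0:c0.c1023 tcontext=system_u:object_r:pam_var_run_t:s0 tclass=file
"""
SYSCALL_RE = re.compile(r"type=SYSCALL msg=audit\([\d.]+:(?P<serial>\d+)\): .*?success=(?P<ok>yes|no)")
AVC_RE = re.compile(r"type=AVC msg=audit\([\d.]+:(?P<serial>\d+)\): avc:\s+denied\s+\{ (?P<perms>[^}]+) \}"
                    r" for .*?scontext=(?P<scontext>\S+) tcontext=(?P<tcontext>\S+) tclass=(?P<tclass>\S+)")

def sel_type(context):
    """The third field of a user:role:type[:range] context is the SELinux type."""
    return context.split(":")[2]

def parse_audit(text):
    """Return (records, outcomes): records are (serial, source_type, target_type,
    tclass, perms); outcomes maps serial -> True if the SYSCALL succeeded."""
    records, outcomes = [], {}
    for line in text.splitlines():
        if m := SYSCALL_RE.match(line):
            outcomes[m["serial"]] = m["ok"] == "yes"
        elif m := AVC_RE.match(line):
            records.append((m["serial"], sel_type(m["scontext"]), sel_type(m["tcontext"]),
                            m["tclass"], frozenset(m["perms"].split())))
    return records, outcomes

def allow_rules(records):
    """Merge denials per (source, target, class) into audit2allow-style allow rules."""
    merged = defaultdict(set)
    for _, stype, ttype, tclass, perms in records:
        merged[(stype, ttype, tclass)] |= perms
    rules = []
    for (stype, ttype, tclass), perms in sorted(merged.items()):
        p = sorted(perms)
        perm_str = p[0] if len(p) == 1 else "{ " + " ".join(p) + " }"
        rules.append(f"allow {stype} {ttype}:{tclass} {perm_str};")
    return rules

def enforced_denials(records, outcomes):
    """Serials whose SYSCALL failed: that denial was enforced, so the later checks on
    the same object (open/lock/getattr) never ran and were never logged."""
    return sorted({serial for serial, *_ in records if outcomes.get(serial) is False})
```

Running it on the records above yields one dir rule (search) and one file rule (getattr lock open read write), and only serial 223 as enforced, which is why a single search denial was all that was visible in enforcing mode.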

Comment 10 Daniel Walsh 2011-03-09 22:14:56 UTC
Yes that looks good.

Comment 11 Miroslav Grepl 2011-03-10 00:45:06 UTC
Fixed in selinux-policy-3.7.19-78.el6

Milos,
Could you also test it with this release, which is available from brew?

Comment 13 Milos Malik 2011-03-10 12:43:37 UTC
No AVCs appeared when I tested with selinux-policy-3.7.19-78.el6.

Comment 15 errata-xmlrpc 2011-05-19 12:24:11 UTC
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2011-0526.html