Bug 683367

Summary: avc: denied { search } for ... comm="polkit-agent-he" name="faillock" ... scontext=unconfined_u:unconfined_r:policykit_auth_t:s0-s0:c0.c1023 tcontext=system_u:object_r:pam_var_run_t:s0 tclass=dir
Product: Red Hat Enterprise Linux 6
Reporter: Milos Malik <mmalik>
Component: selinux-policy
Assignee: Daniel Walsh <dwalsh>
Status: CLOSED ERRATA
QA Contact: Milos Malik <mmalik>
Severity: medium
Priority: medium
Version: 6.1
CC: dwalsh, jgalipea, mgrepl, tmraz
Target Milestone: rc
Hardware: All
OS: Linux
Fixed In Version: selinux-policy-3.7.19-78.el6
Doc Type: Bug Fix
Last Closed: 2011-05-19 12:24:11 UTC
Attachments:
  483137: modified /etc/pam.d/system-auth file (flags: none)
  483138: modified /etc/pam.d/password-auth file (flags: none)

Description Milos Malik 2011-03-09 09:38:56 UTC
Description of problem:
The AVC was found during testing of https://bugzilla.redhat.com/show_bug.cgi?id=644971.

Version-Release number of selected component (if applicable):
pam-1.1.1-8.el6.x86_64
pam-devel-1.1.1-8.el6.x86_64
selinux-policy-3.7.19-73.el6.noarch
selinux-policy-targeted-3.7.19-73.el6.noarch

How reproducible:
not sure, but the AVC appears at least once every 10 minutes (default value of unlock_time)

Steps to Reproduce:
1) get a RHEL-6.1 machine
2) run "yum -y install tigervnc-server" as root
3) run "yum -y groupinstall Desktop Fonts" as root
4) run "useradd testuser" as root
5) run "passwd testuser" as root
6) run "vncserver" under the identity of testuser
7) replace /etc/pam.d/password-auth and /etc/pam.d/system-auth with attached files
8) connect via vncviewer from your machine to the VNC server running on the RHEL-6.1 machine
9) click on Menu->System-> Lock Screen
10) enter bad password at least 3 times
11) enter good password, the account is locked for 10 minutes
12) wait for the AVC
  
Actual results:
----
time->Wed Mar  9 04:12:50 2011
type=SYSCALL msg=audit(1299661970.158:223): arch=c000003e syscall=2 success=no exit=-13 a0=2162000 a1=2 a2=180 a3=8 items=0 ppid=3592 pid=6060 auid=501 uid=501 gid=502 euid=0 suid=0 fsuid=0 egid=502 sgid=502 fsgid=502 tty=pts0 ses=6 comm="polkit-agent-he" exe="/usr/libexec/polkit-1/polkit-agent-helper-1" subj=unconfined_u:unconfined_r:policykit_auth_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1299661970.158:223): avc:  denied  { search } for  pid=6060 comm="polkit-agent-he" name="faillock" dev=dm-0 ino=1835773 scontext=unconfined_u:unconfined_r:policykit_auth_t:s0-s0:c0.c1023 tcontext=system_u:object_r:pam_var_run_t:s0 tclass=dir
----

Expected results:
no AVCs

Comment 1 Milos Malik 2011-03-09 09:40:41 UTC
Created attachment 483137 [details]
modified /etc/pam.d/system-auth file

Comment 2 Milos Malik 2011-03-09 09:41:35 UTC
Created attachment 483138 [details]
modified /etc/pam.d/password-auth file

Comment 3 Milos Malik 2011-03-09 09:56:43 UTC
These AVCs are visible on all architectures.

I forgot to mention the polkit packages:
polkit-gnome-0.96-3.el6.x86_64
polkit-0.96-2.el6.x86_64
polkit-desktop-policy-0.96-2.el6.noarch

Comment 4 Miroslav Grepl 2011-03-09 12:00:10 UTC
Ok, so this is caused by 

account     required      pam_faillock.so

What all AVC msgs are you seeing?

Comment 5 Milos Malik 2011-03-09 12:37:10 UTC
The only AVC I see is already mentioned above.

Comment 6 Miroslav Grepl 2011-03-09 13:13:55 UTC
I guess we will need to allow it in auth_use_pam.

Milos is testing it in permissive mode.

Comment 7 Milos Malik 2011-03-09 13:21:20 UTC
The AVC mentioned above appeared in enforcing mode. Following AVCs appeared in permissive mode:
----
time->Wed Mar  9 08:14:06 2011
type=SYSCALL msg=audit(1299676446.095:44): arch=c000003e syscall=2 success=yes exit=3 a0=a6d000 a1=2 a2=180 a3=8 items=0 ppid=2314 pid=2407 auid=501 uid=501 gid=502 euid=0 suid=0 fsuid=0 egid=502 sgid=502 fsgid=502 tty=ttyS0 ses=2 comm="polkit-agent-he" exe="/usr/libexec/polkit-1/polkit-agent-helper-1" subj=unconfined_u:unconfined_r:policykit_auth_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1299676446.095:44): avc:  denied  { open } for  pid=2407 comm="polkit-agent-he" name="root" dev=dm-0 ino=1836837 scontext=unconfined_u:unconfined_r:policykit_auth_t:s0-s0:c0.c1023 tcontext=system_u:object_r:pam_var_run_t:s0 tclass=file
type=AVC msg=audit(1299676446.095:44): avc:  denied  { read write } for  pid=2407 comm="polkit-agent-he" name="root" dev=dm-0 ino=1836837 scontext=unconfined_u:unconfined_r:policykit_auth_t:s0-s0:c0.c1023 tcontext=system_u:object_r:pam_var_run_t:s0 tclass=file
type=AVC msg=audit(1299676446.095:44): avc:  denied  { search } for  pid=2407 comm="polkit-agent-he" name="faillock" dev=dm-0 ino=1835773 scontext=unconfined_u:unconfined_r:policykit_auth_t:s0-s0:c0.c1023 tcontext=system_u:object_r:pam_var_run_t:s0 tclass=dir
----
time->Wed Mar  9 08:14:06 2011
type=SYSCALL msg=audit(1299676446.095:45): arch=c000003e syscall=73 success=yes exit=0 a0=3 a1=2 a2=0 a3=8 items=0 ppid=2314 pid=2407 auid=501 uid=501 gid=502 euid=0 suid=0 fsuid=0 egid=502 sgid=502 fsgid=502 tty=ttyS0 ses=2 comm="polkit-agent-he" exe="/usr/libexec/polkit-1/polkit-agent-helper-1" subj=unconfined_u:unconfined_r:policykit_auth_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1299676446.095:45): avc:  denied  { lock } for  pid=2407 comm="polkit-agent-he" path="/var/run/faillock/root" dev=dm-0 ino=1836837 scontext=unconfined_u:unconfined_r:policykit_auth_t:s0-s0:c0.c1023 tcontext=system_u:object_r:pam_var_run_t:s0 tclass=file
----
time->Wed Mar  9 08:14:06 2011
type=SYSCALL msg=audit(1299676446.095:46): arch=c000003e syscall=5 success=yes exit=0 a0=3 a1=7fff30298780 a2=7fff30298780 a3=8 items=0 ppid=2314 pid=2407 auid=501 uid=501 gid=502 euid=0 suid=0 fsuid=0 egid=502 sgid=502 fsgid=502 tty=ttyS0 ses=2 comm="polkit-agent-he" exe="/usr/libexec/polkit-1/polkit-agent-helper-1" subj=unconfined_u:unconfined_r:policykit_auth_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1299676446.095:46): avc:  denied  { getattr } for  pid=2407 comm="polkit-agent-he" path="/var/run/faillock/root" dev=dm-0 ino=1836837 scontext=unconfined_u:unconfined_r:policykit_auth_t:s0-s0:c0.c1023 tcontext=system_u:object_r:pam_var_run_t:s0 tclass=file
----
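
The AVC records in the description and in comment 7, run through a small triage script. This is an added example and is not part of the bug report, of audit2allow, or of the selinux-policy package; the sample records are copied from this report, while the function names and the grouping logic are my own assumptions about how such a script would be written. It groups the denials by source type, target type and object class, prints the audit2allow-style allow rules, and shows why enforcing mode logged only the dir search denial: the SYSCALL records show open() (syscall 2 on x86_64) failing with -13 (EACCES) at the directory search check, so the file open/read/write, flock() (73) and fstat() (5) checks that follow in permissive mode never ran.

```python
"""Triage helper for the AVC records in this bug report.

Added example; not part of the report, of audit2allow or of the
selinux-policy package. The sample records are copied from the report
(enforcing-mode AVC from the description, permissive-mode AVCs from
comment 7). The parsing and grouping logic is my own and only
approximates what audit2allow does.
"""
import re
from collections import defaultdict

# "avc:  denied  { read write } for  pid=... scontext=... tcontext=... tclass=file"
AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*)$')
# key=value pairs after "for"; values are either double-quoted or a run of non-blanks
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Copied from the report: the only AVC logged in enforcing mode.
ENFORCING_AVCS = [
    'type=AVC msg=audit(1299661970.158:223): avc:  denied  { search } for  pid=6060 comm="polkit-agent-he" name="faillock" dev=dm-0 ino=1835773 scontext=unconfined_u:unconfined_r:policykit_auth_t:s0-s0:c0.c1023 tcontext=system_u:object_r:pam_var_run_t:s0 tclass=dir',
]

# Copied from comment 7: the complete set logged in permissive mode.
PERMISSIVE_AVCS = [
    'type=AVC msg=audit(1299676446.095:44): avc:  denied  { open } for  pid=2407 comm="polkit-agent-he" name="root" dev=dm-0 ino=1836837 scontext=unconfined_u:unconfined_r:policykit_auth_t:s0-s0:c0.c1023 tcontext=system_u:object_r:pam_var_run_t:s0 tclass=file',
    'type=AVC msg=audit(1299676446.095:44): avc:  denied  { read write } for  pid=2407 comm="polkit-agent-he" name="root" dev=dm-0 ino=1836837 scontext=unconfined_u:unconfined_r:policykit_auth_t:s0-s0:c0.c1023 tcontext=system_u:object_r:pam_var_run_t:s0 tclass=file',
    'type=AVC msg=audit(1299676446.095:44): avc:  denied  { search } for  pid=2407 comm="polkit-agent-he" name="faillock" dev=dm-0 ino=1835773 scontext=unconfined_u:unconfined_r:policykit_auth_t:s0-s0:c0.c1023 tcontext=system_u:object_r:pam_var_run_t:s0 tclass=dir',
    'type=AVC msg=audit(1299676446.095:45): avc:  denied  { lock } for  pid=2407 comm="polkit-agent-he" path="/var/run/faillock/root" dev=dm-0 ino=1836837 scontext=unconfined_u:unconfined_r:policykit_auth_t:s0-s0:c0.c1023 tcontext=system_u:object_r:pam_var_run_t:s0 tclass=file',
    'type=AVC msg=audit(1299676446.095:46): avc:  denied  { getattr } for  pid=2407 comm="polkit-agent-he" path="/var/run/faillock/root" dev=dm-0 ino=1836837 scontext=unconfined_u:unconfined_r:policykit_auth_t:s0-s0:c0.c1023 tcontext=system_u:object_r:pam_var_run_t:s0 tclass=file',
]


def parse_avc(line):
    """Parse one audit record; return None for anything that is not an AVC denial."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group('fields'))}
    if not {'scontext', 'tcontext', 'tclass'} <= set(fields):
        return None
    return {
        'perms': set(m.group('perms').split()),
        'comm': fields.get('comm'),
        # open/read/write/search denials carry name=, lock/getattr carry path=
        'name': fields.get('name') or fields.get('path'),
        # the type is the third component of user:role:type[:range]
        'stype': fields['scontext'].split(':')[2],
        'ttype': fields['tcontext'].split(':')[2],
        'tclass': fields['tclass'],
    }


def denied_perms(lines):
    """Set of (source type, target type, class, permission) tuples in the records."""
    out = set()
    for line in lines:
        rec = parse_avc(line)
        if rec:
            for perm in rec['perms']:
                out.add((rec['stype'], rec['ttype'], rec['tclass'], perm))
    return out


def allow_rules(lines):
    """audit2allow-style allow rules, one per (source type, target type, class)."""
    grouped = defaultdict(set)
    for stype, ttype, tclass, perm in denied_perms(lines):
        grouped[(stype, ttype, tclass)].add(perm)
    rules = []
    for (stype, ttype, tclass), perms in sorted(grouped.items()):
        perm_str = ' '.join(sorted(perms))
        if len(perms) > 1:
            perm_str = '{ %s }' % perm_str
        rules.append('allow %s %s:%s %s;' % (stype, ttype, tclass, perm_str))
    return rules


def hidden_by_enforcing(enforcing_lines, permissive_lines):
    """Denials that only appear once the first denial no longer aborts the syscall."""
    return sorted(denied_perms(permissive_lines) - denied_perms(enforcing_lines))


if __name__ == '__main__':
    print('# enforcing mode: search on the faillock dir fails open() with EACCES,')
    print('# so the file permissions are never checked:')
    for rule in allow_rules(ENFORCING_AVCS):
        print(rule)
    print('# permissive mode: open(), flock() and fstat() all proceed and are logged:')
    for rule in allow_rules(PERMISSIVE_AVCS):
        print(rule)
    print('# denials hidden by enforcing mode:')
    for stype, ttype, tclass, perm in hidden_by_enforcing(ENFORCING_AVCS, PERMISSIVE_AVCS):
        print('  %s -> %s:%s %s' % (stype, ttype, tclass, perm))
```

Run stand-alone it prints the two rule sets and the five permissions that enforcing mode hid. The rules are the blanket grant audit2allow would suggest: policykit_auth_t gets read/write on everything labelled pam_var_run_t. The thread settles instead on giving the faillock directory its own label so the grant can go through the existing auth_*_faillog interfaces, which confines the new access to the faillock records only. Collecting the full denial set in permissive mode first, as Milos did, is what makes it possible to judge that scope before writing a rule.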

Comment 8 Tomas Mraz 2011-03-09 13:35:24 UTC
Probably yes.

Comment 9 Miroslav Grepl 2011-03-09 14:46:57 UTC
Actually

auth_rw_pam_pid($1)

to auth_domtrans_chk_passwd() would resolve this.

---


But how about adding a faillog_t label for the pam_faillock dir/files? Then we would add

auth_manage_faillog($1)

to 

auth_login_pgm_domain()


And auth_domtrans_chk_passwd() already has

auth_rw_faillog($1)


Dan,
what do you think?

Comment 10 Daniel Walsh 2011-03-09 22:14:56 UTC
Yes that looks good.

Comment 11 Miroslav Grepl 2011-03-10 00:45:06 UTC
Fixed in selinux-policy-3.7.19-78.el6

Milos,
could you also test it with this release, which is available from brew?

Comment 13 Milos Malik 2011-03-10 12:43:37 UTC
No AVCs appeared when I tested with selinux-policy-3.7.19-78.el6.

Comment 15 errata-xmlrpc 2011-05-19 12:24:11 UTC
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2011-0526.html