Bug 684225

Summary: gnome keyring pam module is starting gnome-keyring with the wrong SELinux context.
Product: Fedora
Reporter: Daniel Walsh <dwalsh>
Component: gnome-keyring
Assignee: Tomáš Bžatek <tbzatek>
Status: CLOSED ERRATA
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified
Priority: unspecified
Version: 15
CC: mgrepl, selinux, tbzatek, tsmetana, walters
Hardware: Unspecified
OS: Unspecified
Fixed In Version: gnome-keyring-2.91.92-3.fc15
Doc Type: Bug Fix
Last Closed: 2011-03-19 05:50:22 UTC

Attachments:
Patch to attempt to set correct SELinux context on keyring
Updated patch
Updated patch

Description Daniel Walsh 2011-03-11 14:22:23 UTC
Created attachment 483734 [details]
Patch to attempt to set correct SELinux context on keyring

With confined users we want to run the F15 gnome-keyring as gkeyringd_staff_t, but currently this does not work properly from the pam module.

The attached patch will fix the problem.  We are ignoring error conditions since for most users the errors will not affect unconfined users, and on a confined user it would still partially work but generate an AVC.

Comment 1 Tomáš Bžatek 2011-03-11 16:21:59 UTC
Created attachment 483766 [details]
Updated patch

Thanks for the patch, looks good to me though I haven't tested it locally (don't have a staff_u user set up). An updated patch is attached, removed config.h garbage and fixed the --disable-selinux configure case.

Comment 2 Tomáš Bžatek 2011-03-11 16:23:06 UTC
*** Bug 683154 has been marked as a duplicate of this bug. ***

Comment 3 Daniel Walsh 2011-03-11 16:47:44 UTC
Ok, I could not get the configure to work without hacking config.h.in?  But if it works and builds the SELinux code in then I am happy.

Once you have a package in Koji I will test and ask Thomas to test.

Comment 4 Tomáš Bžatek 2011-03-15 13:58:30 UTC
(In reply to comment #3)
> Ok, I could not get the configure to work without hacking config.h.in?  But if
> it works and builds the SELinux code in then I am happy.
Automake is often a mess, don't worry. Basically .in files and files without suffix are autogenerated, only .am and configure.{ac,in} are supposed to be touched.
 
> Once you have a package in Koji I will test and ask Thomas to test.
Built as gnome-keyring-2.91.92-2.fc15

Comment 5 Fedora Update System 2011-03-15 13:59:43 UTC
gnome-keyring-2.91.92-2.fc15 has been submitted as an update for Fedora 15.
https://admin.fedoraproject.org/updates/gnome-keyring-2.91.92-2.fc15

Comment 6 Tom London 2011-03-15 14:31:40 UTC
I downloaded/installed gnome-keyring-2.91.92-2.fc15 and rebooted (permissive).

I'm still seeing: 

type=AVC msg=audit(1300199281.115:59): avc:  denied  { getattr } for  pid=1827 comm="gnome-keyring-d" path="/tmp/keyring-CVYjKl/control" dev=dm-0 ino=18 scontext=staff_u:staff_r:gkeyringd_staff_t:s0-s0:c0.c1023 tcontext=staff_u:object_r:user_tmp_t:s0 tclass=sock_file
type=AVC msg=audit(1300199281.119:60): avc:  denied  { write } for  pid=1826 comm="gnome-keyring-d" name="control" dev=dm-0 ino=18 scontext=staff_u:staff_r:gkeyringd_staff_t:s0-s0:c0.c1023 tcontext=staff_u:object_r:user_tmp_t:s0 tclass=sock_file
type=AVC msg=audit(1300199281.119:60): avc:  denied  { connectto } for  pid=1826 comm="gnome-keyring-d" path="/tmp/keyring-CVYjKl/control" scontext=staff_u:staff_r:gkeyringd_staff_t:s0-s0:c0.c1023 tcontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tclass=unix_stream_socket
type=SYSCALL msg=audit(1300199281.119:60): arch=c000003e syscall=42 success=yes exit=0 a0=4 a1=7fff75341540 a2=6e a3=7fff75341220 items=0 ppid=1727 pid=1826 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) ses=1 comm="gnome-keyring-d" exe="/usr/bin/gnome-keyring-daemon" subj=staff_u:staff_r:gkeyringd_staff_t:s0-s0:c0.c1023 key=(null)
type=SYSCALL msg=audit(1300199281.115:59): arch=c000003e syscall=6 success=yes exit=0 a0=2601150 a1=7fff7baad870 a2=7fff7baad870 a3=7fff7baad5f0 items=0 ppid=1727 pid=1827 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) ses=1 comm="gnome-keyring-d" exe="/usr/bin/gnome-keyring-daemon" subj=staff_u:staff_r:gkeyringd_staff_t:s0-s0:c0.c1023 key=(null)

Should these 'be gone'?

Comment 7 Daniel Walsh 2011-03-15 14:52:52 UTC
Yes

Comment 8 Tomáš Bžatek 2011-03-15 15:06:35 UTC
Oh, looks like the detection of required selinux functions is not working properly. I don't usually check koji output.

> checking for getfilecon in -lselinux... no

(this is coming from a missing libselinux-devel BuildRequire; however, the
>   SELinux:              yes
configure summary is wrong. Looking into it...

Comment 9 Tomáš Bžatek 2011-03-15 17:00:29 UTC
Created attachment 485554 [details]
Updated patch

Attaching updated patch with slightly changed configure.in structure. Now we're checking for the presence of both getfilecon() and setexeccon() in libselinux, I hope that was the desired intention.

Built as gnome-keyring-2.91.92-3.fc15

Comment 10 Fedora Update System 2011-03-15 17:01:29 UTC
gnome-keyring-2.91.92-3.fc15 has been submitted as an update for Fedora 15.
https://admin.fedoraproject.org/updates/gnome-keyring-2.91.92-3.fc15

Comment 11 Tom London 2011-03-16 03:34:36 UTC
OK.  I downloaded/installed gnome-keyring-2.91.92-3.fc15 and rebooted permissive.  I get the AVCs below:

type=AVC msg=audit(1300246246.279:49): avc:  denied  { transition } for  pid=1717 comm="gdm-session-wor" path="/usr/bin/gnome-keyring-daemon" dev=dm-0 ino=277774 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=staff_u:staff_r:gkeyringd_staff_t:s0-s0:c0.c1023 tclass=process
type=AVC msg=audit(1300246246.279:49): avc:  denied  { rlimitinh } for  pid=1717 comm="gnome-keyring-d" scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=staff_u:staff_r:gkeyringd_staff_t:s0-s0:c0.c1023 tclass=process
type=AVC msg=audit(1300246246.279:49): avc:  denied  { siginh } for  pid=1717 comm="gnome-keyring-d" scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=staff_u:staff_r:gkeyringd_staff_t:s0-s0:c0.c1023 tclass=process
type=AVC msg=audit(1300246246.279:49): avc:  denied  { noatsecure } for  pid=1717 comm="gnome-keyring-d" scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=staff_u:staff_r:gkeyringd_staff_t:s0-s0:c0.c1023 tclass=process
type=SYSCALL msg=audit(1300246246.279:49): arch=c000003e syscall=59 success=yes exit=0 a0=7f1615cc42a1 a1=7fffbe3b1700 a2=128b980 a3=fffffffffffffff0 items=0 ppid=1708 pid=1717 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) ses=1 comm="gnome-keyring-d" exe="/usr/bin/gnome-keyring-daemon" subj=staff_u:staff_r:gkeyringd_staff_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1300246246.498:50): avc:  denied  { sigchld } for  pid=1708 comm="gdm-session-wor" scontext=staff_u:staff_r:gkeyringd_staff_t:s0-s0:c0.c1023 tcontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tclass=process
type=SYSCALL msg=audit(1300246246.498:50): arch=c000003e syscall=61 success=yes exit=1717 a0=6b5 a1=7fffbe3b176c a2=0 a3=0 items=0 ppid=1471 pid=1708 auid=500 uid=0 gid=500 euid=0 suid=0 fsuid=0 egid=500 sgid=500 fsgid=500 tty=(none) ses=1 comm="gdm-session-wor" exe="/usr/libexec/gdm-session-worker" subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 key=(null)

I'll try enforcing mode and see what I get.

Comment 12 Tom London 2011-03-16 03:40:41 UTC
In enforcing mode, I only get this one AVC:

type=AVC msg=audit(1300246684.163:55): avc:  denied  { transition } for  pid=1716 comm="gdm-session-wor" path="/usr/bin/gnome-keyring-daemon" dev=dm-0 ino=277774 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=staff_u:staff_r:gkeyringd_staff_t:s0-s0:c0.c1023 tclass=process
type=SYSCALL msg=audit(1300246684.163:55): arch=c000003e syscall=59 success=no exit=-13 a0=7f92f017a2a1 a1=7fffb6a33d70 a2=122b980 a3=fffffffffffffff0 items=0 ppid=1707 pid=1716 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) ses=1 comm="gdm-session-wor" exe="/usr/libexec/gdm-session-worker" subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 key=(null)

or

#============= xdm_t ==============
allow xdm_t gkeyringd_staff_t:process transition;

Comment 13 Tom London 2011-03-16 03:43:55 UTC
Forgot to add this:  these messages were in /var/log/messages:

Mar 15 20:38:19 tlondon setroubleshoot: SELinux is preventing /usr/bin/gnome-keyring-daemon from using the transition access on a process. For complete SELinux messages. run sealert -l 3db35756-bb61-4f6e-99f4-f20d34033daa
Mar 15 20:38:24 tlondon dbus: avc:  denied  { send_msg } for msgtype=method_call interface=org.freedesktop.Secret.Service member=SearchItems dest=org.freedesktop.secrets spid=1939 tpid=1831 scontext=staff_u:staff_r:telepathy_mission_control_t:s0-s0:c0.c1023 tcontext=staff_u:staff_r:gkeyringd_staff_t:s0-s0:c0.c1023 tclass=dbus
Mar 15 20:38:24 tlondon dbus: avc:  denied  { send_msg } for msgtype=method_call interface=org.freedesktop.Secret.Service member=SearchItems dest=org.freedesktop.secrets spid=1939 tpid=1831 scontext=staff_u:staff_r:telepathy_mission_control_t:s0-s0:c0.c1023 tcontext=staff_u:staff_r:gkeyringd_staff_t:s0-s0:c0.c1023 tclass=dbus
Mar 15 20:38:24 tlondon dbus: avc:  denied  { send_msg } for msgtype=method_call interface=org.freedesktop.Secret.Service member=SearchItems dest=org.freedesktop.secrets spid=1939 tpid=1831 scontext=staff_u:staff_r:telepathy_mission_control_t:s0-s0:c0.c1023 tcontext=staff_u:staff_r:gkeyringd_staff_t:s0-s0:c0.c1023 tclass=dbus
Mar 15 20:38:24 tlondon dbus: avc:  denied  { send_msg } for msgtype=method_call interface=org.freedesktop.Secret.Service member=SearchItems dest=org.freedesktop.secrets spid=1939 tpid=1831 scontext=staff_u:staff_r:telepathy_mission_control_t:s0-s0:c0.c1023 tcontext=staff_u:staff_r:gkeyringd_staff_t:s0-s0:c0.c1023 tclass=dbus
Mar 15 20:38:24 tlondon dbus: avc:  denied  { send_msg } for msgtype=method_call interface=org.freedesktop.Secret.Service member=SearchItems dest=org.freedesktop.secrets spid=1939 tpid=1831 scontext=staff_u:staff_r:telepathy_mission_control_t:s0-s0:c0.c1023 tcontext=staff_u:staff_r:gkeyringd_staff_t:s0-s0:c0.c1023 tclass=dbus
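
Added example (not from this bug or the gnome-keyring project): a small Python triage helper that parses the kernel AVC records quoted in comments 6, 11 and 12 and the dbus userspace AVCs from comment 13, collapses the denials into audit2allow-style rules the way the output in comment 12 was produced, and flags process transition denials like the one that made the daemon's exec fail in enforcing mode. The sample input is assembled from lines quoted in those comments.

```python
import re
from collections import defaultdict
# Matches kernel AVC records from audit.log ("type=AVC ... avc: denied ...") and
# the userspace AVCs dbus writes to /var/log/messages ("dbus: avc: denied ...").
AVC_RE = re.compile(
    r'avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]+?)\s*\}'
    r'.*?scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)'
)
# Constructed sample assembled from lines quoted in comments 6, 11 and 13 above.
SAMPLE = """\
type=AVC msg=audit(1300246246.279:49): avc:  denied  { transition } for  pid=1717 comm="gdm-session-wor" path="/usr/bin/gnome-keyring-daemon" dev=dm-0 ino=277774 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=staff_u:staff_r:gkeyringd_staff_t:s0-s0:c0.c1023 tclass=process
type=AVC msg=audit(1300246246.279:49): avc:  denied  { rlimitinh } for  pid=1717 comm="gnome-keyring-d" scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=staff_u:staff_r:gkeyringd_staff_t:s0-s0:c0.c1023 tclass=process
type=AVC msg=audit(1300199281.119:60): avc:  denied  { connectto } for  pid=1826 comm="gnome-keyring-d" path="/tmp/keyring-CVYjKl/control" scontext=staff_u:staff_r:gkeyringd_staff_t:s0-s0:c0.c1023 tcontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tclass=unix_stream_socket
Mar 15 20:38:24 tlondon dbus: avc:  denied  { send_msg } for msgtype=method_call interface=org.freedesktop.Secret.Service member=SearchItems dest=org.freedesktop.secrets spid=1939 tpid=1831 scontext=staff_u:staff_r:telepathy_mission_control_t:s0-s0:c0.c1023 tcontext=staff_u:staff_r:gkeyringd_staff_t:s0-s0:c0.c1023 tclass=dbus
"""

def parse_avcs(text):
    """One dict per denial: permissions, source type, target type, object class."""
    events = []
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if m and m.group('result') == 'denied':
            # a context is user:role:type[:range]; the type is the third field
            events.append({
                'perms': set(m.group('perms').split()),
                'stype': m.group('scontext').split(':')[2],
                'ttype': m.group('tcontext').split(':')[2],
                'tclass': m.group('tclass'),
            })
    return events

def allow_rules(events):
    """Collapse denials into audit2allow-style rules, one per (source, target, class)."""
    grouped = defaultdict(set)
    for e in events:
        grouped[(e['stype'], e['ttype'], e['tclass'])] |= e['perms']
    rules = []
    for (stype, ttype, tclass), perms in sorted(grouped.items()):
        perm = ' '.join(sorted(perms))
        if len(perms) > 1:
            perm = '{ ' + perm + ' }'
        rules.append(f"allow {stype} {ttype}:{tclass} {perm};")
    return rules

def blocked_transitions(events):
    """Domain transitions the policy refused; in enforcing mode these are the execs
    that fail outright with EACCES (exit=-13 in the SYSCALL record of comment 12)."""
    return sorted({(e['stype'], e['ttype']) for e in events
                   if e['tclass'] == 'process' and 'transition' in e['perms']})
```

Rules produced this way only describe what the denials asked for, not what the policy should grant; in this bug the right fix was the policy update in comment 14 plus the daemon being launched in its own domain, not a local allow rule.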

Comment 14 Daniel Walsh 2011-03-16 12:49:15 UTC
Fixed in selinux-policy-3.9.16-5.fc15

Comment 15 Tomáš Bžatek 2011-03-18 12:55:10 UTC
Patch pushed to upstream git master.

Set bodhi automation to close this bug report once the update is pushed to stable.

Comment 16 Fedora Update System 2011-03-19 05:50:17 UTC
gnome-keyring-2.91.92-3.fc15 has been pushed to the Fedora 15 stable repository.  If problems still persist, please make note of it in this bug report.