Bug 704152

Summary: SELinux is preventing /usr/sbin/userhelper from 'search' accesses on the directory /dev/pts.
Product: Fedora
Reporter: Matěj Cepl <mcepl>
Component: selinux-policy
Assignee: Miroslav Grepl <mgrepl>
Status: CLOSED ERRATA
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: medium
Priority: medium
Version: 15
CC: dwalsh, dwmw2, mcepl, mgrepl, tmraz
Hardware: x86_64   
OS: Linux   
Whiteboard: setroubleshoot_trace_hash:af3adf70e00211a02bdd0064bc8e6ed848fbbd14e8b13ea522eb8114bec47df3
Fixed In Version: selinux-policy-3.9.16-24.fc15
Doc Type: Bug Fix
Last Closed: 2011-05-25 03:30:14 UTC
Attachments: output of ausearch -m AVC -ts today

Description Matěj Cepl 2011-05-12 09:50:47 UTC
SELinux is preventing /usr/sbin/userhelper from 'search' accesses on the directory /dev/pts.

Not sure what's going on, but I have a lot of consolehelper AVC denials; will attach a list.

*****  Plugin catchall (100. confidence) suggests  ***************************

If you believe that userhelper should be allowed search access on the pts directory by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep userhelper /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                staff_u:staff_r:staff_consolehelper_t:s0-s0:c0.c1023
Target Context                system_u:object_r:devpts_t:s0
Target Objects                /dev/pts [ dir ]
Source                        userhelper
Source Path                   /usr/sbin/userhelper
Port                          <Neznámé>
Host                          (removed)
Source RPM Packages           usermode-1.107-1.fc15
Target RPM Packages           
Policy RPM                    selinux-policy-3.9.16-23.fc15
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 2.6.38.5-24.fc15.x86_64 #1 SMP Fri May 6 08:00:28 UTC 2011 x86_64 x86_64
Alert Count                   1
First Seen                    Čt 12. květen 2011, 09:34:18 CEST
Last Seen                     Čt 12. květen 2011, 09:34:18 CEST
Local ID                      7879217b-ca18-4762-bc80-19281464f520

Raw Audit Messages
type=AVC msg=audit(1305185658.529:4153): avc:  denied  { search } for  pid=4223 comm="userhelper" name="/" dev=devpts ino=1 scontext=staff_u:staff_r:staff_consolehelper_t:s0-s0:c0.c1023 tcontext=system_u:object_r:devpts_t:s0 tclass=dir


type=SYSCALL msg=audit(1305185658.529:4153): arch=x86_64 syscall=stat success=no exit=EACCES a0=6a1300 a1=7fff6290a980 a2=7fff6290a980 a3=7fff6290a830 items=0 ppid=4222 pid=4223 auid=500 uid=500 gid=500 euid=0 suid=0 fsuid=0 egid=500 sgid=500 fsgid=500 tty=pts0 ses=488 comm=userhelper exe=/usr/sbin/userhelper subj=staff_u:staff_r:staff_consolehelper_t:s0-s0:c0.c1023 key=(null)

Hash: userhelper,staff_consolehelper_t,devpts_t,dir,search

audit2allow

#============= staff_consolehelper_t ==============
allow staff_consolehelper_t devpts_t:dir search;

audit2allow -R

#============= staff_consolehelper_t ==============
allow staff_consolehelper_t devpts_t:dir search;

Comment 1 Matěj Cepl 2011-05-12 09:56:44 UTC
Created attachment 498497 [details]
output of ausearch -m AVC -ts today

Which boils down to:

bradford:~# audit2allow < /tmp/ausearch-today.txt


#============= crond_t ==============
#!!!! This avc can be allowed using the boolean 'allow_polyinstantiation'

allow crond_t self:capability chown;

#============= staff_consolehelper_t ==============
allow staff_consolehelper_t agp_device_t:chr_file getattr;
allow staff_consolehelper_t apm_bios_t:chr_file getattr;
allow staff_consolehelper_t autofs_device_t:chr_file getattr;
allow staff_consolehelper_t clock_device_t:chr_file getattr;
allow staff_consolehelper_t devpts_t:dir { getattr search };
allow staff_consolehelper_t event_device_t:chr_file getattr;
allow staff_consolehelper_t fixed_disk_device_t:blk_file getattr;
allow staff_consolehelper_t framebuf_device_t:chr_file getattr;
allow staff_consolehelper_t fuse_device_t:chr_file getattr;
allow staff_consolehelper_t gpmctl_t:sock_file getattr;
allow staff_consolehelper_t hugetlbfs_t:dir getattr;
allow staff_consolehelper_t initctl_t:fifo_file getattr;
allow staff_consolehelper_t kmsg_device_t:chr_file getattr;
allow staff_consolehelper_t kvm_device_t:chr_file getattr;
allow staff_consolehelper_t lvm_control_t:chr_file getattr;
allow staff_consolehelper_t memory_device_t:chr_file getattr;
allow staff_consolehelper_t netcontrol_device_t:chr_file getattr;
allow staff_consolehelper_t nvram_device_t:chr_file getattr;
allow staff_consolehelper_t ppp_device_t:chr_file getattr;
allow staff_consolehelper_t proc_kcore_t:file getattr;
allow staff_consolehelper_t ptmx_t:chr_file getattr;
allow staff_consolehelper_t removable_device_t:blk_file getattr;
allow staff_consolehelper_t scsi_generic_device_t:chr_file getattr;
allow staff_consolehelper_t tpm_device_t:chr_file getattr;
allow staff_consolehelper_t tty_device_t:chr_file getattr;
allow staff_consolehelper_t usb_device_t:chr_file getattr;
allow staff_consolehelper_t usbmon_device_t:chr_file getattr;
allow staff_consolehelper_t watchdog_device_t:chr_file getattr;
allow staff_consolehelper_t wireless_device_t:chr_file getattr;
allow staff_consolehelper_t xserver_misc_device_t:chr_file getattr;

#============= staff_gkeyringd_t ==============
#!!!! This avc is allowed in the current policy

allow staff_gkeyringd_t self:process setcap;

#============= staff_t ==============
allow staff_t system_map_t:file read;
bradford:~#

Comment 2 Miroslav Grepl 2011-05-12 14:50:52 UTC
Matej,
which tool were you running?

Comment 3 Daniel Walsh 2011-05-12 16:30:08 UTC
Matej, Do you think there is anything we should protect from staff_t that perf reads?

I am not sure what userhelper is doing, but we should probably just dontaudit the access.

Comment 4 Matěj Cepl 2011-05-12 21:20:14 UTC
(In reply to comment #3)
> I am not sure what userhelper is doing, but we should probably just dontaudit
> the access.

More “modern” version of (I trust) your best friend consolehelper.

Comment 5 Miloslav Trmač 2011-05-14 00:25:24 UTC
(In reply to comment #4)
> (In reply to comment #3)
> > I am not sure what userhelper is doing, but we should probably just dontaudit
> > the access.
> 
> More “modern” version of (I trust) your best friend consolehelper.

userhelper is the underlying privilege escalation mechanism used by consolehelper.  However, userhelper does not itself perform any search of /dev; I guess that this is done by some PAM module.

Matej, could you

* collect timestamps of the denials, using e.g. ausearch -i to get readable data out of audit.log,

* identify the related userhelper log entries in /var/log/secure, e.g.
> May 14 02:22:59 kulicka userhelper[11381]: running '/usr/share/system-config-users/system-config-users ' with root privileges on behalf of 'mitr'

* from the command name in that log entry, identify the relevant file in /etc/security/console.apps,

* attach the contents of the /etc/pam.d/* file with the same name,

please?
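
As an added triage example (not code from this bug report or from the usermode/selinux-policy projects): a Python script that digests raw AVC records like the one in the description into audit2allow-style (source type, target type, class) -> permissions groups, and performs the correlation requested above by matching each denial to the userhelper line in /var/log/secure with the same pid within a few seconds, so that the program name can be looked up under /etc/security/console.apps and /etc/pam.d. The log lines are constructed, and the syslog year and UTC offset (CEST = +2) are assumptions passed in as parameters.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample records, modelled on the AVC record in this report.
AUDIT_LOG = """\
type=AVC msg=audit(1305185658.529:4153): avc:  denied  { search } for  pid=4223 comm="userhelper" name="/" dev=devpts ino=1 scontext=staff_u:staff_r:staff_consolehelper_t:s0-s0:c0.c1023 tcontext=system_u:object_r:devpts_t:s0 tclass=dir
type=AVC msg=audit(1305185658.530:4154): avc:  denied  { getattr } for  pid=4223 comm="userhelper" path="/dev/ptmx" dev=devtmpfs ino=1234 scontext=staff_u:staff_r:staff_consolehelper_t:s0-s0:c0.c1023 tcontext=system_u:object_r:ptmx_t:s0 tclass=chr_file
"""
# Constructed /var/log/secure lines (syslog stamps carry neither year nor zone).
SECURE_LOG = """\
May 12 09:34:17 bradford userhelper[4223]: running '/usr/share/system-config-users/system-config-users ' with root privileges on behalf of 'mcepl'
May 12 11:02:01 bradford userhelper[5001]: running '/usr/sbin/setup ' with root privileges on behalf of 'mcepl'
"""
AVC_RE = re.compile(r'msg=audit\((?P<ts>\d+)\.\d+:(?P<serial>\d+)\).*?denied\s+\{ (?P<perms>[^}]+)\} for\s+pid=(?P<pid>\d+) comm="(?P<comm>[^"]+)".*?scontext=(?P<sctx>\S+) tcontext=(?P<tctx>\S+) tclass=(?P<tclass>\S+)')
SECURE_RE = re.compile(r"^(?P<stamp>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ userhelper\[(?P<pid>\d+)\]: running '(?P<cmd>\S+) ?'")

def parse_avc(line):
    """Return the fields of one AVC denial as a dict, or None for other records."""
    m = AVC_RE.search(line)
    if not m:
        return None
    d = m.groupdict()
    d['perms'] = set(d['perms'].split())
    d['stype'], d['ttype'] = d['sctx'].split(':')[2], d['tctx'].split(':')[2]  # user:role:TYPE:level
    d['ts'], d['pid'] = int(d['ts']), int(d['pid'])
    return d

def summarize(audit_text):
    """Group denials the way audit2allow does: (source type, target type, class) -> perms."""
    rules = {}
    for d in filter(None, map(parse_avc, audit_text.splitlines())):
        rules.setdefault((d['stype'], d['ttype'], d['tclass']), set()).update(d['perms'])
    return rules

def correlate(audit_text, secure_text, year, utc_offset_hours, window=5):
    """Map each AVC serial to the userhelper run (same pid, within `window` seconds) in
    /var/log/secure; the program name is the file to read in console.apps and pam.d."""
    tz = timezone(timedelta(hours=utc_offset_hours))  # assumed zone of the syslog stamps
    runs = []
    for m in filter(None, map(SECURE_RE.match, secure_text.splitlines())):
        when = datetime.strptime(f"{year} {m['stamp']}", "%Y %b %d %H:%M:%S").replace(tzinfo=tz)
        runs.append((when, int(m['pid']), m['cmd'].rsplit('/', 1)[-1]))
    hits = {}
    for d in filter(None, map(parse_avc, audit_text.splitlines())):
        when = datetime.fromtimestamp(d['ts'], tz)  # audit stamps are epoch seconds
        for run_at, pid, app in runs:
            if pid == d['pid'] and abs((when - run_at).total_seconds()) <= window:
                hits[d['serial']] = app
    return hits
```

On a real host, feed it `ausearch -m AVC -ts today --raw` output and /var/log/secure; the returned names are what to inspect under /etc/security/console.apps and /etc/pam.d.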

Comment 10 Matěj Cepl 2011-05-14 09:15:57 UTC
I believe it will be better for everybody if I don't do much analysis on data I have no clue about ;).

Comment 12 Miloslav Trmač 2011-05-16 22:16:02 UTC
I'm afraid I haven't found the code that is doing the accesses in /dev; I was not able to reproduce the accesses either.

The only noticeable thing about the logs is that these AVCs cannot happen with the default setup where users run as unconfined_t, because unconfined_t is allowed to access device files.  These messages are related to using staff_t (but, AFAICT, not directly caused by this).

The only thing I can tell is that userhelper itself is not performing these accesses.  Tomas, can you think of a PAM module that would do this?

Comment 14 Tomas Mraz 2011-05-17 06:08:51 UTC
Well, many PAM modules are looking at the file attributes of the tty devices, including the pseudo ttys, so the access to the inode attributes should definitely be allowed.

Comment 15 Daniel Walsh 2011-05-17 08:00:09 UTC
Miroslav, just add

dev_getattr_all_chr_files(consolehelper_domain)

to RHEL6, F14, F15

Comment 16 Miroslav Grepl 2011-05-17 13:09:04 UTC
Fixed in selinux-policy-3.9.16-24.fc15

Comment 17 Fedora Update System 2011-05-17 16:12:21 UTC
selinux-policy-3.9.16-24.fc15 has been submitted as an update for Fedora 15.
https://admin.fedoraproject.org/updates/selinux-policy-3.9.16-24.fc15

Comment 18 Fedora Update System 2011-05-18 18:41:04 UTC
Package selinux-policy-3.9.16-24.fc15:
* should fix your issue,
* was pushed to the Fedora 15 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.9.16-24.fc15'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/selinux-policy-3.9.16-24.fc15
then log in and leave karma (feedback).

Comment 19 Fedora Update System 2011-05-25 03:29:23 UTC
selinux-policy-3.9.16-24.fc15 has been pushed to the Fedora 15 stable repository.  If problems still persist, please make note of it in this bug report.