Bug 704152
Summary: SELinux is preventing /usr/sbin/userhelper from 'search' accesses on the directory /dev/pts.

| Field | Value | Field | Value |
|---|---|---|---|
| Product | Fedora | Reporter | Matěj Cepl <mcepl> |
| Component | selinux-policy | Assignee | Miroslav Grepl <mgrepl> |
| Status | CLOSED ERRATA | QA Contact | Fedora Extras Quality Assurance <extras-qa> |
| Severity | medium | Docs Contact | |
| Priority | medium | | |
| Version | 15 | CC | dwalsh, dwmw2, mcepl, mgrepl, tmraz |
| Target Milestone | --- | | |
| Target Release | --- | | |
| Hardware | x86_64 | | |
| OS | Linux | | |
| Whiteboard | setroubleshoot_trace_hash:af3adf70e00211a02bdd0064bc8e6ed848fbbd14e8b13ea522eb8114bec47df3 | | |
| Fixed In Version | selinux-policy-3.9.16-24.fc15 | Doc Type | Bug Fix |
| Doc Text | | Story Points | --- |
| Clone Of | | Environment | |
| Last Closed | 2011-05-25 03:30:14 UTC | Type | --- |
| Regression | --- | Mount Type | --- |
| Documentation | --- | CRM | |
| Verified Versions | | Category | --- |
| oVirt Team | --- | RHEL 7.3 requirements from Atomic Host | |
| Cloudforms Team | --- | Target Upstream Version | |
| Embargoed | | | |
| Attachments | | | |
Description
Matěj Cepl
2011-05-12 09:50:47 UTC
Created attachment 498497: output of ausearch -m AVC -ts today
Which boils down to:
bradford:~# audit2allow < /tmp/ausearch-today.txt
#============= crond_t ==============
#!!!! This avc can be allowed using the boolean 'allow_polyinstantiation'
allow crond_t self:capability chown;
#============= staff_consolehelper_t ==============
allow staff_consolehelper_t agp_device_t:chr_file getattr;
allow staff_consolehelper_t apm_bios_t:chr_file getattr;
allow staff_consolehelper_t autofs_device_t:chr_file getattr;
allow staff_consolehelper_t clock_device_t:chr_file getattr;
allow staff_consolehelper_t devpts_t:dir { getattr search };
allow staff_consolehelper_t event_device_t:chr_file getattr;
allow staff_consolehelper_t fixed_disk_device_t:blk_file getattr;
allow staff_consolehelper_t framebuf_device_t:chr_file getattr;
allow staff_consolehelper_t fuse_device_t:chr_file getattr;
allow staff_consolehelper_t gpmctl_t:sock_file getattr;
allow staff_consolehelper_t hugetlbfs_t:dir getattr;
allow staff_consolehelper_t initctl_t:fifo_file getattr;
allow staff_consolehelper_t kmsg_device_t:chr_file getattr;
allow staff_consolehelper_t kvm_device_t:chr_file getattr;
allow staff_consolehelper_t lvm_control_t:chr_file getattr;
allow staff_consolehelper_t memory_device_t:chr_file getattr;
allow staff_consolehelper_t netcontrol_device_t:chr_file getattr;
allow staff_consolehelper_t nvram_device_t:chr_file getattr;
allow staff_consolehelper_t ppp_device_t:chr_file getattr;
allow staff_consolehelper_t proc_kcore_t:file getattr;
allow staff_consolehelper_t ptmx_t:chr_file getattr;
allow staff_consolehelper_t removable_device_t:blk_file getattr;
allow staff_consolehelper_t scsi_generic_device_t:chr_file getattr;
allow staff_consolehelper_t tpm_device_t:chr_file getattr;
allow staff_consolehelper_t tty_device_t:chr_file getattr;
allow staff_consolehelper_t usb_device_t:chr_file getattr;
allow staff_consolehelper_t usbmon_device_t:chr_file getattr;
allow staff_consolehelper_t watchdog_device_t:chr_file getattr;
allow staff_consolehelper_t wireless_device_t:chr_file getattr;
allow staff_consolehelper_t xserver_misc_device_t:chr_file getattr;
#============= staff_gkeyringd_t ==============
#!!!! This avc is allowed in the current policy
allow staff_gkeyringd_t self:process setcap;
#============= staff_t ==============
allow staff_t system_map_t:file read;
bradford:~#
Comment 1
Matej, which tool were you running?

Comment 2
Matej, do you think there is anything we should protect from staff_t that perf reads?

Comment 3
I am not sure what userhelper is doing, but we should probably just dontaudit the access.

Comment 4
(In reply to comment #3)
> I am not sure what userhelper is doing, but we should probably just dontaudit
> the access.

More “modern” version of (I trust) your best friend consolehelper.

Comment 5
(In reply to comment #4)
> (In reply to comment #3)
> > I am not sure what userhelper is doing, but we should probably just dontaudit
> > the access.
>
> More “modern” version of (I trust) your best friend consolehelper.

userhelper is the underlying privilege escalation mechanism used by consolehelper. However, userhelper does not itself perform any search of /dev; I guess that this is done by some PAM module.

Matej, could you
* collect timestamps of the denials, using e.g. (ausearch -i) to get readable data out of audit.log,
* identify the related userhelper log entries in /var/log/secure, e.g.
  > May 14 02:22:59 kulicka userhelper[11381]: running '/usr/share/system-config-users/system-config-users ' with root privileges on behalf of 'mitr'
* from the command name in that log entry, identify the relevant file in /etc/security/console.apps,
* attach the contents of the /etc/pam.d/* file with the same name,
please?

Comment 6
I believe it will be better for everybody when I won't be doing much of analysis on data I have no clue about ;).

Comment 7
I'm afraid I haven't found the code that is doing the accesses in /dev; I was not able to reproduce the accesses either. The only noticeable thing about the logs is that these AVCs cannot happen with the default setup where users run as unconfined_t, because unconfined_t is allowed to access device files. These messages are related to using staff_t (but, AFAICT, not directly caused by this). The only thing I can tell is that userhelper itself is not performing these accesses.

Tomas, can you think of a PAM module that would do this?
Comment 8
Well, many PAM modules are looking at the file attributes of the tty devices, including the pseudo ttys, so the access to the inode attributes should definitely be allowed.

Comment 9
Miroslav, just add dev_getattr_all_chr_files(consolehelper_domain) to RHEL6, F14, F15.

Comment 10
Fixed in selinux-policy-3.9.16-24.fc15

Comment 11
selinux-policy-3.9.16-24.fc15 has been submitted as an update for Fedora 15.
https://admin.fedoraproject.org/updates/selinux-policy-3.9.16-24.fc15

Comment 12
Package selinux-policy-3.9.16-24.fc15:
* should fix your issue,
* was pushed to the Fedora 15 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.9.16-24.fc15'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/selinux-policy-3.9.16-24.fc15
then log in and leave karma (feedback).

Comment 13
selinux-policy-3.9.16-24.fc15 has been pushed to the Fedora 15 stable repository. If problems still persist, please make note of it in this bug report.
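The triage the thread asks for (readable denial timestamps, the matching userhelper entry in /var/log/secure, and the console.apps and pam.d file names derived from the command that was run), as an added Python example that is not part of the bug report. The audit and secure log lines it runs on are constructed samples in the formats quoted above, and the rule it renders has the same shape as the audit2allow output in the description.

```python
import os
import re
from datetime import datetime, timezone

# Constructed sample data (not the bug's attachment): a raw AVC record as `ausearch -m AVC`
# prints it, and /var/log/secure lines in the format quoted in the thread (epoch = 02:22:59 UTC).
AUDIT_LOG = """\
type=AVC msg=audit(1305339779.412:1234): avc:  denied  { search } for  pid=11381 comm="userhelper" name="pts" dev=devtmpfs ino=1234 scontext=staff_u:staff_r:staff_consolehelper_t:s0 tcontext=system_u:object_r:devpts_t:s0 tclass=dir
"""
SECURE_LOG = """\
May 14 02:22:59 kulicka userhelper[11381]: running '/usr/share/system-config-users/system-config-users ' with root privileges on behalf of 'mitr'
May 14 02:25:01 kulicka userhelper[11420]: running '/usr/sbin/system-config-date ' with root privileges on behalf of 'mitr'
"""
USERHELPER_RE = re.compile(
    r"^(?P<stamp>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ userhelper\[(?P<pid>\d+)\]: "
    r"running '(?P<cmd>[^']+)' with root privileges on behalf of '(?P<user>[^']+)'")

def parse_avc(line):
    """Extract what a policy author needs from one raw AVC record; None if it is not a denial."""
    m = re.search(r"audit\((\d+)\.\d+:\d+\).*?denied\s+\{([^}]+)\}", line)
    if not m:
        return None
    kv = dict(f.split("=", 1) for f in re.findall(r"\S+=\S+", line))
    return {"time": datetime.fromtimestamp(int(m.group(1)), tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S"),
            "perms": m.group(2).split(), "pid": int(kv["pid"]), "comm": kv["comm"].strip('"'),
            "source_type": kv["scontext"].split(":")[2],  # contexts are user:role:type[:range]
            "target_type": kv["tcontext"].split(":")[2], "tclass": kv["tclass"]}

def allow_rule(avc):
    """Render the rule audit2allow would print for this denial."""
    p = avc["perms"]
    perm = p[0] if len(p) == 1 else "{ " + " ".join(p) + " }"
    return f"allow {avc['source_type']} {avc['target_type']}:{avc['tclass']} {perm};"

def find_userhelper_run(secure_log, pid):
    """Match the denial to the userhelper 'running ...' line with the same PID."""
    for line in secure_log.splitlines():
        m = USERHELPER_RE.match(line)
        if m and int(m.group("pid")) == pid:
            app = os.path.basename(m.group("cmd").strip())  # tolerate the trailing space
            return {"stamp": m.group("stamp"), "user": m.group("user"), "app": app,
                    "console_app": f"/etc/security/console.apps/{app}", "pam_config": f"/etc/pam.d/{app}"}
    return None

def triage(audit_log, secure_log):
    """Join each userhelper denial with its run and the two config files the thread asks for."""
    avcs = [parse_avc(l) for l in audit_log.splitlines()]
    return [{**a, "rule": allow_rule(a), "run": find_userhelper_run(secure_log, a["pid"])}
            for a in avcs if a and a["comm"] == "userhelper"]
```

On the samples, triage(AUDIT_LOG, SECURE_LOG) returns one hit: the 02:22:59 search denial rendered as `allow staff_consolehelper_t devpts_t:dir search;`, tied to the system-config-users run, so the files to attach are /etc/security/console.apps/system-config-users and /etc/pam.d/system-config-users.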