Bug 712613

Summary: SELinux is preventing /usr/bin/who from using the 'signull' accesses on a process.
Product: [Fedora] Fedora Reporter: Charles Thomas <CharlesRThomasJr>
Component: smartmontoolsAssignee: Miroslav Grepl <mgrepl>
Status: CLOSED ERRATA QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: medium Docs Contact:
Priority: unspecified    
Version: 15CC: adrin.jalali, dominick.grift, dwalsh, fb.commerce, ian, knowledgeispower80, mgrepl, mhlavink, mishu, old.uncle.z, slawomir.czarko, stefano.biagiotti, wjbealer
Target Milestone: ---Keywords: SELinux
Target Release: ---   
Hardware: i386   
OS: Linux   
Whiteboard: setroubleshoot_trace_hash:93085763e535a95b5c0a04470a98faf8665fcd4585e52243a1f593f5eb94c037
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
I had just done a clean, from-scratch, install of Fedora 15 on a microcomputer that had run Fedora 8 faithfully for years. I've not yet run anything since the install other than to load software updates and Firefox.
Last Closed: 2011-08-24 15:42:49 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:

Description Charles Thomas 2011-06-11 19:04:48 UTC 
SELinux is preventing /usr/bin/who from using the 'signull' accesses on a process.

*****  Plugin catchall (100. confidence) suggests  ***************************

If you believe that who should be allowed signull access on processes labeled xdm_t by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep who /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:fsdaemon_t:s0
Target Context                system_u:system_r:xdm_t:s0-s0:c0.c1023
Target Objects                Unknown [ process ]
Source                        who
Source Path                   /usr/bin/who
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           coreutils-8.10-2.fc15
Target RPM Packages           
Policy RPM                    selinux-policy-3.9.16-26.fc15
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux thomasdenhutch 2.6.38.7-30.fc15.i686.PAE #1
                              SMP Fri May 27 05:44:56 UTC 2011 i686 i686
Alert Count                   4
First Seen                    Sat 11 Jun 2011 09:22:05 AM CDT
Last Seen                     Sat 11 Jun 2011 09:22:35 AM CDT
Local ID                      bbf13c0a-d50e-4c9b-865e-3e94e002d2d5

Raw Audit Messages
type=AVC msg=audit(1307802155.866:61): avc:  denied  { signull } for  pid=2170 comm="who" scontext=system_u:system_r:fsdaemon_t:s0 tcontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tclass=process


type=SYSCALL msg=audit(1307802155.866:61): arch=i386 syscall=kill success=no exit=EACCES a0=51e a1=0 a2=80537fc a3=9ee2860 items=0 ppid=2169 pid=2170 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=who exe=/usr/bin/who subj=system_u:system_r:fsdaemon_t:s0 key=(null)

Hash: who,fsdaemon_t,xdm_t,process,signull

audit2allow

#============= fsdaemon_t ==============
allow fsdaemon_t xdm_t:process signull;

audit2allow -R

#============= fsdaemon_t ==============
allow fsdaemon_t xdm_t:process signull;
Comment 1 Dominick Grift 2011-06-11 20:48:01 UTC 
This must be some kind of joke? why would smartd be running the who command, and why would be who command want to send a null signal to gdm?
Comment 2 Miroslav Grepl 2011-06-13 05:59:38 UTC 
Charles,
do you know what you were doing when this happened?
Comment 3 Ian Williams 2011-06-13 07:57:15 UTC 
This must be associated.

SELinux is preventing /usr/bin/who from using the kill capability.

*****  Plugin catchall (100. confidence) suggests  ***************************

If you believe that who should have the kill capability by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep who /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:fsdaemon_t:s0
Target Context                system_u:system_r:fsdaemon_t:s0
Target Objects                Unknown [ capability ]
Source                        who
Source Path                   /usr/bin/who
Port                          <Unknown>
Host                          acer1705.ipw
Source RPM Packages           coreutils-8.10-2.fc15
Target RPM Packages           
Policy RPM                    selinux-policy-3.9.16-26.fc15
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     acer1705.ipw
Platform                      Linux acer1705.ipw 2.6.38.7-30.fc15.i686 #1 SMP
                              Fri May 27 06:02:17 UTC 2011 i686 i686
Alert Count                   1
First Seen                    Mon 13 Jun 2011 08:38:50 AM BST
Last Seen                     Mon 13 Jun 2011 08:38:50 AM BST
Local ID                      9cc8be0e-ebc3-44f5-b29a-1a9eabfefc32

Raw Audit Messages
type=AVC msg=audit(1307950730.5:72): avc:  denied  { kill } for  pid=4729 comm="who" capability=5  scontext=system_u:system_r:fsdaemon_t:s0 tcontext=system_u:system_r:fsdaemon_t:s0 tclass=capability


type=SYSCALL msg=audit(1307950730.5:72): arch=i386 syscall=kill success=no exit=EPERM a0=101d a1=0 a2=80537fc a3=87f1860 items=0 ppid=4728 pid=4729 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=who exe=/usr/bin/who subj=system_u:system_r:fsdaemon_t:s0 key=(null)

Hash: who,fsdaemon_t,fsdaemon_t,capability,kill

audit2allow

#============= fsdaemon_t ==============
allow fsdaemon_t self:capability kill;

audit2allow -R

#============= fsdaemon_t ==============
allow fsdaemon_t self:capability kill;


This also happened at the same time.

SELinux is preventing /bin/bash from using the dac_override capability.

*****  Plugin dac_override (91.4 confidence) suggests  ***********************

If you want to help identify if domain needs this access or you have a file with the wrong permissions on your system
Then turn on full auditing to get path information about the offending file and generate the error again.
Do

Turn on full auditing
# auditctl -w /etc/shadow -p w
Try to recreate AVC. Then execute
# ausearch -m avc -ts recent
If you see PATH record check ownership/permissions on file, and fix it, 
otherwise report as a bugzilla.

*****  Plugin catchall (9.59 confidence) suggests  ***************************

If you believe that bash should have the dac_override capability by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep smartdnotify /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:fsdaemon_t:s0
Target Context                system_u:system_r:fsdaemon_t:s0
Target Objects                Unknown [ capability ]
Source                        smartdnotify
Source Path                   /bin/bash
Port                          <Unknown>
Host                          acer1705.ipw
Source RPM Packages           bash-4.2.10-2.fc15
Target RPM Packages           
Policy RPM                    selinux-policy-3.9.16-26.fc15
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     acer1705.ipw
Platform                      Linux acer1705.ipw 2.6.38.7-30.fc15.i686 #1 SMP
                              Fri May 27 06:02:17 UTC 2011 i686 i686
Alert Count                   3
First Seen                    Mon 13 Jun 2011 08:38:50 AM BST
Last Seen                     Mon 13 Jun 2011 08:38:50 AM BST
Local ID                      84effbcf-1b53-41a7-a7f1-5f6e259facff

Raw Audit Messages
type=AVC msg=audit(1307950730.16:78): avc:  denied  { dac_override } for  pid=4724 comm="smartdnotify" capability=1  scontext=system_u:system_r:fsdaemon_t:s0 tcontext=system_u:system_r:fsdaemon_t:s0 tclass=capability


type=SYSCALL msg=audit(1307950730.16:78): arch=i386 syscall=open success=no exit=EACCES a0=94ba6f0 a1=8201 a2=0 a3=0 items=0 ppid=4723 pid=4724 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=smartdnotify exe=/bin/bash subj=system_u:system_r:fsdaemon_t:s0 key=(null)

Hash: smartdnotify,fsdaemon_t,fsdaemon_t,capability,dac_override

audit2allow

#============= fsdaemon_t ==============
allow fsdaemon_t self:capability dac_override;

audit2allow -R

#============= fsdaemon_t ==============
allow fsdaemon_t self:capability dac_override;

I was reading an email at the time in thunderbird, the system was busy doing something at the time as there was a lot of disk activity. I am alsousing a clean install of FC15, only three days old.
Comment 4 Daniel Walsh 2011-06-13 13:31:35 UTC 
Is there a different executable named who?
Comment 5 Daniel Walsh 2011-06-13 13:33:20 UTC 
Maybe smartmon guys could explain what is going on.
Comment 6 Michal Hlavinka 2011-06-13 13:51:31 UTC 
(In reply to comment #5)
> Maybe smartmon guys could explain what is going on.

New feature: instead of just sending a mail to root (no one reads it on desktops) we send mail to root AND show notification when smartd finds some problem with your disk.

Because we can't use notify-send (I'll skip the details) and because sending message with 'wall' works in cases where notify-send can't be used, we've decided to use 'wall'. But because 'wall' adds quite big ugly header, we do 'wall' ourself by sending message to user terminals. Code can be found in :

/usr/libexec/smartmontools/smartdnotify

===============
#! /bin/sh

# Send mail
echo "$SMARTD_MESSAGE" | mail -s "$SMARTD_FAILTYPE" "$SMARTD_ADDRESS"

# Notify desktop user
MESSAGE="WARNING: Your hard drive is failing"

# direct write to terminals, do not use 'wall', because we don't want its ugly header
for t in $(who | awk '{ print $2; }' | grep -e '^tty' -e '^pts/')
do
  echo "$MESSAGE
$SMARTD_MESSAGE" >/dev/$t 2>/dev/null ||:
done
===============
Comment 7 Stefano Biagiotti 2011-07-21 08:11:28 UTC 
FWIW, same here with F14.

# rpm -q smartmontools
smartmontools-5.40-6.fc14.x86_64

Add '-M test' to /etc/smartd.conf and start smartd to trigger it.

/var/log/messages:
Jul 21 09:46:01 rotterdam smartd[3586]: smartd 5.40 2010-10-16 r3189 [x86_64-redhat-linux-gnu] (local build)#012Copyright (C) 2002-10 by Bruce Allen, http://smartmontools.sourceforge.net#012
Jul 21 09:46:01 rotterdam smartd[3586]: Opened configuration file /etc/smartd.conf
Jul 21 09:46:01 rotterdam smartd[3586]: Configuration file /etc/smartd.conf was parsed, found DEVICESCAN, scanning devices
Jul 21 09:46:01 rotterdam smartd[3586]: Device: /dev/sda, type changed from 'scsi' to 'sat'
Jul 21 09:46:01 rotterdam smartd[3586]: Device: /dev/sda [SAT], opened
Jul 21 09:46:01 rotterdam smartd[3586]: Device: /dev/sda [SAT], found in smartd database.
Jul 21 09:46:01 rotterdam smartd[3586]: Device: /dev/sda [SAT], is SMART capable. Adding to "monitor" list.
Jul 21 09:46:01 rotterdam smartd[3586]: Monitoring 1 ATA and 0 SCSI devices
Jul 21 09:46:01 rotterdam smartd[3586]: Executing test of /usr/libexec/smartmontools/smartdnotify to root ...
Jul 21 09:46:01 rotterdam smartd[3586]: Test of /usr/libexec/smartmontools/smartdnotify to root produced unexpected output (311 bytes) to STDOUT/STDERR: #012/usr/libexec/smartmontools/smartdnotify: line 13: /dev/tty1: Permesso negato#012/usr/libexec/smartmontools/smartdnotify: line 13: /dev/pts/0: Permesso negato#012/usr/libexec/smartmontools/smartdnotify: line 13: /dev/pts/1: Permesso negato#012/usr/libexec/smartmontools/smartdnotify: line 13: /dev/pts/2: Permesso negato#012
Jul 21 09:46:01 rotterdam smartd[3586]: Test of /usr/libexec/smartmontools/smartdnotify to root: successful
Jul 21 09:46:01 rotterdam smartd[3602]: smartd has fork()ed into background mode. New PID=3602.
Jul 21 09:46:03 rotterdam setroubleshoot: SELinux is preventing /usr/bin/who from using the signull access on a process. For complete SELinux messages. run sealert -l 43443471-0171-4fe7-8c47-418cc958b160
Jul 21 09:46:03 rotterdam setroubleshoot: SELinux is preventing /usr/bin/who from using the kill capability. For complete SELinux messages. run sealert -l 6b497703-f692-483a-ab2e-5e2639c3d1cb
Jul 21 09:46:03 rotterdam setroubleshoot: SELinux is preventing /usr/bin/who from using the kill capability. For complete SELinux messages. run sealert -l 6b497703-f692-483a-ab2e-5e2639c3d1cb
Jul 21 09:46:03 rotterdam setroubleshoot: SELinux is preventing /usr/bin/who from using the kill capability. For complete SELinux messages. run sealert -l 6b497703-f692-483a-ab2e-5e2639c3d1cb
Jul 21 09:46:03 rotterdam setroubleshoot: SELinux is preventing /bin/bash from using the dac_override capability. For complete SELinux messages. run sealert -l 99e008ac-560a-4b69-bbe8-b9c90cf4738a
Jul 21 09:46:03 rotterdam setroubleshoot: SELinux is preventing /bin/bash from using the dac_override capability. For complete SELinux messages. run sealert -l 99e008ac-560a-4b69-bbe8-b9c90cf4738a
Jul 21 09:46:03 rotterdam setroubleshoot: SELinux is preventing /bin/bash from using the dac_override capability. For complete SELinux messages. run sealert -l 99e008ac-560a-4b69-bbe8-b9c90cf4738a
Jul 21 09:46:03 rotterdam setroubleshoot: SELinux is preventing /bin/bash from using the dac_override capability. For complete SELinux messages. run sealert -l 99e008ac-560a-4b69-bbe8-b9c90cf4738a
Jul 21 09:46:03 rotterdam setroubleshoot: SELinux is preventing /bin/bash from using the dac_override capability. For complete SELinux messages. run sealert -l 99e008ac-560a-4b69-bbe8-b9c90cf4738a
Jul 21 09:46:03 rotterdam setroubleshoot: SELinux is preventing /bin/bash from using the dac_override capability. For complete SELinux messages. run sealert -l 99e008ac-560a-4b69-bbe8-b9c90cf4738a
Comment 8 Charles Thomas 2011-07-21 11:28:22 UTC 
I gave up on Fedora 15, obtained and installed Fedora 14 without incident.

Fedora 15 was (past tense) a bad, but brief experience for me--several failed installation attempts.


(In reply to comment #0)
> SELinux is preventing /usr/bin/who from using the 'signull' accesses on a
> process.
> 
> *****  Plugin catchall (100. confidence) suggests  ***************************
> 
> If you believe that who should be allowed signull access on processes labeled
> xdm_t by default.
> Then you should report this as a bug.
> You can generate a local policy module to allow this access.
> Do
> allow this access for now by executing:
> # grep who /var/log/audit/audit.log | audit2allow -M mypol
> # semodule -i mypol.pp
> 
> Additional Information:
> Source Context                system_u:system_r:fsdaemon_t:s0
> Target Context                system_u:system_r:xdm_t:s0-s0:c0.c1023
> Target Objects                Unknown [ process ]
> Source                        who
> Source Path                   /usr/bin/who
> Port                          <Unknown>
> Host                          (removed)
> Source RPM Packages           coreutils-8.10-2.fc15
> Target RPM Packages           
> Policy RPM                    selinux-policy-3.9.16-26.fc15
> Selinux Enabled               True
> Policy Type                   targeted
> Enforcing Mode                Enforcing
> Host Name                     (removed)
> Platform                      Linux thomasdenhutch 2.6.38.7-30.fc15.i686.PAE #1
>                               SMP Fri May 27 05:44:56 UTC 2011 i686 i686
> Alert Count                   4
> First Seen                    Sat 11 Jun 2011 09:22:05 AM CDT
> Last Seen                     Sat 11 Jun 2011 09:22:35 AM CDT
> Local ID                      bbf13c0a-d50e-4c9b-865e-3e94e002d2d5
> 
> Raw Audit Messages
> type=AVC msg=audit(1307802155.866:61): avc:  denied  { signull } for  pid=2170
> comm="who" scontext=system_u:system_r:fsdaemon_t:s0
> tcontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tclass=process
> 
> 
> type=SYSCALL msg=audit(1307802155.866:61): arch=i386 syscall=kill success=no
> exit=EACCES a0=51e a1=0 a2=80537fc a3=9ee2860 items=0 ppid=2169 pid=2170
> auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0
> tty=(none) ses=4294967295 comm=who exe=/usr/bin/who
> subj=system_u:system_r:fsdaemon_t:s0 key=(null)
> 
> Hash: who,fsdaemon_t,xdm_t,process,signull
> 
> audit2allow
> 
> #============= fsdaemon_t ==============
> allow fsdaemon_t xdm_t:process signull;
> 
> audit2allow -R
> 
> #============= fsdaemon_t ==============
> allow fsdaemon_t xdm_t:process signull;
Comment 9 Daniel Walsh 2011-07-21 13:24:15 UTC 
+application_signull(fsdaemon_t)


has been added to F16
Comment 10 Miroslav Grepl 2011-07-25 11:47:17 UTC 
I have added it also to F15. Will be in selinux-policy-3.9.16-36.fc15