Bug 821189
| Summary: | SELinux is preventing polkit-agent-he from using the 'setsched' accesses on a process. | | |
|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | Dominic Cleal <dcleal> |
| Component: | selinux-policy | Assignee: | Miroslav Grepl <mgrepl> |
| Status: | CLOSED ERRATA | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
| Severity: | unspecified | Docs Contact: | |
| Priority: | unspecified | | |
| Version: | 17 | CC: | dominick.grift, dwalsh, mgrepl |
| Target Milestone: | --- | Keywords: | Reopened |
| Target Release: | --- | | |
| Hardware: | x86_64 | | |
| OS: | Unspecified | | |
| Whiteboard: | abrt_hash:3812272878d6fbb9e0216ed1016214cd0d88c7e186cdccac00da25e31c9391a5 | | |
| Fixed In Version: | | Doc Type: | Bug Fix |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2012-12-20 16:06:25 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
Second AVC denial:
Additional Information:
Source Context unconfined_u:unconfined_r:policykit_auth_t:s0-s0:c0.c1023
Target Context unconfined_u:unconfined_r:policykit_auth_t:s0-s0:c0.c1023
Target Objects [ capability ]
Source polkit-agent-he
Source Path /usr/libexec/polkit-1/polkit-agent-helper-1
Port <Unknown>
Host iridium
Source RPM Packages
Target RPM Packages
Policy RPM selinux-policy-3.10.0-121.fc17.noarch
Selinux Enabled True
Policy Type targeted
Enforcing Mode Enforcing
Host Name iridium
Platform Linux iridium 3.3.4-5.fc17.x86_64 #1 SMP Mon May 7 17:29:34 UTC 2012 x86_64 x86_64
Alert Count 54
First Seen Tue 10 Apr 2012 09:23:41 BST
Last Seen Sat 12 May 2012 23:15:27 BST
Local ID 0be0682e-3bbd-495c-8639-538c654af2bc
Raw Audit Messages
type=AVC msg=audit(1336860927.579:397): avc: denied { sys_nice } for pid=18367 comm="polkit-agent-he" capability=23 scontext=unconfined_u:unconfined_r:policykit_auth_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:policykit_auth_t:s0-s0:c0.c1023 tclass=capability
Hash: polkit-agent-he,policykit_auth_t,policykit_auth_t,capability,sys_nice
This seems to be caused by using pam_yubico (support for Yubikey OTP devices) with a PolicyKit-enabled application such as virt-manager. pam_yubico uses libyubikey, which uses libcurl to query the Yubikey server for authentication. I'm not sure of the details, but I think these syscalls are being triggered by NSPR inside libcurl.

One example stacktrace from a sched_setscheduler syscall captured with systemtap:

0x7f9e9cd0d607 : __sched_setscheduler+0x7/0x30 [/usr/lib64/libc-2.15.so]
0x7f9e9cff52e1 : pthread_setschedparam+0x51/0xb0 [/usr/lib64/libpthread-2.15.so]
0x7f9e987065c3 : PR_SetThreadPriority+0x93/0xd0 [/usr/lib64/libnspr4.so]
0x7f9e9870690a : PR_Yield+0x14a/0x1a0 [/usr/lib64/libnspr4.so]
0x7f9e986f7b14 : PR_ErrorInstallCallback+0x1b4/0x220 [/usr/lib64/libnspr4.so]
0x7f9e9972aed5 : curl_getdate+0x9645/0xc0d0 [/usr/lib64/libcurl.so.4.2.0]
0x7f9e99714955 : curl_global_init+0x85/0xb0 [/usr/lib64/libcurl.so.4.2.0]
0x7f9e99714aaa : curl_easy_init+0x1a/0x50 [/usr/lib64/libcurl.so.4.2.0]
0x7f9e9a1b792f : ykclient_init+0x2f/0x150 [/usr/lib64/libykclient.so.3.3.3]
0x7f9e9a3c06b5 : pam_sm_authenticate+0x8b5/0x2400 [/usr/lib64/security/pam_yubico.so]
0x7f9e9d9920c4 [/usr/lib64/libpam.so.0.83.1+0x30c4/0x20e000]

Thanks.

Fixed in selinux-policy-3.10.0-126.fc17

selinux-policy-3.10.0-128.fc17 has been submitted as an update for Fedora 17.
https://admin.fedoraproject.org/updates/selinux-policy-3.10.0-128.fc17

Package selinux-policy-3.10.0-128.fc17:
* should fix your issue,
* was pushed to the Fedora 17 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.10.0-128.fc17'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2012-8720/selinux-policy-3.10.0-128.fc17
then log in and leave karma (feedback).

selinux-policy-3.10.0-128.fc17 has been pushed to the Fedora 17 stable repository.
If problems still persist, please make note of it in this bug report.

Miroslav,
I still receive these AVC denials - did the two additions definitely go in? I can't find them in my loaded policy.
$ rpm -qf /etc/selinux/targeted/policy/policy.27
selinux-policy-targeted-3.10.0-153.fc17.noarch
$ sesearch --allow -s policykit_auth_t -t policykit_auth_t -c process
Found 2 semantic av rules:
allow policykit_auth_t policykit_auth_t : process { fork sigchld signal getsched getcap getattr } ;
allow policykit_auth_t policykit_auth_t : process setfscreate ;
(missing the setsched access vector)
$ sesearch --allow -s policykit_auth_t -t policykit_auth_t -c capability
Found 2 semantic av rules:
allow policykit_auth_t policykit_auth_t : capability { setgid setuid ipc_lock audit_write } ;
allow policykit_auth_t policykit_auth_t : capability net_bind_service ;
(missing sys_nice)
I apologize, it has not been added for policykit_auth_t.

Added.
commit 44e47b64b08a0dbea9a43178d41d02a45ea3c53e
Author: Miroslav Grepl <mgrepl>
Date: Fri Oct 19 11:15:09 2012 +0200
policykit-auth wants sys_nice
diff --git a/policy/modules/services/policykit.te b/policy/modules/services/policykit.te
index 939fe6d..8971bdd 100644
--- a/policy/modules/services/policykit.te
+++ b/policy/modules/services/policykit.te
@@ -134,9 +134,9 @@ optional_policy(`
# polkit_auth local policy
#
-allow policykit_auth_t self:capability { ipc_lock setgid setuid };
+allow policykit_auth_t self:capability { ipc_lock setgid setuid sys_nice };
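Review bot: the process:setsched denial this bug was filed for (audit message 398, tclass=process) is not covered by this hunk, which only extends the self:capability line with sys_nice, so the second AVC will keep firing after this commit. Add a matching process-class rule in the same polkit_auth local policy block, e.g. `allow policykit_auth_t self:process setsched;`, and have the commit message name both permissions rather than only sys_nice.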
Ok, thanks. setsched was also required for the process class, could you add that please?

Yes, it has been added with sys_nice.

(In reply to comment #11)
> Yes, it has been added with sys_nice.

Good, thank you.

selinux-policy-3.10.0-159.fc17 has been submitted as an update for Fedora 17.
https://admin.fedoraproject.org/updates/selinux-policy-3.10.0-159.fc17

Package selinux-policy-3.10.0-159.fc17:
* should fix your issue,
* was pushed to the Fedora 17 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.10.0-159.fc17'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2012-17782/selinux-policy-3.10.0-159.fc17
then log in and leave karma (feedback).

selinux-policy-3.10.0-128.fc17 has been pushed to the Fedora 17 stable repository.
If problems still persist, please make note of it in this bug report.
libreport version: 2.0.10
executable: /usr/bin/python2.7
hashmarkername: setroubleshoot
kernel: 3.3.4-5.fc17.x86_64
time: Sat 12 May 2012 23:21:24 BST

description:
:SELinux is preventing polkit-agent-he from using the 'setsched' accesses on a process.
:
:***** Plugin catchall (100. confidence) suggests ***************************
:
:If you believe that polkit-agent-he should be allowed setsched access on processes labeled policykit_auth_t by default.
:Then you should report this as a bug.
:You can generate a local policy module to allow this access.
:Do
:allow this access for now by executing:
:# grep polkit-agent-he /var/log/audit/audit.log | audit2allow -M mypol
:# semodule -i mypol.pp
:
:Additional Information:
:Source Context unconfined_u:unconfined_r:policykit_auth_t:s0-s0:c0.c1023
:Target Context unconfined_u:unconfined_r:policykit_auth_t:s0-s0:c0.c1023
:Target Objects [ process ]
:Source polkit-agent-he
:Source Path polkit-agent-he
:Port <Unknown>
:Host (removed)
:Source RPM Packages
:Target RPM Packages
:Policy RPM selinux-policy-3.10.0-121.fc17.noarch
:Selinux Enabled True
:Policy Type targeted
:Enforcing Mode Enforcing
:Host Name (removed)
:Platform Linux (removed) 3.3.4-5.fc17.x86_64 #1 SMP Mon May 7 17:29:34 UTC 2012 x86_64 x86_64
:Alert Count 18
:First Seen Sat 12 May 2012 23:07:22 BST
:Last Seen Sat 12 May 2012 23:15:27 BST
:Local ID cfc2a164-845d-4e32-b8b6-27f14ad43e45
:
:Raw Audit Messages
:type=AVC msg=audit(1336860927.579:398): avc: denied { setsched } for pid=18367 comm="polkit-agent-he" scontext=unconfined_u:unconfined_r:policykit_auth_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:policykit_auth_t:s0-s0:c0.c1023 tclass=process
:
:Hash: polkit-agent-he,policykit_auth_t,policykit_auth_t,process,setsched
:
:audit2allow
:unable to open /sys/fs/selinux/policy: Permission denied
:
:audit2allow -R
:unable to open /sys/fs/selinux/policy: Permission denied
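A small parser, added here as an example and not part of this bug report or of the selinux-policy package, that does for this case what the audit2allow step in the description does: it reads the two raw AVC messages quoted on this page, compares them against the allow rules that sesearch printed for selinux-policy-3.10.0-153.fc17, and emits only the TE rules the loaded policy still lacks. The sample inputs are copied from this page; writing self-to-self rules as `self`, as in the commit's policykit.te line, is an assumption about the output format.

```python
import re
from collections import defaultdict

# Sample input, copied from this report: the two raw AVC messages (sys_nice and setsched).
AVC_LINES = [
    'type=AVC msg=audit(1336860927.579:397): avc: denied { sys_nice } for pid=18367 comm="polkit-agent-he" capability=23 scontext=unconfined_u:unconfined_r:policykit_auth_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:policykit_auth_t:s0-s0:c0.c1023 tclass=capability',
    'type=AVC msg=audit(1336860927.579:398): avc: denied { setsched } for pid=18367 comm="polkit-agent-he" scontext=unconfined_u:unconfined_r:policykit_auth_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:policykit_auth_t:s0-s0:c0.c1023 tclass=process',
]

# Rules as printed by `sesearch --allow` on this page for selinux-policy-3.10.0-153.fc17.
SESEARCH_OUTPUT = """\
allow policykit_auth_t policykit_auth_t : process { fork sigchld signal getsched getcap getattr } ;
allow policykit_auth_t policykit_auth_t : process setfscreate ;
allow policykit_auth_t policykit_auth_t : capability { setgid setuid ipc_lock audit_write } ;
allow policykit_auth_t policykit_auth_t : capability net_bind_service ;
"""

AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?scontext=(?P<s>\S+)\s+tcontext=(?P<t>\S+)\s+tclass=(?P<cls>\S+)')
RULE_RE = re.compile(r'allow\s+(?P<s>\S+)\s+(?P<t>\S+)\s*:\s*(?P<cls>\S+)\s+(?:\{\s*(?P<set>[^}]+?)\s*\}|(?P<one>\S+))\s*;')

def type_of(context):
    """An SELinux context is user:role:type:range; the type is the third field."""
    return context.split(':')[2]

def parse_avc(lines):
    """Map (source type, target type, object class) -> set of denied permissions."""
    denied = defaultdict(set)
    for line in lines:
        m = AVC_RE.search(line)
        if m:
            denied[(type_of(m['s']), type_of(m['t']), m['cls'])].update(m['perms'].split())
    return denied

def parse_rules(text):
    """Same keying for the allow rules the loaded policy already contains (sesearch syntax)."""
    allowed = defaultdict(set)
    for m in RULE_RE.finditer(text):
        perms = m['set'].split() if m['set'] else [m['one']]
        allowed[(m['s'], m['t'], m['cls'])].update(perms)
    return allowed

def missing_rules(denied, allowed):
    """TE allow statements for denied permissions the policy still lacks; empty list means nothing to add."""
    rules = []
    for (s, t, cls), perms in sorted(denied.items()):
        gap = sorted(perms - allowed.get((s, t, cls), set()))
        if gap:
            target = 'self' if s == t else t  # assumed format: self-to-self rules written as 'self'
            rules.append(f"allow {s} {target}:{cls} {{ {' '.join(gap)} }};")
    return rules
```

Running `missing_rules(parse_avc(AVC_LINES), parse_rules(SESEARCH_OUTPUT))` against the 3.10.0-153 rules yields exactly the two gaps the reporter found by hand (sys_nice on capability, setsched on process).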