Bug 821189
Summary: | SELinux is preventing polkit-agent-he from using the 'setsched' accesses on a process. | | |
---|---|---|---|
Product: | [Fedora] Fedora | Reporter: | Dominic Cleal <dcleal> |
Component: | selinux-policy | Assignee: | Miroslav Grepl <mgrepl> |
Status: | CLOSED ERRATA | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
Severity: | unspecified | Docs Contact: | |
Priority: | unspecified | | |
Version: | 17 | CC: | dominick.grift, dwalsh, mgrepl |
Target Milestone: | --- | Keywords: | Reopened |
Target Release: | --- | | |
Hardware: | x86_64 | | |
OS: | Unspecified | | |
Whiteboard: | abrt_hash:3812272878d6fbb9e0216ed1016214cd0d88c7e186cdccac00da25e31c9391a5 | | |
Fixed In Version: | | Doc Type: | Bug Fix |
Doc Text: | | Story Points: | --- |
Clone Of: | | Environment: | |
Last Closed: | 2012-12-20 16:06:25 UTC | Type: | --- |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | | Category: | --- |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: | | | |
Description
Dominic Cleal
2012-05-12 22:21:41 UTC
Second AVC denial:

Additional Information:
Source Context     unconfined_u:unconfined_r:policykit_auth_t:s0-s0:c0.c1023
Target Context     unconfined_u:unconfined_r:policykit_auth_t:s0-s0:c0.c1023
Target Objects     [ capability ]
Source             polkit-agent-he
Source Path        /usr/libexec/polkit-1/polkit-agent-helper-1
Port               <Unknown>
Host               iridium
Source RPM Packages
Target RPM Packages
Policy RPM         selinux-policy-3.10.0-121.fc17.noarch
Selinux Enabled    True
Policy Type        targeted
Enforcing Mode     Enforcing
Host Name          iridium
Platform           Linux iridium 3.3.4-5.fc17.x86_64 #1 SMP Mon May 7 17:29:34 UTC 2012 x86_64 x86_64
Alert Count        54
First Seen         Tue 10 Apr 2012 09:23:41 BST
Last Seen          Sat 12 May 2012 23:15:27 BST
Local ID           0be0682e-3bbd-495c-8639-538c654af2bc

Raw Audit Messages
type=AVC msg=audit(1336860927.579:397): avc: denied { sys_nice } for pid=18367 comm="polkit-agent-he" capability=23 scontext=unconfined_u:unconfined_r:policykit_auth_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:policykit_auth_t:s0-s0:c0.c1023 tclass=capability

Hash: polkit-agent-he,policykit_auth_t,policykit_auth_t,capability,sys_nice

This seems to be caused by using pam_yubico (support for Yubikey OTP devices) with a PolicyKit-enabled application such as virt-manager. pam_yubico uses libyubikey, which uses libcurl to query the Yubikey server for authentication. I'm not sure of the details, but I think these syscalls are being triggered by NSPR inside libcurl.
One example stacktrace from a sched_setscheduler syscall captured with systemtap:

0x7f9e9cd0d607 : __sched_setscheduler+0x7/0x30 [/usr/lib64/libc-2.15.so]
0x7f9e9cff52e1 : pthread_setschedparam+0x51/0xb0 [/usr/lib64/libpthread-2.15.so]
0x7f9e987065c3 : PR_SetThreadPriority+0x93/0xd0 [/usr/lib64/libnspr4.so]
0x7f9e9870690a : PR_Yield+0x14a/0x1a0 [/usr/lib64/libnspr4.so]
0x7f9e986f7b14 : PR_ErrorInstallCallback+0x1b4/0x220 [/usr/lib64/libnspr4.so]
0x7f9e9972aed5 : curl_getdate+0x9645/0xc0d0 [/usr/lib64/libcurl.so.4.2.0]
0x7f9e99714955 : curl_global_init+0x85/0xb0 [/usr/lib64/libcurl.so.4.2.0]
0x7f9e99714aaa : curl_easy_init+0x1a/0x50 [/usr/lib64/libcurl.so.4.2.0]
0x7f9e9a1b792f : ykclient_init+0x2f/0x150 [/usr/lib64/libykclient.so.3.3.3]
0x7f9e9a3c06b5 : pam_sm_authenticate+0x8b5/0x2400 [/usr/lib64/security/pam_yubico.so]
0x7f9e9d9920c4 [/usr/lib64/libpam.so.0.83.1+0x30c4/0x20e000]

Thanks.

Fixed in selinux-policy-3.10.0-126.fc17

selinux-policy-3.10.0-128.fc17 has been submitted as an update for Fedora 17.
https://admin.fedoraproject.org/updates/selinux-policy-3.10.0-128.fc17

Package selinux-policy-3.10.0-128.fc17:
* should fix your issue,
* was pushed to the Fedora 17 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.10.0-128.fc17'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2012-8720/selinux-policy-3.10.0-128.fc17
then log in and leave karma (feedback).

selinux-policy-3.10.0-128.fc17 has been pushed to the Fedora 17 stable repository. If problems still persist, please make note of it in this bug report.

Miroslav, I still receive these AVC denials - did the two additions definitely go in? I can't find them in my loaded policy.
$ rpm -qf /etc/selinux/targeted/policy/policy.27
selinux-policy-targeted-3.10.0-153.fc17.noarch

$ sesearch --allow -s policykit_auth_t -t policykit_auth_t -c process
Found 2 semantic av rules:
   allow policykit_auth_t policykit_auth_t : process { fork sigchld signal getsched getcap getattr } ;
   allow policykit_auth_t policykit_auth_t : process setfscreate ;

(missing the setsched access vector)

$ sesearch --allow -s policykit_auth_t -t policykit_auth_t -c capability
Found 2 semantic av rules:
   allow policykit_auth_t policykit_auth_t : capability { setgid setuid ipc_lock audit_write } ;
   allow policykit_auth_t policykit_auth_t : capability net_bind_service ;

(missing sys_nice)

I apologize, it has not been added for policykit_auth_t.

Added.

commit 44e47b64b08a0dbea9a43178d41d02a45ea3c53e
Author: Miroslav Grepl <mgrepl>
Date:   Fri Oct 19 11:15:09 2012 +0200

    policykit-auth wants sys_nice

diff --git a/policy/modules/services/policykit.te b/policy/modules/services/policykit.te
index 939fe6d..8971bdd 100644
--- a/policy/modules/services/policykit.te
+++ b/policy/modules/services/policykit.te
@@ -134,9 +134,9 @@ optional_policy(` # polkit_auth local policy # -allow policykit_auth_t self:capability { ipc_lock setgid setuid }; +allow policykit_auth_t self:capability { ipc_lock setgid setuid sys_nice };

Ok, thanks. setsched was also required for the process class, could you add that please?

Yes, it has been added with sys_nice.

(In reply to comment #11)
> Yes, it has been added with sys_nice.

Good, thank you.

selinux-policy-3.10.0-159.fc17 has been submitted as an update for Fedora 17.
https://admin.fedoraproject.org/updates/selinux-policy-3.10.0-159.fc17

Package selinux-policy-3.10.0-159.fc17:
* should fix your issue,
* was pushed to the Fedora 17 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.10.0-159.fc17'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2012-17782/selinux-policy-3.10.0-159.fc17
then log in and leave karma (feedback).

selinux-policy-3.10.0-128.fc17 has been pushed to the Fedora 17 stable repository. If problems still persist, please make note of it in this bug report.
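Review bot: the capability hunk at policykit.te line 134 adds sys_nice but carries no `allow policykit_auth_t self:process setsched;`, which is the other half of this bug (the reporter's sesearch output shows the process class still limited to `{ fork sigchld signal getsched getcap getattr }` plus setfscreate); the hunk header promises nine lines on each side and only the capability change is visible, so either the process rule belongs in this same change or the reply "it has been added with sys_nice" should point at the hunk that actually carries it. Worth weighing dontaudit against allow here as well: the systemtap trace shows sched_setscheduler reached through PR_SetThreadPriority inside curl_global_init during pam_yubico's pam_sm_authenticate, a thread-priority adjustment rather than anything the helper needs to finish authenticating, so if the Yubikey login still succeeds with the denial enforced, `dontaudit policykit_auth_t self:capability sys_nice;` and the matching process setsched dontaudit would silence the alerts without handing polkit-agent-helper-1 a scheduling capability it never uses for its job.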
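The AVC line in the description and the sesearch checks later in the thread are the two halves of the same workflow: read the denial, work out the rule it asks for, confirm whether the loaded policy already has it. The script below is an added example, not code from the bug report or from the selinux-policy project. It parses the sys_nice audit message quoted above and a second line constructed here for the setsched denial on the process class (the report only names that denial in its summary; the audit text is assumed), prints the allow rules in the form policykit.te uses, and packages them as a local module in the checkmodule syntax that audit2allow emits. `policy_allows` calls sesearch only where setools is installed and reports status 2 otherwise, so the parsing part runs offline; the module name polkit_yubico and the file name avc2te.sh used by the stand-alone guard are the example's own choices.

```shell
#!/bin/sh
# Added example (not from the bug report or the selinux-policy project):
# turn an AVC denial into the policy rule it asks for and check that rule
# against the loaded policy.  POSIX sh, using only sed, cut and sort.

# The sys_nice denial quoted in the report.
AVC_SYS_NICE='type=AVC msg=audit(1336860927.579:397): avc: denied { sys_nice } for pid=18367 comm="polkit-agent-he" capability=23 scontext=unconfined_u:unconfined_r:policykit_auth_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:policykit_auth_t:s0-s0:c0.c1023 tclass=capability'

# Constructed here (assumed, not reproduced in the report): the setsched
# denial on the process class that the bug summary refers to.
AVC_SETSCHED='type=AVC msg=audit(1336860927.579:398): avc: denied { setsched } for pid=18367 comm="polkit-agent-he" scontext=unconfined_u:unconfined_r:policykit_auth_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:policykit_auth_t:s0-s0:c0.c1023 tclass=process'

# avc_field LINE KEY: value of "KEY=value" in an AVC line (empty if absent).
avc_field() {
    printf '%s\n' "$1" | sed -n "s/.*[[:space:]]$2=\([^[:space:]]*\).*/\1/p"
}

# avc_perms LINE: the permission names inside "denied { ... }".
avc_perms() {
    printf '%s\n' "$1" | sed -n 's/.*denied { \([^}]*\) }.*/\1/p'
}

# te_perms PERMS: brace a permission list only when it has several entries.
te_perms() {
    case $1 in
        *' '*) printf '{ %s }' "$1" ;;
        *)     printf '%s' "$1" ;;
    esac
}

# ctx_type CONTEXT: the type component of user:role:type:range.
ctx_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# avc_to_te LINE: the allow rule that would permit the denied access.
# A target of the source's own type is written as "self", as policykit.te does.
avc_to_te() {
    _src=$(ctx_type "$(avc_field "$1" scontext)")
    _tgt=$(ctx_type "$(avc_field "$1" tcontext)")
    _cls=$(avc_field "$1" tclass)
    _perms=$(avc_perms "$1")
    [ -n "$_src" ] && [ -n "$_tgt" ] && [ -n "$_cls" ] && [ -n "$_perms" ] || return 1
    [ "$_src" = "$_tgt" ] && _tgt=self
    printf 'allow %s %s:%s %s;\n' "$_src" "$_tgt" "$_cls" "$(te_perms "$_perms")"
}

# local_module NAME LINE...: a loadable module (checkmodule syntax, as
# audit2allow emits it) whose rules cover every AVC line given.
local_module() {
    _name=$1; shift
    _rules=''; _reqs=''
    for _line in "$@"; do
        _rule=$(avc_to_te "$_line") || return 1
        _rules="$_rules$_rule
"
        _s=$(ctx_type "$(avc_field "$_line" scontext)")
        _t=$(ctx_type "$(avc_field "$_line" tcontext)")
        _reqs="$_reqs    type $_s;
    type $_t;
    class $(avc_field "$_line" tclass) $(te_perms "$(avc_perms "$_line")");
"
    done
    printf 'module %s 1.0;\n\nrequire {\n' "$_name"
    printf '%s' "$_reqs" | sort -u      # drop the duplicate type lines
    printf '}\n\n%s' "$_rules"
}

# policy_allows LINE: 0 if the loaded policy already grants every denied
# permission, 1 if not, 2 when setools' sesearch is not installed.
policy_allows() {
    command -v sesearch >/dev/null 2>&1 || return 2
    _s=$(ctx_type "$(avc_field "$1" scontext)")
    _t=$(ctx_type "$(avc_field "$1" tcontext)")
    _c=$(avc_field "$1" tclass)
    for _p in $(avc_perms "$1"); do
        sesearch --allow -s "$_s" -t "$_t" -c "$_c" -p "$_p" 2>/dev/null \
            | grep -q "^ *allow $_s $_t" || return 1
    done
    return 0
}

# Stand-alone use (sh avc2te.sh): rules, policy verdict, then module text.
if [ "${0##*/}" = "avc2te.sh" ]; then
    for l in "$AVC_SYS_NICE" "$AVC_SETSCHED"; do
        avc_to_te "$l"
        _rc=0; policy_allows "$l" || _rc=$?
        case $_rc in
            0) echo "  (already allowed by the loaded policy)" ;;
            1) echo "  (NOT allowed by the loaded policy)" ;;
            2) echo "  (sesearch not installed; policy check skipped)" ;;
        esac
    done
    local_module polkit_yubico "$AVC_SYS_NICE" "$AVC_SETSCHED"
fi
```

On the affected host the module text goes through the usual three steps, `checkmodule -M -m -o polkit_yubico.mod polkit_yubico.te`, `semodule_package -o polkit_yubico.pp -m polkit_yubico.mod` and `semodule -i polkit_yubico.pp`, after which the same `sesearch --allow -s policykit_auth_t -t policykit_auth_t -c process` the reporter ran should list setsched. Prefer updating selinux-policy to a build that carries the fix over keeping such a module around; its value is in confirming, before and after an update, whether the two rules are actually loaded.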