1028696 – SELinux is preventing /usr/bin/pwauth from 'write' accesses on the file lastlog.

Bug 1028696 - SELinux is preventing /usr/bin/pwauth from 'write' accesses on the file lastlog.

Summary: SELinux is preventing /usr/bin/pwauth from 'write' accesses on the file lastlog.

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Fedora
Classification:	Fedora
Component:	selinux-policy
Sub Component:
Version:	19
Hardware:	x86_64
OS:	Unspecified
Priority:	unspecified
Severity:	unspecified
Target Milestone:	---
Assignee:	Miroslav Grepl
QA Contact:	Fedora Extras Quality Assurance
Docs Contact:
URL:
Whiteboard:	abrt_hash:73df8611dc8a19e0596b37c95bc...
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2013-11-09 17:27 UTC by Rok Mandeljc
Modified:	2013-12-03 10:33 UTC (History)
CC List:	5 users (show)
Fixed In Version:	selinux-policy-3.12.1-74.14.fc19
Clone Of:
Environment:
Last Closed:	2013-12-03 10:33:04 UTC
Type:	---
Embargoed:
Dependent Products:

Attachments	(Terms of Use)

Description Rok Mandeljc 2013-11-09 17:27:01 UTC

Description of problem:
On our Fedora 19 server, I have set up SVN repositories served through Apache, with mod_authnz_external + pwauth to handle authentication. When checking out a repository, the logs get flooded with "setroubleshoot: SELinux is preventing /usr/bin/pwauth from write access on the file /var/log/lastlog..." messages, which eventually get replaced by "audispd: queue is full - dropping event". The message itself does not appear to be critical, but is annoying, especially since it means that on our server VM, setroubleshoot keeps hogging CPU during repository checkouts.

This can be reproduced by setting up apache with mod_authnz_external + pwauth on any content it serves:
1. install pwauth, httpd, mod_authnz_external
2. set up some content to be served, and set up authentication. For example, create index.html in /var/www/html, and modify /etc/httpd/conf/httpd.conf:
<Directory "/var/www/html">
    Options Indexes FollowSymLinks
    AuthType Basic
    AuthName "PWauth test"
    AuthBasicProvider external
    AuthExternal pwauth
    Require valid-user
</Directory>
3. access the served content, log in with local username/password
=> a denial message pops up

NOTE: it seems pwauth requires both 'write' and 'open' access (i.e., if 'write' access is fixed with local policy, the messages about 'open' access start popping up)
SELinux is preventing /usr/bin/pwauth from 'write' accesses on the file lastlog.

*****  Plugin catchall (100. confidence) suggests  ***************************

If you believe that pwauth should be allowed write access on the lastlog file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep pwauth /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:pwauth_t:s0
Target Context                system_u:object_r:lastlog_t:s0
Target Objects                lastlog [ file ]
Source                        pwauth
Source Path                   /usr/bin/pwauth
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           pwauth-2.3.10-5.fc19.x86_64
Target RPM Packages           
Policy RPM                    selinux-policy-3.12.1-74.11.fc19.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 3.11.7-200.fc19.x86_64 #1 SMP Mon
                              Nov 4 14:09:03 UTC 2013 x86_64 x86_64
Alert Count                   1
First Seen                    2013-11-09 18:06:54 CET
Last Seen                     2013-11-09 18:06:54 CET
Local ID                      5f12bbc8-fd14-424a-9eb5-1fa81b4bfa64

Raw Audit Messages
type=AVC msg=audit(1384016814.645:562): avc:  denied  { write } for  pid=4152 comm="pwauth" name="lastlog" dev="dm-1" ino=262220 scontext=system_u:system_r:pwauth_t:s0 tcontext=system_u:object_r:lastlog_t:s0 tclass=file


type=SYSCALL msg=audit(1384016814.645:562): arch=x86_64 syscall=open success=no exit=EACCES a0=7f43066014c3 a1=1 a2=0 a3=7f4304040dd0 items=0 ppid=4146 pid=4152 auid=4294967295 uid=48 gid=48 euid=0 suid=0 fsuid=0 egid=48 sgid=48 fsgid=48 ses=4294967295 tty=(none) comm=pwauth exe=/usr/bin/pwauth subj=system_u:system_r:pwauth_t:s0 key=(null)

Hash: pwauth,pwauth_t,lastlog_t,file,write

Additional info:
reporter:       libreport-2.1.9
hashmarkername: setroubleshoot
kernel:         3.11.7-200.fc19.x86_64
type:           libreport

Comment 1 Miroslav Grepl 2013-11-11 12:45:42 UTC

commit cfbed5a126d9a7a86783dd6f756709b18376b407
Author: Miroslav Grepl <mgrepl>
Date:   Mon Nov 11 13:45:16 2013 +0100

    pwauth uses lastlog() to update system's lastlog

Comment 2 Fedora Update System 2013-11-26 14:22:41 UTC

selinux-policy-3.12.1-74.14.fc19 has been submitted as an update for Fedora 19.
https://admin.fedoraproject.org/updates/selinux-policy-3.12.1-74.14.fc19

Comment 3 Fedora Update System 2013-11-27 04:29:58 UTC

Package selinux-policy-3.12.1-74.14.fc19:
* should fix your issue,
* was pushed to the Fedora 19 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.12.1-74.14.fc19'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2013-22197/selinux-policy-3.12.1-74.14.fc19
then log in and leave karma (feedback).

Comment 4 Fedora Update System 2013-12-03 10:33:04 UTC

selinux-policy-3.12.1-74.14.fc19 has been pushed to the Fedora 19 stable repository.  If problems still persist, please make note of it in this bug report.

Note You need to log in before you can comment on or make changes to this bug.