Bug 1373186 - SELinux prevents gnome-keyring-daemon from writing to user home directory
Summary: SELinux prevents gnome-keyring-daemon from writing to user home directory
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: selinux-policy
Version: 7.3
Hardware: All
OS: Linux
medium
medium
Target Milestone: rc
: ---
Assignee: Lukas Vrabec
QA Contact: Milos Malik
URL:
Whiteboard:
: 1446158 (view as bug list)
Depends On:
Blocks: 1534323
TreeView+ depends on / blocked
 
Reported: 2016-09-05 12:49 UTC by Patrik Kis
Modified: 2018-10-30 10:00 UTC (History)
7 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2018-10-30 09:59:46 UTC
Target Upstream Version:

Attachments (Terms of Use)
Add an attachment (proposed patch, testcase, etc.)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Bugzilla 1257057 0 medium CLOSED AVC denial: scontext=system_u:unconfined_r:passwd_t:s0 tcontext=system_u:object_r:user_tmp_t:s0 tclass=dir 2021-02-22 00:41:40 UTC
Red Hat Bugzilla 1446158 0 low CLOSED SELinux prevents gnome-keyring-daemon from writing to user home directory 2021-02-22 00:41:40 UTC
Red Hat Product Errata RHBA-2018:3111 0 None None None 2018-10-30 10:00:50 UTC

Internal Links: 1257057 1446158

Description Patrik Kis 2016-09-05 12:49:08 UTC 
Description of problem:
This is a follow up bug report for bug 1257057.
A new AVC denial appeared again:

time->Fri Sep  2 05:21:18 2016
type=PROCTITLE msg=audit(1472808078.302:2828): proctitle=2F7573722F62696E2F676E6F6D652D6B657972696E672D6461656D6F6E002D2D6461656D6F6E697A65
type=SYSCALL msg=audit(1472808078.302:2828): arch=c00000b7 syscall=34 success=no exit=-13 a0=ffffffffffffff9c a1=2aace0c8a20 a2=1c0 a3=2aace0c8a20 items=0 ppid=1 pid=3107 auid=4294967295 uid=1001 gid=1001 euid=1001 suid=1001 fsuid=1001 egid=1001 sgid=1001 fsgid=1001 tty=(none) ses=4294967295 comm="gnome-keyring-d" exe="/usr/bin/gnome-keyring-daemon" subj=system_u:unconfined_r:passwd_t:s0 key=(null)
type=AVC msg=audit(1472808078.302:2828): avc:  denied  { write } for  pid=3107 comm="gnome-keyring-d" name="testuser_bz515809" dev="dm-2" ino=537243809 scontext=system_u:unconfined_r:passwd_t:s0 tcontext=unconfined_u:object_r:user_home_dir_t:s0 tclass=dir permissive=0

I don't think the issue is serious enough to fix it in RHEL-7.3 and it can wait till 7.4.

Version-Release number of selected component (if applicable):
selinux-policy-3.13.1-96.el7.noarch

How reproducible:
seen once
Comment 3 Patrik Kis 2017-06-26 12:32:54 UTC 
A similar AVC denial was seen:

time->Sat Jun 24 02:59:08 2017
type=PROCTITLE msg=audit(1498287548.569:258): proctitle=2F7573722F62696E2F676E6F6D652D6B657972696E672D6461656D6F6E002D2D6461656D6F6E697A65
type=SYSCALL msg=audit(1498287548.569:258): arch=c00000b7 syscall=34 success=no exit=-13 a0=ffffffffffffff9c a1=2aad4b09fc0 a2=1c0 a3=2aad4b09fc0 items=0 ppid=1 pid=28972 auid=4294967295 uid=1001 gid=1001 euid=1001 suid=1001 fsuid=1001 egid=1001 sgid=1001 fsgid=1001 tty=(none) ses=4294967295 comm="gnome-keyring-d" exe="/usr/bin/gnome-keyring-daemon" subj=unconfined_u:unconfined_r:passwd_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1498287548.569:258): avc:  denied  { write } for  pid=28972 comm="gnome-keyring-d" name="testuser_bz515809" dev="dm-2" ino=67159553 scontext=unconfined_u:unconfined_r:passwd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_dir_t:s0 tclass=dir permissive=0
Comment 6 Patrik Kis 2017-10-27 14:11:33 UTC 
Here is a reproducer. It's triggered by installed gnome-keyring-pam when password of an user is changed.

[root@rhel74 ~]# rpm -q selinux-policy
selinux-policy-3.13.1-166.el7.noarch
[root@rhel74 ~]# su - -c 'echo -e "amdwdmwifmwf\nwdwfgbgrbgrtgrb\nwdwfgbgrbgrtgrb" | passwd' testuser
Changing password for user testuser.
Changing password for testuser.
(current) UNIX password: New password: Retype new password: passwd: all authentication tokens updated successfully.
[root@rhel74 ~]# ausearch -i -m avc -ts recent
<no matches>
[root@rhel74 ~]# 
[root@rhel74 ~]# 
[root@rhel74 ~]# yum install gnome-keyring-pam
Loaded plugins: product-id, search-disabled-repos, subscription-manager
This system is not registered with an entitlement server. You can use subscription-manager to register.
Resolving Dependencies
--> Running transaction check
---> Package gnome-keyring-pam.x86_64 0:3.20.0-3.el7 will be installed
--> Finished Dependency Resolution

Dependencies Resolved

... snip ...

Running transaction
  Installing : gnome-keyring-pam-3.20.0-3.el7.x86_64                                                                                                                                                                                     1/1 
  Verifying  : gnome-keyring-pam-3.20.0-3.el7.x86_64                                                                                                                                                                                     1/1 
Installed:
  gnome-keyring-pam.x86_64 0:3.20.0-3.el7                                                                                                                                                                                                    
Complete!
[root@rhel74 ~]# 
[root@rhel74 ~]# 
[root@rhel74 ~]# su - -c 'echo -e "wdwfgbgrbgrtgrb\namdwdmwifmwf\namdwdmwifmwf" | passwd' testuser
Changing password for user testuser.
Changing password for testuser.
(current) UNIX password: New password: Retype new password: passwd: all authentication tokens updated successfully.
[root@rhel74 ~]# ausearch -i -m avc -ts recent
----
type=PROCTITLE msg=audit(10/27/2017 10:07:13.930:339) : proctitle=/usr/bin/gnome-keyring-daemon --daemonize 
type=SYSCALL msg=audit(10/27/2017 10:07:13.930:339) : arch=x86_64 syscall=mkdir success=no exit=EACCES(Permission denied) a0=0x56083a30e840 a1=0700 a2=0x0 a3=0x7ffe55306b40 items=0 ppid=10638 pid=10639 auid=root uid=testuser gid=testuser euid=testuser suid=testuser fsuid=testuser egid=testuser sgid=testuser fsgid=testuser tty=(none) ses=2 comm=gnome-keyring-d exe=/usr/bin/gnome-keyring-daemon subj=unconfined_u:unconfined_r:passwd_t:s0-s0:c0.c1023 key=(null) 
type=AVC msg=audit(10/27/2017 10:07:13.930:339) : avc:  denied  { write } for  pid=10639 comm=gnome-keyring-d name=testuser dev="vda1" ino=7232650 scontext=unconfined_u:unconfined_r:passwd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_dir_t:s0 tclass=dir 
[root@rhel74 ~]# 
[root@rhel74 ~]#
Comment 7 Milos Malik 2017-10-27 15:40:09 UTC 
Thank you for the reproducer, Patrik.
Comment 11 Lukas Vrabec 2018-06-13 15:23:45 UTC 
*** Bug 1446158 has been marked as a duplicate of this bug. ***
Comment 14 errata-xmlrpc 2018-10-30 09:59:46 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2018:3111
Note You need to log in before you can comment on or make changes to this bug.