Bug 1432645 - selinux-policy should reflect gdm behavior changes
Summary: selinux-policy should reflect gdm behavior changes
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: selinux-policy
Version: 7.4
Hardware: All
OS: Linux
Priority: unspecified
Severity: unspecified
Target Milestone: rc
Target Release: ---
Assignee: Lukas Vrabec
QA Contact: Milos Malik
URL:
Whiteboard:
Duplicates: 1448295
Depends On:
Blocks:
Reported: 2017-03-15 20:41 UTC by Tomas Pelka
Modified: 2017-08-01 15:24 UTC
CC: 11 users

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2017-08-01 15:24:23 UTC
Target Upstream Version:




Links
System: Red Hat Product Errata
ID: RHBA-2017:1861
Private: 0
Priority: normal
Status: SHIPPED_LIVE
Summary: selinux-policy bug fix update
Last Updated: 2017-08-01 17:50:24 UTC

Description Tomas Pelka 2017-03-15 20:41:58 UTC
Description of problem:
<halfline> tpelka: that means selinux isn't allowing gdm to read the kernel keyring
<halfline> gdm will try to use the kernel keyring if autologin is enabled
<halfline> it grabs the disk encryption password from the kernel keyring and tries to use it to unlock the gnome keyring
<halfline> in the chance they match
<halfline> tpelka: so i guess we need an selinux policy update

Version-Release number of selected component (if applicable):
selinux-policy-3.13.1-125.el7.noarch
gdm-3.22.3-2.el7.x86_64


How reproducible:
100%

Steps to Reproduce:
1. autologin gdm

Actual results:
time->Wed Mar 15 12:27:22 2017
type=SYSCALL msg=audit(1489595242.898:155): arch=c000003e syscall=0 success=yes exit=0 a0=a a1=7fa3fe5bc000 a2=400 a3=22 items=0 ppid=14111 pid=14133 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="gdm-session-wor" exe="/usr/libexec/gdm-session-worker" subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1489595242.898:155): avc:  denied  { view } for  pid=14133 comm="gdm-session-wor" scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:system_r:kernel_t:s0 tclass=key
type=AVC msg=audit(1489595242.898:155): avc:  denied  { view } for  pid=14133 comm="gdm-session-wor" scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:system_r:kernel_t:s0 tclass=key
type=AVC msg=audit(1489595242.898:155): avc:  denied  { view } for  pid=14133 comm="gdm-session-wor" scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:system_r:kernel_t:s0 tclass=key
type=AVC msg=audit(1489595242.898:155): avc:  denied  { view } for  pid=14133 comm="gdm-session-wor" scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:system_r:kernel_t:s0 tclass=key
type=AVC msg=audit(1489595242.898:155): avc:  denied  { view } for  pid=14133 comm="gdm-session-wor" scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:system_r:kernel_t:s0 tclass=key
type=AVC msg=audit(1489595242.898:155): avc:  denied  { view } for  pid=14133 comm="gdm-session-wor" scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:system_r:kernel_t:s0 tclass=key
type=AVC msg=audit(1489595242.898:155): avc:  denied  { view } for  pid=14133 comm="gdm-session-wor" scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:system_r:kernel_t:s0 tclass=key
type=AVC msg=audit(1489595242.898:155): avc:  denied  { view } for  pid=14133 comm="gdm-session-wor" scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:system_r:kernel_t:s0 tclass=key


Expected results:
No AVC

Additional info:

Comment 2 Ray Strode [halfline] 2017-04-10 18:35:04 UTC
Actually, not a big deal; I don't think systemd in 7.4 supports the feature anyway, come to think of it.

Comment 3 Lukas Vrabec 2017-05-09 14:57:37 UTC
*** Bug 1448295 has been marked as a duplicate of this bug. ***

Comment 4 Matěj Cepl 2017-06-01 19:24:54 UTC
audit2allow says that the only change required is:

#============= xdm_t ==============
allow xdm_t kernel_t:key view;

That doesn't seem to be too demanding, does it?
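The audit2allow rule above is produced from the AVC records in the Description. The following is an added example (not code from this bug report, from audit2allow, or from the selinux-policy or gdm projects) that does the same reduction by hand: it parses raw audit records, deduplicates the repeated denials, merges permissions per (source type, target type, class) triple, and renders a .te module body. It also flags any denial against kernel-owned keys (tcontext kernel_t, tclass key), because that is the keyring where the disk-encryption passphrase gdm wants to reuse can be stashed, so such an allow deserves a second look before it is installed. The module name local_gdm_keyring, the "abridged" SYSCALL record, and the extra "read" denial in CONSTRUCTED_READ are assumptions made for the example; only the two AVC records in PAGE_RECORDS are taken from the page.

```python
"""Minimal audit2allow-style reducer for SELinux AVC denials (added example)."""
import re
from collections import OrderedDict

# Records from this bug report: the SYSCALL record (abridged here) plus two of
# the identical AVC records that follow it.
PAGE_RECORDS = [
    'type=SYSCALL msg=audit(1489595242.898:155): arch=c000003e syscall=0 success=yes exit=0 '
    'comm="gdm-session-wor" exe="/usr/libexec/gdm-session-worker" '
    'subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 key=(null)',
    'type=AVC msg=audit(1489595242.898:155): avc:  denied  { view } for  pid=14133 '
    'comm="gdm-session-wor" scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 '
    'tcontext=system_u:system_r:kernel_t:s0 tclass=key',
    'type=AVC msg=audit(1489595242.898:155): avc:  denied  { view } for  pid=14133 '
    'comm="gdm-session-wor" scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 '
    'tcontext=system_u:system_r:kernel_t:s0 tclass=key',
]

# Constructed for the example (not on the page): a later "read" denial on the
# same triple, to show how permissions are merged into one allow rule.
CONSTRUCTED_READ = PAGE_RECORDS + [
    'type=AVC msg=audit(1489595250.000:156): avc:  denied  { read } for  pid=14133 '
    'comm="gdm-session-wor" scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 '
    'tcontext=system_u:system_r:kernel_t:s0 tclass=key',
]

AVC_RE = re.compile(
    r'type=AVC msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): avc:\s+denied\s+'
    r'\{ (?P<perms>[^}]+) \} for\s+pid=(?P<pid>\d+) comm="(?P<comm>[^"]*)"'
    r'.*?scontext=(?P<scontext>\S+) tcontext=(?P<tcontext>\S+) tclass=(?P<tclass>\S+)'
)


def parse_avc(line):
    """Return the fields of one AVC denial record, or None for other record types."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec['perms'] = rec['perms'].split()
    return rec


def type_of(context):
    # user:role:type:range  ->  type   (e.g. system_u:system_r:xdm_t:s0-s0:c0.c1023 -> xdm_t)
    return context.split(':')[2]


def collect_denials(lines):
    """Map each unique (source type, target type, class) to the set of denied permissions."""
    rules = OrderedDict()
    for line in lines:
        rec = parse_avc(line)
        if rec is None:
            continue  # SYSCALL, CWD, PATH ... records carry no denial
        key = (type_of(rec['scontext']), type_of(rec['tcontext']), rec['tclass'])
        rules.setdefault(key, set()).update(rec['perms'])
    return rules


def keyring_denials(rules):
    """Triples that would grant a domain access to keys owned by the kernel itself."""
    return [k for k in rules if k[1] == 'kernel_t' and k[2] == 'key']


def _perms_str(perms):
    perms = sorted(perms)
    return perms[0] if len(perms) == 1 else '{ %s }' % ' '.join(perms)


def to_te(rules, module='local_gdm_keyring', version='1.0'):
    """Render a .te module body in the same shape audit2allow -M produces."""
    types = sorted({s for s, _, _ in rules} | {t for _, t, _ in rules})
    by_class = OrderedDict()
    for (_, _, cls), perms in rules.items():
        by_class.setdefault(cls, set()).update(perms)
    out = ['module %s %s;' % (module, version), '', 'require {']
    out += ['\ttype %s;' % t for t in types]
    out += ['\tclass %s { %s };' % (cls, ' '.join(sorted(p))) for cls, p in by_class.items()]
    out += ['}', '']
    out += ['allow %s %s:%s %s;' % (s, t, cls, _perms_str(p)) for (s, t, cls), p in rules.items()]
    return '\n'.join(out)


if __name__ == '__main__':
    rules = collect_denials(PAGE_RECORDS)
    for src, tgt, cls in keyring_denials(rules):
        print('# WARNING: %s would gain access to kernel-owned keys (%s:%s)' % (src, tgt, cls))
    print(to_te(rules))
```

Run against the records from this report it emits exactly `allow xdm_t kernel_t:key view;`, matching the audit2allow output above. On a real RHEL 7 host the equivalent workflow is `ausearch -m avc -c gdm-session-wor | audit2allow -M local_gdm_keyring` followed by `semodule -i local_gdm_keyring.pp`, and `sesearch -A -s xdm_t -t kernel_t -c key` shows whether the installed policy already carries the rule. One caveat worth keeping in mind when reviewing such a rule: in the SELinux key class, `view` is the permission checked when a key is described or listed; reading a key's payload is a separate `read` permission, so a denial log that only shows `view` does not by itself tell you how much of the keyring the domain will ultimately be able to use.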

Comment 5 Lukas Vrabec 2017-06-01 21:12:46 UTC
Matej,
It's not, but we need rhel-7.4 blocker+ || exception+ if we need to have it in rhel-7.4.

Comment 8 errata-xmlrpc 2017-08-01 15:24:23 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2017:1861

