Description of problem:

Jan 02 15:36:53 franky.prd.blackhats.net.au audit[4217]: AVC avc: denied { map } for pid=4217 comm="p11_child" path=2F7661722F63616368652F636F6F6C6B65792F636F6F6C6B6579706B31317359756269636F20597562696B65792034204F54502B5532462B434349442030302030302D30 dev="dm-1" ino=805404797 scontext=system_u:system_r:sssd_t:s0 tcontext=unconfined_u:object_r:auth_cache_t:s0 tclass=file permissive=0
Jan 02 15:36:53 franky.prd.blackhats.net.au kernel: show_signal_msg: 164 callbacks suppressed
Jan 02 15:36:53 franky.prd.blackhats.net.au kernel: p11_child[4217]: segfault at 3 ip 00007f105ef4af4c sp 00007fffc658c978 error 4 in libcoolkeypk11.so[7f105ef32000+2d000]
Jan 02 15:36:53 franky.prd.blackhats.net.au audit[4217]: ANOM_ABEND auid=4294967295 uid=0 gid=0 ses=4294967295 subj=system_u:system_r:sssd_t:s0 pid=4217 comm="p11_child" exe="/usr/libexec/sssd/p11_child" sig=11 res=1
Jan 02 15:36:53 franky.prd.blackhats.net.au systemd[1]: Created slice system-systemd\x2dcoredump.slice.
Jan 02 15:36:53 franky.prd.blackhats.net.au systemd[1]: Started Process Core Dump (PID 4219/UID 0).
Jan 02 15:36:53 franky.prd.blackhats.net.au audit[1]: SERVICE_START pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=systemd-coredump@0-4219-0 comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
Jan 02 15:36:53 franky.prd.blackhats.net.au systemd-coredump[4220]: Process 4217 (p11_child) of user 0 dumped core.
Stack trace of thread 4217:
#0 0x00007f105ef4af4c _ZNK14SlotMemSegment7isValidEv (libcoolkeypk11.so)
#1 0x00007f105ef5009e _ZN4Slot11loadCACCertEh (libcoolkeypk11.so)
#2 0x00007f105ef52a2a _ZN4Slot11loadObjectsEv (libcoolkeypk11.so)
#3 0x00007f105ef52e08 _ZN4Slot17refreshTokenStateEv (libcoolkeypk11.so)
#4 0x00007f105ef52e59 _ZN4Slot14isTokenPresentEv (libcoolkeypk11.so)
#5 0x00007f105ef52ee3 _ZN8SlotList11getSlotListEhPmS0_ (libcoolkeypk11.so)
#6 0x00007f105ef406b3 C_GetSlotList (libcoolkeypk11.so)
#7 0x00007f1062e8292f secmod_LoadPKCS11Module (libnss3.so)
#8 0x00007f1062e8f6b4 SECMOD_LoadModule (libnss3.so)
#9 0x00007f1062e8f7ef SECMOD_LoadModule (libnss3.so)
#10 0x00007f1062e5baf3 nss_Init (libnss3.so)
#11 0x00007f1062e5c24e NSS_InitContext (libnss3.so)
#12 0x0000555d888c93f1 do_work (p11_child)
#13 0x0000555d888c8e00 main (p11_child)
#14 0x00007f106174100a __libc_start_main (libc.so.6)
#15 0x0000555d888c90ea _start (p11_child)

Version of SELinux: selinux-policy-targeted-3.13.1-283.17.fc27.noarch
As a follow-up, there are a large number of other denials that cause gdm to crash in a loop too:

type=AVC msg=audit(1514877060.919:434): avc: denied { map } for pid=3409 comm="gsd-smartcard" path=2F7661722F63616368652F636F6F6C6B65792F636F6F6C6B6579706B31317359756269636F20597562696B65792034204F54502B5532462B434349442030302030302D3432 dev="dm-1" ino=805404771 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:auth_cache_t:s0 tclass=file permissive=0
type=AVC msg=audit(1514877061.549:438): avc: denied { map } for pid=3476 comm="gsd-smartcard" path=2F7661722F63616368652F636F6F6C6B65792F636F6F6C6B6579706B31317359756269636F20597562696B65792034204F54502B5532462B434349442030302030302D3432 dev="dm-1" ino=805404771 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:auth_cache_t:s0 tclass=file permissive=0
type=AVC msg=audit(1514877246.845:276): avc: denied { map } for pid=2478 comm="p11_child" path=2F7661722F63616368652F636F6F6C6B65792F636F6F6C6B6579706B31317359756269636F20597562696B65792034204F54502B5532462B434349442030302030302D30 dev="dm-1" ino=805404797 scontext=system_u:system_r:sssd_t:s0 tcontext=unconfined_u:object_r:auth_cache_t:s0 tclass=file permissive=1
type=AVC msg=audit(1514877244.646:270): avc: denied { map } for pid=2342 comm="gsd-smartcard" path=2F7661722F63616368652F636F6F6C6B65792F636F6F6C6B6579706B31317359756269636F20597562696B65792034204F54502B5532462B434349442030302030302D3432 dev="dm-1" ino=805404771 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:auth_cache_t:s0 tclass=file permissive=1
commit c264231ee7360ffc61471aab9af29194a51eca72 (HEAD -> f27, origin/f27)
Author: Lukas Vrabec <lvrabec>
Date:   Tue Jan 2 14:11:47 2018 +0100

    Allow sssd_t and login_pgm attribute to mmap auth_cache_t files BZ(1530118)
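The path= field in the denials above is hex because the audit subsystem hex-encodes strings that contain spaces. The following triage sketch is an added example, not part of the original report or of selinux-policy: it decodes that field and groups denials by source type, target type and class. The function names are hypothetical and the sample records are shortened from the ones quoted in this report.

```python
import re
from collections import defaultdict

# Path prefix copied from the denials in this report (hex-encoded by audit).
HEX_PREFIX = ("2F7661722F63616368652F636F6F6C6B65792F636F6F6C6B6579706B313173"
              "59756269636F20597562696B65792034204F54502B5532462B43434944"
              "2030302030302D")
# Sample records shortened from the report (pid/dev/ino fields dropped).
SAMPLE = [
    'type=AVC msg=audit(1514877060.919:434): avc: denied { map } for '
    'comm="gsd-smartcard" path=' + HEX_PREFIX + '3432 '
    'scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 '
    'tcontext=system_u:object_r:auth_cache_t:s0 tclass=file permissive=0',
    'type=AVC msg=audit(1514877246.845:276): avc: denied { map } for '
    'comm="p11_child" path=' + HEX_PREFIX + '30 '
    'scontext=system_u:system_r:sssd_t:s0 '
    'tcontext=unconfined_u:object_r:auth_cache_t:s0 tclass=file permissive=1',
]
AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<rest>.*)')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def decode_path(value):
    """Plain paths arrive quoted; paths with spaces or control bytes arrive as hex."""
    if value.startswith('"'):
        return value.strip('"')
    try:
        return bytes.fromhex(value).decode("utf-8", "replace")
    except ValueError:
        return value  # not hex (for example "(null)"), keep as logged

def parse_avc(line):
    m = AVC_RE.search(line)
    if not m:
        return None
    f = dict(KV_RE.findall(m.group("rest")))
    return {"perms": m.group("perms").split(),
            "comm": f.get("comm", "").strip('"'),
            "path": decode_path(f.get("path", "")),
            "source": f["scontext"].split(":")[2],  # type is the third field
            "target": f["tcontext"].split(":")[2],
            "tclass": f["tclass"],
            "enforced": f.get("permissive") == "0"}

def summarize(lines):
    """Collapse denials to (source, target, class) -> sorted permissions."""
    rules = defaultdict(set)
    for rec in filter(None, map(parse_avc, lines)):
        rules[(rec["source"], rec["target"], rec["tclass"])].update(rec["perms"])
    return {key: sorted(perms) for key, perms in rules.items()}
```

On these records, summarize() yields one map-on-auth_cache_t entry each for xdm_t and sssd_t, and the decoded path shows the mapped file is the coolkey cache under /var/cache/coolkey/.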
selinux-policy-3.13.1-283.20.fc27 has been submitted as an update to Fedora 27. https://bodhi.fedoraproject.org/updates/FEDORA-2018-0d8506aba4
selinux-policy-3.13.1-283.20.fc27 has been pushed to the Fedora 27 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2018-0d8506aba4
selinux-policy-3.13.1-283.21.fc27 has been submitted as an update to Fedora 27. https://bodhi.fedoraproject.org/updates/FEDORA-2018-0d8506aba4
selinux-policy-3.13.1-283.21.fc27 has been pushed to the Fedora 27 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2018-0d8506aba4
selinux-policy-3.13.1-283.21.fc27 has been pushed to the Fedora 27 stable repository. If problems still persist, please make note of it in this bug report.