Description of problem:
sssd is configured to use smart card login. Invoking any authentication (for example sudo) will raise this error (and I think prevents smart card login from working)

SELinux is preventing p11_child from 'getattr' accesses on the file /usr/sbin/pkcsslotd.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that p11_child should be allowed getattr access on the pkcsslotd file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'p11_child' --raw | audit2allow -M my-p11child
# semodule -X 300 -i my-p11child.pp

Additional Information:
Source Context                system_u:system_r:sssd_t:s0
Target Context                system_u:object_r:pkcs_slotd_exec_t:s0
Target Objects                /usr/sbin/pkcsslotd [ file ]
Source                        p11_child
Source Path                   p11_child
Port                          <Unknown>
Host                          (removed)
Source RPM Packages
Target RPM Packages           opencryptoki-3.14.0-6.fc33.x86_64
SELinux Policy RPM            selinux-policy-targeted-3.14.6-37.fc33.noarch
Local Policy RPM              selinux-policy-targeted-3.14.6-37.fc33.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 5.10.22-200.fc33.x86_64 #1 SMP Tue Mar 9 22:05:08 UTC 2021 x86_64 x86_64
Alert Count                   5
First Seen                    2021-05-10 09:20:21 CEST
Last Seen                     2021-05-12 09:09:41 CEST
Local ID                      f60c6737-0cfe-4e4a-aea3-3f19cbe91495

Raw Audit Messages
type=AVC msg=audit(1620803381.118:24793): avc: denied { getattr } for pid=667312 comm="p11_child" path="/usr/sbin/pkcsslotd" dev="dm-1" ino=1581455 scontext=system_u:system_r:sssd_t:s0 tcontext=system_u:object_r:pkcs_slotd_exec_t:s0 tclass=file permissive=0

Hash: p11_child,sssd_t,pkcs_slotd_exec_t,file,getattr

Version-Release number of selected component:
selinux-policy-targeted-3.14.6-37.fc33.noarch

Additional info:
component:      selinux-policy
reporter:       libreport-2.14.0
hashmarkername: setroubleshoot
kernel:         5.10.22-200.fc33.x86_64
type:           libreport
This message is a reminder that Fedora 33 is nearing its end of life. Fedora will stop maintaining and issuing updates for Fedora 33 on 2021-11-30. It is Fedora's policy to close all bug reports from releases that are no longer maintained. At that time this bug will be closed as EOL if it remains open with a Fedora 'version' of '33'.

Package Maintainer: If you wish for this bug to remain open because you plan to fix it in a currently maintained version, simply change the 'version' to a later Fedora version.

Thank you for reporting this issue and we are sorry that we were not able to fix it before Fedora 33 is end of life. If you would still like to see this bug fixed and are able to reproduce it against a later version of Fedora, you are encouraged to change the 'version' to a later Fedora version prior to this bug being closed as described in the policy above.

Although we aim to fix as many bugs as possible during every release's lifetime, sometimes those efforts are overtaken by events. Often a more recent Fedora release includes newer upstream software that fixes bugs or makes them obsolete.
Jakube,

Can you gather all denials in permissive mode?

# setenforce 0
This is all I got on my updated Fedora 34 with opencryptoki installed and pkcsslotd running. I have the system configured to allow sudo authentication using a certificate on a YubiKey. I am not sure what the boolean `daemons_enable_cluster_mode` is supposed to do, but it does not sound like anything related to what I did.

[jjelen@t490s ~]$ sudo ausearch -m AVC -ts recent
----
time->Thu Jan 27 12:11:56 2022
type=AVC msg=audit(1643281916.864:41232): avc: denied { getattr } for pid=650645 comm="p11_child" path="/usr/sbin/pkcsslotd" dev="dm-1" ino=1581454 scontext=system_u:system_r:sssd_t:s0 tcontext=system_u:object_r:pkcs_slotd_exec_t:s0 tclass=file permissive=0
----
time->Thu Jan 27 12:11:58 2022
type=AVC msg=audit(1643281918.708:41233): avc: denied { getattr } for pid=650723 comm="p11_child" path="/usr/sbin/pkcsslotd" dev="dm-1" ino=1581454 scontext=system_u:system_r:sssd_t:s0 tcontext=system_u:object_r:pkcs_slotd_exec_t:s0 tclass=file permissive=0
----
time->Thu Jan 27 12:12:18 2022
type=AVC msg=audit(1643281938.384:41255): avc: denied { getattr } for pid=651883 comm="p11_child" path="/usr/sbin/pkcsslotd" dev="dm-1" ino=1581454 scontext=system_u:system_r:sssd_t:s0 tcontext=system_u:object_r:pkcs_slotd_exec_t:s0 tclass=file permissive=1
----
time->Thu Jan 27 12:12:18 2022
type=AVC msg=audit(1643281938.384:41256): avc: denied { unix_read unix_write } for pid=651883 comm="p11_child" key=1644241294 scontext=system_u:system_r:sssd_t:s0 tcontext=system_u:system_r:pkcs_slotd_t:s0 tclass=shm permissive=1
----
time->Thu Jan 27 12:12:18 2022
type=AVC msg=audit(1643281938.384:41257): avc: denied { associate } for pid=651883 comm="p11_child" key=1644241294 scontext=system_u:system_r:sssd_t:s0 tcontext=system_u:system_r:pkcs_slotd_t:s0 tclass=shm permissive=1
----
time->Thu Jan 27 12:12:18 2022
type=AVC msg=audit(1643281938.384:41258): avc: denied { read write } for pid=651883 comm="p11_child" key=1644241294 scontext=system_u:system_r:sssd_t:s0 tcontext=system_u:system_r:pkcs_slotd_t:s0 tclass=shm permissive=1
----
time->Thu Jan 27 12:12:18 2022
type=AVC msg=audit(1643281938.384:41259): avc: denied { getattr } for pid=651883 comm="p11_child" path="/run/pkcsslotd.socket" dev="tmpfs" ino=80446 scontext=system_u:system_r:sssd_t:s0 tcontext=system_u:object_r:pkcs_slotd_var_run_t:s0 tclass=sock_file permissive=1
----
time->Thu Jan 27 12:12:18 2022
type=AVC msg=audit(1643281938.384:41260): avc: denied { write } for pid=651883 comm="p11_child" name="pkcsslotd.socket" dev="tmpfs" ino=80446 scontext=system_u:system_r:sssd_t:s0 tcontext=system_u:object_r:pkcs_slotd_var_run_t:s0 tclass=sock_file permissive=1
----
time->Thu Jan 27 12:12:18 2022
type=AVC msg=audit(1643281938.385:41261): avc: denied { connectto } for pid=651883 comm="p11_child" path="/run/pkcsslotd.socket" scontext=system_u:system_r:sssd_t:s0 tcontext=system_u:system_r:pkcs_slotd_t:s0 tclass=unix_stream_socket permissive=1
----
time->Thu Jan 27 12:12:18 2022
type=AVC msg=audit(1643281938.395:41262): avc: denied { write } for pid=651883 comm="p11_child" name="swtok" dev="tmpfs" ino=1932 scontext=system_u:system_r:sssd_t:s0 tcontext=system_u:object_r:pkcs_slotd_lock_t:s0 tclass=dir permissive=1
----
time->Thu Jan 27 12:12:18 2022
type=AVC msg=audit(1643281938.395:41263): avc: denied { add_name } for pid=651883 comm="p11_child" name="LCK..swtok" scontext=system_u:system_r:sssd_t:s0 tcontext=system_u:object_r:pkcs_slotd_lock_t:s0 tclass=dir permissive=1
----
time->Thu Jan 27 12:12:18 2022
type=AVC msg=audit(1643281938.395:41264): avc: denied { create } for pid=651883 comm="p11_child" name="LCK..swtok" scontext=system_u:system_r:sssd_t:s0 tcontext=system_u:object_r:pkcs_slotd_lock_t:s0 tclass=file permissive=1
----
time->Thu Jan 27 12:12:18 2022
type=AVC msg=audit(1643281938.395:41265): avc: denied { setattr } for pid=651883 comm="p11_child" name="LCK..swtok" dev="tmpfs" ino=80507 scontext=system_u:system_r:sssd_t:s0 tcontext=system_u:object_r:pkcs_slotd_lock_t:s0 tclass=file permissive=1
----
time->Thu Jan 27 12:12:18 2022
type=AVC msg=audit(1643281938.395:41266): avc: denied { search } for pid=651883 comm="p11_child" name="opencryptoki" dev="dm-1" ino=1311486 scontext=system_u:system_r:sssd_t:s0 tcontext=system_u:object_r:pkcs_slotd_var_lib_t:s0 tclass=dir permissive=1
----
time->Thu Jan 27 12:12:18 2022
type=AVC msg=audit(1643281938.396:41267): avc: denied { write } for pid=651883 comm="p11_child" name="swtok" dev="dm-1" ino=1311490 scontext=system_u:system_r:sssd_t:s0 tcontext=system_u:object_r:pkcs_slotd_var_lib_t:s0 tclass=dir permissive=1
----
time->Thu Jan 27 12:12:18 2022
type=AVC msg=audit(1643281938.396:41268): avc: denied { add_name } for pid=651883 comm="p11_child" name="MK_SO" scontext=system_u:system_r:sssd_t:s0 tcontext=system_u:object_r:pkcs_slotd_var_lib_t:s0 tclass=dir permissive=1
----
time->Thu Jan 27 12:12:18 2022
type=AVC msg=audit(1643281938.396:41269): avc: denied { create } for pid=651883 comm="p11_child" name="MK_SO" scontext=system_u:system_r:sssd_t:s0 tcontext=system_u:object_r:pkcs_slotd_var_lib_t:s0 tclass=file permissive=1
----
time->Thu Jan 27 12:12:18 2022
type=AVC msg=audit(1643281938.396:41270): avc: denied { write open } for pid=651883 comm="p11_child" path="/var/lib/opencryptoki/swtok/MK_SO" dev="dm-1" ino=1310722 scontext=system_u:system_r:sssd_t:s0 tcontext=system_u:object_r:pkcs_slotd_var_lib_t:s0 tclass=file permissive=1
----
time->Thu Jan 27 12:12:18 2022
type=AVC msg=audit(1643281938.396:41271): avc: denied { setattr } for pid=651883 comm="p11_child" name="MK_SO" dev="dm-1" ino=1310722 scontext=system_u:system_r:sssd_t:s0 tcontext=system_u:object_r:pkcs_slotd_var_lib_t:s0 tclass=file permissive=1
----
time->Thu Jan 27 12:12:18 2022
type=AVC msg=audit(1643281938.396:41272): avc: denied { getattr } for pid=651883 comm="p11_child" path="/var/lib/opencryptoki/swtok/MK_SO" dev="dm-1" ino=1310722 scontext=system_u:system_r:sssd_t:s0 tcontext=system_u:object_r:pkcs_slotd_var_lib_t:s0 tclass=file permissive=1
----
time->Thu Jan 27 12:12:18 2022
type=AVC msg=audit(1643281938.396:41273): avc: denied { read } for pid=651883 comm="p11_child" name="NVTOK.DAT" dev="dm-1" ino=1310723 scontext=system_u:system_r:sssd_t:s0 tcontext=system_u:object_r:pkcs_slotd_var_lib_t:s0 tclass=file permissive=1
----
time->Thu Jan 27 12:12:20 2022
type=AVC msg=audit(1643281940.172:41274): avc: denied { connectto } for pid=651952 comm="p11_child" path="/run/pkcsslotd.socket" scontext=system_u:system_r:sssd_t:s0 tcontext=system_u:system_r:pkcs_slotd_t:s0 tclass=unix_stream_socket permissive=1
----
time->Thu Jan 27 12:12:33 2022
type=AVC msg=audit(1643281953.161:41283): avc: denied { getattr } for pid=652573 comm="p11_child" path="/usr/sbin/pkcsslotd" dev="dm-1" ino=1581454 scontext=system_u:system_r:sssd_t:s0 tcontext=system_u:object_r:pkcs_slotd_exec_t:s0 tclass=file permissive=1
----
time->Thu Jan 27 12:12:33 2022
type=AVC msg=audit(1643281953.162:41284): avc: denied { unix_read unix_write } for pid=652573 comm="p11_child" key=1644241294 scontext=system_u:system_r:sssd_t:s0 tcontext=system_u:system_r:pkcs_slotd_t:s0 tclass=shm permissive=1
----
time->Thu Jan 27 12:12:33 2022
type=AVC msg=audit(1643281953.162:41285): avc: denied { associate } for pid=652573 comm="p11_child" key=1644241294 scontext=system_u:system_r:sssd_t:s0 tcontext=system_u:system_r:pkcs_slotd_t:s0 tclass=shm permissive=1
----
time->Thu Jan 27 12:12:33 2022
type=AVC msg=audit(1643281953.162:41286): avc: denied { read write } for pid=652573 comm="p11_child" key=1644241294 scontext=system_u:system_r:sssd_t:s0 tcontext=system_u:system_r:pkcs_slotd_t:s0 tclass=shm permissive=1
----
time->Thu Jan 27 12:12:33 2022
type=AVC msg=audit(1643281953.162:41287): avc: denied { getattr } for pid=652573 comm="p11_child" path="/run/pkcsslotd.socket" dev="tmpfs" ino=80446 scontext=system_u:system_r:sssd_t:s0 tcontext=system_u:object_r:pkcs_slotd_var_run_t:s0 tclass=sock_file permissive=1
----
time->Thu Jan 27 12:12:33 2022
type=AVC msg=audit(1643281953.162:41288): avc: denied { write } for pid=652573 comm="p11_child" name="pkcsslotd.socket" dev="tmpfs" ino=80446 scontext=system_u:system_r:sssd_t:s0 tcontext=system_u:object_r:pkcs_slotd_var_run_t:s0 tclass=sock_file permissive=1
----
time->Thu Jan 27 12:12:33 2022
type=AVC msg=audit(1643281953.162:41289): avc: denied { connectto } for pid=652573 comm="p11_child" path="/run/pkcsslotd.socket" scontext=system_u:system_r:sssd_t:s0 tcontext=system_u:system_r:pkcs_slotd_t:s0 tclass=unix_stream_socket permissive=1
----
time->Thu Jan 27 12:12:33 2022
type=AVC msg=audit(1643281953.165:41290): avc: denied { search } for pid=652573 comm="p11_child" name="opencryptoki" dev="dm-1" ino=1311486 scontext=system_u:system_r:sssd_t:s0 tcontext=system_u:object_r:pkcs_slotd_var_lib_t:s0 tclass=dir permissive=1
----
time->Thu Jan 27 12:12:33 2022
type=AVC msg=audit(1643281953.165:41291): avc: denied { read } for pid=652573 comm="p11_child" name="NVTOK.DAT" dev="dm-1" ino=1310723 scontext=system_u:system_r:sssd_t:s0 tcontext=system_u:object_r:pkcs_slotd_var_lib_t:s0 tclass=file permissive=1
----
time->Thu Jan 27 12:12:33 2022
type=AVC msg=audit(1643281953.165:41292): avc: denied { open } for pid=652573 comm="p11_child" path="/var/lib/opencryptoki/swtok/NVTOK.DAT" dev="dm-1" ino=1310723 scontext=system_u:system_r:sssd_t:s0 tcontext=system_u:object_r:pkcs_slotd_var_lib_t:s0 tclass=file permissive=1
----
time->Thu Jan 27 12:12:33 2022
type=AVC msg=audit(1643281953.165:41293): avc: denied { setattr } for pid=652573 comm="p11_child" name="NVTOK.DAT" dev="dm-1" ino=1310723 scontext=system_u:system_r:sssd_t:s0 tcontext=system_u:object_r:pkcs_slotd_var_lib_t:s0 tclass=file permissive=1
----
time->Thu Jan 27 12:12:33 2022
type=AVC msg=audit(1643281953.165:41294): avc: denied { getattr } for pid=652573 comm="p11_child" path="/var/lib/opencryptoki/swtok/NVTOK.DAT" dev="dm-1" ino=1310723 scontext=system_u:system_r:sssd_t:s0 tcontext=system_u:object_r:pkcs_slotd_var_lib_t:s0 tclass=file permissive=1

[jjelen@t490s ~]$ sudo ausearch -m AVC -ts recent | audit2allow

#============= sssd_t ==============
allow sssd_t pkcs_slotd_exec_t:file getattr;
allow sssd_t pkcs_slotd_lock_t:dir { add_name write };
allow sssd_t pkcs_slotd_lock_t:file { create setattr };
allow sssd_t pkcs_slotd_t:shm { associate read unix_read unix_write write };

#!!!! This avc can be allowed using the boolean 'daemons_enable_cluster_mode'
allow sssd_t pkcs_slotd_t:unix_stream_socket connectto;
allow sssd_t pkcs_slotd_var_lib_t:dir { add_name search write };
allow sssd_t pkcs_slotd_var_lib_t:file { create getattr open read setattr write };
allow sssd_t pkcs_slotd_var_run_t:sock_file { getattr write };
Jakube,

Will you be able to help further and insert a custom SELinux module?

f35# cat local_sssd_pkcsslotd.cil
(typetransition sssd_t pkcs_slotd_exec_t process pkcs_slotd_t)
f35# semodule -i local_sssd_pkcsslotd.cil
<reproduce>
sudo ausearch -i -m AVC -ts recent

Do I understand correctly the chain is like this?
sudo - pam - sssd - pkcsslot - opencryptoki
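The audit2allow output two comments up and the CIL module just above are two notations for the same thing: a set of (source type, target type, object class) tuples with the permissions SELinux refused. The following is an added example, written for this thread and not taken from the bug report, from audit2allow or from the selinux-policy project, that performs that aggregation over the AVC records quoted in the thread and prints the result both in the .te syntax audit2allow uses and in CIL. All function names are my own; the sample records are copied from the denials posted above, with one interpreted (`ausearch -i`) record from the later comment, and cover the whole chain only because they were captured in permissive mode.

```python
"""Aggregate SELinux AVC denials into allow rules, the way audit2allow does.

Added example for this bug thread; not part of sssd, opencryptoki,
audit2allow or selinux-policy. Sample records are copied from the
denials quoted in the thread.
"""
import re
from collections import defaultdict

# Matches both raw (ausearch) and interpreted (ausearch -i) AVC records.
AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*?)'
    r'\s+scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)'
    r'\s+tclass=(?P<tclass>\S+)(?:\s+permissive=(?P<permissive>[01]))?'
)

# Raw records copied from the permissive-mode capture in this thread
# (the first one is from the enforcing-mode run, hence permissive=0).
SAMPLE_AVC = [
    'type=AVC msg=audit(1643281916.864:41232): avc: denied { getattr } for pid=650645 comm="p11_child" path="/usr/sbin/pkcsslotd" dev="dm-1" ino=1581454 scontext=system_u:system_r:sssd_t:s0 tcontext=system_u:object_r:pkcs_slotd_exec_t:s0 tclass=file permissive=0',
    'type=AVC msg=audit(1643281938.384:41256): avc: denied { unix_read unix_write } for pid=651883 comm="p11_child" key=1644241294 scontext=system_u:system_r:sssd_t:s0 tcontext=system_u:system_r:pkcs_slotd_t:s0 tclass=shm permissive=1',
    'type=AVC msg=audit(1643281938.384:41257): avc: denied { associate } for pid=651883 comm="p11_child" key=1644241294 scontext=system_u:system_r:sssd_t:s0 tcontext=system_u:system_r:pkcs_slotd_t:s0 tclass=shm permissive=1',
    'type=AVC msg=audit(1643281938.384:41258): avc: denied { read write } for pid=651883 comm="p11_child" key=1644241294 scontext=system_u:system_r:sssd_t:s0 tcontext=system_u:system_r:pkcs_slotd_t:s0 tclass=shm permissive=1',
    'type=AVC msg=audit(1643281938.384:41259): avc: denied { getattr } for pid=651883 comm="p11_child" path="/run/pkcsslotd.socket" dev="tmpfs" ino=80446 scontext=system_u:system_r:sssd_t:s0 tcontext=system_u:object_r:pkcs_slotd_var_run_t:s0 tclass=sock_file permissive=1',
    'type=AVC msg=audit(1643281938.384:41260): avc: denied { write } for pid=651883 comm="p11_child" name="pkcsslotd.socket" dev="tmpfs" ino=80446 scontext=system_u:system_r:sssd_t:s0 tcontext=system_u:object_r:pkcs_slotd_var_run_t:s0 tclass=sock_file permissive=1',
    'type=AVC msg=audit(1643281938.385:41261): avc: denied { connectto } for pid=651883 comm="p11_child" path="/run/pkcsslotd.socket" scontext=system_u:system_r:sssd_t:s0 tcontext=system_u:system_r:pkcs_slotd_t:s0 tclass=unix_stream_socket permissive=1',
    'type=AVC msg=audit(1643281938.395:41262): avc: denied { write } for pid=651883 comm="p11_child" name="swtok" dev="tmpfs" ino=1932 scontext=system_u:system_r:sssd_t:s0 tcontext=system_u:object_r:pkcs_slotd_lock_t:s0 tclass=dir permissive=1',
    'type=AVC msg=audit(1643281938.395:41263): avc: denied { add_name } for pid=651883 comm="p11_child" name="LCK..swtok" scontext=system_u:system_r:sssd_t:s0 tcontext=system_u:object_r:pkcs_slotd_lock_t:s0 tclass=dir permissive=1',
    'type=AVC msg=audit(1643281938.395:41264): avc: denied { create } for pid=651883 comm="p11_child" name="LCK..swtok" scontext=system_u:system_r:sssd_t:s0 tcontext=system_u:object_r:pkcs_slotd_lock_t:s0 tclass=file permissive=1',
    'type=AVC msg=audit(1643281938.395:41265): avc: denied { setattr } for pid=651883 comm="p11_child" name="LCK..swtok" dev="tmpfs" ino=80507 scontext=system_u:system_r:sssd_t:s0 tcontext=system_u:object_r:pkcs_slotd_lock_t:s0 tclass=file permissive=1',
    'type=AVC msg=audit(1643281938.395:41266): avc: denied { search } for pid=651883 comm="p11_child" name="opencryptoki" dev="dm-1" ino=1311486 scontext=system_u:system_r:sssd_t:s0 tcontext=system_u:object_r:pkcs_slotd_var_lib_t:s0 tclass=dir permissive=1',
    'type=AVC msg=audit(1643281938.396:41267): avc: denied { write } for pid=651883 comm="p11_child" name="swtok" dev="dm-1" ino=1311490 scontext=system_u:system_r:sssd_t:s0 tcontext=system_u:object_r:pkcs_slotd_var_lib_t:s0 tclass=dir permissive=1',
    'type=AVC msg=audit(1643281938.396:41268): avc: denied { add_name } for pid=651883 comm="p11_child" name="MK_SO" scontext=system_u:system_r:sssd_t:s0 tcontext=system_u:object_r:pkcs_slotd_var_lib_t:s0 tclass=dir permissive=1',
    'type=AVC msg=audit(1643281938.396:41269): avc: denied { create } for pid=651883 comm="p11_child" name="MK_SO" scontext=system_u:system_r:sssd_t:s0 tcontext=system_u:object_r:pkcs_slotd_var_lib_t:s0 tclass=file permissive=1',
    'type=AVC msg=audit(1643281938.396:41270): avc: denied { write open } for pid=651883 comm="p11_child" path="/var/lib/opencryptoki/swtok/MK_SO" dev="dm-1" ino=1310722 scontext=system_u:system_r:sssd_t:s0 tcontext=system_u:object_r:pkcs_slotd_var_lib_t:s0 tclass=file permissive=1',
    'type=AVC msg=audit(1643281938.396:41271): avc: denied { setattr } for pid=651883 comm="p11_child" name="MK_SO" dev="dm-1" ino=1310722 scontext=system_u:system_r:sssd_t:s0 tcontext=system_u:object_r:pkcs_slotd_var_lib_t:s0 tclass=file permissive=1',
    'type=AVC msg=audit(1643281938.396:41272): avc: denied { getattr } for pid=651883 comm="p11_child" path="/var/lib/opencryptoki/swtok/MK_SO" dev="dm-1" ino=1310722 scontext=system_u:system_r:sssd_t:s0 tcontext=system_u:object_r:pkcs_slotd_var_lib_t:s0 tclass=file permissive=1',
    'type=AVC msg=audit(1643281938.396:41273): avc: denied { read } for pid=651883 comm="p11_child" name="NVTOK.DAT" dev="dm-1" ino=1310723 scontext=system_u:system_r:sssd_t:s0 tcontext=system_u:object_r:pkcs_slotd_var_lib_t:s0 tclass=file permissive=1',
]

# One interpreted record (ausearch -i): comm/path are unquoted, timestamp is human-readable.
INTERPRETED_AVC = 'type=AVC msg=audit(01/31/2022 17:53:15.849:42972) : avc: denied { getattr } for pid=852018 comm=p11_child path=/usr/sbin/pkcsslotd dev="dm-1" ino=1581454 scontext=system_u:system_r:sssd_t:s0 tcontext=system_u:object_r:pkcs_slotd_exec_t:s0 tclass=file permissive=0'


def _type_of(context):
    """user:role:type:level -> type; allow rules are written in terms of types only."""
    return context.split(':')[2]


def parse_avc(line):
    """Return the pieces of one AVC denial, or None if the line is not one."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    fields = dict(re.findall(r'(\w+)=("[^"]*"|\S+)', m.group('fields')))
    return {
        'perms': m.group('perms').split(),
        'stype': _type_of(m.group('scontext')),
        'ttype': _type_of(m.group('tcontext')),
        'tclass': m.group('tclass'),
        'permissive': m.group('permissive') == '1',
        'comm': fields.get('comm', '').strip('"'),
    }


def group_denials(lines):
    """Union the denied permissions per (source type, target type, class), sorted."""
    grouped = defaultdict(set)
    for line in lines:
        d = parse_avc(line)
        if d is not None:
            grouped[(d['stype'], d['ttype'], d['tclass'])].update(d['perms'])
    return {key: sorted(perms) for key, perms in sorted(grouped.items())}


def te_rules(lines):
    """Rules in the .te syntax that audit2allow prints."""
    out = []
    for (s, t, c), perms in group_denials(lines).items():
        p = perms[0] if len(perms) == 1 else '{ ' + ' '.join(perms) + ' }'
        out.append(f'allow {s} {t}:{c} {p};')
    return out


def cil_rules(lines):
    """The same rules in CIL, the language of the local module loaded with semodule."""
    return [f'(allow {s} {t} ({c} ({" ".join(perms)})))'
            for (s, t, c), perms in group_denials(lines).items()]


def count_by_mode(lines):
    """(enforcing, permissive) denial counts, to show how much of the chain each mode exposed."""
    enforcing = permissive = 0
    for line in lines:
        d = parse_avc(line)
        if d is None:
            continue
        if d['permissive']:
            permissive += 1
        else:
            enforcing += 1
    return enforcing, permissive


if __name__ == '__main__':
    print('\n'.join(te_rules(SAMPLE_AVC)))
    print()
    print('\n'.join(cil_rules(SAMPLE_AVC)))
    print('enforcing/permissive:', count_by_mode(SAMPLE_AVC))
```

Run stand-alone, the .te output reproduces the eight rules audit2allow printed above. The mode count makes the reason for the `setenforce 0` request visible: in enforcing mode the first refused access (the `getattr` on `/usr/sbin/pkcsslotd`) fails the operation, so nothing after it is attempted and only that one record is logged; in permissive mode every access is allowed and logged, which is what exposes the shm, socket and `/var/lib/opencryptoki` steps of the chain. A module generated from enforcing-mode records alone would therefore be incomplete, and one generated from permissive-mode records should still be reviewed rule by rule, since it grants exactly what was observed.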
Looks better:

$ sudo ausearch -i -m AVC -ts recent
----
type=AVC msg=audit(01/31/2022 17:53:15.849:42972) : avc: denied { getattr } for pid=852018 comm=p11_child path=/usr/sbin/pkcsslotd dev="dm-1" ino=1581454 scontext=system_u:system_r:sssd_t:s0 tcontext=system_u:object_r:pkcs_slotd_exec_t:s0 tclass=file permissive=0
----
type=AVC msg=audit(01/31/2022 17:53:17.694:42973) : avc: denied { getattr } for pid=852078 comm=p11_child path=/usr/sbin/pkcsslotd dev="dm-1" ino=1581454 scontext=system_u:system_r:sssd_t:s0 tcontext=system_u:object_r:pkcs_slotd_exec_t:s0 tclass=file permissive=0
----
type=AVC msg=audit(01/31/2022 17:53:52.939:42999) : avc: denied { getattr } for pid=853440 comm=p11_child path=/usr/sbin/pkcsslotd dev="dm-1" ino=1581454 scontext=system_u:system_r:sssd_t:s0 tcontext=system_u:object_r:pkcs_slotd_exec_t:s0 tclass=file permissive=0
----
type=AVC msg=audit(01/31/2022 17:53:54.332:43000) : avc: denied { getattr } for pid=853482 comm=p11_child path=/usr/sbin/pkcsslotd dev="dm-1" ino=1581454 scontext=system_u:system_r:sssd_t:s0 tcontext=system_u:object_r:pkcs_slotd_exec_t:s0 tclass=file permissive=0

To be exactly correct, the chain is like this:

 * sudo is using pam
 * in pam stack, there is sssd pam module
 * pam sssd module talks through some IPC to sssd's p11_child
 * sssd's p11_child loads through p11-kit every pkcs11 module installed in the system including opencryptoki pkcs11 module
 * opencryptoki pkcs11 module talks through some IPC to pkcsslotd daemon (handling the communication with HW devices or soft tokens)
This bug appears to have been reported against 'rawhide' during the Fedora 36 development cycle. Changing version to 36.
FEDORA-2022-76963fee71 has been submitted as an update to Fedora 36.
https://bodhi.fedoraproject.org/updates/FEDORA-2022-76963fee71
FEDORA-2022-76963fee71 has been pushed to the Fedora 36 testing repository.
Soon you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --advisory=FEDORA-2022-76963fee71`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2022-76963fee71

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.
FEDORA-2022-76963fee71 has been pushed to the Fedora 36 stable repository. If problem still persists, please make note of it in this bug report.