301351 – SELinux issue at smart card login screen

Bug 301351 - SELinux issue at smart card login screen

Summary: SELinux issue at smart card login screen

Keywords:
Status:	CLOSED CURRENTRELEASE
Alias:	None
Product:	Fedora
Classification:	Fedora
Component:	selinux-doc
Sub Component:
Version:	8
Hardware:	All
OS:	Linux
Priority:	low
Severity:	low
Target Milestone:	---
Assignee:	Radek Vokál
QA Contact:	Fedora Extras Quality Assurance
Docs Contact:
URL:
Whiteboard:	bzcl34nup
Depends On:	299481
Blocks:
TreeView+	depends on / blocked

Reported:	2007-09-21 20:44 UTC by Jack Magne
Modified:	2008-11-26 17:36 UTC (History)
CC List:	5 users (show)
Fixed In Version:	F8
Doc Type:	Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed:	2008-11-26 17:36:40 UTC
Type:	---
Embargoed:
Dependent Products:

Attachments	(Terms of Use)

Description Jack Magne 2007-09-21 20:44:48 UTC

+++ This bug was initially created as a clone of Bug #299481 +++

Description of problem:

We have found a case where the SELinux system is issuing a specific error
message when attempting to use a smart card at the login screen.

Originally I thought that this might have bearing on some token detection issues
that we have been having. It turns out that putting SELinux into "Permissive
Mode" does not change this detection behavior. Anyway, it might be useful to
still file this issue in case it is of interest.

When either removing or inserting a smart card at the login screen the following
log message has shown up in the system log:

Summary
    SELinux is preventing the gdm-binary from using potentially mislabeled files
    (.pk11ipc1).







Version-Release number of selected component (if applicable):

F8 test2 updated to development as of today 9-20.

How reproducible:

Always

Steps to Reproduce:
1. Configure Fedora for smart card login.
2. Proceed to the login page.
3. Insert an enrolled smart card.
4. Observer the system log on /var/log/messages
5. Notice the above SELinux complaint very close to instances of inserting or
removing the key.  
Actual results:

The presence of a log message of SELinux complaining about access to the
file/directory .pk11ipc1.

Expected results:

If all is well, SELinux should have no reason to complain.

Additional info:

Attachment of the entire report to be enclosed.

-- Additional comment from jmagne on 2007-09-20 19:13 EST --
Created an attachment (id=201511)
SELinux alert report of the issue.


-- Additional comment from rrelyea on 2007-09-20 19:57 EST --
Arg,

If coolkey is trying to access .pk11ipc1, then we need to update it. The latest
version puts the cache in /var/cache/coolkey.


bob

-- Additional comment from rstrode on 2007-09-20 21:17 EST --
So, just to summarize (tell me if I got this wrong)

coolkey at one point, put a cache file in 

/tmp/.pk11ipc1

since it's in /tmp it doesn't get the proper label

new versions of coolkey use /var/cache/coolkey where it can get a proper label,
but we're shipping old versions.

I'm going to move this to coolkey, so it can get appropriate acks, etc.

Jack, would you mind trying the latest coolkey package to see if you still get
SELinux denial errors?  If so, we may need to clone this bug report to get an
selinux-policy update as well.

-- Additional comment from jmagne on 2007-09-21 13:21 EST --
Created an attachment (id=202641)
SELinux report with latest CoolKey


-- Additional comment from jmagne on 2007-09-21 13:22 EST --
I tried a test with the latest compiled (tip) libcoolkeypk11.so dropped in place
and got the following:

Summary
    SELinux is preventing /usr/sbin/gdm-binary (xdm_t) "write" to cache (var_t).

The full report is in the post just above.

-- Additional comment from rstrode on 2007-09-21 13:53 EST --
so we need a policy update, Jack, would you mind cloning this bug against
selinux-policy?

We can keep this report for getting the latest coolkey into the next update, and
have the other report for getting selinux-policy updated to work with the latest
coolkey.

-- Additional comment from jmagne on 2007-09-21 14:10 EST --
Ray: I can do that no problem.

Bob has informed me that it would be best to run another test on the latest
CoolKey using the full RPM instead of a quick drop-in test. I will do that and
report any different results here.

-- Additional comment from jmagne on 2007-09-21 16:33 EST --
I was able to do the following:

1. Compile a latest version of the coolkey RPM with the desired cache functionality.

2. Test it on F8.

3. The message we get this time is:

Summary
    SELinux is preventing /usr/sbin/gdm-binary (xdm_t) "write" to coolkey
    (var_t).


When we get in the updated CoolKey RPM this should be the behavior encountered.

Attachment of the full report on the way.

-- Additional comment from jmagne on 2007-09-21 16:36 EST --
Created an attachment (id=202801)
Latest CoolKey SELinux report

This attachment shows the latest behavior using an updated test version of
CoolKey. Note that the file/dir being complained about this time is:

/var/cache/coolkey

Comment 1 Daniel Walsh 2007-09-24 19:32:39 UTC

Fixed in selinux-policy-3.0.8-13

Comment 2 Bug Zapper 2008-04-04 13:53:34 UTC

Based on the date this bug was created, it appears to have been reported
during the development of Fedora 8. In order to refocus our efforts as
a project we are changing the version of this bug to '8'.

If this bug still exists in rawhide, please change the version back to
rawhide.
(If you're unable to change the bug's version, add a comment to the bug
and someone will change it for you.)

Thanks for your help and we apologize for the interruption.

The process we're following is outlined here:
http://fedoraproject.org/wiki/BugZappers/F9CleanUp

We will be following the process here:
http://fedoraproject.org/wiki/BugZappers/HouseKeeping to ensure this
doesn't happen again.

Comment 3 Tony Fu 2008-10-06 01:27:40 UTC

User jkubin's account has been closed

Comment 4 Bug Zapper 2008-11-26 07:50:21 UTC

This message is a reminder that Fedora 8 is nearing its end of life.
Approximately 30 (thirty) days from now Fedora will stop maintaining
and issuing updates for Fedora 8.  It is Fedora's policy to close all
bug reports from releases that are no longer maintained.  At that time
this bug will be closed as WONTFIX if it remains open with a Fedora 
'version' of '8'.

Package Maintainer: If you wish for this bug to remain open because you
plan to fix it in a currently maintained version, simply change the 'version' 
to a later Fedora version prior to Fedora 8's end of life.

Bug Reporter: Thank you for reporting this issue and we are sorry that 
we may not be able to fix it before Fedora 8 is end of life.  If you 
would still like to see this bug fixed and are able to reproduce it 
against a later version of Fedora please change the 'version' of this 
bug to the applicable version.  If you are unable to change the version, 
please add a comment here and someone will do it for you.

Although we aim to fix as many bugs as possible during every release's 
lifetime, sometimes those efforts are overtaken by events.  Often a 
more recent Fedora release includes newer upstream software that fixes 
bugs or makes them obsolete.

The process we are following is described here: 
http://fedoraproject.org/wiki/BugZappers/HouseKeeping

Comment 5 Jon Stanley 2008-11-26 17:36:40 UTC

As this bug is in MODIFIED, Fedora believes that a fix has been committed that resolves the problem listed in this bug report.

If this is not the case, please re-open this report, noting the version of the package that you reproduced the bug against.

Thanks for the report!

Note You need to log in before you can comment on or make changes to this bug.