Bug 500318 - authconfig run in vnc causes selinux alerts
Summary: authconfig run in vnc causes selinux alerts
Status: CLOSED WONTFIX
Alias: None
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: selinux-policy
Version: 5.3
Hardware: All
OS: Linux
Target Milestone: rc
Assignee: Daniel Walsh
QA Contact: BaseOS QE
Reported: 2009-05-12 09:06 UTC by Petr Šplíchal
Modified: 2016-06-01 01:37 UTC (History)

Doc Type: Bug Fix
Last Closed: 2009-08-21 21:10:06 UTC

Description Petr Šplíchal 2009-05-12 09:06:27 UTC
Description of problem:
When authconfig / system-config-authentication is run in a VNC session as a regular user, AVCs are reported in the audit log.

Version-Release number of selected component (if applicable):
selinux-policy-2.4.6-203.el5.noarch

Steps to Reproduce:
# useradd tester
# su - tester
# mkdir .vnc
# echo gnome-session > .vnc/xstartup
# chmod 755 .vnc/xstartup
# vncserver :77
* set vnc password

Starting applications specified in /home/tester/.vnc/xstartup
Log file is /home/tester/.vnc/x86-64-5s-m1.lab.bos.redhat.com:77.log

* run vnc viewer and connect to remote-host:77
* click system > administration > authentication
* enable/disable caching
* click OK

The following AVC alert appears:

SELinux is preventing the nscd from using potentially mislabeled files
(/home/tester/.vnc/x86-64-5s-m1.lab.bos.redhat.com:77.log).

Detailed Description:

SELinux has denied nscd access to potentially mislabeled file(s)
(/home/tester/.vnc/x86-64-5s-m1.lab.bos.redhat.com:77.log). This means that
SELinux will not allow nscd to use these files. It is common for users to edit
files in their home directory or tmp directories and then move (mv) them to
system directories. The problem is that the files end up with the wrong file
context which confined applications are not allowed to access.

Allowing Access:

If you want nscd to access this files, you need to relabel them using restorecon
-v '/home/tester/.vnc/x86-64-5s-m1.lab.bos.redhat.com:77.log'. You might want to
relabel the entire directory using restorecon -R -v '/home/tester/.vnc'.

Additional Information:

Source Context                root:system_r:nscd_t
Target Context                root:object_r:user_home_t
Target Objects                /home/tester/.vnc/x86-64-5s-m1.lab.bos.redhat.com:
                              77.log [ file ]
Source                        nscd
Source Path                   /usr/sbin/nscd
Port                          <Unknown>
Host                          x86-64-5s-m1.lab.bos.redhat.com
Source RPM Packages           nscd-2.5-34
Target RPM Packages           
Policy RPM                    selinux-policy-2.4.6-203.el5
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   home_tmp_bad_labels
Host Name                     x86-64-5s-m1.lab.bos.redhat.com
Platform                      Linux x86-64-5s-m1.lab.bos.redhat.com
                              2.6.18-128.1.6.el5xen #1 SMP Tue Mar 24 12:28:27
                              EDT 2009 x86_64 x86_64
Alert Count                   1
First Seen                    Tue May 12 04:55:36 2009
Last Seen                     Tue May 12 04:55:36 2009
Local ID                      368f68fa-2680-42a3-bfed-cba4ab0b3fa6
Line Numbers                  

Raw Audit Messages            

host=x86-64-5s-m1.lab.bos.redhat.com type=AVC msg=audit(1242118536.178:28817): avc:  denied  { append } for  pid=20666 comm="nscd" path="/home/tester/.vnc/x86-64-5s-m1.lab.bos.redhat.com:77.log" dev=sdb1 ino=11010453 scontext=root:system_r:nscd_t:s0 tcontext=root:object_r:user_home_t:s0 tclass=file

host=x86-64-5s-m1.lab.bos.redhat.com type=SYSCALL msg=audit(1242118536.178:28817): arch=c000003e syscall=59 success=yes exit=0 a0=67cb640 a1=67cb760 a2=67aec80 a3=8 items=0 ppid=20661 pid=20666 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4259 comm="nscd" exe="/usr/sbin/nscd" subj=root:system_r:nscd_t:s0 key=(null)

Similarly, there are AVC messages for other services being stopped/started:

SELinux is preventing the pwconv from using potentially mislabeled files...
SELinux is preventing the grpconv from using potentially mislabeled files...
SELinux is preventing the pmap_dump from using potentially mislabeled files...
SELinux is preventing the portmap from using potentially mislabeled files...
SELinux is preventing the pmap_set from using potentially mislabeled files...
SELinux is preventing the setsebool from using potentially mislabeled files...
SELinux is preventing the ypbind from using potentially mislabeled files...

Comment 1 Daniel Walsh 2009-05-12 12:39:18 UTC
The problem is that all of these confined domains have their stdout set to the vnc log file which is causing avcs, since they are not allowed to append to files labeled as user_home_t.

This is a tough problem to fix, and really is not a security problem since the output of these services will run fine.

I think we have fixes in F10/F11 that would make this problem go away, but I do not intend to back port to RHEL5.

Comment 2 Daniel Walsh 2009-08-21 21:10:06 UTC
You can add these rules for now using

# grep avc /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp
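The workaround in Comment 2 feeds every AVC in audit.log to audit2allow, which also turns unrelated denials into allow rules. The following is an added example (not code from this bug report or from selinux-policy) that parses raw AVC records, recognises the inherited-stdout signature from Comment 1 (append/write on a user_home_t file by a confined daemon, all records pointing at the same dev/inode), and keeps only those lines for audit2allow. The sample log is constructed: the nscd record is the one in this report with a shortened path, the other records and their domain names are illustrative.

```python
import re

# Constructed sample audit log. Record 1 is the nscd AVC from this bug (path
# shortened); the pwconv and httpd records, and the domain names other than
# nscd_t, are made up to exercise the filter.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1242118536.178:28817): avc:  denied  { append } for  pid=20666 comm="nscd" path="/home/tester/.vnc/host:77.log" dev=sdb1 ino=11010453 scontext=root:system_r:nscd_t:s0 tcontext=root:object_r:user_home_t:s0 tclass=file
type=SYSCALL msg=audit(1242118536.178:28817): arch=c000003e syscall=59 success=yes exit=0 comm="nscd" exe="/usr/sbin/nscd" subj=root:system_r:nscd_t:s0 key=(null)
type=AVC msg=audit(1242118540.001:28820): avc:  denied  { append } for  pid=20701 comm="pwconv" path="/home/tester/.vnc/host:77.log" dev=sdb1 ino=11010453 scontext=root:system_r:example_passwd_t:s0 tcontext=root:object_r:user_home_t:s0 tclass=file
type=AVC msg=audit(1242118600.500:28900): avc:  denied  { read } for  pid=20900 comm="httpd" path="/home/tester/secret.txt" dev=sdb1 ino=22 scontext=root:system_r:httpd_t:s0 tcontext=root:object_r:user_home_t:s0 tclass=file
"""

AVC_RE = re.compile(r'avc:\s+denied\s+\{ (?P<perms>[^}]+)\} for\s+(?P<fields>.*)$')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return a dict of the AVC's fields, or None for non-AVC records."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {"perms": m.group("perms").split(), "raw": line}
    for key, val in FIELD_RE.findall(m.group("fields")):
        rec[key] = val.strip('"')
    return rec


def context_type(ctx):
    """user:role:type:level -> type."""
    return ctx.split(":")[2]


def is_inherited_stdio_denial(rec):
    """Signature from Comment 1: a daemon appending/writing to a home file."""
    return (rec.get("tclass") == "file"
            and set(rec["perms"]) <= {"append", "write"}
            and context_type(rec.get("tcontext", "::")) == "user_home_t")


def group_by_target(records):
    """Map (dev, ino) -> set of comm; one shared inode means one inherited fd."""
    groups = {}
    for rec in records:
        groups.setdefault((rec.get("dev"), rec.get("ino")), set()).add(rec["comm"])
    return groups


def filter_for_audit2allow(log_text):
    """Raw lines to pipe into audit2allow instead of 'grep avc'."""
    recs = [r for r in map(parse_avc, log_text.splitlines()) if r]
    return [r["raw"] for r in recs if is_inherited_stdio_denial(r)]
```

Run the kept lines through `audit2allow -M mypol` instead of the full log so the module only covers the VNC-log denials described here.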
