Bug 502462 - SELinux is preventing login (local_login_t) "read" sysfs_t
SELinux is preventing login (local_login_t) "read" sysfs_t
Status: CLOSED CURRENTRELEASE
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted (Show other bugs)
11
All Linux
low Severity medium
: ---
: ---
Assigned To: Daniel Walsh
Ben Levenson
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2009-05-25 07:39 EDT by Michal Hlavinka
Modified: 2009-11-18 08:09 EST (History)
0 users

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2009-11-18 08:09:45 EST
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Michal Hlavinka 2009-05-25 07:39:00 EDT
Description of problem:
SELinux is preventing login (ecryptfs pam module) read sysfs_t. 
Ecryptfs pam module needs to read /sys/fs/ecryptfs/version to check what modes are supported by kernel module. Ecryptfs pam module (pam_ecryptfs.so) is used for login auto-mounting of encrypted directory.

Version-Release number of selected component (if applicable):
selinux-policy-targeted-3.6.12-34.fc11.noarch
ecryptfs-utils-75-1.fc11.x86_64

How reproducible:
always

Steps to Reproduce:
1.use ecryptfs-setup-private
2.change /etc/pam.d/system-auth (see bug #479727 comment #4)
3.create some file under ~/Private
3.ecryptfs-umount-private
4.logout
5.login
6.ls ~/Private

Actual results:
file names are not decrypted, because pam module thinks file name encryption is not supported by kernel

Expected results:
file names decrypted

Additional info:
Source Context:  system_u:system_r:local_login_t:s0-s0:c0.c1023Target Context:  system_u:object_r:sysfs_t:s0Target Objects:  version [ file ]Source:  loginSource Path:  <Unknown>Port:  <Unknown>Host:  dhcp-lab-102.englab.brq.redhat.comSource RPM Packages:  util-linux-ng-2.14.2-8.fc11Target RPM Packages:  Policy RPM:  selinux-policy-3.6.12-34.fc11Selinux Enabled:  TruePolicy Type:  targetedMLS Enabled:  TrueEnforcing Mode:  PermissivePlugin Name:  catchallHost Name:  dhcp-lab-102.englab.brq.redhat.comPlatform:  Linux dhcp-lab-102.englab.brq.redhat.com 2.6.29.3-140.fc11.x86_64 #1 SMP Tue May 12 10:44:27 EDT 2009 x86_64 x86_64Alert Count:  14First Seen:  Thu 21 May 2009 03:59:52 PM CESTLast Seen:  Mon 25 May 2009 01:13:42 PM CESTLocal ID:  aa5f097d-d833-4ff5-a900-d285e25b2f69Line Numbers:  Raw Audit Messages :node=dhcp-lab-102.englab.brq.redhat.com type=AVC msg=audit(1243250022.69:16): avc: denied { read } for pid=1385 comm="login" name="version" dev=sysfs ino=7502 scontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sysfs_t:s0 tclass=file node=dhcp-lab-102.englab.brq.redhat.com type=AVC msg=audit(1243250022.69:16): avc: denied { open } for pid=1385 comm="login" name="version" dev=sysfs ino=7502 scontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sysfs_t:s0 tclass=file node=dhcp-lab-102.englab.brq.redhat.com type=SYSCALL msg=audit(1243250022.69:16): arch=c000003e syscall=2 success=yes exit=4 a0=1885730 a1=0 a2=0 a3=8 items=0 ppid=1 pid=1385 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=tty2 ses=4294967295 comm="login" exe="/bin/login" subj=system_u:system_r:local_login_t:s0-s0:c0.c1023 key=(null)
Comment 1 Daniel Walsh 2009-05-26 08:44:59 EDT
You can add these rules for now using

# grep avc /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp
	
Fixed in selinux-policy-3.6.12-42.fc11.noarch
Comment 2 Bug Zapper 2009-06-09 12:31:49 EDT
This bug appears to have been reported against 'rawhide' during the Fedora 11 development cycle.
Changing version to '11'.

More information and reason for this action is here:
http://fedoraproject.org/wiki/BugZappers/HouseKeeping

Note You need to log in before you can comment on or make changes to this bug.