Bug 502462 - SELinux is preventing login (local_login_t) "read" sysfs_t
Summary: SELinux is preventing login (local_login_t) "read" sysfs_t
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted
Version: 11
Hardware: All
OS: Linux
low
medium
Target Milestone: ---
Assignee: Daniel Walsh
QA Contact: Ben Levenson
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2009-05-25 11:39 UTC by Michal Hlavinka
Modified: 2009-11-18 13:09 UTC (History)
0 users

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2009-11-18 13:09:45 UTC
Type: ---
Embargoed:

Attachments (Terms of Use)

Description Michal Hlavinka 2009-05-25 11:39:00 UTC 
Description of problem:
SELinux is preventing login (ecryptfs pam module) read sysfs_t. 
Ecryptfs pam module needs to read /sys/fs/ecryptfs/version to check what modes are supported by kernel module. Ecryptfs pam module (pam_ecryptfs.so) is used for login auto-mounting of encrypted directory.

Version-Release number of selected component (if applicable):
selinux-policy-targeted-3.6.12-34.fc11.noarch
ecryptfs-utils-75-1.fc11.x86_64

How reproducible:
always

Steps to Reproduce:
1.use ecryptfs-setup-private
2.change /etc/pam.d/system-auth (see bug #479727 comment #4)
3.create some file under ~/Private
3.ecryptfs-umount-private
4.logout
5.login
6.ls ~/Private

Actual results:
file names are not decrypted, because pam module thinks file name encryption is not supported by kernel

Expected results:
file names decrypted

Additional info:
Source Context:  system_u:system_r:local_login_t:s0-s0:c0.c1023Target Context:  system_u:object_r:sysfs_t:s0Target Objects:  version [ file ]Source:  loginSource Path:  <Unknown>Port:  <Unknown>Host:  dhcp-lab-102.englab.brq.redhat.comSource RPM Packages:  util-linux-ng-2.14.2-8.fc11Target RPM Packages:  Policy RPM:  selinux-policy-3.6.12-34.fc11Selinux Enabled:  TruePolicy Type:  targetedMLS Enabled:  TrueEnforcing Mode:  PermissivePlugin Name:  catchallHost Name:  dhcp-lab-102.englab.brq.redhat.comPlatform:  Linux dhcp-lab-102.englab.brq.redhat.com 2.6.29.3-140.fc11.x86_64 #1 SMP Tue May 12 10:44:27 EDT 2009 x86_64 x86_64Alert Count:  14First Seen:  Thu 21 May 2009 03:59:52 PM CESTLast Seen:  Mon 25 May 2009 01:13:42 PM CESTLocal ID:  aa5f097d-d833-4ff5-a900-d285e25b2f69Line Numbers:  Raw Audit Messages :node=dhcp-lab-102.englab.brq.redhat.com type=AVC msg=audit(1243250022.69:16): avc: denied { read } for pid=1385 comm="login" name="version" dev=sysfs ino=7502 scontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sysfs_t:s0 tclass=file node=dhcp-lab-102.englab.brq.redhat.com type=AVC msg=audit(1243250022.69:16): avc: denied { open } for pid=1385 comm="login" name="version" dev=sysfs ino=7502 scontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sysfs_t:s0 tclass=file node=dhcp-lab-102.englab.brq.redhat.com type=SYSCALL msg=audit(1243250022.69:16): arch=c000003e syscall=2 success=yes exit=4 a0=1885730 a1=0 a2=0 a3=8 items=0 ppid=1 pid=1385 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=tty2 ses=4294967295 comm="login" exe="/bin/login" subj=system_u:system_r:local_login_t:s0-s0:c0.c1023 key=(null)
Comment 1 Daniel Walsh 2009-05-26 12:44:59 UTC 
You can add these rules for now using

# grep avc /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp
	
Fixed in selinux-policy-3.6.12-42.fc11.noarch
Comment 2 Bug Zapper 2009-06-09 16:31:49 UTC 
This bug appears to have been reported against 'rawhide' during the Fedora 11 development cycle.
Changing version to '11'.

More information and reason for this action is here:
http://fedoraproject.org/wiki/BugZappers/HouseKeeping
Note You need to log in before you can comment on or make changes to this bug.