Bug 580585 - SELinux is preventing /bin/login "sys_ptrace" access (pam_mount problem)
SELinux is preventing /bin/login "sys_ptrace" access (pam_mount problem)
Status: CLOSED ERRATA
Product: Fedora
Classification: Fedora
Component: pam_mount (Show other bugs)
12
All Linux
low Severity medium
: ---
: ---
Assigned To: Till Maas
Fedora Extras Quality Assurance
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2010-04-08 11:11 EDT by Tomáš Trnka
Modified: 2010-10-28 18:20 EDT (History)
3 users (show)

See Also:
Fixed In Version: pam_mount-2.5-1.fc14
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2010-09-04 00:52:54 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:


Attachments (Terms of Use)

  None (edit)
Description Tomáš Trnka 2010-04-08 11:11:40 EDT
Description of problem:
When pam_mount is used to automatically mount/umount volumes on login/logout, the auto-umount requires the sys_ptrace capability to be allowed for the respective login program. That's because pam_mount walks /proc/<pid>/* to find processes accessing the mounted FS (in order to subsequently kill them). Under kdm everything works well (xdm does have the sys_ptrace access allowed), but tty logins using /bin/login cause an enormous burst of AVCs on logout.

Version-Release number of selected component (if applicable):
pam_mount-1.33-0.2T.x86_64 (my custom update fixing a segfault, but stock F12 pam_mount-1.32-1.fc12 exhibits the same bug)
selinux-policy-3.6.32-106.fc12

How reproducible:
On every TTY logout

Steps to Reproduce:
1. Install pam_mount and set it to kill processes on logout (<logout term="1"/> or so)
2. Login via TTY
3. Logout and watch your machine grind to a halt for a few minutes as setroubleshoot happily crunches hundreds of AVCs
  
Actual results:
Source Context                system_u:system_r:local_login_t:s0-s0:c0.c1023
Target Context                system_u:system_r:local_login_t:s0-s0:c0.c1023
Target Objects                None [ capability ]
Source                        login
Source Path                   /bin/login
Port                          <Unknown>
Host                          <Unknown>
Source RPM Packages           util-linux-ng-2.16.2-7.fc12
Target RPM Packages           
Policy RPM                    selinux-policy-3.6.32-106.fc12
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Plugin Name                   catchall
Host Name                     Bellatrix
Platform                      Linux Bellatrix 2.6.32.10-90.fc12.x86_64 #1 SMP
                              Tue Mar 23 09:47:08 UTC 2010 x86_64 x86_64
Alert Count                   10
First Seen                    Sat Nov 28 13:13:22 2009
Last Seen                     Sat Nov 28 13:13:22 2009
Local ID                      0fd67cff-b59d-4504-af72-ab83be3582b8
Line Numbers                  2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15,
                              16, 17, 18, 19, 20

Raw Audit Messages            

type=AVC msg=audit(1259410402.205:2496): avc:  denied  { sys_ptrace } for  pid=2054 comm="login" capability=19 scontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tcontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tclass=capability

type=SYSCALL msg=audit(1259410402.205:2496): arch=c000003e syscall=89 success=no exit=-13 a0=7fffbed1a5a0 a1=7fffbed1a290 a2=1ff a3=fffffffe items=0 ppid=1 pid=2054 auid=500 uid=0 gid=100 euid=0 suid=0 fsuid=0 egid=100 sgid=100 fsgid=100 tty=(none) ses=7 comm="login" exe="/bin/login" subj=system_u:system_r:local_login_t:s0-s0:c0.c1023 key=(null)

(Please disregard the First/Last Seen dates, this is made from a snippet of the resulting huge audit log.)

Expected results:
No AVCs reported, automatic killing on logout working.

Additional info:
A simple workaround: 
allow local_login_t self:capability sys_ptrace;
I'm currently using this but I think it's not a good solution since it requires us to grant sys_ptrace privileges to each and every program able to use pam_mount. The correct fix IMHO is to make pam_mount.so use an external binary to do the killing (it even currently provides one such binary, pmt-ofl, but doesn't use it) and grant sys_ptrace only to that binary.

I know this is more of an pam_mount bug than a policy one, but I wanted you SELinux guys to comment on which solution do you feel is the best. I've already reported this upstream (but got no response) here: http://sourceforge.net/tracker/?func=detail&aid=2932814&group_id=41452&atid=430596
Comment 1 Daniel Walsh 2010-04-08 15:46:23 EDT
That would seem to be the best long term solution.  Pam is already execing helper programs for access to shadow.

Miroslav, for now can you add sys_ptrace to logallogin.te
Comment 2 Fedora Update System 2010-08-16 16:43:06 EDT
pam_mount-2.5-1.fc13,libHX-3.5-1.fc13 has been submitted as an update for Fedora 13.
http://admin.fedoraproject.org/updates/pam_mount-2.5-1.fc13,libHX-3.5-1.fc13
Comment 3 Fedora Update System 2010-08-16 16:43:24 EDT
pam_mount-2.5-1.fc12,libHX-3.5-1.fc12 has been submitted as an update for Fedora 12.
http://admin.fedoraproject.org/updates/pam_mount-2.5-1.fc12,libHX-3.5-1.fc12
Comment 4 Fedora Update System 2010-08-16 16:43:44 EDT
pam_mount-2.5-1.fc14,libHX-3.5-1.fc14 has been submitted as an update for Fedora 14.
http://admin.fedoraproject.org/updates/pam_mount-2.5-1.fc14,libHX-3.5-1.fc14
Comment 5 Fedora Update System 2010-08-17 15:36:07 EDT
pam_mount-2.5-1.fc14, libHX-3.6-1.fc14 has been pushed to the Fedora 14 testing repository.  If problems still persist, please make note of it in this bug report.
 If you want to test the update, you can install it with 
 su -c 'yum --enablerepo=updates-testing update pam_mount libHX'.  You can provide feedback for this update here: http://admin.fedoraproject.org/updates/pam_mount-2.5-1.fc14,libHX-3.6-1.fc14
Comment 6 Fedora Update System 2010-09-04 00:52:28 EDT
pam_mount-2.5-1.fc12, libHX-3.6-1.fc12 has been pushed to the Fedora 12 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 7 Fedora Update System 2010-09-04 00:56:27 EDT
pam_mount-2.5-1.fc13, libHX-3.6-1.fc13 has been pushed to the Fedora 13 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 8 Fedora Update System 2010-10-28 18:20:09 EDT
pam_mount-2.5-1.fc14, libHX-3.6-1.fc14 has been pushed to the Fedora 14 stable repository.  If problems still persist, please make note of it in this bug report.

Note You need to log in before you can comment on or make changes to this bug.