Bug 622078 - SELinux targeted policy blocks use of pam_pkcs11
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted
Version: rawhide
Hardware: All
OS: Linux
low
medium
Target Milestone: ---
Assignee: Daniel Walsh
QA Contact: Ben Levenson
Reported: 2010-08-07 04:36 UTC by W. Michael Petullo
Modified: 2010-09-01 06:02 UTC (History)

Fixed In Version: selinux-policy-3.8.8-20.fc14
Doc Type: Bug Fix
Last Closed: 2010-09-01 06:02:38 UTC

Description W. Michael Petullo 2010-08-07 04:36:56 UTC
Description of problem:
SELinux targeted policy blocks use of pam_pkcs11

Version-Release number of selected component (if applicable):
selinux-policy-targeted-3.8.8-8.fc14.noarch

How reproducible:
Every time

Steps to Reproduce:
1. Install and configure pam_pkcs11 to allow logging in to a system using a smartcard
2. Attempt to login at a text console using a smartcard
  
Actual results:
type=AVC msg=audit(1281155601.917:250): avc:  denied  { getattr } for  pid=1915 comm="login" path="/var/run/pcscd.comm" dev=dm-1 ino=5243616 scontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_run_t:s0 tclass=sock_file
type=SYSCALL msg=audit(1281155601.917:250): arch=c000003e syscall=4 success=yes exit=0 a0=7fd806163c0b a1=7fff9a1d0d90 a2=7fff9a1d0d90 a3=7fff9a1d0a60 items=0 ppid=1 pid=1915 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=tty2 ses=4294967295 comm="login" exe="/bin/login" subj=system_u:system_r:local_login_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1281155601.917:251): avc:  denied  { read } for  pid=1915 comm="login" name="pcscd.pid" dev=dm-1 ino=5243615 scontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_run_t:s0 tclass=file
type=AVC msg=audit(1281155601.917:251): avc:  denied  { open } for  pid=1915 comm="login" name="pcscd.pid" dev=dm-1 ino=5243615 scontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_run_t:s0 tclass=file
type=SYSCALL msg=audit(1281155601.917:251): arch=c000003e syscall=2 success=yes exit=7 a0=7fd806164203 a1=0 a2=1b6 a3=0 items=0 ppid=1 pid=1915 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=tty2 ses=4294967295 comm="login" exe="/bin/login" subj=system_u:system_r:local_login_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1281155601.917:252): avc:  denied  { getattr } for  pid=1915 comm="login" path="/var/run/pcscd.pid" dev=dm-1 ino=5243615 scontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_run_t:s0 tclass=file
type=SYSCALL msg=audit(1281155601.917:252): arch=c000003e syscall=5 success=yes exit=0 a0=7 a1=7fff9a1d0be0 a2=7fff9a1d0be0 a3=7fff9a1d0ac0 items=0 ppid=1 pid=1915 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=tty2 ses=4294967295 comm="login" exe="/bin/login" subj=system_u:system_r:local_login_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1281155601.918:253): avc:  denied  { write } for  pid=1915 comm="login" name="pcscd.comm" dev=dm-1 ino=5243616 scontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_run_t:s0 tclass=sock_file
type=SYSCALL msg=audit(1281155601.918:253): arch=c000003e syscall=42 success=yes exit=0 a0=7 a1=7fff9a1d0d90 a2=16 a3=7fff9a1d0ae0 items=0 ppid=1 pid=1915 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=tty2 ses=4294967295 comm="login" exe="/bin/login" subj=system_u:system_r:local_login_t:s0-s0:c0.c1023 key=(null)
type=USER_AUTH msg=audit(1281155606.432:254): user pid=1915 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:local_login_t:s0-s0:c0.c1023 msg='op=PAM:authentication acct="mike" exe="/bin/login" hostname=? addr=? terminal=tty2 res=success'
type=USER_ACCT msg=audit(1281155606.433:255): user pid=1915 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:local_login_t:s0-s0:c0.c1023 msg='op=PAM:accounting acct="mike" exe="/bin/login" hostname=? addr=? terminal=tty2 res=success'
type=LOGIN msg=audit(1281155606.437:256): login pid=1915 uid=0 old auid=4294967295 new auid=1101 old ses=4294967295 new ses=3
type=USER_ROLE_CHANGE msg=audit(1281155606.537:257): user pid=1915 uid=0 auid=1101 ses=3 subj=system_u:system_r:local_login_t:s0-s0:c0.c1023 msg='pam: default-context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 selected-context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023: exe="/bin/login" hostname=? addr=? terminal=tty2 res=success'
type=USER_START msg=audit(1281155606.616:258): user pid=1915 uid=0 auid=1101 ses=3 subj=system_u:system_r:local_login_t:s0-s0:c0.c1023 msg='op=PAM:session_open acct="mike" exe="/bin/login" hostname=? addr=? terminal=tty2 res=success'
type=CRED_ACQ msg=audit(1281155606.619:259): user pid=1915 uid=0 auid=1101 ses=3 subj=system_u:system_r:local_login_t:s0-s0:c0.c1023 msg='op=PAM:setcred acct="mike" exe="/bin/login" hostname=? addr=? terminal=tty2 res=success'
type=USER_LOGIN msg=audit(1281155606.620:260): user pid=1915 uid=0 auid=1101 ses=3 subj=system_u:system_r:local_login_t:s0-s0:c0.c1023 msg='op=login id=1101 exe="/bin/login" hostname=?

Expected results:
User login should be allowed

Additional info:
Login works after "echo 0 > /selinux/enforce"

When running pcscd manually using "service pcscd start," I get:

type=AVC msg=audit(1281156118.657:297): avc:  denied  { read } for  pid=2257 comm="pcscd" name="devices" dev=sysfs ino=3363 scontext=unconfined_u:system_r:pcscd_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=dir
type=SYSCALL msg=audit(1281156118.657:297): arch=c000003e syscall=2 success=yes exit=6 a0=7f06a507b246 a1=90800 a2=7f06a507a680 a3=50 items=0 ppid=2256 pid=2257 auid=1101 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts3 ses=1 comm="pcscd" exe="/usr/sbin/pcscd" subj=unconfined_u:system_r:pcscd_t:s0 key=(null)
type=AVC msg=audit(1281156118.657:298): avc:  denied  { read } for  pid=2257 comm="pcscd" name="usb1" dev=sysfs ino=11895 scontext=unconfined_u:system_r:pcscd_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=lnk_file
type=AVC msg=audit(1281156118.657:298): avc:  denied  { getattr } for  pid=2257 comm="pcscd" path="/sys/devices/pci0000:00/0000:00:04.1/usb1/descriptors" dev=sysfs ino=11905 scontext=unconfined_u:system_r:pcscd_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=file
type=SYSCALL msg=audit(1281156118.657:298): arch=c000003e syscall=4 success=yes exit=0 a0=7fff33e39750 a1=7fff33e396b0 a2=7fff33e396b0 a3=7fff33e39410 items=0 ppid=2256 pid=2257 auid=1101 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts3 ses=1 comm="pcscd" exe="/usr/sbin/pcscd" subj=unconfined_u:system_r:pcscd_t:s0 key=(null)
type=AVC msg=audit(1281156118.658:299): avc:  denied  { read } for  pid=2257 comm="pcscd" name="busnum" dev=sysfs ino=11883 scontext=unconfined_u:system_r:pcscd_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=file
type=AVC msg=audit(1281156118.658:299): avc:  denied  { open } for  pid=2257 comm="pcscd" name="busnum" dev=sysfs ino=11883 scontext=unconfined_u:system_r:pcscd_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=file
type=SYSCALL msg=audit(1281156118.658:299): arch=c000003e syscall=2 success=yes exit=7 a0=7fff33e39750 a1=0 a2=1b6 a3=0 items=0 ppid=2256 pid=2257 auid=1101 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts3 ses=1 comm="pcscd" exe="/usr/sbin/pcscd" subj=unconfined_u:system_r:pcscd_t:s0 key=(null)
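
Added example (not part of the original report and not code from the SELinux project): a Python script that groups the AVC denials from the login attempt by source type, target type and object class, renders each group in the allow-rule form that audit2allow uses, and reports whether a SYSCALL record with the same audit event id shows the access was actually blocked. The sample input is a trimmed copy of records from the description above; the function and variable names are hypothetical.

```python
import re
from collections import defaultdict

# Trimmed copies of records from the report above (unused fields removed).
SAMPLE_LOG = '''\
type=AVC msg=audit(1281155601.917:250): avc:  denied  { getattr } for  pid=1915 comm="login" path="/var/run/pcscd.comm" scontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_run_t:s0 tclass=sock_file
type=SYSCALL msg=audit(1281155601.917:250): arch=c000003e syscall=4 success=yes exit=0 comm="login" exe="/bin/login"
type=AVC msg=audit(1281155601.917:251): avc:  denied  { read } for  pid=1915 comm="login" name="pcscd.pid" scontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_run_t:s0 tclass=file
type=AVC msg=audit(1281155601.917:251): avc:  denied  { open } for  pid=1915 comm="login" name="pcscd.pid" scontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_run_t:s0 tclass=file
type=SYSCALL msg=audit(1281155601.917:251): arch=c000003e syscall=2 success=yes exit=7 comm="login" exe="/bin/login"
type=AVC msg=audit(1281155601.918:253): avc:  denied  { write } for  pid=1915 comm="login" name="pcscd.comm" scontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_run_t:s0 tclass=sock_file
type=SYSCALL msg=audit(1281155601.918:253): arch=c000003e syscall=42 success=yes exit=0 comm="login" exe="/bin/login"
'''

AVC_RE = re.compile(
    r'type=AVC msg=audit\((?P<id>[^)]+)\): avc:\s+denied\s+\{(?P<perms>[^}]*)\}'
    r'.*?scontext=(?P<src>\S+) tcontext=(?P<tgt>\S+) tclass=(?P<cls>\S+)')
SYSCALL_RE = re.compile(
    r'type=SYSCALL msg=audit\((?P<id>[^)]+)\):.*?\bsuccess=(?P<ok>yes|no)')

def selinux_type(context):
    """Return the type field of a user:role:type:level security context."""
    return context.split(":")[2]

def summarize_denials(log_text):
    """Return sorted (rule, blocked) pairs, one per (source, target, class).

    blocked is True when a SYSCALL record sharing an audit event id with one
    of the group's AVC records reports success=no.
    """
    perms, events, failed = defaultdict(set), defaultdict(set), set()
    for line in log_text.splitlines():
        avc = AVC_RE.search(line)
        if avc:
            key = (selinux_type(avc["src"]), selinux_type(avc["tgt"]), avc["cls"])
            perms[key].update(avc["perms"].split())
            events[key].add(avc["id"])
            continue
        sc = SYSCALL_RE.search(line)
        if sc and sc["ok"] == "no":
            failed.add(sc["id"])
    return [
        (f"allow {s} {t}:{c} {{ {' '.join(sorted(perms[s, t, c]))} }};",
         bool(events[s, t, c] & failed))
        for (s, t, c) in sorted(perms)
    ]

if __name__ == "__main__":
    for rule, blocked in summarize_denials(SAMPLE_LOG):
        print("blocked" if blocked else "logged ", rule)
```

Both groups come back as logged rather than blocked, because every SYSCALL record in the sample reports success=yes. The rendered rules are a review aid for seeing which domain touched which label, not a policy module to load as-is.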

Comment 1 Daniel Walsh 2010-08-10 15:51:09 UTC
Do not report bugs when you run pcscd outside of the init scripts.  

The other bugs should be fixed in the latest selinux policy

yum -y update selinux-policy

Comment 2 Fedora Update System 2010-08-25 03:10:49 UTC
selinux-policy-3.8.8-20.fc14 has been submitted as an update for Fedora 14.
http://admin.fedoraproject.org/updates/selinux-policy-3.8.8-20.fc14

Comment 3 Fedora Update System 2010-08-25 13:30:32 UTC
selinux-policy-3.8.8-20.fc14 has been pushed to the Fedora 14 testing repository.  If problems still persist, please make note of it in this bug report.
 If you want to test the update, you can install it with 
 su -c 'yum --enablerepo=updates-testing update selinux-policy'.  You can provide feedback for this update here: http://admin.fedoraproject.org/updates/selinux-policy-3.8.8-20.fc14

Comment 4 Fedora Update System 2010-08-26 18:36:56 UTC
selinux-policy-3.8.8-20.fc14 has been pushed to the Fedora 14 testing repository.  If problems still persist, please make note of it in this bug report.
 If you want to test the update, you can install it with 
 su -c 'yum --enablerepo=updates-testing update selinux-policy'.  You can provide feedback for this update here: http://admin.fedoraproject.org/updates/selinux-policy-3.8.8-20.fc14

Comment 5 W. Michael Petullo 2010-08-27 03:39:27 UTC
My smartcard setup now seems to work after I installed the most recent Fedora 14 policy with SELinux in enforcing mode.

Comment 6 Daniel Walsh 2010-08-27 15:45:02 UTC
Please update karma.

Comment 7 Fedora Update System 2010-09-01 06:01:06 UTC
selinux-policy-3.8.8-20.fc14 has been pushed to the Fedora 14 stable repository.  If problems still persist, please make note of it in this bug report.

