Bug 629897 - SELinux is preventing /usr/bin/chsh "write" access on /var/run/dbus/system_bus_socket.
Summary: SELinux is preventing /usr/bin/chsh "write" access on /var/run/dbus/syst...
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 14
Hardware: x86_64
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Daniel Walsh
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard: setroubleshoot_trace_hash:4e64965b9db...
Depends On:
Blocks:
Reported: 2010-09-03 08:29 UTC by Carl G.
Modified: 2010-09-22 07:54 UTC (History)

Fixed In Version: selinux-policy-3.9.3-1.fc14
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2010-09-11 03:42:19 UTC
Type: ---
Embargoed:



Description Carl G. 2010-09-03 08:29:46 UTC
Summary:

SELinux is preventing /usr/bin/chsh "write" access on
/var/run/dbus/system_bus_socket.

Detailed Description:

[SELinux is in permissive mode. This access was not denied.]

SELinux denied access requested by chsh. It is not expected that this access is
required by chsh and this access may signal an intrusion attempt. It is also
possible that the specific version or configuration of the application is
causing it to require additional access.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ
(http://docs.fedoraproject.org/selinux-faq-fc5/#id2961385). Please file a bug
report.

Additional Information:

Source Context                staff_u:staff_r:chfn_t:s0
Target Context                system_u:object_r:system_dbusd_var_run_t:s0
Target Objects                /var/run/dbus/system_bus_socket [ sock_file ]
Source                        chsh
Source Path                   /usr/bin/chsh
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           util-linux-ng-2.18-4.fc14
Target RPM Packages           
Policy RPM                    selinux-policy-3.9.0-2.fc14
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Permissive
Plugin Name                   catchall
Host Name                     (removed)
Platform                      Linux (removed) 2.6.35.4-12.fc14.x86_64 #1 SMP
                              Fri Aug 27 07:45:05 UTC 2010 x86_64 x86_64
Alert Count                   3
First Seen                    Fri 03 Sep 2010 03:11:54 AM EDT
Last Seen                     Fri 03 Sep 2010 03:12:02 AM EDT
Local ID                      7ef24d61-985c-46c0-a500-2a3cfff78ce6
Line Numbers                  

Raw Audit Messages            

node=(removed) type=AVC msg=audit(1283497922.605:26623): avc:  denied  { write } for  pid=15441 comm="chsh" name="system_bus_socket" dev=dm-1 ino=164 scontext=staff_u:staff_r:chfn_t:s0 tcontext=system_u:object_r:system_dbusd_var_run_t:s0 tclass=sock_file

node=(removed) type=SYSCALL msg=audit(1283497922.605:26623): arch=c000003e syscall=42 success=yes exit=0 a0=3 a1=7fff74199ca0 a2=21 a3=6e75722f7261762f items=0 ppid=15405 pid=15441 auid=500 uid=500 gid=500 euid=0 suid=0 fsuid=0 egid=500 sgid=500 fsgid=500 tty=pts0 ses=3 comm="chsh" exe="/usr/bin/chsh" subj=staff_u:staff_r:chfn_t:s0 key=(null)



Hash String generated from  catchall,chsh,chfn_t,system_dbusd_var_run_t,sock_file,write
audit2allow suggests:

#============= chfn_t ==============
allow chfn_t system_dbusd_var_run_t:sock_file write;
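
The two raw audit records above, parsed and correlated by their audit serial (26623) the way setroubleshoot does before it proposes a rule. This is an added example, not part of the report or of setroubleshoot; it assumes only the x86_64 syscall number seen here (42 = connect, arch c000003e) and reproduces the audit2allow rule from the parsed fields:

```python
import re
# Constructed sample: the AVC and SYSCALL records from the report, same serial.
AUDIT_LOG = """\
node=(removed) type=AVC msg=audit(1283497922.605:26623): avc:  denied  { write } for  pid=15441 comm="chsh" name="system_bus_socket" dev=dm-1 ino=164 scontext=staff_u:staff_r:chfn_t:s0 tcontext=system_u:object_r:system_dbusd_var_run_t:s0 tclass=sock_file
node=(removed) type=SYSCALL msg=audit(1283497922.605:26623): arch=c000003e syscall=42 success=yes exit=0 a0=3 a1=7fff74199ca0 a2=21 a3=6e75722f7261762f items=0 ppid=15405 pid=15441 auid=500 uid=500 gid=500 euid=0 suid=0 fsuid=0 egid=500 sgid=500 fsgid=500 tty=pts0 ses=3 comm="chsh" exe="/usr/bin/chsh" subj=staff_u:staff_r:chfn_t:s0 key=(null)
"""

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
SERIAL_RE = re.compile(r'msg=audit\(\d+\.\d+:(\d+)\)')
PERMS_RE = re.compile(r'\{ ([^}]*) \}')
X86_64_SYSCALLS = {'42': 'connect'}   # only the number that appears in this report

def parse_record(line):
    """Split one audit record into a dict of key=value fields."""
    rec = {k: v.strip('"') for k, v in KV_RE.findall(line)}
    rec['serial'] = int(SERIAL_RE.search(line).group(1))
    if rec['type'] == 'AVC':
        rec['perms'] = PERMS_RE.search(line).group(1).split()
    return rec

def se_type(context):
    return context.split(':')[2]   # user:role:type:level -> type

def correlate(log_text):
    """Join AVC and SYSCALL records by audit serial; one event per AVC."""
    by_serial = {}
    for line in log_text.splitlines():
        if line.strip():
            rec = parse_record(line)
            by_serial.setdefault(rec['serial'], {})[rec['type']] = rec
    events = []
    for serial, recs in sorted(by_serial.items()):
        if 'AVC' not in recs:
            continue
        avc, sc = recs['AVC'], recs.get('SYSCALL', {})
        nr = sc.get('syscall')
        events.append({
            'serial': serial, 'comm': avc['comm'], 'exe': sc.get('exe'),
            'stype': se_type(avc['scontext']), 'ttype': se_type(avc['tcontext']),
            'tclass': avc['tclass'], 'perms': avc['perms'],
            # arch c000003e is x86_64; an AVC "denied" with success=yes means permissive mode
            'syscall': X86_64_SYSCALLS.get(nr, nr) if sc.get('arch') == 'c000003e' else nr,
            'permissive': sc.get('success') == 'yes',
        })
    return events

def audit2allow_rule(ev):
    """Same shape as the rule audit2allow proposed for this report."""
    return f"allow {ev['stype']} {ev['ttype']}:{ev['tclass']} {' '.join(ev['perms'])};"
```

The `permissive` flag is the check worth keeping in detection logic: the same AVC line in enforcing mode would come with `success=no`, and chsh would have failed instead of silently talking to the system bus.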

Comment 1 Daniel Walsh 2010-09-03 13:52:36 UTC
What tool were you using when you saw this happen?  accountsdialog?

Comment 2 Carl G. 2010-09-03 16:03:46 UTC
Nope, I used chsh.

Comment 3 Daniel Walsh 2010-09-03 18:55:07 UTC
What does id -Z show?

Do you have a leak of system_dbusd_var_run_t into your session?

Comment 4 Carl G. 2010-09-03 19:10:44 UTC
staff_u:staff_r:staff_t:s0

staff_u         user       s0         s0-s0:c0.c1023                 staff_r sysadm_r system_r unconfined_r

I don't have any other system_dbusd_var_run_t AVC or anything related to dbus right now.

Comment 5 Daniel Walsh 2010-09-03 19:39:50 UTC
Well I will reassign to util-linux to see if those guys have any idea.

Comment 6 Karel Zak 2010-09-04 00:11:51 UTC
chsh uses PAM, what do you have in your /etc/pam.d/{chsh,system-auth} ?

Comment 7 Carl G. 2010-09-04 01:32:49 UTC
chsh:
#%PAM-1.0
auth       sufficient   pam_rootok.so
auth       include      system-auth
account    include      system-auth
password   include      system-auth
session    include      system-auth


system-auth:
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      pam_env.so
auth        sufficient    pam_fprintd.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        required      pam_deny.so

account     required      pam_unix.so
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     required      pam_permit.so

password    requisite     pam_cracklib.so try_first_pass retry=3 type=
password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so

Comment 8 Karel Zak 2010-09-06 07:27:13 UTC
$ ldd /lib64/security/pam_fprintd.so | grep dbus
        libdbus-glib-1.so.2 => /usr/lib64/libdbus-glib-1.so.2 (0x00007ffc43852000)
        libdbus-1.so.3 => /lib64/libdbus-1.so.3 (0x00007ffc4360d000)
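
Comments 6 to 8 trace the access to PAM: chsh's stack includes system-auth, which loads pam_fprintd.so, and that module links libdbus. As an added example (not from the report), a small resolver that expands the `include` lines of the pasted /etc/pam.d files so the effective module list per facility is visible; the config is constructed inline from comment 7, with system-auth abridged to the lines that matter here:

```python
PAM_FILES = {  # constructed from the two files pasted in comment 7 (system-auth abridged)
    "chsh": """\
#%PAM-1.0
auth       sufficient   pam_rootok.so
auth       include      system-auth
account    include      system-auth
password   include      system-auth
session    include      system-auth
""",
    "system-auth": """\
auth        required      pam_env.so
auth        sufficient    pam_fprintd.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        required      pam_deny.so
account     required      pam_unix.so
session     optional      pam_keyinit.so revoke
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
""",
}

def parse_pam(text):
    """Yield (facility, control, module, args); a bracketed control stays one token."""
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].strip()
        if not line:
            continue
        facility, rest = line.split(None, 1)
        if rest.startswith('['):   # e.g. [success=1 default=ignore]
            end = rest.index(']') + 1
            control, rest = rest[:end], rest[end:]
        else:
            control, _, rest = rest.partition(' ')
        parts = rest.strip().split(None, 1)
        yield facility, control, parts[0], (parts[1] if len(parts) > 1 else '')

def resolve_stack(files, service, facility, seen=()):
    """Expand include/substack lines into the effective module list for one facility."""
    if service in seen:
        raise ValueError(f"include loop at {service}")
    stack = []
    for fac, control, module, args in parse_pam(files[service]):
        if fac != facility:
            continue
        if control in ('include', 'substack'):   # substack treated like include for listing
            stack.extend(resolve_stack(files, module, facility, seen + (service,)))
        else:
            stack.append((control, module, args))
    return stack
```

Running it on a real system, the next step is the `ldd` check from comment 8 over every module the resolver returns, which is how a module that silently pulls in D-Bus shows up.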

Comment 9 Daniel Walsh 2010-09-07 19:25:52 UTC
Fixed in selinux-policy-3.9.3-1.fc14

Comment 10 Fedora Update System 2010-09-08 18:41:06 UTC
selinux-policy-3.9.3-1.fc14 has been submitted as an update for Fedora 14.
https://admin.fedoraproject.org/updates/selinux-policy-3.9.3-1.fc14

Comment 11 Fedora Update System 2010-09-09 04:11:31 UTC
selinux-policy-3.9.3-1.fc14 has been pushed to the Fedora 14 testing repository. If problems still persist, please make note of it in this bug report.
If you want to test the update, you can install it with
su -c 'yum --enablerepo=updates-testing update selinux-policy'. You can provide feedback for this update here: https://admin.fedoraproject.org/updates/selinux-policy-3.9.3-1.fc14

Comment 12 Fedora Update System 2010-09-11 03:40:34 UTC
selinux-policy-3.9.3-1.fc14 has been pushed to the Fedora 14 stable repository.  If problems still persist, please make note of it in this bug report.

