Bug 699465 - SELinux is preventing /bin/systemd-tty-ask-password-agent from 'read' accesses on the fifo_file 136:0.
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 15
Hardware: i386
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Miroslav Grepl
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard: setroubleshoot_trace_hash:09ba32ed0e2...
Depends On:
Blocks:
Reported: 2011-04-25 18:27 UTC by James Laska
Modified: 2013-09-02 06:56 UTC (History)

Fixed In Version: selinux-policy-3.9.16-32.fc15
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2011-07-08 18:10:32 UTC
Type: ---
Embargoed:


Description James Laska 2011-04-25 18:27:07 UTC
SELinux is preventing /bin/systemd-tty-ask-password-agent from 'read' accesses on the fifo_file 136:0.

*****  Plugin catchall (100. confidence) suggests  ***************************

If you believe that systemd-tty-ask-password-agent should be allowed read access on the 136:0 fifo_file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep systemd-tty-ask /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                unconfined_u:system_r:systemd_passwd_agent_t:s0
Target Context                unconfined_u:object_r:init_var_run_t:s0
Target Objects                136:0 [ fifo_file ]
Source                        systemd-tty-ask
Source Path                   /bin/systemd-tty-ask-password-agent
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           systemd-25-1.fc15
Target RPM Packages           
Policy RPM                    selinux-policy-3.9.16-15.fc15
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed)
                              2.6.38.3-18.fc15.i686.PAE #1 SMP Fri Apr 22
                              13:30:58 UTC 2011 i686 i686
Alert Count                   1
First Seen                    Mon 25 Apr 2011 02:25:52 PM EDT
Last Seen                     Mon 25 Apr 2011 02:25:52 PM EDT
Local ID                      e532d015-a9dc-4dc5-9e61-59bedb82c605

Raw Audit Messages
type=AVC msg=audit(1303755952.813:48): avc:  denied  { read } for  pid=1879 comm="systemd-tty-ask" name="136:0" dev=tmpfs ino=24411 scontext=unconfined_u:system_r:systemd_passwd_agent_t:s0 tcontext=unconfined_u:object_r:init_var_run_t:s0 tclass=fifo_file


type=AVC msg=audit(1303755952.813:48): avc:  denied  { open } for  pid=1879 comm="systemd-tty-ask" name="136:0" dev=tmpfs ino=24411 scontext=unconfined_u:system_r:systemd_passwd_agent_t:s0 tcontext=unconfined_u:object_r:init_var_run_t:s0 tclass=fifo_file


type=SYSCALL msg=audit(1303755952.813:48): arch=i386 syscall=open success=yes exit=ESRCH a0=9984080 a1=80900 a2=8051d94 a3=bfc1ef44 items=0 ppid=1878 pid=1879 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm=systemd-tty-ask exe=/bin/systemd-tty-ask-password-agent subj=unconfined_u:system_r:systemd_passwd_agent_t:s0 key=(null)

Hash: systemd-tty-ask,systemd_passwd_agent_t,init_var_run_t,fifo_file,read

audit2allow

#============= systemd_passwd_agent_t ==============
allow systemd_passwd_agent_t init_var_run_t:fifo_file { read open };

audit2allow -R

#============= systemd_passwd_agent_t ==============
allow systemd_passwd_agent_t init_var_run_t:fifo_file { read open };

Comment 1 Daniel Walsh 2011-04-25 19:29:26 UTC
Fixed in selinux-policy-3.9.16-17.fc15

Comment 2 Fedora Update System 2011-05-02 10:57:17 UTC
selinux-policy-3.9.16-21.fc15 has been submitted as an update for Fedora 15.
https://admin.fedoraproject.org/updates/selinux-policy-3.9.16-21.fc15

Comment 3 Fedora Update System 2011-05-03 04:28:58 UTC
Package selinux-policy-3.9.16-21.fc15:
* should fix your issue,
* was pushed to the Fedora 15 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.9.16-21.fc15'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/selinux-policy-3.9.16-21.fc15
then log in and leave karma (feedback).

Comment 4 Fedora Update System 2011-05-05 05:02:36 UTC
selinux-policy-3.9.16-21.fc15 has been pushed to the Fedora 15 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 5 Niki Guldbrand 2011-05-20 09:10:22 UTC
I have the same/similar issue right after installing nscd.

SELinux is preventing /bin/systemd-tty-ask-password-agent from read access on the fifo_file 136:3.

Plugin: catchall
you want to allow systemd-tty-ask-password-agent to have read access on the 136:3 fifo_file
If you believe that systemd-tty-ask-password-agent should be allowed read access on the 136:3 fifo_file by default.
You should report this as a bug.
You can generate a local policy module to allow this access.
Allow this access for now by executing:
# grep systemd-tty-ask /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp


And I have selinux-policy-3.9.16-23.fc15 installed.

Comment 6 Daniel Walsh 2011-05-23 15:40:39 UTC
Niki what AVC are you seeing?

Could you attach mypol.te

Comment 7 Sebastian Krämer 2011-06-11 09:04:37 UTC
I still have selinux-policy-3.9.16-26.fc15 installed. I got an error when restarting avahi-daemon and the selinux alert browser linked the problem to this bug report.
Something is not fixed, it appears.

Comment 8 Daniel Walsh 2011-06-13 12:43:08 UTC
Please attach the AVC you are seeing

ausearch -m avc -ts recent

Comment 9 Stefan Schulze Frielinghaus 2011-06-15 19:30:20 UTC
I run into the same problem and get the following AVC messages even with policy version 3.9.16-26:

SELinux is preventing /bin/systemd-tty-ask-password-agent from read access on the fifo_file 136:0.

*****  Plugin catchall (100. confidence) suggests  ***************************

If you believe that systemd-tty-ask-password-agent should be allowed read access on the 136:0 fifo_file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep systemd-tty-ask /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                unconfined_u:system_r:systemd_passwd_agent_t:s0
Target Context                unconfined_u:object_r:init_var_run_t:s0
Target Objects                136:0 [ fifo_file ]
Source                        systemd-tty-ask
Source Path                   /bin/systemd-tty-ask-password-agent
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           systemd-26-2.fc15
Target RPM Packages           
Policy RPM                    selinux-policy-3.9.16-26.fc15
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux vogon.seekline.net 2.6.38.7-30.fc15.x86_64
                              #1 SMP Fri May 27 05:15:53 UTC 2011 x86_64 x86_64
Alert Count                   1
First Seen                    Mi 15 Jun 2011 21:18:43 CEST
Last Seen                     Mi 15 Jun 2011 21:18:43 CEST
Local ID                      d10a86c9-2161-4451-a201-6e12c937ef69

Raw Audit Messages
type=AVC msg=audit(1308165523.426:380): avc:  denied  { read } for  pid=29356 comm="systemd-tty-ask" name="136:0" dev=tmpfs ino=33698 scontext=unconfined_u:system_r:systemd_passwd_agent_t:s0 tcontext=unconfined_u:object_r:init_var_run_t:s0 tclass=fifo_file


type=AVC msg=audit(1308165523.426:380): avc:  denied  { open } for  pid=29356 comm="systemd-tty-ask" name="136:0" dev=tmpfs ino=33698 scontext=unconfined_u:system_r:systemd_passwd_agent_t:s0 tcontext=unconfined_u:object_r:init_var_run_t:s0 tclass=fifo_file


type=SYSCALL msg=audit(1308165523.426:380): arch=x86_64 syscall=open success=yes exit=ESRCH a0=1cb50a0 a1=80900 a2=fffffffffffffed0 a3=0 items=0 ppid=29355 pid=29356 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm=systemd-tty-ask exe=/bin/systemd-tty-ask-password-agent subj=unconfined_u:system_r:systemd_passwd_agent_t:s0 key=(null)

Hash: systemd-tty-ask,systemd_passwd_agent_t,init_var_run_t,fifo_file,read

audit2allow

#============= systemd_passwd_agent_t ==============
#!!!! This avc is allowed in the current policy

allow systemd_passwd_agent_t init_var_run_t:fifo_file { read open };

audit2allow -R

#============= systemd_passwd_agent_t ==============
#!!!! This avc is allowed in the current policy

allow systemd_passwd_agent_t init_var_run_t:fifo_file { read open };


If I follow the advice, create a local policy and load it, then no new AVCs are generated. The module looks as follows:

module mypol 1.0;

require {
	type init_var_run_t;
	type systemd_passwd_agent_t;
	class fifo_file { read open };
}

#============= systemd_passwd_agent_t ==============
allow systemd_passwd_agent_t init_var_run_t:fifo_file { read open };


The file which systemd tries to access is the following:

/run/systemd/ask-password-block/136:0

HTH,
Stefan

Comment 10 Chris Marcantonio 2011-06-15 19:40:48 UTC
I think I'm still seeing this as well.  Here is my relevant info...

[root@linuxbook ~]# rpm -q selinux-policy
selinux-policy-3.9.16-26.fc15.noarch
[root@linuxbook ~]# ausearch -m avc -ts recent
----
time->Wed Jun 15 15:36:31 2011
type=SYSCALL msg=audit(1308166591.199:2873): arch=40000003 syscall=5 success=yes exit=3 a0=8a73080 a1=88900 a2=0 a3=bfd68874 items=0 ppid=29482 pid=29483 auid=32034 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts6 ses=1 comm="systemd-tty-ask" exe="/bin/systemd-tty-ask-password-agent" subj=unconfined_u:system_r:systemd_passwd_agent_t:s0 key=(null)
type=AVC msg=audit(1308166591.199:2873): avc:  denied  { open } for  pid=29483 comm="systemd-tty-ask" name="136:6" dev=tmpfs ino=159679 scontext=unconfined_u:system_r:systemd_passwd_agent_t:s0 tcontext=unconfined_u:object_r:init_var_run_t:s0 tclass=fifo_file
type=AVC msg=audit(1308166591.199:2873): avc:  denied  { read } for  pid=29483 comm="systemd-tty-ask" name="136:6" dev=tmpfs ino=159679 scontext=unconfined_u:system_r:systemd_passwd_agent_t:s0 tcontext=unconfined_u:object_r:init_var_run_t:s0 tclass=fifo_file
[root@linuxbook ~]#

Do you want some more information from this system?

Comment 11 Daniel Walsh 2011-06-15 20:17:18 UTC
Yes I allowed access to a sock_file not a fifo_file.

Fixed in selinux-policy-3.9.16-30.fc15
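
Comment 11 traces the repeat denials to a rule written for the wrong object class. The following Python code is an added example, not part of the original report or of selinux-policy: it reduces the AVC records from Comment 10 to (source type, target type, class) keys and reports which denied permissions a given set of allow rules leaves uncovered. SOCK_RULE is a hypothetical stand-in for the first fix, whose actual text does not appear in this report, and the function names are assumptions.

```python
import re
from collections import defaultdict

# AVC records copied from Comment 10 of this report.
AUDIT_LOG = '''\
type=AVC msg=audit(1308166591.199:2873): avc:  denied  { open } for  pid=29483 comm="systemd-tty-ask" name="136:6" dev=tmpfs ino=159679 scontext=unconfined_u:system_r:systemd_passwd_agent_t:s0 tcontext=unconfined_u:object_r:init_var_run_t:s0 tclass=fifo_file
type=AVC msg=audit(1308166591.199:2873): avc:  denied  { read } for  pid=29483 comm="systemd-tty-ask" name="136:6" dev=tmpfs ino=159679 scontext=unconfined_u:system_r:systemd_passwd_agent_t:s0 tcontext=unconfined_u:object_r:init_var_run_t:s0 tclass=fifo_file
'''
# Rule text as printed by audit2allow in this report.
FIFO_RULE = "allow systemd_passwd_agent_t init_var_run_t:fifo_file { read open };"
# Hypothetical: same types and permissions, but the class named in Comment 11.
SOCK_RULE = "allow systemd_passwd_agent_t init_var_run_t:sock_file { read open };"

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*)\}.*?"
    r"scontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\S+)")
RULE_RE = re.compile(r"allow\s+(\S+)\s+(\S+):(\S+)\s+\{\s*([^}]*)\};")

def type_of(context):
    """Return the type field of a user:role:type[:level] security context."""
    return context.split(":")[2]

def denials(log):
    """Map (source type, target type, class) -> set of denied permissions."""
    out = defaultdict(set)
    for m in AVC_RE.finditer(log):
        key = (type_of(m["scon"]), type_of(m["tcon"]), m["tclass"])
        out[key].update(m["perms"].split())
    return dict(out)

def parse_rule(rule):
    """Split one 'allow src tgt:class { perms };' line into (key, perms)."""
    src, tgt, cls, perms = RULE_RE.search(rule).groups()
    return (src, tgt, cls), set(perms.split())

def uncovered(log, rules):
    """Return denied permissions that none of the given allow rules grants."""
    granted = defaultdict(set)
    for key, perms in map(parse_rule, rules):
        granted[key] |= perms
    return {k: p - granted[k] for k, p in denials(log).items() if p - granted[k]}
```

With only SOCK_RULE supplied, both fifo_file permissions remain uncovered because the class is part of the match key; with FIFO_RULE the result is empty.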

Comment 12 Fedora Update System 2011-06-30 15:58:39 UTC
selinux-policy-3.9.16-31.fc15 has been submitted as an update for Fedora 15.
https://admin.fedoraproject.org/updates/selinux-policy-3.9.16-31.fc15

Comment 13 Fedora Update System 2011-07-01 18:55:08 UTC
Package selinux-policy-3.9.16-32.fc15:
* should fix your issue,
* was pushed to the Fedora 15 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.9.16-32.fc15'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/selinux-policy-3.9.16-32.fc15
then log in and leave karma (feedback).

Comment 14 Fedora Update System 2011-07-08 18:09:24 UTC
selinux-policy-3.9.16-32.fc15 has been pushed to the Fedora 15 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 15 Matt 2011-08-04 07:53:54 UTC
I get this issue with Fedora 15 - selinux-policy 3.9.16-35.fc15.

I was attempting to stop the iscsi service using: service iscsid stop


More Info:

SELinux is preventing /bin/systemd-tty-ask-password-agent from read access on the fifo_file 136:0.

*****  Plugin catchall (100. confidence) suggests  ***************************

If you believe that systemd-tty-ask-password-agent should be allowed read access on the 136:0 fifo_file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep systemd-tty-ask /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                unconfined_u:system_r:systemd_passwd_agent_t:s0
Target Context                unconfined_u:object_r:init_var_run_t:s0
Target Objects                136:0 [ fifo_file ]
Source                        systemd-tty-ask
Source Path                   /bin/systemd-tty-ask-password-agent
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           systemd-26-8.fc15
Target RPM Packages           
Policy RPM                    selinux-policy-3.9.16-35.fc15
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux gb098531.gb.computacenter.co.uk
                              2.6.40-4.fc15.x86_64 #1 SMP Fri Jul 29 18:46:53
                              UTC 2011 x86_64 x86_64
Alert Count                   1
First Seen                    Thu 04 Aug 2011 08:47:51 BST
Last Seen                     Thu 04 Aug 2011 08:47:51 BST
Local ID                      d1b34671-93d8-4962-b0fa-5a6cdc16da40

Raw Audit Messages
type=AVC msg=audit(1312444071.347:387): avc:  denied  { read } for  pid=9212 comm="systemd-tty-ask" name="136:0" dev=tmpfs ino=100129 scontext=unconfined_u:system_r:systemd_passwd_agent_t:s0 tcontext=unconfined_u:object_r:init_var_run_t:s0 tclass=fifo_file


type=AVC msg=audit(1312444071.347:387): avc:  denied  { open } for  pid=9212 comm="systemd-tty-ask" name="136:0" dev=tmpfs ino=100129 scontext=unconfined_u:system_r:systemd_passwd_agent_t:s0 tcontext=unconfined_u:object_r:init_var_run_t:s0 tclass=fifo_file


type=SYSCALL msg=audit(1312444071.347:387): arch=x86_64 syscall=open success=yes exit=ESRCH a0=10430a0 a1=80900 a2=fffffffffffffed0 a3=0 items=0 ppid=9211 pid=9212 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm=systemd-tty-ask exe=/bin/systemd-tty-ask-password-agent subj=unconfined_u:system_r:systemd_passwd_agent_t:s0 key=(null)

Hash: systemd-tty-ask,systemd_passwd_agent_t,init_var_run_t,fifo_file,read

audit2allow

#============= systemd_passwd_agent_t ==============
allow systemd_passwd_agent_t init_var_run_t:fifo_file { read open };

audit2allow -R

#============= systemd_passwd_agent_t ==============
allow systemd_passwd_agent_t init_var_run_t:fifo_file { read open };

Comment 16 Daniel Walsh 2011-08-04 17:44:34 UTC
My reading of the selinux-policy-3.9.16-36.fc15.src.rpm source shows this as allowed.

Could you make sure nothing went wrong on your policy update

yum reinstall selinux-policy

Comment 17 Matt 2011-08-05 10:26:32 UTC
Thanks for the response Daniel.  After reinstalling selinux-policy I cannot reproduce the error.

Matt

Comment 18 Dan Book 2011-10-24 03:01:02 UTC
Got this issue on a fresh install of Fedora 15 x86_64 with selinux-policy-3.9.16-39.fc15.noarch when running service hddtemp start

Comment 19 Miroslav Grepl 2011-10-24 05:37:04 UTC
Could you try it with the latest release

# yum update selinux-policy-targeted --enablerepo=updates-testing

