SELinux is preventing /usr/sbin/userhelper from 'search' accesses on the directory /dev/pts.

Not sure what's going on, but I have a lot of consolehelper AVC denials, will attach a list.

***** Plugin catchall (100. confidence) suggests ***************************

If you believe that userhelper should be allowed search access on the pts directory by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do allow this access for now by executing:
# grep userhelper /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                staff_u:staff_r:staff_consolehelper_t:s0-s0:c0.c1023
Target Context                system_u:object_r:devpts_t:s0
Target Objects                /dev/pts [ dir ]
Source                        userhelper
Source Path                   /usr/sbin/userhelper
Port                          <Neznámé>
Host                          (removed)
Source RPM Packages           usermode-1.107-1.fc15
Target RPM Packages
Policy RPM                    selinux-policy-3.9.16-23.fc15
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 2.6.38.5-24.fc15.x86_64 #1 SMP Fri May 6 08:00:28 UTC 2011 x86_64 x86_64
Alert Count                   1
First Seen                    Čt 12. květen 2011, 09:34:18 CEST
Last Seen                     Čt 12. květen 2011, 09:34:18 CEST
Local ID                      7879217b-ca18-4762-bc80-19281464f520

Raw Audit Messages
type=AVC msg=audit(1305185658.529:4153): avc: denied { search } for pid=4223 comm="userhelper" name="/" dev=devpts ino=1 scontext=staff_u:staff_r:staff_consolehelper_t:s0-s0:c0.c1023 tcontext=system_u:object_r:devpts_t:s0 tclass=dir

type=SYSCALL msg=audit(1305185658.529:4153): arch=x86_64 syscall=stat success=no exit=EACCES a0=6a1300 a1=7fff6290a980 a2=7fff6290a980 a3=7fff6290a830 items=0 ppid=4222 pid=4223 auid=500 uid=500 gid=500 euid=0 suid=0 fsuid=0 egid=500 sgid=500 fsgid=500 tty=pts0 ses=488 comm=userhelper exe=/usr/sbin/userhelper subj=staff_u:staff_r:staff_consolehelper_t:s0-s0:c0.c1023 key=(null)

Hash: userhelper,staff_consolehelper_t,devpts_t,dir,search

audit2allow

#============= staff_consolehelper_t ==============
allow staff_consolehelper_t devpts_t:dir search;

audit2allow -R

#============= staff_consolehelper_t ==============
allow staff_consolehelper_t devpts_t:dir search;
Created attachment 498497
output of ausearch -m AVC -ts today

Which boils down to:

bradford:~# audit2allow < /tmp/ausearch-today.txt

#============= crond_t ==============
#!!!! This avc can be allowed using the boolean 'allow_polyinstantiation'
allow crond_t self:capability chown;

#============= staff_consolehelper_t ==============
allow staff_consolehelper_t agp_device_t:chr_file getattr;
allow staff_consolehelper_t apm_bios_t:chr_file getattr;
allow staff_consolehelper_t autofs_device_t:chr_file getattr;
allow staff_consolehelper_t clock_device_t:chr_file getattr;
allow staff_consolehelper_t devpts_t:dir { getattr search };
allow staff_consolehelper_t event_device_t:chr_file getattr;
allow staff_consolehelper_t fixed_disk_device_t:blk_file getattr;
allow staff_consolehelper_t framebuf_device_t:chr_file getattr;
allow staff_consolehelper_t fuse_device_t:chr_file getattr;
allow staff_consolehelper_t gpmctl_t:sock_file getattr;
allow staff_consolehelper_t hugetlbfs_t:dir getattr;
allow staff_consolehelper_t initctl_t:fifo_file getattr;
allow staff_consolehelper_t kmsg_device_t:chr_file getattr;
allow staff_consolehelper_t kvm_device_t:chr_file getattr;
allow staff_consolehelper_t lvm_control_t:chr_file getattr;
allow staff_consolehelper_t memory_device_t:chr_file getattr;
allow staff_consolehelper_t netcontrol_device_t:chr_file getattr;
allow staff_consolehelper_t nvram_device_t:chr_file getattr;
allow staff_consolehelper_t ppp_device_t:chr_file getattr;
allow staff_consolehelper_t proc_kcore_t:file getattr;
allow staff_consolehelper_t ptmx_t:chr_file getattr;
allow staff_consolehelper_t removable_device_t:blk_file getattr;
allow staff_consolehelper_t scsi_generic_device_t:chr_file getattr;
allow staff_consolehelper_t tpm_device_t:chr_file getattr;
allow staff_consolehelper_t tty_device_t:chr_file getattr;
allow staff_consolehelper_t usb_device_t:chr_file getattr;
allow staff_consolehelper_t usbmon_device_t:chr_file getattr;
allow staff_consolehelper_t watchdog_device_t:chr_file getattr;
allow staff_consolehelper_t wireless_device_t:chr_file getattr;
allow staff_consolehelper_t xserver_misc_device_t:chr_file getattr;

#============= staff_gkeyringd_t ==============
#!!!! This avc is allowed in the current policy
allow staff_gkeyringd_t self:process setcap;

#============= staff_t ==============
allow staff_t system_map_t:file read;
bradford:~#
Matej, which tool were you running?
Matej, do you think there is anything we should protect from staff_t that perf reads? I am not sure what userhelper is doing, but we should probably just dontaudit the access.
(In reply to comment #3)
> I am not sure what userhelper is doing, but we should probably just dontaudit
> the access.

More "modern" version of (I trust) your best friend consolehelper.
(In reply to comment #4)
> (In reply to comment #3)
> > I am not sure what userhelper is doing, but we should probably just dontaudit
> > the access.
>
> More "modern" version of (I trust) your best friend consolehelper.

userhelper is the underlying privilege escalation mechanism used by consolehelper. However userhelper does not itself perform any search of /dev; I guess that this is done by some PAM module.

Matej, could you
* collect timestamps of the denials, using e.g. (ausearch -i) to get readable data out of audit.log,
* identify the related userhelper log entries in /var/log/secure, e.g.
> May 14 02:22:59 kulicka userhelper[11381]: running '/usr/share/system-config-users/system-config-users ' with root privileges on behalf of 'mitr'
* from the command name in that log entry, identify the relevant file in /etc/security/console.apps,
* attach the contents of the /etc/pam.d/* file with the same name,
please?
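An added example, not part of this bug report or of the usermode/audit tooling: it parses the raw AVC and SYSCALL records shown in the first comment, turns the epoch timestamp into readable time (the step ausearch -i does in the procedure above, so the denials can be lined up with /var/log/secure), joins each AVC to its SYSCALL record by serial to recover the exe, and merges the denials into audit2allow-style allow rules or the dontaudit alternative the maintainers discuss. The sample records are constructed from the page's own messages, trimmed to the fields used, plus one constructed getattr denial matching the attachment's audit2allow output.

```python
import re
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample: the AVC and SYSCALL records from this bug's first comment (trimmed),
# plus one constructed getattr denial matching the audit2allow output in the attachment.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1305185658.529:4153): avc:  denied  { search } for  pid=4223 comm="userhelper" name="/" dev=devpts ino=1 scontext=staff_u:staff_r:staff_consolehelper_t:s0-s0:c0.c1023 tcontext=system_u:object_r:devpts_t:s0 tclass=dir
type=SYSCALL msg=audit(1305185658.529:4153): arch=x86_64 syscall=stat success=no exit=EACCES pid=4223 auid=500 uid=500 euid=0 tty=pts0 comm=userhelper exe=/usr/sbin/userhelper
type=AVC msg=audit(1305185658.531:4154): avc:  denied  { getattr } for  pid=4223 comm="userhelper" name="/" dev=devpts ino=1 scontext=staff_u:staff_r:staff_consolehelper_t:s0-s0:c0.c1023 tcontext=system_u:object_r:devpts_t:s0 tclass=dir
"""

AVC_RE = re.compile(
    r'type=AVC msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): avc:\s+denied\s+'
    r'\{ (?P<perms>[^}]+)\} for .*?comm="(?P<comm>[^"]*)".*?'
    r'scontext=(?P<scontext>\S+) tcontext=(?P<tcontext>\S+) tclass=(?P<tclass>\S+)')
SYSCALL_RE = re.compile(r'type=SYSCALL msg=audit\([\d.]+:(?P<serial>\d+)\):.*?exe=(?P<exe>\S+)')

def selinux_type(context):
    """user:role:type[:range] -> the type field, which is what policy rules name."""
    return context.split(":")[2]

def parse_audit(text):
    """One dict per AVC denial; the SYSCALL record with the same serial supplies exe."""
    exes = {m["serial"]: m["exe"] for m in map(SYSCALL_RE.match, text.splitlines()) if m}
    events = []
    for m in filter(None, map(AVC_RE.match, text.splitlines())):
        events.append({
            "time": datetime.fromtimestamp(float(m["ts"]), tz=timezone.utc),  # as ausearch -i
            "serial": m["serial"], "comm": m["comm"], "exe": exes.get(m["serial"]),
            "stype": selinux_type(m["scontext"]), "ttype": selinux_type(m["tcontext"]),
            "tclass": m["tclass"], "perms": set(m["perms"].split())})
    return events

def policy_rules(events, kind="allow"):
    """Merge denials per (source, target, class) like audit2allow; kind="dontaudit" silences instead."""
    merged = defaultdict(set)
    for e in events:
        merged[(e["stype"], e["ttype"], e["tclass"])] |= e["perms"]
    rules = []
    for (s, t, c), perms in sorted(merged.items()):
        joined = " ".join(sorted(perms))
        if len(perms) > 1:
            joined = "{ " + joined + " }"
        rules.append(f"{kind} {s} {t}:{c} {joined};")
    return rules

if __name__ == "__main__":
    evs = parse_audit(SAMPLE_AUDIT)
    print("\n".join(policy_rules(evs) + policy_rules(evs, "dontaudit")))
```

Feed it the output of `ausearch -m AVC` in place of SAMPLE_AUDIT; the readable timestamps in each event are what you match against the userhelper lines in /var/log/secure.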
I believe it will be better for everybody, when I won't be doing much of analysis on data I have no clue about ;).
I'm afraid I haven't found the code that is doing the accesses in /dev ; I was not able to reproduce the accesses either. The only noticeable thing about the logs is that these AVCs cannot happen with the default setup where users run as unconfined_t, because unconfined_t is allowed to access device files. These messages are related to using staff_t (but, AFAICT, not directly caused by this). The only thing I can tell is that userhelper itself is not performing these accesses. Tomas, can you think of a PAM module that would do this?
Well many PAM modules are looking at the file attributes of the tty devices including the pseudo ttys, so the access to the inode attributes should be definitely allowed.
Miroslav, just add dev_getattr_all_chr_files(consolehelper_domain) to RHEL6, F14, F15.
Fixed in selinux-policy-3.9.16-24.fc15
selinux-policy-3.9.16-24.fc15 has been submitted as an update for Fedora 15. https://admin.fedoraproject.org/updates/selinux-policy-3.9.16-24.fc15
Package selinux-policy-3.9.16-24.fc15:
* should fix your issue,
* was pushed to the Fedora 15 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.9.16-24.fc15'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/selinux-policy-3.9.16-24.fc15
then log in and leave karma (feedback).
selinux-policy-3.9.16-24.fc15 has been pushed to the Fedora 15 stable repository. If problems still persist, please make note of it in this bug report.