I get various AVCs related to cgroup usage with systemd when logging in to proftpd on F-15:

type=AVC msg=audit(1310388446.140:7884): avc: denied { read } for pid=12071 comm="proftpd" name="cgroup" dev=proc ino=58466916 scontext=system_u:system_r:ftpd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:init_t:s0 tclass=file
type=AVC msg=audit(1310388446.140:7884): avc: denied { open } for pid=12071 comm="proftpd" name="cgroup" dev=proc ino=58466916 scontext=system_u:system_r:ftpd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:init_t:s0 tclass=file
type=SYSCALL msg=audit(1310388446.140:7884): arch=c000003e syscall=2 success=yes exit=10 a0=2150480 a1=80000 a2=1b6 a3=9 items=0 ppid=11443 pid=12071 auid=1012 uid=0 gid=99 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=785 comm="proftpd" exe="/usr/sbin/proftpd" subj=system_u:system_r:ftpd_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1310388446.142:7885): avc: denied { getattr } for pid=12071 comm="proftpd" path="/proc/1/cgroup" dev=proc ino=58466916 scontext=system_u:system_r:ftpd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:init_t:s0 tclass=file
type=SYSCALL msg=audit(1310388446.142:7885): arch=c000003e syscall=5 success=yes exit=0 a0=a a1=7fff0173a930 a2=7fff0173a930 a3=9 items=0 ppid=11443 pid=12071 auid=1012 uid=0 gid=99 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=785 comm="proftpd" exe="/usr/sbin/proftpd" subj=system_u:system_r:ftpd_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1310388446.143:7886): avc: denied { write } for pid=12071 comm="proftpd" name="phowarth" dev=cgroup ino=27218 scontext=system_u:system_r:ftpd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:cgroup_t:s0 tclass=dir
type=AVC msg=audit(1310388446.143:7886): avc: denied { add_name } for pid=12071 comm="proftpd" name="785" scontext=system_u:system_r:ftpd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:cgroup_t:s0 tclass=dir
type=AVC msg=audit(1310388446.143:7886): avc: denied { create } for pid=12071 comm="proftpd" name="785" scontext=system_u:system_r:ftpd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:cgroup_t:s0 tclass=dir
type=SYSCALL msg=audit(1310388446.143:7886): arch=c000003e syscall=83 success=yes exit=0 a0=2150370 a1=1ed a2=0 a3=776f68702f726573 items=0 ppid=11443 pid=12071 auid=1012 uid=0 gid=99 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=785 comm="proftpd" exe="/usr/sbin/proftpd" subj=system_u:system_r:ftpd_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1310388446.143:7887): avc: denied { write } for pid=12071 comm="proftpd" name="tasks" dev=cgroup ino=58575429 scontext=system_u:system_r:ftpd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:cgroup_t:s0 tclass=file
type=AVC msg=audit(1310388446.143:7887): avc: denied { open } for pid=12071 comm="proftpd" name="tasks" dev=cgroup ino=58575429 scontext=system_u:system_r:ftpd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:cgroup_t:s0 tclass=file
type=SYSCALL msg=audit(1310388446.143:7887): arch=c000003e syscall=2 success=yes exit=11 a0=2150370 a1=80241 a2=1b6 a3=9 items=0 ppid=11443 pid=12071 auid=1012 uid=0 gid=99 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=785 comm="proftpd" exe="/usr/sbin/proftpd" subj=system_u:system_r:ftpd_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1310388446.143:7888): avc: denied { getattr } for pid=12071 comm="proftpd" path="/sys/fs/cgroup/systemd/user/phowarth/785/tasks" dev=cgroup ino=58575429 scontext=system_u:system_r:ftpd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:cgroup_t:s0 tclass=file
type=SYSCALL msg=audit(1310388446.143:7888): arch=c000003e syscall=5 success=yes exit=0 a0=b a1=7fff0173b100 a2=7fff0173b100 a3=9 items=0 ppid=11443 pid=12071 auid=1012 uid=0 gid=99 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=785 comm="proftpd" exe="/usr/sbin/proftpd" subj=system_u:system_r:ftpd_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1310388446.150:7889): avc: denied { setattr } for pid=12071 comm="proftpd" name="tasks" dev=cgroup ino=58575429 scontext=system_u:system_r:ftpd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:cgroup_t:s0 tclass=file
type=SYSCALL msg=audit(1310388446.150:7889): arch=c000003e syscall=90 success=yes exit=0 a0=2150370 a1=1a4 a2=3f4 a3=6f68702f72657375 items=0 ppid=11443 pid=12071 auid=1012 uid=0 gid=99 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=785 comm="proftpd" exe="/usr/sbin/proftpd" subj=system_u:system_r:ftpd_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1310388446.150:7890): avc: denied { setattr } for pid=12071 comm="proftpd" name="785" dev=cgroup ino=58575428 scontext=system_u:system_r:ftpd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:cgroup_t:s0 tclass=dir
type=SYSCALL msg=audit(1310388446.150:7890): arch=c000003e syscall=90 success=yes exit=0 a0=2150370 a1=1ed a2=3f4 a3=6f68702f72657375 items=0 ppid=11443 pid=12071 auid=1012 uid=0 gid=99 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=785 comm="proftpd" exe="/usr/sbin/proftpd" subj=system_u:system_r:ftpd_t:s0-s0:c0.c1023 key=(null)

/var/log/messages includes:

Jul 11 13:47:21 roary proftpd[12071]: 10.9.2.1 (10.9.2.1[10.9.2.1]) - FTP session opened.
Jul 11 12:47:26 roary proftpd[12071]: 10.9.2.1 (10.9.2.1[10.9.2.1]) - Preparing to chroot to directory '/nis-home/phowarth'
Jul 11 13:47:29 roary kernel: [2670919.902960] proftpd[12071]: pam_systemd(proftpd:session): Failed to lock runtime directory: Permission denied
Jul 11 13:47:29 roary kernel: [2670919.902978] proftpd[12071]: pam_unix(proftpd:session): session closed for user phowarth
Jul 11 13:47:29 roary kernel: [2670919.904278] proftpd[12071]: 10.9.2.1 (10.9.2.1[10.9.2.1]) - FTP session closed.

audit2allow -R suggests:

fs_manage_cgroup_dirs(ftpd_t)
fs_manage_cgroup_files(ftpd_t)
init_read_state(ftpd_t)

proftpd does appear to work despite these messages, so I'm wondering if it would be better to dontaudit these rather than allow them?
Dan (on the fedora selinux list) reckons that proftpd may be trying to set up its own cgroups but I can't see anything in the code relating to that. I've established that the "Failed to lock runtime directory" message is due to proftpd dropping capabilities but I don't know which one it needs to retain for this to work.
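The report above ends with the allow-versus-dontaudit question and the observation that proftpd keeps working. Two things are worth pulling out of the raw records before deciding: which (source type, target type, class) triples the denials collapse to, and the fact that every SYSCALL record carries success=yes even though its AVCs say denied, which is what you see when the access was permitted anyway (permissive mode, globally or for the ftpd_t domain). The following is an added example written for this page, not code from the bug report, from audit2allow or from selinux-policy; the sample records are a constructed subset of the ones posted above, trimmed of dev=/ino= and most credential fields, and the x86_64 syscall-number table covers only the numbers that appear in the report.

```python
"""Group raw SELinux audit records into TE rules and flag permissive-mode denials.

Added example for this page; not from the bug report, audit2allow or selinux-policy.
"""
import re
from collections import defaultdict

# Constructed sample: a trimmed subset of the records posted in the report,
# one record per line, as ausearch prints them.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1310388446.140:7884): avc:  denied  { read } for  pid=12071 comm="proftpd" name="cgroup" scontext=system_u:system_r:ftpd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:init_t:s0 tclass=file
type=AVC msg=audit(1310388446.140:7884): avc:  denied  { open } for  pid=12071 comm="proftpd" name="cgroup" scontext=system_u:system_r:ftpd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:init_t:s0 tclass=file
type=SYSCALL msg=audit(1310388446.140:7884): arch=c000003e syscall=2 success=yes exit=10 comm="proftpd" exe="/usr/sbin/proftpd" subj=system_u:system_r:ftpd_t:s0-s0:c0.c1023
type=AVC msg=audit(1310388446.142:7885): avc:  denied  { getattr } for  pid=12071 comm="proftpd" path="/proc/1/cgroup" scontext=system_u:system_r:ftpd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:init_t:s0 tclass=file
type=SYSCALL msg=audit(1310388446.142:7885): arch=c000003e syscall=5 success=yes exit=0 comm="proftpd" exe="/usr/sbin/proftpd" subj=system_u:system_r:ftpd_t:s0-s0:c0.c1023
type=AVC msg=audit(1310388446.143:7886): avc:  denied  { write } for  pid=12071 comm="proftpd" name="phowarth" scontext=system_u:system_r:ftpd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:cgroup_t:s0 tclass=dir
type=AVC msg=audit(1310388446.143:7886): avc:  denied  { add_name } for  pid=12071 comm="proftpd" name="785" scontext=system_u:system_r:ftpd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:cgroup_t:s0 tclass=dir
type=AVC msg=audit(1310388446.143:7886): avc:  denied  { create } for  pid=12071 comm="proftpd" name="785" scontext=system_u:system_r:ftpd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:cgroup_t:s0 tclass=dir
type=SYSCALL msg=audit(1310388446.143:7886): arch=c000003e syscall=83 success=yes exit=0 comm="proftpd" exe="/usr/sbin/proftpd" subj=system_u:system_r:ftpd_t:s0-s0:c0.c1023
type=AVC msg=audit(1310388446.143:7887): avc:  denied  { write } for  pid=12071 comm="proftpd" name="tasks" scontext=system_u:system_r:ftpd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:cgroup_t:s0 tclass=file
type=AVC msg=audit(1310388446.143:7887): avc:  denied  { open } for  pid=12071 comm="proftpd" name="tasks" scontext=system_u:system_r:ftpd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:cgroup_t:s0 tclass=file
type=SYSCALL msg=audit(1310388446.143:7887): arch=c000003e syscall=2 success=yes exit=11 comm="proftpd" exe="/usr/sbin/proftpd" subj=system_u:system_r:ftpd_t:s0-s0:c0.c1023
type=AVC msg=audit(1310388446.150:7889): avc:  denied  { setattr } for  pid=12071 comm="proftpd" name="tasks" scontext=system_u:system_r:ftpd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:cgroup_t:s0 tclass=file
type=SYSCALL msg=audit(1310388446.150:7889): arch=c000003e syscall=90 success=yes exit=0 comm="proftpd" exe="/usr/sbin/proftpd" subj=system_u:system_r:ftpd_t:s0-s0:c0.c1023
"""

MSG_RE = re.compile(r"msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\)")
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"scontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\S+)"
)
SYSCALL_RE = re.compile(r"arch=(?P<arch>[0-9a-f]+)\s+syscall=(?P<nr>\d+)\s+success=(?P<success>yes|no)")

# arch=c000003e is x86_64; only the numbers that occur in the report are listed.
X86_64_SYSCALLS = {2: "open", 5: "fstat", 83: "mkdir", 90: "chmod"}


def context_type(ctx):
    """user:role:type[:range] -> type, e.g. system_u:system_r:ftpd_t:s0-s0:c0.c1023 -> ftpd_t."""
    return ctx.split(":")[2]


def parse_audit(text):
    """Group records by audit serial: {serial: {"avcs": [...], "syscall": {...} or None}}."""
    events = defaultdict(lambda: {"avcs": [], "syscall": None})
    for line in text.splitlines():
        m = MSG_RE.search(line)
        if not m:
            continue
        ev = events[int(m.group("serial"))]
        if line.startswith("type=AVC"):
            a = AVC_RE.search(line)
            if a:
                ev["avcs"].append({
                    "perms": set(a.group("perms").split()),
                    "stype": context_type(a.group("scon")),
                    "ttype": context_type(a.group("tcon")),
                    "tclass": a.group("tclass"),
                })
        elif line.startswith("type=SYSCALL"):
            s = SYSCALL_RE.search(line)
            if s:
                nr = int(s.group("nr"))
                name = X86_64_SYSCALLS.get(nr, "?") if s.group("arch") == "c000003e" else "?"
                ev["syscall"] = {"nr": nr, "name": name, "success": s.group("success") == "yes"}
    return dict(events)


def policy_rules(events, rule="allow"):
    """Collapse the denials into one TE rule per (source, target, class), the way
    audit2allow does; rule="dontaudit" emits the silencing form instead."""
    if rule not in ("allow", "dontaudit"):
        raise ValueError(rule)
    wanted = defaultdict(set)
    for ev in events.values():
        for a in ev["avcs"]:
            wanted[(a["stype"], a["ttype"], a["tclass"])] |= a["perms"]
    return [f"{rule} {s} {t}:{c} {{ {' '.join(sorted(p))} }};" for (s, t, c), p in sorted(wanted.items())]


def denied_but_succeeded(events):
    """Serials where an AVC was denied yet the syscall reports success=yes. That is the
    signature of permissive mode (global or per-domain): the access was granted anyway,
    so 'the daemon still works' says nothing about what enforcing mode would do."""
    return sorted(s for s, ev in events.items()
                  if ev["avcs"] and ev["syscall"] and ev["syscall"]["success"])


if __name__ == "__main__":
    evs = parse_audit(SAMPLE_AUDIT)
    for r in policy_rules(evs):
        print(r)
    print("denied but succeeded (permissive):", denied_but_succeeded(evs))
```

On the sample this yields three allow rules (ftpd_t on cgroup_t:dir, cgroup_t:file and init_t:file) and reports every event as denied-but-succeeded. If the same login were repeated with ftpd_t enforcing and no rule added, the SYSCALL records would show success=no and the mkdir/open on the session cgroup would fail inside pam_systemd, which is the check to run before concluding that dontaudit is harmless.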
Is this being caused by pam_systemd?
(In reply to comment #0)
> I've established that the "Failed to lock runtime directory" message is due to
> proftpd dropping capabilities but I don't know which one it needs to retain for
> this to work.

It turns out to be CAP_DAC_OVERRIDE; does this mean that everything using pam_systemd needs to retain (and be permitted to use by SELinux) this capability?

(In reply to comment #1)
> Is this being caused by pam_systemd?

That's my suspicion. I may be able to try it without pam_systemd later today.
Well if that is the case, we had better figure out a way to fix this.
I think we need a way to setup cgroups that does not require this priv.
So, in general PAM hooks really need to be invoked with full privileges, and running them with reduced caps is bound to fail in some cases depending on the PAM modules used. In pam_systemd in F15 we need CAP_DAC_OVERRIDE. This will change in F16, where most of the smart stuff pam_systemd is responsible for is actually moved out of the PAM module code and into a tiny service of its own. That means CAP_DAC_OVERRIDE will not be necessary anymore then.
I think from an SELinux point of view, we need additional labeling for the cgroups file system, since I might want to allow a process to modify or limit its child processes but not change its own cgroups, or other processes' cgroups. The other question I have is: does proftpd or any ftp daemon need pam_systemd?
proftpd's PAM configuration includes "password-auth" to handle authentication in the system-default way, and this is set up by authconfig and includes pam_systemd by default.
I tried copying password-auth to password-auth-proftpd and including that instead of password-auth in proftpd's PAM config. I restarted proftpd and tried logging in, and the AVCs were generated as before. I then commented out the one line in password-auth-proftpd that referred to pam_systemd (-session optional pam_systemd.so), restarted proftpd and tried again, and no AVCs were generated. So the cgroup-related AVCs are definitely coming from pam_systemd running as ftpd_t.
The question is, does anything in ftp daemons benefit from using pam_systemd? Or is this really only useful for login shells? Adding dac_override for ftpd_t is not that big a deal since it can already setuid. But the cgroup stuff is another question.
(In reply to comment #9)
> The question is, does anything in ftp daemons benefit from using pam_systemd?
> Or is this really only useful for login shells?

Assuming the answer to this is "no" (Lennart will know the answer better than me, for sure), there's then the question of how can an ftp daemon hook into what authconfig has produced without pulling in pam_systemd.

(In reply to comment #10)
> (In reply to comment #9)
> > The question is, does anything in ftp daemons benefit from using pam_systemd?
> > Or is this really only useful for login shells?
>
> Assuming the answer to this is "no" (Lennart will know the answer better than
> me, for sure), there's then the question of how can an ftp daemon hook into
> what authconfig has produced without pulling in pam_systemd.

Hmm, it's a good question whether pam-systemd should be in the PAM chain for proftpd. It might actually be useful, if people want the ftp users to show up in their own cgroups. Might be good to apply cgroup limits to them. Then again, this probably doesn't matter too much and keeping it out of the chain is OK too.
Random thought: would there be any harm in having authconfig put pam_systemd in postlogin rather than password-auth?
Just tried proftpd on F16 alpha + updates + updates-testing and login with a user from LDAP via sssd. I needed this local policy:

#============= ftpd_t ==============
systemd_write_inherited_logind_sessions_pipes(ftpd_t)

#============= systemd_logind_t ==============
allow systemd_logind_t ftpd_t:dir search;
allow systemd_logind_t ftpd_t:file { read getattr open };

Don't know if this is related to pam-systemd or not.
Miroslav, 30467adf1bc421ea2b42a995f45ea550c5dcb90e in F16 policy implements the changes; make this work in F15.
Note that Comment #13 was from an F-16 system, not an F-15 one.
OK, in that case this will be fixed in selinux-policy-3.10.0-35.fc16.
Added to f15.
Still getting these on F15 with selinux-policy-3.9.16-46.fc15:

type=AVC msg=audit(1321004214.811:756818): avc: denied { read } for pid=22369 comm="proftpd" name="cgroup" dev=proc ino=19395563 scontext=system_u:system_r:ftpd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:init_t:s0 tclass=file
type=AVC msg=audit(1321004214.811:756818): avc: denied { open } for pid=22369 comm="proftpd" name="cgroup" dev=proc ino=19395563 scontext=system_u:system_r:ftpd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:init_t:s0 tclass=file
type=SYSCALL msg=audit(1321004214.811:756818): arch=c000003e syscall=2 success=yes exit=13 a0=256faf0 a1=80000 a2=1b6 a3=9 items=0 ppid=22269 pid=22369 auid=500 uid=0 gid=99 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=66692 comm="proftpd" exe="/usr/sbin/proftpd" subj=system_u:system_r:ftpd_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1321004214.813:756819): avc: denied { getattr } for pid=22369 comm="proftpd" path="/proc/1/cgroup" dev=proc ino=19395563 scontext=system_u:system_r:ftpd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:init_t:s0 tclass=file
type=SYSCALL msg=audit(1321004214.813:756819): arch=c000003e syscall=5 success=yes exit=0 a0=d a1=7fff6555fb20 a2=7fff6555fb20 a3=9 items=0 ppid=22269 pid=22369 auid=500 uid=0 gid=99 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=66692 comm="proftpd" exe="/usr/sbin/proftpd" subj=system_u:system_r:ftpd_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1321004214.813:756820): avc: denied { write } for pid=22369 comm="proftpd" name="paul" dev=cgroup ino=48633 scontext=system_u:system_r:ftpd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:cgroup_t:s0 tclass=dir
type=AVC msg=audit(1321004214.813:756820): avc: denied { add_name } for pid=22369 comm="proftpd" name="66692" scontext=system_u:system_r:ftpd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:cgroup_t:s0 tclass=dir
type=AVC msg=audit(1321004214.813:756820): avc: denied { create } for pid=22369 comm="proftpd" name="66692" scontext=system_u:system_r:ftpd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:cgroup_t:s0 tclass=dir
type=SYSCALL msg=audit(1321004214.813:756820): arch=c000003e syscall=83 success=yes exit=0 a0=256f9f0 a1=1ed a2=0 a3=6c7561702f726573 items=0 ppid=22269 pid=22369 auid=500 uid=0 gid=99 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=66692 comm="proftpd" exe="/usr/sbin/proftpd" subj=system_u:system_r:ftpd_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1321004214.813:756821): avc: denied { write } for pid=22369 comm="proftpd" name="tasks" dev=cgroup ino=19396451 scontext=system_u:system_r:ftpd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:cgroup_t:s0 tclass=file
type=AVC msg=audit(1321004214.813:756821): avc: denied { open } for pid=22369 comm="proftpd" name="tasks" dev=cgroup ino=19396451 scontext=system_u:system_r:ftpd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:cgroup_t:s0 tclass=file
type=SYSCALL msg=audit(1321004214.813:756821): arch=c000003e syscall=2 success=yes exit=14 a0=256fc40 a1=80241 a2=1b6 a3=9 items=0 ppid=22269 pid=22369 auid=500 uid=0 gid=99 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=66692 comm="proftpd" exe="/usr/sbin/proftpd" subj=system_u:system_r:ftpd_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1321004214.814:756822): avc: denied { getattr } for pid=22369 comm="proftpd" path="/sys/fs/cgroup/systemd/user/paul/66692/tasks" dev=cgroup ino=19396451 scontext=system_u:system_r:ftpd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:cgroup_t:s0 tclass=file
type=SYSCALL msg=audit(1321004214.814:756822): arch=c000003e syscall=5 success=yes exit=0 a0=e a1=7fff655602f0 a2=7fff655602f0 a3=9 items=0 ppid=22269 pid=22369 auid=500 uid=0 gid=99 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=66692 comm="proftpd" exe="/usr/sbin/proftpd" subj=system_u:system_r:ftpd_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1321004214.818:756823): avc: denied { setattr } for pid=22369 comm="proftpd" name="tasks" dev=cgroup ino=19396451 scontext=system_u:system_r:ftpd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:cgroup_t:s0 tclass=file
type=SYSCALL msg=audit(1321004214.818:756823): arch=c000003e syscall=90 success=yes exit=0 a0=256fc40 a1=1a4 a2=1f4 a3=7561702f72657375 items=0 ppid=22269 pid=22369 auid=500 uid=0 gid=99 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=66692 comm="proftpd" exe="/usr/sbin/proftpd" subj=system_u:system_r:ftpd_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1321004214.818:756824): avc: denied { setattr } for pid=22369 comm="proftpd" name="66692" dev=cgroup ino=19396450 scontext=system_u:system_r:ftpd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:cgroup_t:s0 tclass=dir
type=SYSCALL msg=audit(1321004214.818:756824): arch=c000003e syscall=90 success=yes exit=0 a0=256fc10 a1=1ed a2=1f4 a3=7561702f72657375 items=0 ppid=22269 pid=22369 auid=500 uid=0 gid=99 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=66692 comm="proftpd" exe="/usr/sbin/proftpd" subj=system_u:system_r:ftpd_t:s0-s0:c0.c1023 key=(null)

On F-16 with selinux-policy-3.10.0-55.fc16 I'm getting:

type=AVC msg=audit(1321004707.304:1143): avc: denied { search } for pid=30199 comm="systemd-logind" name="1591" dev=proc ino=14162393 scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u:system_r:ftpd_t:s0-s0:c0.c1023 tclass=dir
type=AVC msg=audit(1321004707.304:1143): avc: denied { read } for pid=30199 comm="systemd-logind" name="sessionid" dev=proc ino=14163596 scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u:system_r:ftpd_t:s0-s0:c0.c1023 tclass=file
type=AVC msg=audit(1321004707.304:1143): avc: denied { open } for pid=30199 comm="systemd-logind" name="sessionid" dev=proc ino=14163596 scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u:system_r:ftpd_t:s0-s0:c0.c1023 tclass=file
type=SYSCALL msg=audit(1321004707.304:1143): arch=c000003e syscall=2 success=yes exit=11 a0=15d1430 a1=80000 a2=1b6 a3=0 items=0 ppid=1 pid=30199 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="systemd-logind" exe="/lib/systemd/systemd-logind" subj=system_u:system_r:systemd_logind_t:s0 key=(null)
type=AVC msg=audit(1321004707.304:1144): avc: denied { getattr } for pid=30199 comm="systemd-logind" path="/proc/1591/sessionid" dev=proc ino=14163596 scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u:system_r:ftpd_t:s0-s0:c0.c1023 tclass=file
type=SYSCALL msg=audit(1321004707.304:1144): arch=c000003e syscall=5 success=yes exit=0 a0=b a1=7fffe3b39190 a2=7fffe3b39190 a3=0 items=0 ppid=1 pid=30199 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="systemd-logind" exe="/lib/systemd/systemd-logind" subj=system_u:system_r:systemd_logind_t:s0 key=(null)

None of these appear to prevent proftpd from working as expected.
selinux-policy-3.9.16-48.fc15 has been submitted as an update for Fedora 15. https://admin.fedoraproject.org/updates/selinux-policy-3.9.16-48.fc15
Package selinux-policy-3.9.16-48.fc15:
* should fix your issue,
* was pushed to the Fedora 15 testing repository,
* should be available at your local mirror within two days.

Update it with:

# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.9.16-48.fc15'

as soon as you are able to. Please go to the following url:

https://admin.fedoraproject.org/updates/FEDORA-2011-16023/selinux-policy-3.9.16-48.fc15

then log in and leave karma (feedback).
selinux-policy-3.9.16-48.fc15 has been pushed to the Fedora 15 stable repository. If problems still persist, please make note of it in this bug report.