Bug 722449 - SELinux is preventing /usr/sbin/pcscd from 'getattr' accesses on the sock_file /run/pcscd.comm.
Summary: SELinux is preventing /usr/sbin/pcscd from 'getattr' accesses on the sock_fil...
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: systemd
Version: rawhide
Hardware: x86_64
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Lennart Poettering
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard: setroubleshoot_trace_hash:62eade48429...
Depends On:
Blocks:
Reported: 2011-07-15 11:31 UTC by Kalev Lember
Modified: 2011-09-11 01:46 UTC
CC List: 10 users

Fixed In Version: pcsc-lite-1.7.4-4.fc16
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2011-08-30 23:49:08 UTC


Attachments
selinux-policy patch for /var/run/pcscd/ (651 bytes, patch)
2011-08-20 12:42 UTC, Kalev Lember

Description Kalev Lember 2011-07-15 11:31:23 UTC
SELinux is preventing /usr/sbin/pcscd from 'getattr' accesses on the sock_file /run/pcscd.comm.

*****  Plugin catchall (100. confidence) suggests  ***************************

If you believe that pcscd should be allowed getattr access on the pcscd.comm sock_file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do allow this access for now by executing:
# grep pcscd /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:pcscd_t:s0
Target Context                system_u:object_r:var_run_t:s0
Target Objects                /run/pcscd.comm [ sock_file ]
Source                        pcscd
Source Path                   /usr/sbin/pcscd
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           pcsc-lite-1.7.4-2.fc16
Target RPM Packages           
Policy RPM                    selinux-policy-3.10.0-3.fc16
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Permissive
Host Name                     (removed)
Platform                      Linux beagle 3.0-0.rc6.git6.1.fc16.x86_64 #1 SMP
                              Sun Jul 10 16:00:07 UTC 2011 x86_64 x86_64
Alert Count                   17
First Seen                    Thu 23 Jun 2011 11:58:07 PM EEST
Last Seen                     Fri 15 Jul 2011 02:26:55 PM EEST
Local ID                      a2f72610-2abc-419f-93c9-6079be20707d

Raw Audit Messages
type=AVC msg=audit(1310729215.108:145): avc:  denied  { getattr } for  pid=22152 comm="pcscd" path="/run/pcscd.comm" dev=tmpfs ino=418387 scontext=system_u:system_r:pcscd_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=sock_file


type=SYSCALL msg=audit(1310729215.108:145): arch=x86_64 syscall=stat success=yes exit=0 a0=413efd a1=7fff02c8b110 a2=7fff02c8b110 a3=7fff02c8ae80 items=0 ppid=1 pid=22152 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=pcscd exe=/usr/sbin/pcscd subj=system_u:system_r:pcscd_t:s0 key=(null)

Hash: pcscd,pcscd_t,var_run_t,sock_file,getattr

audit2allow

#============= pcscd_t ==============
allow pcscd_t var_run_t:sock_file getattr;

audit2allow -R

#============= pcscd_t ==============
allow pcscd_t var_run_t:sock_file getattr;

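The audit2allow output above is exactly the rule a local module built with the suggested commands would carry, and it is broader than it looks: it lets pcscd_t getattr every var_run_t sock_file on the system, not just /run/pcscd.comm. The Python below is an added example, not code from this report, from audit2allow or from pcsc-lite. It parses AVC records from an audit log, merges permissions per source type, target type and class the way audit2allow does, and flags rules whose target is a generic type such as var_run_t, which is the signature of a mislabelled object rather than a missing permission. The log text is constructed: the first AVC line is the one from this report, the SYSCALL line is shortened, the write denial is made up to show merging, and the set of generic types is an assumption.

```python
import re
from collections import defaultdict

# Constructed audit log: line 1 is the AVC record from this report, line 2 the
# matching SYSCALL record (shortened), line 3 a made-up second denial on the
# same object so that permission merging is visible.
AUDIT_LOG = """\
type=AVC msg=audit(1310729215.108:145): avc:  denied  { getattr } for  pid=22152 comm="pcscd" path="/run/pcscd.comm" dev=tmpfs ino=418387 scontext=system_u:system_r:pcscd_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=sock_file
type=SYSCALL msg=audit(1310729215.108:145): arch=x86_64 syscall=stat success=yes exit=0 comm=pcscd exe=/usr/sbin/pcscd
type=AVC msg=audit(1310729216.000:146): avc:  denied  { write } for  pid=22152 comm="pcscd" path="/run/pcscd.comm" dev=tmpfs ino=418387 scontext=system_u:system_r:pcscd_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=sock_file
"""

# Assumption: catch-all types that mean "no domain-specific label was applied".
# An allow rule whose target is one of these grants access to every such object.
GENERIC_TARGET_TYPES = {"var_run_t", "var_t", "var_lib_t", "tmp_t", "etc_t", "default_t"}

PERMS_RE = re.compile(r"\{ ([^}]*) \}")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def type_of(context):
    """user:role:type:level -> type"""
    return context.split(":")[2]


def parse_avc(line):
    """Parse one type=AVC denial record; return None for anything else."""
    if not line.startswith("type=AVC") or " denied " not in line:
        return None
    perms = PERMS_RE.search(line).group(1).split()
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(line)}
    return {
        "perms": perms,
        "comm": fields.get("comm"),
        "path": fields.get("path"),
        "stype": type_of(fields["scontext"]),
        "ttype": type_of(fields["tcontext"]),
        "tclass": fields["tclass"],
    }


def collect_denials(log_text):
    """Merge permissions per (source type, target type, class), as audit2allow does."""
    rules = defaultdict(set)
    for line in log_text.splitlines():
        d = parse_avc(line)
        if d:
            rules[(d["stype"], d["ttype"], d["tclass"])].update(d["perms"])
    return rules


def allow_rules(rules):
    """Render merged denials as policy 'allow' statements."""
    out = []
    for (stype, ttype, tclass), perms in sorted(rules.items()):
        perm_text = " ".join(sorted(perms))
        if len(perms) > 1:
            perm_text = "{ " + perm_text + " }"
        out.append(f"allow {stype} {ttype}:{tclass} {perm_text};")
    return out


def suspect_mislabels(rules):
    """Rules whose target is a generic type: fix the label, don't widen policy."""
    return sorted(key for key in rules if key[1] in GENERIC_TARGET_TYPES)


if __name__ == "__main__":
    merged = collect_denials(AUDIT_LOG)
    for rule in allow_rules(merged):
        print(rule)
    for stype, ttype, tclass in suspect_mislabels(merged):
        print(f"# {stype} -> {ttype}:{tclass}: target carries a generic label; "
              f"check the object's file context before allowing this")
```

Run against the constructed log it prints the merged rule `allow pcscd_t var_run_t:sock_file { getattr write };` and then flags it, because var_run_t is the label an unlabelled file under /run falls back to. That flag is the cue to look at the object's context (ls -Z on the sock_file) rather than to install the module; for this report the fix was giving the sock_file its own type, as the later comments work out.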
Comment 1 Kalev Lember 2011-07-15 11:35:51 UTC
Starting with pcsc-lite-1.7.4-2.fc16, pcscd in rawhide now uses systemd socket activation to create /var/run/pcscd.comm as opposed to pcscd creating it itself, so the socket is now labelled differently.

Comment 2 Daniel Walsh 2011-07-15 17:55:29 UTC
Strange, I believe systemd should have created it with the correct context.

Comment 3 Daniel Walsh 2011-07-15 18:00:43 UTC
Is systemd checking for a sock_file label or just not implementing the mode check at all?

Comment 4 Daniel Walsh 2011-07-15 18:12:43 UTC
Actually the code looks correct.

I can not look at the pcscd code for some reason.

It looks like we are not labeling sock_files?

Comment 5 Lennart Poettering 2011-07-18 20:27:05 UTC
We do label sockets and this works for all other sockets in the system. If the label is right for all sockets but this one I'd guess this is policy problem?

Comment 6 Kalev Lember 2011-07-18 20:57:25 UTC
In my Fedora install, other sockets created by systemd are all in subdirectories; pcscd.comm is directly under /var/run/. Could this be somehow the cause for mislabelling?

Comment 7 Daniel Walsh 2011-07-19 12:26:38 UTC
Lennart you are logging sockets, but the problem here is actually the sock_file label.

The code we have for labelling sockets is just putting the process label on the socket, we need to also add a label to the sock_file, just like we do for the fifo_file.

Socket would be labelled pcscd_t and sock_file would be labelled pcscd_var_run_t.

Comment 8 Kalev Lember 2011-08-20 12:42:12 UTC
Created attachment 519140 [details]
selinux-policy patch for /var/run/pcscd/

systemd gets labelling right when it's applied to a whole subdirectory, but not with individual socket files.

I would like to get pcscd fixed, even if this means doing a workaround here and moving all the files to /var/run/pcscd/. It's also worth pointing out that using /var/run/pcscd/ is the pcsc-lite upstream default, so with that change Fedora pcsc-lite and selinux-policy packages would get closer to upstream defaults.

Daniel, I've attached a patch to selinux-policy for moving the files to /var/run/pcscd/. Can you verify that it looks OK and apply it to F16 and rawhide?

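The observation in comment 8 (a context applied to a whole directory works, one applied to a single socket file does not) comes down to how file_contexts entries are matched against a path. The Python below is an added example, not code from this report, from systemd, libselinux or selinux-policy. It resolves a path against a small constructed file_contexts table, the same lookup a relabel with restorecon would perform, using a simplified version of libselinux's ordering (longest literal prefix wins, a later entry breaks ties) and a single assumed /run to /var/run path substitution standing in for file_contexts.subs_dist. Even with the /var/run/pcscd(/.*)? entry present, /run/pcscd.comm still resolves to var_run_t, which is the tcontext in the denial, because it does not live under that directory; anything created inside /var/run/pcscd/ resolves to pcscd_var_run_t.

```python
import re

# Constructed file_contexts table in refpolicy syntax (file-type column omitted).
# This is an assumption for illustration, not Fedora's actual policy.
FILE_CONTEXTS = """
/.*                      system_u:object_r:default_t:s0
/var/run(/.*)?           system_u:object_r:var_run_t:s0
/var/run/pcscd(/.*)?     system_u:object_r:pcscd_var_run_t:s0
"""

# On Fedora /var/run is a symlink to /run; libselinux rewrites the path through
# file_contexts.subs_dist before matching. This single rule is an assumption.
PATH_SUBS = [("/run", "/var/run")]

_META = ".^$?*+|[]{}()\\"


def parse_file_contexts(text):
    """Compile each spec and record how long its literal (non-regex) prefix is."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        spec, context = line.split()
        literal = len(spec)
        for i, ch in enumerate(spec):
            if ch in _META:
                literal = i
                break
        entries.append({
            "spec": spec,
            "regex": re.compile("^" + spec + "$"),
            "literal": literal,
            "context": context,
        })
    return entries


def substitute(path):
    """Apply the assumed subs_dist rewrite so /run/... is matched as /var/run/..."""
    for src, dst in PATH_SUBS:
        if path == src or path.startswith(src + "/"):
            return dst + path[len(src):]
    return path


def lookup(path, entries):
    """Context for path: longest literal prefix wins, later entry breaks ties
    (a simplification of libselinux's stem-based ordering)."""
    path = substitute(path)
    best = None
    for idx, entry in enumerate(entries):
        if entry["regex"].match(path):
            key = (entry["literal"], idx)
            if best is None or key > best[0]:
                best = (key, entry["context"])
    return best[1] if best else None


def type_of(context):
    """user:role:type:level -> type"""
    return context.split(":")[2]


ENTRIES = parse_file_contexts(FILE_CONTEXTS)

if __name__ == "__main__":
    for p in ("/run/pcscd.comm", "/run/pcscd", "/run/pcscd/pcscd.comm"):
        print(f"{p:26} -> {lookup(p, ENTRIES)}")
```

Labelling the single file instead would need its own literal entry, `/var/run/pcscd\.comm` with the private type, and every other file pcscd puts in /run would need one too; a directory entry covers all of them with one line, which is why the workaround of moving pcscd's runtime files under /var/run/pcscd/ is also the tidier policy.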
Comment 9 Daniel Walsh 2011-08-22 18:44:53 UTC
I have added labelling for this in selinux-policy-3.10.0-19.fc17

Comment 10 Kalev Lember 2011-08-22 19:13:10 UTC
Thanks. I have built a matching pcsc-lite update for switching over to /var/run/pcscd/.

When you push out the selinux-policy update for F16, please add pcsc-lite-1.7.4-3.fc16 to the update group so that the two builds can go out together.

Comment 11 Lennart Poettering 2011-08-23 11:22:20 UTC
(In reply to comment #7)

> The code we have for labelling sockets is just putting the process label on the
> socket, we need to also add a label to the sock_file, just like we do for the
> fifo_file.

Hmm, I am not sure I follow. What's the difference between "sock_file" and "socket" here?

Comment 12 Daniel Walsh 2011-08-24 03:01:56 UTC
Sock_file is the actual object on the file system.

Socket is the open file descriptor to the sock_file

In this example systemd should label the process that is opening the sock_file as pcscd_t, which I believe it is, but it should also create the sock_file with the label pcscd_var_run_t.

Comment 13 Fedora Update System 2011-08-24 16:27:35 UTC
pcsc-lite-1.7.4-3.fc16 has been submitted as an update for Fedora 16.
https://admin.fedoraproject.org/updates/pcsc-lite-1.7.4-3.fc16

Comment 14 Lennart Poettering 2011-08-30 23:49:08 UTC
(In reply to comment #12)
> Sock_file is the actual object on the file system.
> 
> Socket is the open file descriptor to the sock_file
> 
> In this example systemd should label the process that is opening the
> sock_file as pcscd_t, which I believe it is, but it should also create the
> sock_file with the label pcscd_var_run_t.

This issue is tracked in bug 729997, let's continue this discussion there.

*** This bug has been marked as a duplicate of bug 729997 ***

Comment 15 Fedora Update System 2011-09-03 22:07:18 UTC
pcsc-lite-1.7.4-4.fc16 has been submitted as an update for Fedora 16.
https://admin.fedoraproject.org/updates/pcsc-lite-1.7.4-4.fc16

Comment 16 Fedora Update System 2011-09-07 11:10:24 UTC
pcsc-lite-1.7.4-4.fc16 has been submitted as an update for Fedora 16.
https://admin.fedoraproject.org/updates/pcsc-lite-1.7.4-4.fc16

Comment 17 Fedora Update System 2011-09-11 01:46:05 UTC
pcsc-lite-1.7.4-4.fc16 has been pushed to the Fedora 16 stable repository.  If problems still persist, please make note of it in this bug report.
