SELinux is preventing /usr/sbin/pcscd from 'getattr' accesses on the sock_file /run/pcscd.comm.

*****  Plugin catchall (100. confidence) suggests  ***************************

If you believe that pcscd should be allowed getattr access on the pcscd.comm sock_file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do allow this access for now by executing:
# grep pcscd /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:pcscd_t:s0
Target Context                system_u:object_r:var_run_t:s0
Target Objects                /run/pcscd.comm [ sock_file ]
Source                        pcscd
Source Path                   /usr/sbin/pcscd
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           pcsc-lite-1.7.4-2.fc16
Target RPM Packages
Policy RPM                    selinux-policy-3.10.0-3.fc16
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Permissive
Host Name                     (removed)
Platform                      Linux beagle 3.0-0.rc6.git6.1.fc16.x86_64 #1 SMP Sun Jul 10 16:00:07 UTC 2011 x86_64 x86_64
Alert Count                   17
First Seen                    Thu 23 Jun 2011 11:58:07 PM EEST
Last Seen                     Fri 15 Jul 2011 02:26:55 PM EEST
Local ID                      a2f72610-2abc-419f-93c9-6079be20707d

Raw Audit Messages
type=AVC msg=audit(1310729215.108:145): avc: denied { getattr } for pid=22152 comm="pcscd" path="/run/pcscd.comm" dev=tmpfs ino=418387 scontext=system_u:system_r:pcscd_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=sock_file

type=SYSCALL msg=audit(1310729215.108:145): arch=x86_64 syscall=stat success=yes exit=0 a0=413efd a1=7fff02c8b110 a2=7fff02c8b110 a3=7fff02c8ae80 items=0 ppid=1 pid=22152 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=pcscd exe=/usr/sbin/pcscd subj=system_u:system_r:pcscd_t:s0 key=(null)

Hash: pcscd,pcscd_t,var_run_t,sock_file,getattr

audit2allow

#============= pcscd_t ==============
allow pcscd_t var_run_t:sock_file getattr;

audit2allow -R

#============= pcscd_t ==============
allow pcscd_t var_run_t:sock_file getattr;
Starting with pcsc-lite-1.7.4-2.fc16, pcscd in rawhide now uses systemd socket activation to create /var/run/pcscd.comm as opposed to pcscd creating it itself, so the socket is now labelled differently.
Strange, I believe systemd should have created it with the correct context.
Is systemd checking for a sock_file label or just not implementing the mode check at all?
Actually the code looks correct. I cannot look at the pcscd code for some reason. It looks like we are not labeling sock_files?
We do label sockets and this works for all other sockets in the system. If the label is right for all sockets but this one, I'd guess this is a policy problem?
In my Fedora install, other sockets created by systemd are all in subdirectories; pcscd.comm is directly under /var/run/. Could this be somehow the cause for mislabelling?
Lennart, you are logging sockets, but the problem here is actually the sock_file label. The code we have for labelling sockets is just putting the process label on the socket; we need to also add a label to the sock_file, just like we do for the fifo_file. The socket would be labelled pcscd_t and the sock_file would be labelled pcscd_var_run_t.
Created attachment 519140
selinux-policy patch for /var/run/pcscd/

systemd gets labelling right when it's applied to a whole subdirectory, but not with individual socket files. I would like to get pcscd fixed, even if this means doing a workaround here and moving all the files to /var/run/pcscd/. It's also worth pointing out that using /var/run/pcscd/ is the pcsc-lite upstream default, so with that change Fedora pcsc-lite and selinux-policy packages would get closer to upstream defaults.

Daniel, I've attached a patch to selinux-policy for moving the files to /var/run/pcscd/. Can you verify that it looks OK and apply it to F16 and rawhide?
I have added labelling for this in selinux-policy-3.10.0-19.fc17
Thanks. I have built a matching pcsc-lite update for switching over to /var/run/pcscd/. When you push out the selinux-policy update for F16, please add pcsc-lite-1.7.4-3.fc16 to the update group so that the two builds can go out together.
(In reply to comment #7)
> The code we have for labelling sockets is just putting the process label on the
> socket, we need to also add a label to the sock_file, just like we do for the
> fifo_file.

Hmm, I am not sure I follow. What's the difference between "sock_file" and "socket" here?
Sock_file is the actual object on the file system.

Socket is the open file descriptor to the sock_file.

In this example systemd should label the process that is opening the sock_file as pcscd_t, which I believe it is, but it should also create the sock_file with the label pcscd_var_run_t.
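The point made in the last few comments is the one a triager has to recognise from the raw audit line: the denial is against the catch-all var_run_t type on a sock_file, so the audit2allow rule from the setroubleshoot report would grant pcscd_t getattr on every var_run_t socket file rather than fix the label. The script below is an added example for this thread, not code from pcsc-lite, systemd, setroubleshoot or audit2allow. It parses the AVC record quoted in the report (embedded as a constructed sample), reproduces the audit2allow rule, flags the generic target type, and writes a file_contexts entry for a caller-supplied private type. The GENERIC_TYPES set and the pcscd_var_run_t type name passed in are assumptions for the illustration; the file_contexts line is hand-written in that file's syntax, not something the page shows.

```python
"""Triage an SELinux AVC denial: reproduce the audit2allow rule and flag
cases where the real fix is a file-context (labelling) change.

Added example for this bug thread; not code from pcsc-lite, systemd,
setroubleshoot or audit2allow.  GENERIC_TYPES and the private type passed
to suggested_fcontext() are assumptions chosen for the illustration.
"""
import re

# Constructed sample: the AVC record quoted in this bug, where pcscd
# stat()s /run/pcscd.comm and the sock_file carries the generic var_run_t.
SAMPLE_AVC = (
    'type=AVC msg=audit(1310729215.108:145): avc: denied { getattr } for '
    'pid=22152 comm="pcscd" path="/run/pcscd.comm" dev=tmpfs ino=418387 '
    'scontext=system_u:system_r:pcscd_t:s0 '
    'tcontext=system_u:object_r:var_run_t:s0 tclass=sock_file'
)

# Assumption: catch-all filesystem types that a service's private objects
# should not normally carry.  A denial whose target is one of these usually
# means the object is mislabelled (the situation in this bug), so the
# audit2allow rule would grant the domain access to everything under the
# generic type instead of fixing the label.
GENERIC_TYPES = {"var_run_t", "var_t", "var_lib_t", "tmp_t", "etc_t",
                 "usr_t", "default_t", "unlabeled_t"}

# file_contexts type specifiers, keyed by object class.
FC_SPEC = {"file": "--", "dir": "-d", "sock_file": "-s", "fifo_file": "-p",
           "lnk_file": "-l", "chr_file": "-c", "blk_file": "-b"}

_AVC_RE = re.compile(
    r"avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}"
    r"\s+for\s+(?P<rest>.*)")
_KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return the fields of one AVC record, or None if the line is not one."""
    m = _AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in _KV_RE.findall(m.group("rest"))}
    # A context is user:role:type[:range]; the type is always index 2.
    return {
        "result": m.group("result"),
        "perms": m.group("perms").split(),
        "source_type": fields["scontext"].split(":")[2],
        "target_type": fields["tcontext"].split(":")[2],
        "tclass": fields["tclass"],
        "path": fields.get("path"),
        "comm": fields.get("comm"),
    }


def allow_rule(rec):
    """The allow rule audit2allow would generate for this record."""
    perms = rec["perms"]
    perm_str = perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"
    return "allow %s %s:%s %s;" % (rec["source_type"], rec["target_type"],
                                   rec["tclass"], perm_str)


def is_labelling_problem(rec):
    """True when a filesystem object carrying a generic type is being denied."""
    return rec["tclass"] in FC_SPEC and rec["target_type"] in GENERIC_TYPES


def suggested_fcontext(rec, private_type):
    """A file_contexts entry relabelling the object with private_type.

    private_type is the caller's choice (in this bug: pcscd_var_run_t).
    Returns None when the record carries no path to match on."""
    if rec["path"] is None or rec["tclass"] not in FC_SPEC:
        return None
    # file_contexts paths are regular expressions, so escape the dot.
    path = rec["path"].replace(".", r"\.")
    return "%s\t%s\tsystem_u:object_r:%s:s0" % (path, FC_SPEC[rec["tclass"]],
                                               private_type)


def triage(line, private_type=None):
    """Summarise one AVC line: the catch-all rule plus, when the target is a
    generic type, the labelling fix that should be preferred instead."""
    rec = parse_avc(line)
    if rec is None:
        return None
    out = {"rule": allow_rule(rec),
           "labelling_problem": is_labelling_problem(rec)}
    if out["labelling_problem"] and private_type:
        out["fcontext"] = suggested_fcontext(rec, private_type)
    return out


if __name__ == "__main__":
    for key, value in triage(SAMPLE_AVC, "pcscd_var_run_t").items():
        print("%-18s %s" % (key, value))
```

Run it against the sample and the rule line comes out identical to the audit2allow output in the report, with labelling_problem set because the target is var_run_t; the fcontext line is what you would install with semanage fcontext (or carry in the policy's .fc file) before running restorecon on the socket, which is the direction the thread takes with the move to /var/run/pcscd/.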
pcsc-lite-1.7.4-3.fc16 has been submitted as an update for Fedora 16. https://admin.fedoraproject.org/updates/pcsc-lite-1.7.4-3.fc16
(In reply to comment #12)
> Sock_file is the actual object on the file system.
>
> Socket is the open file descriptor to the sock_file
>
> In this example to systemd should label the process that is opening the the
> sock_file as pcscd_t, which I believe it is, but it should also create the
> sock_file with the label pcscd_var_run_t.

This issue is tracked in bug 729997, let's continue this discussion there.

*** This bug has been marked as a duplicate of bug 729997 ***
pcsc-lite-1.7.4-4.fc16 has been submitted as an update for Fedora 16. https://admin.fedoraproject.org/updates/pcsc-lite-1.7.4-4.fc16
pcsc-lite-1.7.4-4.fc16 has been pushed to the Fedora 16 stable repository. If problems still persist, please make note of it in this bug report.