Bug 729748 - spice-vdagent does not have a selinux policy for (selinux) confined users
Summary: spice-vdagent does not have a selinux policy for (selinux) confined users
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted
Version: 15
Hardware: Unspecified
OS: Unspecified
unspecified
unspecified
Target Milestone: ---
Assignee: Miroslav Grepl
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2011-08-10 17:59 UTC by bodhi.zazen
Modified: 2011-08-22 05:42 UTC (History)
4 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2011-08-22 05:42:47 UTC


Attachments (Terms of Use)
everything.te contains every AVC denial I am getting on login with selinux in permissive mode. (4.28 KB, text/plain)
2011-08-12 15:38 UTC, bodhi.zazen
no flags Details
I attached a copy of audit.log (68.54 KB, application/octet-stream)
2011-08-12 21:50 UTC, bodhi.zazen
no flags Details

Description bodhi.zazen 2011-08-10 17:59:00 UTC
Description of problem: spice-vdagent does not have a selinux policy for (selinux) confined users

If you confine your users, spice-vdagent no longer works.


Version-Release number of selected component (if applicable):


How reproducible: Always (when confining users)


Steps to Reproduce:
1. Confine your users with selinux, either as a user_u or staff_u
2. Log in via GDM
3. spice-vdagent no longer functions
  
Actual results:

spice-vdagent no longer functions


Expected results:

spice-vdagent functions with confined (staff_u) users. I assume it will work with user_u, just add in a user_t 

Additional info:

Here is the spice te I generated. 
module spice 1.0;

require {
        type staff_t;
        type vdagent_exec_t;
        type vdagent_t;
        type vdagent_log_t;
        type vdagent_var_run_t;
        class sock_file write;
        class unix_stream_socket connectto;
        class dir { search getattr };
        class file getattr;
}

#============= staff_t ==============
allow staff_t vdagent_exec_t:file getattr;
allow staff_t vdagent_log_t:dir getattr;
allow staff_t vdagent_t:unix_stream_socket connectto;
allow staff_t vdagent_var_run_t:dir search;
allow staff_t vdagent_var_run_t:sock_file write;

Comment 1 bodhi.zazen 2011-08-10 17:59:27 UTC

-- 
Fedora Bugzappers volunteer triage team
https://fedoraproject.org/wiki/BugZappers

Comment 2 bodhi.zazen 2011-08-10 18:53:56 UTC

-- 
Fedora Bugzappers volunteer triage team
https://fedoraproject.org/wiki/BugZappers

Comment 3 Miroslav Grepl 2011-08-10 19:16:38 UTC
Is this in permissive mode? 

If not, please switch to permissive mode and collect all AVC msgs and attach them.

Comment 4 bodhi.zazen 2011-08-10 22:33:12 UTC
@Miroslav - Thank you for your time and attention.

Yes , that was with permissive mode and included all the AVC mesgs I found.

With that spice.te , spice-vdagent is working with selinux in enforcing mode.

Note: that module was for staff_u only, I did not test user_u, although I would be willing if you feel it would help.



-- 
Fedora Bugzappers volunteer triage team
https://fedoraproject.org/wiki/BugZappers

Comment 5 Miroslav Grepl 2011-08-11 07:43:28 UTC
Ok, I am fixing it.

Comment 6 Miroslav Grepl 2011-08-11 07:53:30 UTC
Fixed in selinux-policy-3.9.16-38.fc15

Comment 7 bodhi.zazen 2011-08-11 15:12:18 UTC
Thank you.

Do you need any testing / te for confining user_u ?



-- 
Fedora Bugzappers volunteer triage team
https://fedoraproject.org/wiki/BugZappers

Comment 8 Daniel Walsh 2011-08-11 20:12:06 UTC
Sure it should work for user_u, and xguest_u.

Comment 9 bodhi.zazen 2011-08-12 15:36:46 UTC
I am so sorry, I thought I had this resolved.

The problem was I had left selinux in permissive mode.

When I put it into enforcing mode, the module I posted here did not work.

I did not see any additional AVC denials in the logs, so I looked for silent denials.

semodule -DB

Still nothing.

With selinux in enforcing mode, spice-vdagent fails to start.

If I then follow the logs, with tail -F /var/log/audit/audit.log , and manually start spice-vdagent from the command line it fails with no errors on the command line and nothing in the logs.

If I put selinux into permissive mode then I can again start the spice-vdagent.

I can get it to work if I allow the "kitchen sink", ie all AVC denials in the logs when I log in, but the resulting local.te has a long list of policies / rules that have to do with things such as pulse-audio and what not.

I am at a dead end, so I am attaching a "everything.te" Obviously this contains a bunch of policy that does not apply to spice-vdagent , including ecryptfs, and a bunch of desktop policy, such a pulse audio, but if I 

semodule -i everything.pp

then spice-vdagent works when enforcing selinux

hope some of these rules can help with enforcing users in general, but any suggestions on spice-vdagent would be appreciated.



-- 
Fedora Bugzappers volunteer triage team
https://fedoraproject.org/wiki/BugZappers

Comment 10 bodhi.zazen 2011-08-12 15:38:19 UTC
Created attachment 518051 [details]
everything.te contains every AVC denial I am getting on login with selinux in  permissive mode.

everything.te contains every AVC denial I am getting on login with selinux in  permissive mode.

Comment 11 Miroslav Grepl 2011-08-12 21:04:07 UTC
Could you add raw AVC msgs?

Comment 12 bodhi.zazen 2011-08-12 21:50:52 UTC
Created attachment 518112 [details]
I attached a copy of audit.log

The tempfs_denials are for ecryptfs.

Comment 13 bodhi.zazen 2011-08-13 18:42:48 UTC
update: It is working now

selinux-policy.noarch              3.9.16-35.fc15           @updates            
selinux-policy-targeted.noarch     3.9.16-35.fc15           @updates

sestatus 
SELinux status:                 enabled
SELinuxfs mount:                /selinux
Current mode:                   enforcing
Mode from config file:          enforcing
Policy version:                 26
Policy from config file:        targeted


Same spice.te / spice.pp as in my first post.

Sorry for the trouble, not really sure why I was having a problem, all I did was reboot the KVM guest and now it works as expected.



-- 
Fedora Bugzappers volunteer triage team
https://fedoraproject.org/wiki/BugZappers

Comment 14 Miroslav Grepl 2011-08-22 05:42:47 UTC
Ok, please reopen if the problem still exists.


Note You need to log in before you can comment on or make changes to this bug.