Bug 735556 - SELinux is preventing /usr/bin/chfn from 'getattr' accesses on the sock_file /dev/gpmctl.
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: util-linux
Version: 16
Hardware: x86_64
OS: Unspecified
Target Milestone: ---
Assignee: Karel Zak
QA Contact: Fedora Extras Quality Assurance
Whiteboard: abrt_hash:085c1ad835ae88607877758f734...
Duplicates: 735557 735558 735559 735560 735561 735562 735563 735565 735566 735567 735568 735570 735571 735572 735573 735574 735575 735576 735577 735578 735579 735581 735582 735583
Reported: 2011-09-03 14:46 UTC by zxcv
Modified: 2012-01-10 12:05 UTC (History)

Doc Type: Bug Fix
Last Closed: 2012-01-10 12:05:22 UTC
Type: ---

Description zxcv 2011-09-03 14:46:15 UTC
abrt version: 2.0.5
executable:     /usr/bin/python
hashmarkername: setroubleshoot
kernel:         3.0.0-1.fc16.x86_64
reason:         SELinux is preventing /usr/bin/chfn from 'getattr' accesses on the sock_file /dev/gpmctl.
time:           Sat Sep  3 11:42:36 2011

description:
SELinux is preventing /usr/bin/chfn from 'getattr' accesses on the sock_file /dev/gpmctl.

*****  Plugin catchall (100. confidence) suggests  ***************************

If you believe that chfn should be allowed getattr access on the gpmctl sock_file by default, then you should report this as a bug.
You can generate a local policy module to allow this access.
Do allow this access for now by executing:
# grep chfn /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                unconfined_u:unconfined_r:chfn_t:s0
Target Context                system_u:object_r:gpmctl_t:s0
Target Objects                /dev/gpmctl [ sock_file ]
Source                        chfn
Source Path                   /usr/bin/chfn
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           util-linux-2.19.1-2.fc16
Target RPM Packages
Policy RPM                    selinux-policy-3.10.0-15.fc16
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 3.0.0-1.fc16.x86_64 #1 SMP Fri Jul 22 16:09:29 UTC 2011 x86_64 x86_64
Alert Count                   1
First Seen                    Sat 03 Sep 2011 10:39:48 AM CLST
Last Seen                     Sat 03 Sep 2011 10:39:48 AM CLST
Local ID                      18c7d39a-93c0-40f6-b487-cc5d7f8d07e6

Raw Audit Messages
type=AVC msg=audit(1315057188.476:86): avc:  denied  { getattr } for  pid=2245 comm="chfn" path="/dev/gpmctl" dev=devtmpfs ino=12756 scontext=unconfined_u:unconfined_r:chfn_t:s0 tcontext=system_u:object_r:gpmctl_t:s0 tclass=sock_file

type=SYSCALL msg=audit(1315057188.476:86): arch=x86_64 syscall=stat success=no exit=EACCES a0=7fffd89b96d0 a1=7fffd89b4fa0 a2=7fffd89b4fa0 a3=0 items=0 ppid=2214 pid=2245 auid=1000 uid=1000 gid=1000 euid=0 suid=0 fsuid=0 egid=1000 sgid=1000 fsgid=1000 tty=pts1 ses=2 comm=chfn exe=/usr/bin/chfn subj=unconfined_u:unconfined_r:chfn_t:s0 key=(null)

Hash: chfn,chfn_t,gpmctl_t,sock_file,getattr

audit2allow

#============= chfn_t ==============
allow chfn_t gpmctl_t:sock_file getattr;

audit2allow -R

#============= chfn_t ==============
allow chfn_t gpmctl_t:sock_file getattr;


Comment 1 Miroslav Grepl 2011-09-05 06:09:59 UTC
Does everything work as you expect?

Comment 2 Miroslav Grepl 2011-09-05 06:10:23 UTC
*** Bug 735557 has been marked as a duplicate of this bug. ***

Comment 3 Miroslav Grepl 2011-09-05 06:10:54 UTC
*** Bug 735558 has been marked as a duplicate of this bug. ***

Comment 4 Miroslav Grepl 2011-09-05 06:11:37 UTC
*** Bug 735559 has been marked as a duplicate of this bug. ***

Comment 5 Miroslav Grepl 2011-09-05 06:12:05 UTC
*** Bug 735560 has been marked as a duplicate of this bug. ***

Comment 6 Miroslav Grepl 2011-09-05 06:12:24 UTC
*** Bug 735561 has been marked as a duplicate of this bug. ***

Comment 7 Miroslav Grepl 2011-09-05 06:12:44 UTC
*** Bug 735562 has been marked as a duplicate of this bug. ***

Comment 8 Miroslav Grepl 2011-09-05 06:13:04 UTC
*** Bug 735563 has been marked as a duplicate of this bug. ***

Comment 9 Miroslav Grepl 2011-09-05 06:13:32 UTC
*** Bug 735564 has been marked as a duplicate of this bug. ***

Comment 10 Miroslav Grepl 2011-09-05 06:13:51 UTC
*** Bug 735565 has been marked as a duplicate of this bug. ***

Comment 11 Miroslav Grepl 2011-09-05 06:14:12 UTC
*** Bug 735566 has been marked as a duplicate of this bug. ***

Comment 12 Miroslav Grepl 2011-09-05 06:14:35 UTC
*** Bug 735567 has been marked as a duplicate of this bug. ***

Comment 13 Miroslav Grepl 2011-09-05 06:14:55 UTC
*** Bug 735568 has been marked as a duplicate of this bug. ***

Comment 14 Miroslav Grepl 2011-09-05 06:15:15 UTC
*** Bug 735570 has been marked as a duplicate of this bug. ***

Comment 15 Miroslav Grepl 2011-09-05 06:15:35 UTC
*** Bug 735571 has been marked as a duplicate of this bug. ***

Comment 16 Miroslav Grepl 2011-09-05 06:15:55 UTC
*** Bug 735572 has been marked as a duplicate of this bug. ***

Comment 17 Miroslav Grepl 2011-09-05 06:19:25 UTC
*** Bug 735573 has been marked as a duplicate of this bug. ***

Comment 18 Miroslav Grepl 2011-09-05 06:19:44 UTC
*** Bug 735574 has been marked as a duplicate of this bug. ***

Comment 19 Miroslav Grepl 2011-09-05 06:20:03 UTC
*** Bug 735575 has been marked as a duplicate of this bug. ***

Comment 20 Miroslav Grepl 2011-09-05 06:20:21 UTC
*** Bug 735576 has been marked as a duplicate of this bug. ***

Comment 21 Miroslav Grepl 2011-09-05 06:20:48 UTC
*** Bug 735577 has been marked as a duplicate of this bug. ***

Comment 22 Miroslav Grepl 2011-09-05 06:21:12 UTC
*** Bug 735578 has been marked as a duplicate of this bug. ***

Comment 23 Miroslav Grepl 2011-09-05 06:22:06 UTC
*** Bug 735579 has been marked as a duplicate of this bug. ***

Comment 24 Miroslav Grepl 2011-09-05 06:22:28 UTC
*** Bug 735581 has been marked as a duplicate of this bug. ***

Comment 25 Miroslav Grepl 2011-09-05 06:22:52 UTC
*** Bug 735582 has been marked as a duplicate of this bug. ***

Comment 26 Miroslav Grepl 2011-09-05 06:23:21 UTC
*** Bug 735583 has been marked as a duplicate of this bug. ***

Comment 27 Daniel Walsh 2011-09-06 15:50:05 UTC
PLEASE do not just hit report bug like this; it just becomes a pain for us to handle. If you see lots of AVC messages all related to the same problem, please report one bug and then tell us you got lots of AVCs. This will make us a lot more efficient.

Comment 28 Daniel Walsh 2011-09-06 15:51:41 UTC
util-linux guys, any idea why chfn would stat every device?

Comment 29 Daniel Walsh 2011-09-06 15:52:43 UTC
Miroslav, since we already have

dev_dontaudit_getattr_all(useradd_t)


this is probably the same problem, and we should just add

dev_dontaudit_getattr_all(chfn_t)

Comment 30 Karel Zak 2011-09-07 00:35:14 UTC
(In reply to comment #28)
> util-linux guys, any idea why chfn would stat every device?

I don't understand the question. It doesn't work with devices.

try
    strace -e open,stat,fstat -o ~/log chfn

or send a complete strace.

Comment 31 Daniel Walsh 2011-09-07 17:50:52 UTC
Probably a rogue pam module. I would figure pam_finger.

Comment 32 Tomas Mraz 2011-10-20 11:08:27 UTC
Is it possible that this is the ttyname() problem? And that the real solution is to allow getattr on the tty devices rather than to dontaudit all getattrs for these utilities?

Comment 33 Karel Zak 2011-10-20 11:42:43 UTC
(In reply to comment #32)
> Is it possible that this is the ttyname() problem?

Good point. By default, ttyname() reads the /proc/self/fd/1 symlink, for example:

readlink("/proc/self/fd/0", "/dev/pts/1", 4095) = 10
stat("/dev/pts/1", {st_mode=S_IFCHR|0620, st_rdev=makedev(136, 1), ...}) = 0
fstat(1, {st_mode=S_IFCHR|0620, st_rdev=makedev(136, 1), ...}) = 0

and if this way is unsuccessful, then it scans (readdir + stat) the "/dev/pts" and "/dev" directories :-(

Anyway, I don't see any reason why chfn(1) should not be able to read the /proc/self/fd/* files.

Comment 34 Daniel Walsh 2011-10-20 19:11:43 UTC
I guess it depends on what those are links to.

I am not sure what the label of /dev/pts/1 is that is triggering the problem.

git patch 7493a8faf03525018b2ba0531deb816aa66f60a8

Allows all of chfn, passwd, useradd, groupadd to getattr on any pty.

Should show up in selinux-policy-3.10.0-46.fc16

Comment 35 Karel Zak 2012-01-10 12:05:22 UTC
I guess that the problem is fixed now. Closing.

