743042 – AVC when run in ipa-client-install

Bug 743042 - AVC when run in ipa-client-install

Summary: AVC when run in ipa-client-install

Keywords:
Status:	CLOSED WONTFIX
Alias:	None
Product:	Fedora
Classification:	Fedora
Component:	certmonger
Sub Component:
Version:	15
Hardware:	Unspecified
OS:	Unspecified
Priority:	unspecified
Severity:	unspecified
Target Milestone:	---
Assignee:	Nalin Dahyabhai
QA Contact:	Fedora Extras Quality Assurance
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2011-10-03 16:48 UTC by Rob Crittenden
Modified:	2012-08-07 20:00 UTC (History)
CC List:	2 users (show)
Fixed In Version:
Doc Type:	Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed:	2012-08-07 20:00:02 UTC
Type:	---
Dependent Products:

Attachments	(Terms of Use)
Add an attachment (proposed patch, testcase, etc.)

Description Rob Crittenden 2011-10-03 16:48:27 UTC

Description of problem:

User has reported two AVCs when running ipa-client-install in Fedora 15. Since certmonger is throwing the issue I'm starting there, but both may be related to coolkey.

type=AVC msg=audit(1317642673.502:81): avc:  denied  { read write } for  pid=2347 comm="certmonger" name=636F6F6C6B6579706B313173452D47617465203020302D30 dev=dm-1 ino=269923 scontext=system_u:system_r:certmonger_t:s0 tcontext=unconfined_u:object_r:var_t:s0 tclass=file
type=SYSCALL msg=audit(1317642673.502:81): arch=x86_64 syscall=open success=no exit=EACCES a0=23ed720 a1=20002 a2=180 a3=7fff1b5efab0 items=0 ppid=2271 pid=2347 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=certmonger exe=/usr/sbin/certmonger subj=system_u:system_r:certmonger_t:s0 key=(null)

And here is a systemd-related error, but it may be something prompting for a token password:

type=AVC msg=audit(1317642678.58:83): avc:  denied  { read } for  pid=2457 comm="systemd-tty-ask" name="136:0" dev=tmpfs ino=23880 scontext=unconfined_u:system_r:systemd_passwd_agent_t:s0 tcontext=unconfined_u:object_r:init_var_run_t:s0 tclass=fifo_file
type=AVC msg=audit(1317642678.58:83): avc:  denied  { open } for  pid=2457 comm="systemd-tty-ask" name="136:0" dev=tmpfs ino=23880 scontext=unconfined_u:system_r:systemd_passwd_agent_t:s0 tcontext=unconfined_u:object_r:init_var_run_t:s0 tclass=fifo_file
type=SYSCALL msg=audit(1317642678.58:83): arch=x86_64 syscall=open success=yes exit=ESRCH a0=22cc0a0 a1=80900 a2=fffffffffffffed0 a3=7fff3cd59b70 items=0 ppid=2456 pid=2457 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm=systemd-tty-ask exe=/bin/systemd-tty-ask-password-agent subj=unconfined_u:system_r:systemd_passwd_agent_t:s0 key=(null)

Version-Release number of selected component (if applicable):

selinux-policy: 3.9.16-38.f15

Comment 1 Nalin Dahyabhai 2011-10-03 17:38:59 UTC

Yes, I think that this must be related to coolkey, as 636F6F6C6B6579706B313173452D47617465203020302D30 is a hexadecimal representation of "coolkeypk11sE-Gate 0 0-0".  By default, the API we use to open a database which contains an NSS key and/or certificate also loads PKCS#11 modules, and I guess we need to change that.

I'm not really sure how systemd-tty-ask is involved, though.  The way certmonger sets prompt callbacks, there shouldn't be anything attempting to ask questions on the TTY.  The timestamp of the second denial is also 5 seconds later than the first.  Are you sure that they're related?

Comment 2 Rob Crittenden 2011-10-03 17:57:44 UTC

No, it was pure speculation on my part.

The user says that he has not configured coolkey so I don't know why it would be causing the first AVC.

Comment 3 Nalin Dahyabhai 2011-10-03 18:37:25 UTC

When we install the coolkey package, the %post adds the module to /etc/pki/nssdb, which causes certmonger to load it when it needs to work with a list of available tokens.

Comment 4 Nalin Dahyabhai 2011-10-03 19:30:25 UTC

Until we expect to be supporting keys and certificates stored in locations other than the NSS soft token (because when we do, we may end up skipping a database completely and just load the module directly), we should be initializing NSS in such a way that only the soft token is used.

Comment 5 Fedora End Of Life 2012-08-07 20:00:04 UTC

This message is a notice that Fedora 15 is now at end of life. Fedora
has stopped maintaining and issuing updates for Fedora 15. It is
Fedora's policy to close all bug reports from releases that are no
longer maintained. At this time, all open bugs with a Fedora 'version'
of '15' have been closed as WONTFIX.

(Please note: Our normal process is to give advanced warning of this
occurring, but we forgot to do that. A thousand apologies.)

Package Maintainer: If you wish for this bug to remain open because you
plan to fix it in a currently maintained version, feel free to reopen
this bug and simply change the 'version' to a later Fedora version.

Bug Reporter: Thank you for reporting this issue and we are sorry that
we were unable to fix it before Fedora 15 reached end of life. If you
would still like to see this bug fixed and are able to reproduce it
against a later version of Fedora, you are encouraged to click on
"Clone This Bug" (top right of this page) and open it against that
version of Fedora.

Although we aim to fix as many bugs as possible during every release's
lifetime, sometimes those efforts are overtaken by events. Often a
more recent Fedora release includes newer upstream software that fixes
bugs or makes them obsolete.

The process we are following is described here:
http://fedoraproject.org/wiki/BugZappers/HouseKeeping

Note You need to log in before you can comment on or make changes to this bug.