Bug 808297 - SELinux is preventing /usr/libexec/fprintd from read access on the file /var/lib/sss/mc/passwd.
SELinux is preventing /usr/libexec/fprintd from read access on the file /var/...
Product: Fedora
Classification: Fedora
Component: selinux-policy (Show other bugs)
Unspecified Unspecified
unspecified Severity unspecified
: ---
: ---
Assigned To: Miroslav Grepl
Fedora Extras Quality Assurance
: Reopened
Depends On:
  Show dependency treegraph
Reported: 2012-03-30 01:19 EDT by Gowrishankar Rajaiyan
Modified: 2012-07-02 03:01 EDT (History)
5 users (show)

See Also:
Fixed In Version: selinux-policy-3.10.0-84.fc16
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2012-06-27 23:25:37 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)

  None (edit)
Description Gowrishankar Rajaiyan 2012-03-30 01:19:08 EDT
Description of problem:

SELinux is preventing /usr/libexec/fprintd from read access on the file /var/lib/sss/mc/passwd.

*****  Plugin catchall (100. confidence) suggests  ***************************

If you believe that fprintd should be allowed read access on the passwd file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
allow this access for now by executing:
# grep fprintd /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:fprintd_t:s0-s0:c0.c1023
Target Context                system_u:object_r:sssd_var_lib_t:s0
Target Objects                /var/lib/sss/mc/passwd [ file ]
Source                        fprintd
Source Path                   /usr/libexec/fprintd
Port                          <Unknown>
Host                          shanks.pnq.redhat.com
Source RPM Packages           fprintd-0.4.1-1.fc16.x86_64
Target RPM Packages           
Policy RPM                    selinux-policy-3.10.0-80.fc16.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Permissive
Host Name                     shanks.pnq.redhat.com
Platform                      Linux shanks.pnq.redhat.com 3.2.9-2.fc16.x86_64 #1
                              SMP Mon Mar 5 20:55:39 UTC 2012 x86_64 x86_64
Alert Count                   3
First Seen                    Fri 30 Mar 2012 03:52:00 AM IST
Last Seen                     Fri 30 Mar 2012 10:30:06 AM IST
Local ID                      9843ca8a-5875-41ff-955a-fbd4f0e206ab

Raw Audit Messages
type=AVC msg=audit(1333083606.141:159): avc:  denied  { read } for  pid=3865 comm="fprintd" path="/var/lib/sss/mc/passwd" dev=sda3 ino=131501 scontext=system_u:system_r:fprintd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sssd_var_lib_t:s0 tclass=file

type=SYSCALL msg=audit(1333083606.141:159): arch=x86_64 syscall=execve success=yes exit=0 a0=1431950 a1=1431870 a2=1430010 a3=15 items=0 ppid=3864 pid=3865 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=fprintd exe=/usr/libexec/fprintd subj=system_u:system_r:fprintd_t:s0-s0:c0.c1023 key=(null)

Hash: fprintd,fprintd_t,sssd_var_lib_t,file,read


#============= fprintd_t ==============
allow fprintd_t sssd_var_lib_t:file read;

audit2allow -R

#============= fprintd_t ==============
allow fprintd_t sssd_var_lib_t:file read;
[root@shanks ~]#

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
1. See description
Actual results:

Expected results:

Additional info:
Comment 1 Miroslav Grepl 2012-03-30 02:30:40 EDT
Fixed in selinux-policy-3.10.0-82.fc16

You can allow it for now using

$ chcon -R -t sssd_public_t /var/lib/sss/mc
Comment 2 Fedora Update System 2012-04-18 08:55:41 EDT
selinux-policy-3.10.0-84.fc16 has been submitted as an update for Fedora 16.
Comment 3 Fedora Update System 2012-04-21 23:37:59 EDT
selinux-policy-3.10.0-84.fc16 has been pushed to the Fedora 16 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 4 Stephen Gallagher 2012-05-08 08:38:29 EDT
I'm still having this issue with selinux-policy-3.10.0-118.fc17.noarch

type=AVC msg=audit(1336480562.282:284): avc:  denied  { read } for  pid=15282 comm="tmpwatch" path="/var/lib/sss/mc/group" dev="dm-2" ino=3162172 scontext=system_u:system_r:tmpreaper_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sssd_public_t:s0 tclass=file
Comment 5 Daniel Walsh 2012-05-08 10:03:25 EDT
Steven, is this something we should allow?  Do we want to allow tmpreaper to read/delete sssd_public_t content?
Comment 6 Stephen Gallagher 2012-05-08 10:11:45 EDT
(In reply to comment #5)
> Steven, is this something we should allow?  Do we want to allow tmpreaper to
> read/delete sssd_public_t content?

I think it needs to be able to read it or else it cannot use the SSSD in-memory cache to look up group and user data on files. I assume it must be doing so internally. I'll confess I don't know exactly what it's doing, only that it's trying to read our memory cache which only happens through our libnss_sss.so.2 plugin for glibc.

It should have READ permission. Delete should be reserved by SSSD processes.
Comment 7 Daniel Walsh 2012-05-08 11:04:47 EDT
Ok Strange up til now tmpwatch/tmpreaper have not had the ability to use the getpw calls other then reading /etc/passwd.  Seems we need to fix policy to allow it.  

Anyways you are reporting an F17 bug on an F16 system.

Fixed in selinux-policy-3.10.0-123.fc17

Probably needs to be back ported to F16
Comment 8 Fedora Update System 2012-06-15 06:29:14 EDT
selinux-policy-3.10.0-89.fc16 has been submitted as an update for Fedora 16.
Comment 9 Fedora Update System 2012-06-15 19:51:24 EDT
Package selinux-policy-3.10.0-89.fc16:
* should fix your issue,
* was pushed to the Fedora 16 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.10.0-89.fc16'
as soon as you are able to.
Please go to the following url:
then log in and leave karma (feedback).
Comment 10 Fedora Update System 2012-06-27 23:25:37 EDT
selinux-policy-3.10.0-89.fc16 has been pushed to the Fedora 16 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 11 Daniil Ivanov 2012-06-28 10:37:22 EDT
I've updated selinux-policy to 3.10.0-89.fc16.noarch
and I still have a lot of messages like this one in syslog:
Jun 28 20:30:56 localhost kernel: [  158.598018] type=1400 audit(1340904633.454:1524): avc:  denied  { create } for  pid=1694 comm="fprintd" scontext=system_u:system_r:fprintd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:fprintd_t:s0-s0:c0.c1023 tclass=unix_dgram_socket
Comment 12 Daniel Walsh 2012-06-29 17:28:38 EDT
That is a different AVC.  Looks like fprintd is trying to send a syslog message?
Comment 13 Miroslav Grepl 2012-07-02 03:01:52 EDT
If you set

# semanage permissive -a fprintd_t

a re-test. Are you getting more AVC

# ausearch -m avc -ts recent

Note You need to log in before you can comment on or make changes to this bug.