Bug 808297 – SELinux is preventing /usr/libexec/fprintd from read access on the file /var/lib/sss/mc/passwd.

Bug 808297 - SELinux is preventing /usr/libexec/fprintd from read access on the file /var/lib/sss/mc/passwd.

Summary:	SELinux is preventing /usr/libexec/fprintd from read access on the file /var/...

Status:	CLOSED ERRATA

Aliases:	None

Product:	Fedora
Classification:	Fedora
Component:	selinux-policy (Show other bugs)
Sub Component:
Version:	16
Hardware:	Unspecified Unspecified

Priority	unspecified Severity unspecified
Target Milestone:	---
Target Release:	---
Assigned To:	Miroslav Grepl
QA Contact:	Fedora Extras Quality Assurance
Docs Contact:

URL:
Whiteboard:
Keywords:	Reopened

Depends On:
Blocks:
	Show dependency tree / graph

Reported:	2012-03-30 01:19 EDT by Gowrishankar Rajaiyan
Modified:	2012-07-02 03:01 EDT (History)
CC List:	5 users (show)

See Also:
Fixed In Version:	selinux-policy-3.10.0-84.fc16
Doc Type:	Bug Fix
Doc Text:
Story Points:	---
Clone Of:
Environment:
Last Closed:	2012-06-27 23:25:37 EDT
Type:	---
Regression:	---
Mount Type:	---
Documentation:	---
CRM:
Verified Versions:
Category:	---
oVirt Team:	---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team:	---

Attachments	(Terms of Use)
Add an attachment (proposed patch, testcase, etc.)

Groups: None (edit)

Description Gowrishankar Rajaiyan 2012-03-30 01:19:08 EDT

Description of problem:

SELinux is preventing /usr/libexec/fprintd from read access on the file /var/lib/sss/mc/passwd.

*****  Plugin catchall (100. confidence) suggests  ***************************

If you believe that fprintd should be allowed read access on the passwd file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep fprintd /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp


Additional Information:
Source Context                system_u:system_r:fprintd_t:s0-s0:c0.c1023
Target Context                system_u:object_r:sssd_var_lib_t:s0
Target Objects                /var/lib/sss/mc/passwd [ file ]
Source                        fprintd
Source Path                   /usr/libexec/fprintd
Port                          <Unknown>
Host                          shanks.pnq.redhat.com
Source RPM Packages           fprintd-0.4.1-1.fc16.x86_64
Target RPM Packages           
Policy RPM                    selinux-policy-3.10.0-80.fc16.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Permissive
Host Name                     shanks.pnq.redhat.com
Platform                      Linux shanks.pnq.redhat.com 3.2.9-2.fc16.x86_64 #1
                              SMP Mon Mar 5 20:55:39 UTC 2012 x86_64 x86_64
Alert Count                   3
First Seen                    Fri 30 Mar 2012 03:52:00 AM IST
Last Seen                     Fri 30 Mar 2012 10:30:06 AM IST
Local ID                      9843ca8a-5875-41ff-955a-fbd4f0e206ab

Raw Audit Messages
type=AVC msg=audit(1333083606.141:159): avc:  denied  { read } for  pid=3865 comm="fprintd" path="/var/lib/sss/mc/passwd" dev=sda3 ino=131501 scontext=system_u:system_r:fprintd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sssd_var_lib_t:s0 tclass=file


type=SYSCALL msg=audit(1333083606.141:159): arch=x86_64 syscall=execve success=yes exit=0 a0=1431950 a1=1431870 a2=1430010 a3=15 items=0 ppid=3864 pid=3865 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=fprintd exe=/usr/libexec/fprintd subj=system_u:system_r:fprintd_t:s0-s0:c0.c1023 key=(null)

Hash: fprintd,fprintd_t,sssd_var_lib_t,file,read

audit2allow

#============= fprintd_t ==============
allow fprintd_t sssd_var_lib_t:file read;

audit2allow -R

#============= fprintd_t ==============
allow fprintd_t sssd_var_lib_t:file read;
[root@shanks ~]#

Version-Release number of selected component (if applicable):
selinux-policy-targeted-3.10.0-80.fc16.noarch

How reproducible:


Steps to Reproduce:
1. See description
2.
3.
  
Actual results:


Expected results:


Additional info:

Comment 1 Miroslav Grepl 2012-03-30 02:30:40 EDT

Fixed in selinux-policy-3.10.0-82.fc16

You can allow it for now using

$ chcon -R -t sssd_public_t /var/lib/sss/mc

Comment 2 Fedora Update System 2012-04-18 08:55:41 EDT

selinux-policy-3.10.0-84.fc16 has been submitted as an update for Fedora 16.
https://admin.fedoraproject.org/updates/selinux-policy-3.10.0-84.fc16

Comment 3 Fedora Update System 2012-04-21 23:37:59 EDT

selinux-policy-3.10.0-84.fc16 has been pushed to the Fedora 16 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 4 Stephen Gallagher 2012-05-08 08:38:29 EDT

I'm still having this issue with selinux-policy-3.10.0-118.fc17.noarch

type=AVC msg=audit(1336480562.282:284): avc:  denied  { read } for  pid=15282 comm="tmpwatch" path="/var/lib/sss/mc/group" dev="dm-2" ino=3162172 scontext=system_u:system_r:tmpreaper_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sssd_public_t:s0 tclass=file

Comment 5 Daniel Walsh 2012-05-08 10:03:25 EDT

Steven, is this something we should allow?  Do we want to allow tmpreaper to read/delete sssd_public_t content?

Comment 6 Stephen Gallagher 2012-05-08 10:11:45 EDT

(In reply to comment #5)
> Steven, is this something we should allow?  Do we want to allow tmpreaper to
> read/delete sssd_public_t content?

I think it needs to be able to read it or else it cannot use the SSSD in-memory cache to look up group and user data on files. I assume it must be doing so internally. I'll confess I don't know exactly what it's doing, only that it's trying to read our memory cache which only happens through our libnss_sss.so.2 plugin for glibc.

It should have READ permission. Delete should be reserved by SSSD processes.

Comment 7 Daniel Walsh 2012-05-08 11:04:47 EDT

Ok Strange up til now tmpwatch/tmpreaper have not had the ability to use the getpw calls other then reading /etc/passwd.  Seems we need to fix policy to allow it.  

Anyways you are reporting an F17 bug on an F16 system.

Fixed in selinux-policy-3.10.0-123.fc17

Probably needs to be back ported to F16

Comment 8 Fedora Update System 2012-06-15 06:29:14 EDT

selinux-policy-3.10.0-89.fc16 has been submitted as an update for Fedora 16.
https://admin.fedoraproject.org/updates/selinux-policy-3.10.0-89.fc16

Comment 9 Fedora Update System 2012-06-15 19:51:24 EDT

Package selinux-policy-3.10.0-89.fc16:
* should fix your issue,
* was pushed to the Fedora 16 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.10.0-89.fc16'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2012-9507/selinux-policy-3.10.0-89.fc16
then log in and leave karma (feedback).

Comment 10 Fedora Update System 2012-06-27 23:25:37 EDT

selinux-policy-3.10.0-89.fc16 has been pushed to the Fedora 16 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 11 Daniil Ivanov 2012-06-28 10:37:22 EDT

I've updated selinux-policy to 3.10.0-89.fc16.noarch
and I still have a lot of messages like this one in syslog:
Jun 28 20:30:56 localhost kernel: [  158.598018] type=1400 audit(1340904633.454:1524): avc:  denied  { create } for  pid=1694 comm="fprintd" scontext=system_u:system_r:fprintd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:fprintd_t:s0-s0:c0.c1023 tclass=unix_dgram_socket

Comment 12 Daniel Walsh 2012-06-29 17:28:38 EDT

That is a different AVC.  Looks like fprintd is trying to send a syslog message?

Comment 13 Miroslav Grepl 2012-07-02 03:01:52 EDT

If you set

# semanage permissive -a fprintd_t

a re-test. Are you getting more AVC

# ausearch -m avc -ts recent

Note You need to log in before you can comment on or make changes to this bug.