libreport version: 2.0.10
executable: /usr/bin/python2.7
hashmarkername: setroubleshoot
kernel: 3.3.4-5.fc17.x86_64
time: Sat 12 May 2012 23:21:24 BST

description:
SELinux is preventing polkit-agent-he from using the 'setsched' accesses on a process.

***** Plugin catchall (100. confidence) suggests ***************************

If you believe that polkit-agent-he should be allowed setsched access on processes labeled policykit_auth_t by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep polkit-agent-he /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                unconfined_u:unconfined_r:policykit_auth_t:s0-s0:c0.c1023
Target Context                unconfined_u:unconfined_r:policykit_auth_t:s0-s0:c0.c1023
Target Objects                [ process ]
Source                        polkit-agent-he
Source Path                   polkit-agent-he
Port                          <Unknown>
Host                          (removed)
Source RPM Packages
Target RPM Packages
Policy RPM                    selinux-policy-3.10.0-121.fc17.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 3.3.4-5.fc17.x86_64 #1 SMP Mon May 7 17:29:34 UTC 2012 x86_64 x86_64
Alert Count                   18
First Seen                    Sat 12 May 2012 23:07:22 BST
Last Seen                     Sat 12 May 2012 23:15:27 BST
Local ID                      cfc2a164-845d-4e32-b8b6-27f14ad43e45

Raw Audit Messages
type=AVC msg=audit(1336860927.579:398): avc: denied { setsched } for pid=18367 comm="polkit-agent-he" scontext=unconfined_u:unconfined_r:policykit_auth_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:policykit_auth_t:s0-s0:c0.c1023 tclass=process

Hash: polkit-agent-he,policykit_auth_t,policykit_auth_t,process,setsched

audit2allow
unable to open /sys/fs/selinux/policy: Permission denied

audit2allow -R
unable to open /sys/fs/selinux/policy: Permission denied
Second AVC denial:

Additional Information:
Source Context                unconfined_u:unconfined_r:policykit_auth_t:s0-s0:c0.c1023
Target Context                unconfined_u:unconfined_r:policykit_auth_t:s0-s0:c0.c1023
Target Objects                [ capability ]
Source                        polkit-agent-he
Source Path                   /usr/libexec/polkit-1/polkit-agent-helper-1
Port                          <Unknown>
Host                          iridium
Source RPM Packages
Target RPM Packages
Policy RPM                    selinux-policy-3.10.0-121.fc17.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     iridium
Platform                      Linux iridium 3.3.4-5.fc17.x86_64 #1 SMP Mon May 7 17:29:34 UTC 2012 x86_64 x86_64
Alert Count                   54
First Seen                    Tue 10 Apr 2012 09:23:41 BST
Last Seen                     Sat 12 May 2012 23:15:27 BST
Local ID                      0be0682e-3bbd-495c-8639-538c654af2bc

Raw Audit Messages
type=AVC msg=audit(1336860927.579:397): avc: denied { sys_nice } for pid=18367 comm="polkit-agent-he" capability=23 scontext=unconfined_u:unconfined_r:policykit_auth_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:policykit_auth_t:s0-s0:c0.c1023 tclass=capability

Hash: polkit-agent-he,policykit_auth_t,policykit_auth_t,capability,sys_nice
This seems to be caused by using pam_yubico (support for Yubikey OTP devices) with a PolicyKit-enabled application such as virt-manager. pam_yubico uses libyubikey, which uses libcurl to query the Yubikey server for authentication. I'm not sure of the details, but I think these syscalls are being triggered by NSPR inside libcurl.

One example stacktrace from a sched_setscheduler syscall captured with systemtap:

 0x7f9e9cd0d607 : __sched_setscheduler+0x7/0x30 [/usr/lib64/libc-2.15.so]
 0x7f9e9cff52e1 : pthread_setschedparam+0x51/0xb0 [/usr/lib64/libpthread-2.15.so]
 0x7f9e987065c3 : PR_SetThreadPriority+0x93/0xd0 [/usr/lib64/libnspr4.so]
 0x7f9e9870690a : PR_Yield+0x14a/0x1a0 [/usr/lib64/libnspr4.so]
 0x7f9e986f7b14 : PR_ErrorInstallCallback+0x1b4/0x220 [/usr/lib64/libnspr4.so]
 0x7f9e9972aed5 : curl_getdate+0x9645/0xc0d0 [/usr/lib64/libcurl.so.4.2.0]
 0x7f9e99714955 : curl_global_init+0x85/0xb0 [/usr/lib64/libcurl.so.4.2.0]
 0x7f9e99714aaa : curl_easy_init+0x1a/0x50 [/usr/lib64/libcurl.so.4.2.0]
 0x7f9e9a1b792f : ykclient_init+0x2f/0x150 [/usr/lib64/libykclient.so.3.3.3]
 0x7f9e9a3c06b5 : pam_sm_authenticate+0x8b5/0x2400 [/usr/lib64/security/pam_yubico.so]
 0x7f9e9d9920c4 [/usr/lib64/libpam.so.0.83.1+0x30c4/0x20e000]
Thanks. Fixed in selinux-policy-3.10.0-126.fc17
selinux-policy-3.10.0-128.fc17 has been submitted as an update for Fedora 17. https://admin.fedoraproject.org/updates/selinux-policy-3.10.0-128.fc17
Package selinux-policy-3.10.0-128.fc17:
* should fix your issue,
* was pushed to the Fedora 17 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.10.0-128.fc17'
as soon as you are able to. Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2012-8720/selinux-policy-3.10.0-128.fc17
then log in and leave karma (feedback).
selinux-policy-3.10.0-128.fc17 has been pushed to the Fedora 17 stable repository. If problems still persist, please make note of it in this bug report.
Miroslav, I still receive these AVC denials - did the two additions definitely go in? I can't find them in my loaded policy.

$ rpm -qf /etc/selinux/targeted/policy/policy.27
selinux-policy-targeted-3.10.0-153.fc17.noarch

$ sesearch --allow -s policykit_auth_t -t policykit_auth_t -c process
Found 2 semantic av rules:
   allow policykit_auth_t policykit_auth_t : process { fork sigchld signal getsched getcap getattr } ;
   allow policykit_auth_t policykit_auth_t : process setfscreate ;

(missing the setsched access vector)

$ sesearch --allow -s policykit_auth_t -t policykit_auth_t -c capability
Found 2 semantic av rules:
   allow policykit_auth_t policykit_auth_t : capability { setgid setuid ipc_lock audit_write } ;
   allow policykit_auth_t policykit_auth_t : capability net_bind_service ;

(missing sys_nice)
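The check done by hand in the comment above (parse the raw AVC records, compare them with what sesearch says the loaded policy already allows, and work out which permissions are still missing) can be scripted. The following is an added example, not code from this bug report or from the selinux-policy project. The two AVC lines and the four sesearch rules are copied verbatim from this report; the rule matching is deliberately simple and ignores attributes, conditional rules and dontaudit rules, which a real query against the binary policy (sesearch, audit2allow) handles and this toy does not.

```python
import re

# Raw AVC records exactly as quoted in this bug report.
AVC_LINES = [
    'type=AVC msg=audit(1336860927.579:398): avc: denied { setsched } for pid=18367 '
    'comm="polkit-agent-he" scontext=unconfined_u:unconfined_r:policykit_auth_t:s0-s0:c0.c1023 '
    'tcontext=unconfined_u:unconfined_r:policykit_auth_t:s0-s0:c0.c1023 tclass=process',
    'type=AVC msg=audit(1336860927.579:397): avc: denied { sys_nice } for pid=18367 '
    'comm="polkit-agent-he" capability=23 scontext=unconfined_u:unconfined_r:policykit_auth_t:s0-s0:c0.c1023 '
    'tcontext=unconfined_u:unconfined_r:policykit_auth_t:s0-s0:c0.c1023 tclass=capability',
]

# Allow rules as printed by sesearch for the loaded policy (selinux-policy-targeted-3.10.0-153.fc17).
LOADED_RULES = [
    "allow policykit_auth_t policykit_auth_t : process { fork sigchld signal getsched getcap getattr } ;",
    "allow policykit_auth_t policykit_auth_t : process setfscreate ;",
    "allow policykit_auth_t policykit_auth_t : capability { setgid setuid ipc_lock audit_write } ;",
    "allow policykit_auth_t policykit_auth_t : capability net_bind_service ;",
]

# Fields of an AVC denial: permission set, source/target context, object class.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+)\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)

# Accepts both sesearch output ("src tgt : class perms ;") and TE syntax ("src self:class perms;").
RULE_RE = re.compile(
    r"^allow\s+(?P<src>\S+)\s+(?P<tgt>\S+)\s*:\s*(?P<cls>\S+)\s+(?:\{\s*(?P<set>[^}]*)\}|(?P<one>\S+))\s*;"
)


def parse_avc(line):
    """Return {source, target, tclass, perms} for one AVC record, or None if it is not one."""
    m = AVC_RE.search(line)
    if not m:
        return None
    # A context is user:role:type:range; the type is the third field.
    return {
        "source": m.group("scontext").split(":")[2],
        "target": m.group("tcontext").split(":")[2],
        "tclass": m.group("tclass"),
        "perms": frozenset(m.group("perms").split()),
    }


def parse_rule(rule):
    """Return {source, target, tclass, perms} for one allow rule; 'self' is resolved to the source type."""
    m = RULE_RE.search(rule.strip())
    if not m:
        return None
    perms = m.group("set") if m.group("set") is not None else m.group("one")
    target = m.group("src") if m.group("tgt") == "self" else m.group("tgt")
    return {
        "source": m.group("src"),
        "target": target,
        "tclass": m.group("cls"),
        "perms": frozenset(perms.split()),
    }


def missing_perms(avc, rules):
    """Permissions from the denial that no rule in `rules` grants for the same (source, target, class)."""
    granted = set()
    for parsed in map(parse_rule, rules):
        if parsed and all(parsed[k] == avc[k] for k in ("source", "target", "tclass")):
            granted |= parsed["perms"]
    return avc["perms"] - granted


def te_rule(avc, perms):
    """Render the TE allow rule that would cover `perms`, using 'self' when source and target match."""
    perms = sorted(perms)
    target = "self" if avc["target"] == avc["source"] else avc["target"]
    perm_str = perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"
    return f"allow {avc['source']} {target}:{avc['tclass']} {perm_str};"


def audit_denials(lines, rules):
    """TE rules for every denial in `lines` that the loaded `rules` do not already cover."""
    needed = []
    for line in lines:
        avc = parse_avc(line)
        if avc is None:
            continue
        missing = missing_perms(avc, rules)
        if missing:
            needed.append(te_rule(avc, missing))
    return needed


if __name__ == "__main__":
    for rule in audit_denials(AVC_LINES, LOADED_RULES):
        print(rule)
```

Run against the report's data it prints the two rules the reporter found missing: `allow policykit_auth_t self:process setsched;` and `allow policykit_auth_t self:capability sys_nice;`. Feeding it the updated capability rule from the later commit in this thread removes the second line and leaves only the setsched one, which is exactly the follow-up the reporter asks for below.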
I apologize, it has not been added for policykit_auth_t.
Added. commit 44e47b64b08a0dbea9a43178d41d02a45ea3c53e Author: Miroslav Grepl <mgrepl> Date: Fri Oct 19 11:15:09 2012 +0200 policykit-auth wants sys_nice diff --git a/policy/modules/services/policykit.te b/policy/modules/services/policykit.te index 939fe6d..8971bdd 100644 --- a/policy/modules/services/policykit.te +++ b/policy/modules/services/policykit.te @@ -134,9 +134,9 @@ optional_policy(` # polkit_auth local policy # -allow policykit_auth_t self:capability { ipc_lock setgid setuid }; +allow policykit_auth_t self:capability { ipc_lock setgid setuid sys_nice };
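Review bot: the hunk widens only the capability rule to include sys_nice, while the first denial in this report (setsched on the process class, with scontext and tcontext both policykit_auth_t) is left uncovered; the same polkit_auth local policy section needs a matching rule, e.g. `allow policykit_auth_t self:process setsched;`. The commit message ("policykit-auth wants sys_nice") also names only the capability, so if both permissions are intended to land together it should mention setsched as well.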
Ok, thanks. setsched was also required for the process class, could you add that please?
Yes, it has been added with sys_nice.
(In reply to comment #11)
> Yes, it has been added with sys_nice.

Good, thank you.
selinux-policy-3.10.0-159.fc17 has been submitted as an update for Fedora 17. https://admin.fedoraproject.org/updates/selinux-policy-3.10.0-159.fc17
Package selinux-policy-3.10.0-159.fc17:
* should fix your issue,
* was pushed to the Fedora 17 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.10.0-159.fc17'
as soon as you are able to. Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2012-17782/selinux-policy-3.10.0-159.fc17
then log in and leave karma (feedback).