Bug 826023 - selinux is preventing apache asking for an SSL passphrase
selinux is preventing apache asking for an SSL passphrase
Status: CLOSED ERRATA
Product: Fedora
Classification: Fedora
Component: selinux-policy (Show other bugs)
17
Unspecified Unspecified
unspecified Severity unspecified
: ---
: ---
Assigned To: Miroslav Grepl
Fedora Extras Quality Assurance
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2012-05-29 08:03 EDT by Tom Hughes
Modified: 2012-06-30 17:50 EDT (History)
12 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2012-06-30 17:50:47 EDT
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)
This patch will turn the log_debugs to log_errors even in permissive mode. (3.80 KB, patch)
2012-06-11 10:59 EDT, Daniel Walsh
no flags Details | Diff

  None (edit)
Description Tom Hughes 2012-05-29 08:03:44 EDT
Description of problem:

Apache's attempts to ask (via systemd) for an SSL passphrase are being thwarted by selinux.

Version-Release number of selected component (if applicable):

selinux-policy-targeted-3.10.0-125.fc17.noarch

How reproducible:

Every time.

Steps to Reproduce:
1. Configure apache with a certificate that has a passphrase.
2. Try and start it.
  
Actual results:

It fails, with AVCs reported.

Expected results:

It asks (via systemd) for the passphrase and then starts.

Additional info:

The AVCs reported are:

time->Tue May 29 12:29:52 2012
type=AVC msg=audit(1338290992.779:76): avc:  denied  { read } for  pid=877 comm="httpd-ssl-pass-" path="/etc/pki/tls/private/www.example.com.key" dev="dm-0" ino=9702464 scontext=system_u:system_r:httpd_passwd_t:s0 tcontext=system_u:object_r:cert_t:s0 tclass=file
---
time->Tue May 29 12:29:52 2012
type=AVC msg=audit(1338290992.783:77): avc:  denied  { read } for  pid=877 comm="httpd-ssl-pass-" path="/usr/bin/bash" dev="dm-0" ino=16421031 scontext=system_u:system_r:httpd_passwd_t:s0 tcontext=system_u:object_r:shell_exec_t:s0 tclass=file
----
time->Tue May 29 12:58:01 2012
type=AVC msg=audit(1338292681.167:222): avc:  denied  { read } for  pid=1077 comm="httpd-ssl-pass-" name="passwd" dev="dm-0" ino=9535550 scontext=system_u:system_r:httpd_passwd_t:s0 tcontext=system_u:object_r:passwd_file_t:s0 tclass=file
----
time->Tue May 29 12:58:01 2012
type=AVC msg=audit(1338292681.167:223): avc:  denied  { open } for  pid=1077 comm="httpd-ssl-pass-" name="passwd" dev="dm-0" ino=9535550 scontext=system_u:system_r:httpd_passwd_t:s0 tcontext=system_u:object_r:passwd_file_t:s0 tclass=file
----
time->Tue May 29 12:58:01 2012
type=AVC msg=audit(1338292681.168:224): avc:  denied  { getattr } for  pid=1077 comm="httpd-ssl-pass-" path="/etc/passwd" dev="dm-0" ino=9535550 scontext=system_u:system_r:httpd_passwd_t:s0 tcontext=system_u:object_r:passwd_file_t:s0 tclass=file
----
time->Tue May 29 12:58:01 2012
type=AVC msg=audit(1338292681.176:225): avc:  denied  { write } for  pid=1077 comm="systemd-ask-pas" name="ask-password" dev="tmpfs" ino=8219 scontext=system_u:system_r:httpd_passwd_t:s0 tcontext=system_u:object_r:systemd_passwd_var_run_t:s0 tclass=dir
----
time->Tue May 29 12:58:01 2012
type=AVC msg=audit(1338292681.176:226): avc:  denied  { add_name } for  pid=1077 comm="systemd-ask-pas" name="tmp.khl2NG" scontext=system_u:system_r:httpd_passwd_t:s0 tcontext=system_u:object_r:systemd_passwd_var_run_t:s0 tclass=dir
----
time->Tue May 29 12:58:01 2012
type=AVC msg=audit(1338292681.177:227): avc:  denied  { create } for  pid=1077 comm="systemd-ask-pas" name="tmp.khl2NG" scontext=system_u:system_r:httpd_passwd_t:s0 tcontext=system_u:object_r:systemd_passwd_var_run_t:s0 tclass=file
----
time->Tue May 29 12:58:01 2012
type=AVC msg=audit(1338292681.177:228): avc:  denied  { read write open } for  pid=1077 comm="systemd-ask-pas" name="tmp.khl2NG" dev="tmpfs" ino=29520 scontext=system_u:system_r:httpd_passwd_t:s0 tcontext=system_u:object_r:systemd_passwd_var_run_t:s0 tclass=file
----
time->Tue May 29 12:58:01 2012
type=AVC msg=audit(1338292681.178:229): avc:  denied  { setattr } for  pid=1077 comm="systemd-ask-pas" name="tmp.khl2NG" dev="tmpfs" ino=29520 scontext=system_u:system_r:httpd_passwd_t:s0 tcontext=system_u:object_r:systemd_passwd_var_run_t:s0 tclass=file
----
time->Tue May 29 12:58:01 2012
type=AVC msg=audit(1338292681.178:230): avc:  denied  { getattr } for  pid=1077 comm="systemd-ask-pas" path="/run/systemd/ask-password/tmp.khl2NG" dev="tmpfs" ino=29520 scontext=system_u:system_r:httpd_passwd_t:s0 tcontext=system_u:object_r:systemd_passwd_var_run_t:s0 tclass=file
----
time->Tue May 29 12:58:01 2012
type=AVC msg=audit(1338292681.179:231): avc:  denied  { create } for  pid=1077 comm="systemd-ask-pas" name="sck.7735420083618819185" scontext=system_u:system_r:httpd_passwd_t:s0 tcontext=system_u:object_r:systemd_passwd_var_run_t:s0 tclass=sock_file
----
time->Tue May 29 12:58:01 2012
type=AVC msg=audit(1338292681.179:232): avc:  denied  { remove_name } for  pid=1077 comm="systemd-ask-pas" name="tmp.khl2NG" dev="tmpfs" ino=29520 scontext=system_u:system_r:httpd_passwd_t:s0 tcontext=system_u:object_r:systemd_passwd_var_run_t:s0 tclass=dir
----
time->Tue May 29 12:58:01 2012
type=AVC msg=audit(1338292681.179:233): avc:  denied  { rename } for  pid=1077 comm="systemd-ask-pas" name="tmp.khl2NG" dev="tmpfs" ino=29520 scontext=system_u:system_r:httpd_passwd_t:s0 tcontext=system_u:object_r:systemd_passwd_var_run_t:s0 tclass=file
----
time->Tue May 29 12:58:01 2012
type=AVC msg=audit(1338292681.412:235): avc:  denied  { signull } for  pid=1082 comm="systemd-tty-ask" scontext=system_u:system_r:systemd_passwd_agent_t:s0 tcontext=system_u:system_r:httpd_passwd_t:s0 tclass=process
----
time->Tue May 29 12:58:01 2012
type=AVC msg=audit(1338292681.414:236): avc:  denied  { write } for  pid=1082 comm="systemd-tty-ask" name="136:0" dev="tmpfs" ino=16347 scontext=system_u:system_r:systemd_passwd_agent_t:s0 tcontext=unconfined_u:object_r:init_var_run_t:s0 tclass=fifo_file
----
time->Tue May 29 12:58:03 2012
type=AVC msg=audit(1338292683.887:237): avc:  denied  { unlink } for  pid=1077 comm="systemd-ask-pas" name="sck.7735420083618819185" dev="tmpfs" ino=29522 scontext=system_u:system_r:httpd_passwd_t:s0 tcontext=system_u:object_r:systemd_passwd_var_run_t:s0 tclass=sock_file
----
time->Tue May 29 12:58:03 2012
type=AVC msg=audit(1338292683.887:238): avc:  denied  { unlink } for  pid=1077 comm="systemd-ask-pas" name="ask.khl2NG" dev="tmpfs" ino=29520 scontext=system_u:system_r:httpd_passwd_t:s0 tcontext=system_u:object_r:systemd_passwd_var_run_t:s0 tclass=file
Comment 1 Daniel Walsh 2012-05-29 14:31:53 EDT
Fixed in selinux-policy-3.10.0-128.fc17
Comment 2 Tom Hughes 2012-06-06 05:58:29 EDT
This is a bit strange, but with that policy applied it still doesn't seem to work unless I go to permissive mode.

The strange bit though, is that I'm not seeing any AVCs at all, yet switching to permissive mode makes it work.
Comment 3 Daniel Walsh 2012-06-07 14:25:29 EDT
Try it with dontaudit rules off.

# semodule -DB
Run your app
# semodule -B

Look for new AVC messages.
Comment 4 Tom Hughes 2012-06-07 15:57:06 EDT
Yes, that found a load more AVCs:

time->Thu Jun  7 20:42:55 2012
type=AVC msg=audit(1339098175.088:5307): avc:  denied  { rlimitinh } for  pid=9330 comm="missing" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:httpd_sys_script_t:s0 tclass=process
----
time->Thu Jun  7 20:42:55 2012
type=AVC msg=audit(1339098175.088:5308): avc:  denied  { siginh } for  pid=9330 comm="missing" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:httpd_sys_script_t:s0 tclass=process
----
time->Thu Jun  7 20:42:55 2012
type=AVC msg=audit(1339098175.089:5309): avc:  denied  { noatsecure } for  pid=9330 comm="missing" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:httpd_sys_script_t:s0 tclass=process
----
time->Thu Jun  7 20:53:21 2012
type=AVC msg=audit(1339098801.916:5343): avc:  denied  { read } for  pid=9361 comm="httpd" name="mls" dev="selinuxfs" ino=12 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:security_t:s0 tclass=file
----
time->Thu Jun  7 20:53:21 2012
type=AVC msg=audit(1339098801.916:5344): avc:  denied  { open } for  pid=9361 comm="httpd" name="mls" dev="selinuxfs" ino=12 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:security_t:s0 tclass=file
----
time->Thu Jun  7 20:53:21 2012
type=AVC msg=audit(1339098801.988:5345): avc:  denied  { rlimitinh } for  pid=9362 comm="httpd-ssl-pass-" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:httpd_passwd_t:s0 tclass=process
----
time->Thu Jun  7 20:53:21 2012
type=AVC msg=audit(1339098801.988:5346): avc:  denied  { siginh } for  pid=9362 comm="httpd-ssl-pass-" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:httpd_passwd_t:s0 tclass=process
----
time->Thu Jun  7 20:53:21 2012
type=AVC msg=audit(1339098801.989:5347): avc:  denied  { noatsecure } for  pid=9362 comm="httpd-ssl-pass-" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:httpd_passwd_t:s0 tclass=process
----
time->Thu Jun  7 20:53:22 2012
type=AVC msg=audit(1339098802.032:5348): avc:  denied  { getattr } for  pid=9362 comm="systemd-ask-pas" path="/run/systemd" dev="tmpfs" ino=1944 scontext=system_u:system_r:httpd_passwd_t:s0 tcontext=system_u:object_r:init_var_run_t:s0 tclass=dir
----
time->Thu Jun  7 20:53:26 2012
type=AVC msg=audit(1339098806.557:5350): avc:  denied  { siginh } for  pid=9372 comm="missing" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:httpd_sys_script_t:s0 tclass=process
----
time->Thu Jun  7 20:53:26 2012
type=AVC msg=audit(1339098806.558:5351): avc:  denied  { noatsecure } for  pid=9372 comm="missing" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:httpd_sys_script_t:s0 tclass=process
----
time->Thu Jun  7 20:53:26 2012
type=AVC msg=audit(1339098806.557:5349): avc:  denied  { rlimitinh } for  pid=9372 comm="missing" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:httpd_sys_script_t:s0 tclass=process
Comment 5 Daniel Walsh 2012-06-07 17:17:44 EDT
Fixed in selinux-policy-3.10.0-129.fc17


You can check this by executing

# grep init_var_run_t /var/log/audit/audit.log | audit2allow -M mysystemd
# semodule -i mysystemd.pp
Comment 6 Tom Hughes 2012-06-08 05:22:28 EDT
Well that fixes one of the AVCs yes, but it still leaves these:

time->Fri Jun  8 09:52:55 2012
type=AVC msg=audit(1339145575.342:7554): avc:  denied  { read } for  pid=19868 comm="httpd" name="mls" dev="selinuxfs" ino=12 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:security_t:s0 tclass=file
----
time->Fri Jun  8 09:52:55 2012
type=AVC msg=audit(1339145575.342:7555): avc:  denied  { open } for  pid=19868 comm="httpd" name="mls" dev="selinuxfs" ino=12 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:security_t:s0 tclass=file
----
time->Fri Jun  8 09:52:55 2012
type=AVC msg=audit(1339145575.407:7556): avc:  denied  { rlimitinh } for  pid=19869 comm="httpd-ssl-pass-" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:httpd_passwd_t:s0 tclass=process
----
time->Fri Jun  8 09:52:55 2012
type=AVC msg=audit(1339145575.407:7557): avc:  denied  { siginh } for  pid=19869 comm="httpd-ssl-pass-" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:httpd_passwd_t:s0 tclass=process
----
time->Fri Jun  8 09:52:55 2012
type=AVC msg=audit(1339145575.408:7558): avc:  denied  { noatsecure } for  pid=19869 comm="httpd-ssl-pass-" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:httpd_passwd_t:s0 tclass=process
Comment 7 Daniel Walsh 2012-06-08 06:51:55 EDT
Well you can turn off the dontaudit rules if the app works.

semodule -B
Comment 8 Tom Hughes 2012-06-08 06:53:50 EDT
Well that's the point, even with that custom module it doesn't work unless I go into permissive mode...
Comment 9 Daniel Walsh 2012-06-08 07:07:34 EDT
Ok change the custom policy to add all of those alerts and see if it works.
Comment 10 Tom Hughes 2012-06-08 08:58:11 EDT
Right, so I rebuild the custom policy to cover all those AVCs, and it still fails unless I am in permissive mode.

So in summary, in permissive mode it works, with no AVCs (not even dontaudit ones) and in enforcing mode it fails.

Basically systemd-ask-password is failing to create the file in /run/systemd/ask-password that would trigger the password prompt. Watching with inotifywait I can see that in enforcing mode the only events are:

/run/systemd/ask-password/ OPEN,ISDIR 
/run/systemd/ask-password/ CLOSE_NOWRITE,CLOSE,ISDIR 

while in permissive mode you get:

/run/systemd/ask-password/ OPEN,ISDIR 
/run/systemd/ask-password/ CLOSE_NOWRITE,CLOSE,ISDIR 
/run/systemd/ask-password/ CREATE tmp.GlVgCL
/run/systemd/ask-password/ OPEN,ISDIR 
/run/systemd/ask-password/ CLOSE_NOWRITE,CLOSE,ISDIR 
/run/systemd/ask-password/ OPEN tmp.GlVgCL
/run/systemd/ask-password/ ATTRIB tmp.GlVgCL
/run/systemd/ask-password/ CREATE sck.3176690537257226118
/run/systemd/ask-password/ MODIFY tmp.GlVgCL
/run/systemd/ask-password/ MOVED_FROM tmp.GlVgCL
/run/systemd/ask-password/ OPEN,ISDIR 
/run/systemd/ask-password/ MOVED_TO ask.GlVgCL
...

etc
Comment 11 Daniel Walsh 2012-06-08 10:19:37 EDT
And you are not seeing any avc messages with dontaudit rulese disabled?

semdoule -DB
setenforce 0
Attempt your connection
Look for AVC's.  I would think we are still not giving it permission to search through /run/systemd/ask-password.
Comment 12 Tom Hughes 2012-06-08 10:48:35 EDT
Absolutely sure... I just did this:

centurion [~] % getenforce
Permissive
centurion [~] % sudo semodule -DB 
...
centurion [~] % sudo systemctl restart httpd.service
Enter SSL pass phrase for www.example.com:443 (RSA) : ********

and all I that got added to audit.log is:

type=USER_AUTH msg=audit(1339166732.831:8599): pid=0 uid=0 auid=2067 ses=685 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='op=PAM:authentication acct="thh" exe="/usr/bin/sudo" hostname=? addr=? terminal=/dev/pts/1 res=success'
type=USER_ACCT msg=audit(1339166732.848:8600): pid=0 uid=0 auid=2067 ses=685 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='op=PAM:accounting acct="thh" exe="/usr/bin/sudo" hostname=? addr=? terminal=/dev/pts/1 res=success'
type=USER_CMD msg=audit(1339166732.854:8601): pid=0 uid=0 auid=2067 ses=685 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='cwd="/home/thh" cmd=73797374656D63746C20726573746172742068747470642E73657276696365 terminal=pts/1 res=success'
type=CRED_ACQ msg=audit(1339166732.859:8602): pid=0 uid=0 auid=2067 ses=685 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='op=PAM:setcred acct="root" exe="/usr/bin/sudo" hostname=? addr=? terminal=/dev/pts/1 res=success'
type=USER_START msg=audit(1339166732.867:8603): pid=0 uid=0 auid=2067 ses=685 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='op=PAM:session_open acct="root" exe="/usr/bin/sudo" hostname=? addr=? terminal=/dev/pts/1 res=success'
type=SERVICE_STOP msg=audit(1339166734.467:8604): pid=0 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg=' comm="httpd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
type=SERVICE_START msg=audit(1339166742.743:8605): pid=0 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg=' comm="httpd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
type=USER_END msg=audit(1339166742.760:8606): pid=0 uid=0 auid=2067 ses=685 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='op=PAM:session_close acct="root" exe="/usr/bin/sudo" hostname=? addr=? terminal=/dev/pts/1 res=success'

then if I turn enforcing on:

centurion [~] % sudo setenforce 1  
centurion [~] % sudo systemctl restart httpd.service
Job failed. See system journal and 'systemctl status' for details.
Comment 13 Daniel Walsh 2012-06-08 11:33:44 EDT
Strange do you see any AVC's in /var/log/messages?
Comment 14 Tom Hughes 2012-06-08 12:20:04 EDT
Not any AVCs as such, though there is one strange message when the polic reloaded. Here are the messages from when I reloaded to turn off dontaudit:

Jun  8 15:42:18 centurion kernel: [190138.696800] SELinux:  Permission ptrace_child in class process not defined in policy.
Jun  8 15:42:18 centurion kernel: [190138.697680] SELinux: the above unknown classes and permissions will be allowed
Jun  8 15:42:29 centurion dbus-daemon[537]: dbus[537]: avc:  received policyload notice (seqno=11)
Jun  8 15:42:29 centurion dbus[537]: avc:  received policyload notice (seqno=11)
Jun  8 15:42:30 centurion dbus-daemon[537]: dbus[537]: [system] Reloaded configuration
Jun  8 15:42:30 centurion dbus[537]: [system] Reloaded configuration

and the messages from setting enforcing mode and then doing a failed restart:

Jun  8 15:47:50 centurion dbus-daemon[537]: dbus[537]: avc:  received setenforce notice (enforcing=1)
Jun  8 15:47:50 centurion dbus[537]: avc:  received setenforce notice (enforcing=1)
Jun  8 15:47:50 centurion dbus-daemon[537]: dbus[537]: [system] Reloaded configuration
Jun  8 15:47:50 centurion dbus[537]: [system] Reloaded configuration
Jun  8 15:47:53 centurion systemd[1]: httpd.service: control process exited, code=exited status=1
Jun  8 15:47:53 centurion systemd[1]: Unit httpd.service entered failed state.
Comment 15 Stephen Smalley 2012-06-08 13:15:03 EDT
Have all userspace components that previously did their own direct calls to security_compute_av or used libselinux checkPasswdAccess or selinux_check_passwd_access() been converted over to using selinux_check_access()?  If not, then you might be getting userspace permission denials without AVC messages, as per old bug 518268.

Another possibility is that I think you directly checking enforcing mode in some userspace code and if permissive, succeed even in the face of errors other than permission denials, which wouldn't get logged.  So that would be something to check.

What exact userspace components are involved in this transaction?  pam modules?  shadow-utils programs?
Comment 16 Tom Hughes 2012-06-10 06:11:25 EDT
So basically apache is running /usr/libexec/httpd-ssl-pass-dialog from the mod_ssl package, which is just a simple shell script:

#!/bin/sh

exec /bin/systemd-ask-password "Enter SSL pass phrase for $1 ($2) : "

then /bin/systemd-ask-password is trying to create a socket and a text file in /run/systemd/ask-password which systemd will detect with inotify and which will trigger it into prompting for a password.

The actual code which is running shoud be this:

http://cgit.freedesktop.org/systemd/systemd/tree/src/ask-password-api.c?id=16f1239e1ece27257c0deedcf01aa39474f66241#n326

I'm think it is getting as far as the mkdir_p() call, because something it accessing the directory, but clearly it never gets as far as creating the file a few lines later. The mkdir_p code is hre:

http://cgit.freedesktop.org/systemd/systemd/tree/src/util.c?id=16f1239e1ece27257c0deedcf01aa39474f66241#n1648

I guess the interesting thing there is that it uss label_mkdir, which does do selinux stuff - you can see that here:

http://cgit.freedesktop.org/systemd/systemd/tree/src/label.c?id=16f1239e1ece27257c0deedcf01aa39474f66241#n286
Comment 17 Stephen Smalley 2012-06-11 08:09:32 EDT
Dan, in label.c, in any situation where you permit it to proceed if not enforcing, you need to log a message if it wasn't due to a permission denial so that it is possible to debug such failures.  Also, I see that in various cases, the logs are done at LOG_DEBUG rather than LOG_ERR if not enforcing there.  How does one turn up debug logging for systemd?  That also seems prone to hiding errors in permissive mode.
Comment 18 Daniel Walsh 2012-06-11 10:59:33 EDT
Created attachment 590965 [details]
This patch will turn the log_debugs to log_errors even in permissive mode.

I added a log_error to show it is in permissive mode.
Comment 19 Tom Hughes 2012-06-19 07:44:44 EDT
After some mucking about I have now managed to get to see the log messages reported by systemd-ask-password (which go to stderr which is discarded by apache) and I can now reveal that the following is reported:

Failed to create password file: Permission denied

which indicates that the call to mkostemp() in ask_password_agent() is failing.
Comment 20 Stephen Smalley 2012-06-19 08:15:25 EDT
In that case, you should have an avc denial.
ausearch -i -m AVC,USER_AVC,SELINUX_ERR -ts today

If not, try this:
semodule -DB
Trigger the denial again.
ausearch -i -m AVC,USER_AVC,SELINUX_ERR -ts recent
semodule -B
Comment 21 Tom Hughes 2012-06-19 08:49:54 EDT
OK so I have no idea why this wasn't showing up before, but I see there is one new AVC that was appearing, then stopped appearing, then has started again a few hours ago:

type=AVC msg=audit(1340106041.157:48401): avc:  denied  { search } for  pid=4866 comm="systemd-ask-pas" name="systemd" dev="tmpfs" ino=1944 scontext=system_u:system_r:httpd_passwd_t:s0 tcontext=system_u:object_r:init_var_run_t:s0 tclass=dir

and sure enough, adding this rule:

allow httpd_passwd_t init_var_run_t:dir search;

gets everything working...
Comment 22 Daniel Walsh 2012-06-19 09:29:34 EDT
Fixed in selinux-policy-3.10.0-133.fc17
Comment 23 Fedora Update System 2012-06-26 17:46:59 EDT
selinux-policy-3.10.0-134.fc17 has been submitted as an update for Fedora 17.
https://admin.fedoraproject.org/updates/selinux-policy-3.10.0-134.fc17
Comment 24 Fedora Update System 2012-06-27 23:36:44 EDT
Package selinux-policy-3.10.0-134.fc17:
* should fix your issue,
* was pushed to the Fedora 17 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.10.0-134.fc17'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2012-10008/selinux-policy-3.10.0-134.fc17
then log in and leave karma (feedback).
Comment 25 Fedora Update System 2012-06-30 17:50:47 EDT
selinux-policy-3.10.0-134.fc17 has been pushed to the Fedora 17 stable repository.  If problems still persist, please make note of it in this bug report.

Note You need to log in before you can comment on or make changes to this bug.