Bug 868839 (s390execmod) - Login is slow, AVC denials in audit.log
Summary: Login is slow, AVC denials in audit.log
Keywords:
Status: CLOSED WONTFIX
Alias: s390execmod
Product: Fedora
Classification: Fedora
Component: systemd
Version: 18
Hardware: Unspecified
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: systemd-maint
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks: ZedoraTracker 872148 fedora19rtt 1175590
Reported: 2012-10-22 09:21 UTC by Jan Stodola
Modified: 2014-12-18 07:04 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2014-02-05 23:25:27 UTC
Type: Bug
Embargoed:


Attachments (Terms of Use)
audit.log (10.46 KB, text/plain)
2012-10-22 09:22 UTC, Jan Stodola
var/log/messages (4.55 KB, text/plain)
2012-10-22 09:23 UTC, Jan Stodola
audit.log file after the fix-up of systemd-logind makefile and login is not delayed (331.77 KB, text/plain)
2012-11-08 08:12 UTC, IBM Bug Proxy
audit.log file whence the avc denial occurs and login is delayed (54.18 KB, application/octet-stream)
2012-11-08 08:51 UTC, IBM Bug Proxy


Links
System ID Private Priority Status Summary Last Updated
Sourceware 14940 0 None None None Never

Description Jan Stodola 2012-10-22 09:21:35 UTC
Description of problem:
When trying to log in to the installed system, there is a delay of about 20 seconds after the password is entered. After the delay, the user is logged into the system.

There are AVC denials in audit.log and this issue is not reproducible in permissive mode.

Version-Release number of selected component (if applicable):
selinux-policy-targeted-3.11.1-32.fc18.noarch
systemd-194-1.fc18.s390x

How reproducible:
always

Steps to Reproduce:
1. install system and reboot
2. try to log into the system
  
Actual results:
about 20 seconds delay between entering password and logging into system, AVC denials

Expected results:
user is logged in without a delay, no AVC denials

Additional info:
Tested only on s390x.

Comment 1 Jan Stodola 2012-10-22 09:22:26 UTC
Created attachment 631346 [details]
audit.log

Comment 2 Jan Stodola 2012-10-22 09:23:06 UTC
Created attachment 631347 [details]
var/log/messages

Comment 3 Miroslav Grepl 2012-10-22 12:56:26 UTC
This is strange.

Comment 4 Miroslav Grepl 2012-10-22 12:57:08 UTC
Ok, I have just noticed this happens on s390x.

Comment 5 Daniel Walsh 2012-10-24 19:29:33 UTC
Why does s390x need execmod for executing apps?

Comment 6 Stephen Smalley 2012-10-24 19:35:13 UTC
Check for text relocation in the executable or one of the .so files on which it depends.

Comment 7 Daniel Walsh 2012-10-24 19:38:20 UTC
This looks like an s390 kernel issue since the executing of one program should not require execmod access.

We are not seeing this on other platforms.

Comment 8 IBM Bug Proxy 2012-11-08 08:12:01 UTC
Created attachment 640642 [details]
audit.log file after the fix-up of systemd-logind makefile and login is not delayed



The audit.log file after the "avc" denial problem is fixed by properly compiling the systemd-logind binary. Note that the contents of the "Before_Fix_audit.log" are also included in this file.

Comment 9 IBM Bug Proxy 2012-11-08 08:40:47 UTC
Please refer to the attachments as given in the RH Bugzilla.
Due to this bug the usual login attempt takes in excess of 20 secs.

The Fedora-18 version is dated 20121105, and was downloaded from "http://s390.koji.fedoraproject.org/tree/test/20121105/s390x/os/"

Explanation (root-cause) of the issue:-

The offending line (in audit.log) is:-

type=AVC msg=audit(1352272376.592:8): avc:  denied  { execmod } for  pid=604 comm="systemd-logind" path="/usr/lib/systemd/systemd-logind" dev="dm-2" ino=790    765 scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u:object_r:systemd_logind_exec_t:s0 tclass=file

In the above we see that there is an 'avc' denial. The systemd-logind daemon is invoked every time the login attempt is done (please refer to the '.log' files in the attachments). The systemd-logind steps are causing errors with SELinux, which does not find (part of) the systemd-logind binary as made 'relocatable' at build time. Hence the error. The repeated invocations of this daemon will cause the login to get delayed. A thorough description of how text relocation can cause the issue of "AVC Denial" is best explained at "http://www.akkadia.org/drepper/textrelocs.html". Please refer to the screen-dump below:-

[mockbuild@r3530040 systemd-195_DISSECTION]$ rpm -qf /usr/lib/systemd/systemd-logind
systemd-195-2.fc18.s390x
[mockbuild@r3530040 systemd-195_DISSECTION]$ eu-findtextrel /usr/lib/systemd/systemd-logind
either the file containing the function '_fini' or the file containing the function '' is not compiled with -fpic/-fPIC
[mockbuild@r3530040 systemd-195_DISSECTION]$ which eu-findtextrel
/usr/bin/eu-findtextrel
[mockbuild@r3530040 systemd-195_DISSECTION]$ rpm -qf /usr/bin/eu-findtextrel
elfutils-0.155-1.fc18.s390x

It is evident that (a part of) systemd-logind binary is not compiled with "-fPIC" flag. In order to further narrow-down on the problem the "systemd-195-2.fc18.src.rpm" was downloaded and built. This leaves (in the $HOME/rpmbuild/BUILD/systemd-195/.libs/ directory) an "Un-Stripped" version of the systemd-logind binary, and which shows the problem area in more detail:-

[mockbuild@r3530040 systemd-195_DISSECTION]$ eu-findtextrel ~/rpmbuild/BUILD/systemd-195/.libs/systemd-logind
either the file containing the function '__PRETTY_FUNCTION__.8524' or the file containing the function '__PRETTY_FUNCTION__.8532' is not compiled with -fpic/-fPIC

The following screen-dump shows the offending object code:-

[mockbuild@r3530040 systemd-195_DISSECTION]$ cd ~/rpmbuild;for oName in `find ./ -name '*.o' -print`; do nm -a $oName|grep PRETTY|grep 8532 && echo $oName; nm -a $oName|grep PRETTY|grep 8524 && echo $oName; done;cd -
0000000000000000 r __PRETTY_FUNCTION__.8532
0000000000000000 r .rodata.__PRETTY_FUNCTION__.8532
./BUILD/systemd-195/src/login/systemd_logind-logind-inhibit.o
0000000000000000 r __PRETTY_FUNCTION__.8524
0000000000000000 r .rodata.__PRETTY_FUNCTION__.8524
./BUILD/systemd-195/src/login/systemd_logind-logind-user.o
/home/mockbuild/systemd-195_DISSECTION

From above it is evident that above object files were not compiled with the "-fPIC" option, and the make-file is manually changed (note the -fPIC):-

[mockbuild@r3530040 systemd-195]$ diff ./Makefile Makefile.orig
7998,7999c7998
< #MANIKJ
<               -fPIC -c -o src/login/systemd_logind-logind-inhibit.o `test -f 'src/login/logind-inhibit.c' || echo '/'`src/login/logind-inhibit.c
---
>               -c -o src/login/systemd_logind-logind-inhibit.o `test -f 'src/login/logind-inhibit.c' || echo '/'`src/login/logind-inhibit.c
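
Review bot: -fPIC is added only to the compile rule for src/login/systemd_logind-logind-inhibit.o, but the nm output earlier in this comment also points at systemd_logind-logind-user.o, so the second flagged object is still built without the flag; setting it in the CFLAGS shared by all systemd_logind objects would cover both. The diff is taken as "diff ./Makefile Makefile.orig", so the "<" lines are the modified file and the hunk reads reversed; swapping the arguments gives a diff that applies to the original. The "#MANIKJ" marker line placed directly above the compile line should be dropped from the change.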

The resulting 'systemd-logind' binary is 'stripped' and is placed in "/usr/lib/systemd/systemd-logind" (overwriting the older one). The system is rebooted, and there is *NO* delay in login.
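
The triage path used in comments 6 and 9 (take the file named in an execmod denial, then check it for text relocations) can be scripted. The following is an added example, not code from this bug report or from systemd/elfutils: the names execmod_paths, has_textrel and SAMPLE_AVC are hypothetical, and the sample line is constructed after the denial quoted above. It reads the ELF dynamic section directly for the DT_TEXTREL / DF_TEXTREL markers and handles big-endian (s390, s390x) and little-endian, 32-bit and 64-bit files; it does not name the offending functions the way eu-findtextrel does.

```python
import re
import struct
import sys

# Constructed sample, modelled on the denial quoted in comment 9.
SAMPLE_AVC = ('type=AVC msg=audit(1352272376.592:8): avc:  denied  { execmod } for '
              'pid=604 comm="systemd-logind" path="/usr/lib/systemd/systemd-logind" '
              'scontext=system_u:system_r:systemd_logind_t:s0 '
              'tcontext=system_u:object_r:systemd_logind_exec_t:s0 tclass=file')

AVC_RE = re.compile(r'avc:\s+denied\s+\{([^}]*)\}.*?\bpath="([^"]+)"')
PT_DYNAMIC, DT_NULL, DT_TEXTREL, DT_FLAGS, DF_TEXTREL = 2, 0, 22, 30, 0x4

def execmod_paths(log_text):
    """Paths of files named in AVC denials whose permission set has execmod."""
    hits = (m.groups() for m in map(AVC_RE.search, log_text.splitlines()) if m)
    return sorted({path for perms, path in hits if 'execmod' in perms.split()})

def has_textrel(elf):
    """True if the ELF image (bytes) declares text relocations in PT_DYNAMIC."""
    if elf[:4] != b'\x7fELF':
        raise ValueError('not an ELF file')
    is64 = elf[4] == 2                      # EI_CLASS: 1 = 32-bit, 2 = 64-bit
    e = '>' if elf[5] == 2 else '<'         # EI_DATA: s390/s390x are big-endian
    word = 'Q' if is64 else 'I'
    phoff, = struct.unpack_from(e + word, elf, 0x20 if is64 else 0x1c)
    phentsize, phnum = struct.unpack_from(e + 'HH', elf, 0x36 if is64 else 0x2a)
    for i in range(phnum):
        ph = phoff + i * phentsize
        if struct.unpack_from(e + 'I', elf, ph)[0] != PT_DYNAMIC:
            continue
        offset, = struct.unpack_from(e + word, elf, ph + (8 if is64 else 4))
        filesz, = struct.unpack_from(e + word, elf, ph + (32 if is64 else 16))
        entsize = 16 if is64 else 8
        for pos in range(offset, offset + filesz - entsize + 1, entsize):
            tag, val = struct.unpack_from(e + word * 2, elf, pos)
            if tag == DT_NULL:
                break
            if tag == DT_TEXTREL or (tag == DT_FLAGS and val & DF_TEXTREL):
                return True
    return False

if __name__ == '__main__':
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_AVC
    for path in execmod_paths(text):
        try:
            with open(path, 'rb') as fh:
                print(path, 'TEXTREL' if has_textrel(fh.read()) else 'no TEXTREL')
        except (OSError, ValueError) as exc:
            print(path, 'skipped:', exc)
```

Run with an audit.log path as the only argument; without one, the constructed sample line is used.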

Comment 10 IBM Bug Proxy 2012-11-08 08:51:07 UTC
Created attachment 640646 [details]
audit.log file whence the avc denial occurs and login is delayed



The audit.log file as seen immediately after first login using ssh.

Comment 11 Jan Stodola 2012-11-26 13:48:04 UTC
Any progress on this bug? 
It is still reproducible with systemd-195-7.

Comment 12 Daniel Walsh 2012-11-27 13:54:51 UTC
Looks like 

https://bugzilla.redhat.com/show_bug.cgi?id=872148

Is making progress

Comment 13 Michal Schmidt 2012-12-10 12:40:19 UTC
The combination of PIE and __thread is broken on s390(x). I disabled the hardening flags (which include PIE) in systemd-195-11.fc18 and systemd-196-3.fc19.

http://koji.fedoraproject.org/koji/taskinfo?taskID=4772807
http://koji.fedoraproject.org/koji/taskinfo?taskID=4772430

Comment 14 Michal Schmidt 2012-12-10 12:41:28 UTC
(In reply to comment #13)
> I disabled the hardening flags

(arch-conditionally, only on s390, s390x)

Comment 15 Michal Schmidt 2012-12-11 19:18:44 UTC
http://sourceware.org/bugzilla/show_bug.cgi?id=14940

Comment 16 Jan Stodola 2013-06-10 07:32:43 UTC
No longer able to reproduce with systemd-204-3.fc19.s390x, moving to VERIFIED.

Comment 17 Fedora End Of Life 2013-12-21 15:52:41 UTC
This message is a reminder that Fedora 18 is nearing its end of life.
Approximately 4 (four) weeks from now Fedora will stop maintaining
and issuing updates for Fedora 18. It is Fedora's policy to close all
bug reports from releases that are no longer maintained. At that time
this bug will be closed as WONTFIX if it remains open with a Fedora 
'version' of '18'.

Package Maintainer: If you wish for this bug to remain open because you
plan to fix it in a currently maintained version, simply change the 'version' 
to a later Fedora version prior to Fedora 18's end of life.

Thank you for reporting this issue and we are sorry that we may not be 
able to fix it before Fedora 18 is end of life. If you would still like 
to see this bug fixed and are able to reproduce it against a later version 
of Fedora, you are encouraged to change the 'version' to a later Fedora 
version prior to Fedora 18's end of life.

Although we aim to fix as many bugs as possible during every release's 
lifetime, sometimes those efforts are overtaken by events. Often a 
more recent Fedora release includes newer upstream software that fixes 
bugs or makes them obsolete.

Comment 18 Fedora End Of Life 2014-02-05 23:25:27 UTC
Fedora 18 changed to end-of-life (EOL) status on 2014-01-14. Fedora 18 is
no longer maintained, which means that it will not receive any further
security or bug fix updates. As a result we are closing this bug.

If you can reproduce this bug against a currently maintained version of
Fedora please feel free to reopen this bug against that version. If you
are unable to reopen this bug, please file a new report against the
current release. If you experience problems, please add a comment to this
bug.

Thank you for reporting this bug and we are sorry it could not be fixed.

Comment 19 IBM Bug Proxy 2014-12-18 07:04:02 UTC
------- Comment From manibajp.com 2012-11-08 08:37 EDT-------

