Bug 868839 - (s390execmod) Login is slow, AVC denials in audit.log
Status: CLOSED WONTFIX
Product: Fedora
Classification: Fedora
Component: systemd
Version: 18
Hardware: Unspecified
OS: Linux
Priority: medium
Severity: medium
Assigned To: systemd-maint
QA Contact: Fedora Extras Quality Assurance
Blocks: ZedoraTracker 872148 fedora19rtt 1175590

Reported: 2012-10-22 05:21 EDT by Jan Stodola
Modified: 2014-12-18 02:04 EST
Last Closed: 2014-02-05 18:25:27 EST
Type: Bug

Attachments
audit.log (10.46 KB, text/plain)
2012-10-22 05:22 EDT, Jan Stodola
var/log/messages (4.55 KB, text/plain)
2012-10-22 05:23 EDT, Jan Stodola
audit.log file after the fix-up of systemd-logind makefile and login is not delayed (331.77 KB, text/plain)
2012-11-08 03:12 EST, IBM Bug Proxy
audit.log file whence the avc denial occurs and login is delayed (54.18 KB, application/octet-stream)
2012-11-08 03:51 EST, IBM Bug Proxy

External Trackers
Tracker ID Priority Status Summary Last Updated
Sourceware 14940 None None None Never

Description Jan Stodola 2012-10-22 05:21:35 EDT
Description of problem:
When trying to log in to the installed system, there is a delay of about 20 seconds after the password is entered. After the delay, the user is logged into the system.

There are AVC denials in audit.log and this issue is not reproducible in permissive mode.

Version-Release number of selected component (if applicable):
selinux-policy-targeted-3.11.1-32.fc18.noarch
systemd-194-1.fc18.s390x

How reproducible:
always

Steps to Reproduce:
1. install system and reboot
2. try to log into the system
  
Actual results:
about 20 seconds delay between entering password and logging into system, AVC denials

Expected results:
user is logged in without a delay, no AVC denials

Additional info:
Tested only on s390x.
Comment 1 Jan Stodola 2012-10-22 05:22:26 EDT
Created attachment 631346
audit.log
Comment 2 Jan Stodola 2012-10-22 05:23:06 EDT
Created attachment 631347
var/log/messages
Comment 3 Miroslav Grepl 2012-10-22 08:56:26 EDT
This is strange.
Comment 4 Miroslav Grepl 2012-10-22 08:57:08 EDT
Ok, I have just noticed this happens on s390x.
Comment 5 Daniel Walsh 2012-10-24 15:29:33 EDT
Why does s390x need execmod for executing apps?
Comment 6 Stephen Smalley 2012-10-24 15:35:13 EDT
Check for text relocation in the executable or one of the .so files on which it depends.
Comment 7 Daniel Walsh 2012-10-24 15:38:20 EDT
This looks like an s390 kernel issue since the executing of one program should not require execmod access.

We are not seeing this on other platforms.
Comment 8 IBM Bug Proxy 2012-11-08 03:12:01 EST
Created attachment 640642
audit.log file after the fix-up of systemd-logind makefile and login is not delayed

The audit.log file after the "avc" denial problem is fixed by properly compiling the systemd-logind binary. Note that the contents of the "Before_Fix_audit.log" are also included in this file.
Comment 9 IBM Bug Proxy 2012-11-08 03:40:47 EST
Please refer to the attachments as given in the RH Bugzilla.
Due to this bug the usual login attempt takes in excess of 20 secs.

The Fedora-18 version is date 20121105, and downloaded from "http://s390.koji.fedoraproject.org/tree/test/20121105/s390x/os/"

Explanation (root-cause) of the issue:-

The offending line (in audit.log) is:-

type=AVC msg=audit(1352272376.592:8): avc:  denied  { execmod } for  pid=604 comm="systemd-logind" path="/usr/lib/systemd/systemd-logind" dev="dm-2" ino=790    765 scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u:object_r:systemd_logind_exec_t:s0 tclass=file

In the above we see that there is an 'avc' denial. The systemd-logind daemon is invoked every time the login attempt is done (please refer to the '.log' files in the attachments). The systemd-logind steps are causing errors with SELinux, which does not find (part of) the systemd-logind binary as made 'relocatable' at build time. Hence the error. The repeated invocations of this daemon will cause the login to get delayed. A thorough description of how text relocation can cause the issue of "AVC Denial" is best explained at "http://www.akkadia.org/drepper/textrelocs.html". Please refer to the screen-dump below:-

[mockbuild@r3530040 systemd-195_DISSECTION]$ rpm -qf /usr/lib/systemd/systemd-logind
systemd-195-2.fc18.s390x
[mockbuild@r3530040 systemd-195_DISSECTION]$ eu-findtextrel /usr/lib/systemd/systemd-logind
either the file containing the function '_fini' or the file containing the function '' is not compiled with -fpic/-fPIC
[mockbuild@r3530040 systemd-195_DISSECTION]$ which eu-findtextrel
/usr/bin/eu-findtextrel
[mockbuild@r3530040 systemd-195_DISSECTION]$ rpm -qf /usr/bin/eu-findtextrel
elfutils-0.155-1.fc18.s390x

It is evident that (a part of) systemd-logind binary is not compiled with "-fPIC" flag. In order to further narrow-down on the problem the "systemd-195-2.fc18.src.rpm" was downloaded and built. This leaves (in the $HOME/rpmbuild/BUILD/systemd-195/.libs/ directory) an "Un-Stripped" version of the systemd-logind binary, and which shows the problem area in more detail:-

[mockbuild@r3530040 systemd-195_DISSECTION]$ eu-findtextrel ~/rpmbuild/BUILD/systemd-195/.libs/systemd-logind
either the file containing the function '__PRETTY_FUNCTION__.8524' or the file containing the function '__PRETTY_FUNCTION__.8532' is not compiled with -fpic/-fPIC

The following screen-dump shows the offending object code:-

[mockbuild@r3530040 systemd-195_DISSECTION]$ cd ~/rpmbuild;for oName in `find ./ -name '*.o' -print`; do nm -a $oName|grep PRETTY|grep 8532 && echo $oName; nm -a $oName|grep PRETTY|grep 8524 && echo $oName; done;cd -
0000000000000000 r __PRETTY_FUNCTION__.8532
0000000000000000 r .rodata.__PRETTY_FUNCTION__.8532
./BUILD/systemd-195/src/login/systemd_logind-logind-inhibit.o
0000000000000000 r __PRETTY_FUNCTION__.8524
0000000000000000 r .rodata.__PRETTY_FUNCTION__.8524
./BUILD/systemd-195/src/login/systemd_logind-logind-user.o
/home/mockbuild/systemd-195_DISSECTION

From above it is evident that above object files were not compiled with the "-fPIC" option, and the make-file is manually changed (note the -fPIC):-

[mockbuild@r3530040 systemd-195]$ diff ./Makefile Makefile.orig
7998,7999c7998
< #MANIKJ
<               -fPIC -c -o src/login/systemd_logind-logind-inhibit.o `test -f 'src/login/logind-inhibit.c' || echo '/'`src/login/logind-inhibit.c
---
>               -c -o src/login/systemd_logind-logind-inhibit.o `test -f 'src/login/logind-inhibit.c' || echo '/'`src/login/logind-inhibit.c
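
Review bot: the changed line at 7998 adds -fPIC only to the compile rule for src/login/systemd_logind-logind-inhibit.o, while the nm output above also attributes __PRETTY_FUNCTION__.8524 to systemd_logind-logind-user.o, so the second object named by eu-findtextrel is still built without the flag. Add it to that rule as well, or set it once in the flags used for every systemd_logind object in the build input rather than hand-editing one recipe line of the Makefile. The diff is taken as `diff ./Makefile Makefile.orig`, so the `<` lines are the modified version; swapping the arguments gives a patch that applies in the usual direction, and the `#MANIKJ` marker line should be dropped from it.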

The resulting 'systemd-logind' binary is 'stripped' and is placed in "/usr/lib/systemd/systemd-logind" (overwriting the older one). The system is rebooted, and there is *NO* delay in login.
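
A triage helper for the kind of record quoted in this comment, as an added example that is not part of the original thread: it parses AVC lines from audit.log and groups execmod denials on files by binary path and source domain, so repeated denials for one daemon stand out. The function names are hypothetical and the sample lines are constructed, modeled on the record above.

```python
import re
from collections import defaultdict

AVC_RE = re.compile(r"type=AVC msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): "
                    r"avc:\s+denied\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    """Return the fields of one AVC denial as a dict, or None for other lines."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {k: v.strip('"') for k, v in KV_RE.findall(m.group("rest"))}
    rec["perms"] = m.group("perms").split()
    rec["ts"] = float(m.group("ts"))
    return rec

def execmod_denials(lines):
    """Map (path, source domain type) to the timestamps of execmod denials."""
    hits = defaultdict(list)
    for line in lines:
        rec = parse_avc(line)
        if rec and "execmod" in rec["perms"] and rec.get("tclass") == "file":
            domain = rec["scontext"].split(":")[2]   # user:role:type:level
            hits[(rec.get("path", "?"), domain)].append(rec["ts"])
    return dict(hits)

# Constructed sample records (not taken from the attached logs).
LOGIND = ('pid=604 comm="systemd-logind" path="/usr/lib/systemd/systemd-logind" '
          'dev="dm-2" ino=1234 scontext=system_u:system_r:systemd_logind_t:s0 '
          'tcontext=system_u:object_r:systemd_logind_exec_t:s0 tclass=file')
SAMPLE = [
    "type=AVC msg=audit(1000000000.100:8): avc:  denied  { execmod } for  " + LOGIND,
    "type=AVC msg=audit(1000000025.400:9): avc:  denied  { execmod } for  " + LOGIND,
    'type=AVC msg=audit(1000000030.000:12): avc:  denied  { read } for  pid=700 '
    'comm="example" name="example.conf" dev="dm-2" ino=5678 '
    'scontext=system_u:system_r:example_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file',
    'type=USER_LOGIN msg=audit(1000000031.000:13): pid=710 uid=0 msg=\'op=login res=success\'',
]

if __name__ == "__main__":
    for (path, domain), stamps in execmod_denials(SAMPLE).items():
        print(f"{path} ({domain}): {len(stamps)} execmod denial(s)")
```

Each path it reports is a candidate for the eu-findtextrel check shown earlier in the comment.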
Comment 10 IBM Bug Proxy 2012-11-08 03:51:07 EST
Created attachment 640646
audit.log file whence the avc denial occurs and login is delayed

The audit.log file as seen immediately after first login using ssh.
Comment 11 Jan Stodola 2012-11-26 08:48:04 EST
Any progress on this bug? 
It is still reproducible with systemd-195-7.
Comment 12 Daniel Walsh 2012-11-27 08:54:51 EST
Looks like https://bugzilla.redhat.com/show_bug.cgi?id=872148 is making progress.
Comment 13 Michal Schmidt 2012-12-10 07:40:19 EST
The combination of PIE and __thread is broken on s390(x). I disabled the hardening flags (which include PIE) in systemd-195-11.fc18 and systemd-196-3.fc19.

http://koji.fedoraproject.org/koji/taskinfo?taskID=4772807
http://koji.fedoraproject.org/koji/taskinfo?taskID=4772430
Comment 14 Michal Schmidt 2012-12-10 07:41:28 EST
(In reply to comment #13)
> I disabled the hardening flags

(arch-conditionally, only on s390, s390x)
Comment 15 Michal Schmidt 2012-12-11 14:18:44 EST
http://sourceware.org/bugzilla/show_bug.cgi?id=14940
Comment 16 Jan Stodola 2013-06-10 03:32:43 EDT
No longer able to reproduce with systemd-204-3.fc19.s390x, moving to VERIFIED.
Comment 17 Fedora End Of Life 2013-12-21 10:52:41 EST
This message is a reminder that Fedora 18 is nearing its end of life.
Approximately 4 (four) weeks from now Fedora will stop maintaining
and issuing updates for Fedora 18. It is Fedora's policy to close all
bug reports from releases that are no longer maintained. At that time
this bug will be closed as WONTFIX if it remains open with a Fedora 
'version' of '18'.

Package Maintainer: If you wish for this bug to remain open because you
plan to fix it in a currently maintained version, simply change the 'version' 
to a later Fedora version prior to Fedora 18's end of life.

Thank you for reporting this issue and we are sorry that we may not be 
able to fix it before Fedora 18 is end of life. If you would still like 
to see this bug fixed and are able to reproduce it against a later version 
of Fedora, you are encouraged to change the 'version' to a later Fedora 
version prior to Fedora 18's end of life.

Although we aim to fix as many bugs as possible during every release's 
lifetime, sometimes those efforts are overtaken by events. Often a 
more recent Fedora release includes newer upstream software that fixes 
bugs or makes them obsolete.
Comment 18 Fedora End Of Life 2014-02-05 18:25:27 EST
Fedora 18 changed to end-of-life (EOL) status on 2014-01-14. Fedora 18 is
no longer maintained, which means that it will not receive any further
security or bug fix updates. As a result we are closing this bug.

If you can reproduce this bug against a currently maintained version of
Fedora please feel free to reopen this bug against that version. If you
are unable to reopen this bug, please file a new report against the
current release. If you experience problems, please add a comment to this
bug.

Thank you for reporting this bug and we are sorry it could not be fixed.
Comment 19 IBM Bug Proxy 2014-12-18 02:04:02 EST
------- Comment From manibajp@in.ibm.com 2012-11-08 08:37 EDT-------
