Bug 885432 - selinux prevents RHEV-M SSO plugin from accessing credentials channel created by ovirt/rhevm-guest-agent
selinux prevents RHEV-M SSO plugin from accessing credentials channel created...
Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: selinux-policy (Show other bugs)
6.3
All Linux
high Severity high
: rc
: ---
Assigned To: Miroslav Grepl
Milos Malik
: ZStream
Depends On:
Blocks: 882239 886210
  Show dependency treegraph
 
Reported: 2012-12-09 07:21 EST by Vinzenz Feenstra [evilissimo]
Modified: 2013-02-21 03:33 EST (History)
6 users (show)

See Also:
Fixed In Version: selinux-policy-3.7.19-188.el6
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2013-02-21 03:33:02 EST
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Vinzenz Feenstra [evilissimo] 2012-12-09 07:21:09 EST
Description of problem:
selinux prevents the access of the rhevm-guest-agent-gdm-plugin to connect to the SO_PASSCRED unix domain socket ('\x00/tmp/ovirt-cred-channel').

The unix domain socket is created by the service: ovirt-guest-agent from the package: rhevm-guest-agent


Audit log entry:
type=AVC msg=audit(1355047156.839:26940): avc:  denied  { connectto } for  pid=11187 comm="gdm-session-wor" path=002F746D702F6F766972742D637265642D6368616E6E656C scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:initrc_t:s0 tclass=unix_stream_socket


Version-Release number of selected component (if applicable):
rhevm-guest-agent-1.0.5-7

How reproducible:
Always reproducible with selinux-policy-3.7.19-155

Steps to Reproduce:
1. Setup a RHEV-M Environment
2. Create a RHEL6.3 Desktop VM with rhevm-guest-agent-gdm-plugin installed
3. Join the computer to the domain
4. Single sign on from the user portal will not complete.
  
Actual results:
Single Sign on is not working because the access to the credential socket is blocked.

Expected results:
Access to the socket is not blocked.

Additional info:
Temporary workaround for affected users:
# grep 002F746D702F6F766972742D637265642D6368616E6E656C /var/log/audit/audit.log | audit2allow -M ovirt-guest-agent
# semodule -i ovirt-guest-agent.pp
Comment 1 Vinzenz Feenstra [evilissimo] 2012-12-09 07:24:19 EST
Please note that the package rhevm-guest-agent was previously known as rhev-agent.
The package rhevm-guest-agent-gdm-plugin was previously known as rhev-agent-gdm-plugin-rhevcred.

Correction: The problem occurs within the SSO PAM module - rhevm-guest-agent-pam-module (Previously known as rhev-agent-pam-rhev-cred)
Comment 3 Vinzenz Feenstra [evilissimo] 2012-12-09 08:23:59 EST
Additional note: 

The rhevm-guest-agent-kdm-plugin package is also affected by this. The workaround mentioned in comment#0 works for it as well.
Comment 4 Miroslav Grepl 2012-12-10 02:26:47 EST
The problem is the ovirt-guest-agent service has not a policy.

What does

# ps -efZ |grep initrc
Comment 5 Vinzenz Feenstra [evilissimo] 2012-12-10 03:12:16 EST
system_u:system_r:initrc_t:s0   175       1747     1  0 09:08 ?        00:00:00 /usr/bin/python /usr/share/ovirt-guest-agent/ovirt-guest-agent.py -p /var/run/ovirt-guest-agent.pid -d
system_u:system_r:initrc_t:s0   root      1790     1  0 09:08 ?        00:00:00 rhnsd
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 root 1998 1934  0 09:10 tty1 00:00:00 grep initrc
Comment 6 Miroslav Grepl 2012-12-10 04:31:12 EST
OK, we need to backport changes from Fedora.
Comment 7 Miroslav Grepl 2012-12-10 04:32:21 EST
You can test it for now using

# chcon -t rhev_agentd_exec_t /usr/share/ovirt-guest-agent/ovirt-guest-agent.py

Also please updat to the latest policy build.

rhnsd deamon should be confined.
Comment 8 Miroslav Grepl 2012-12-10 09:56:22 EST
Fixed in selinux-policy-3.7.19-186.el6
Comment 18 Jiri Belka 2012-12-21 08:13:30 EST
Little issue with guest agent pid file (selinux type), will check when BZ882239 is solved.
Comment 20 errata-xmlrpc 2013-02-21 03:33:02 EST
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2013-0314.html

Note You need to log in before you can comment on or make changes to this bug.