Bug 886210 - selinux prevents RHEV-M SSO plugin from accessing credentials channel created by ovirt/rhevm-guest-agent
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: selinux-policy
Version: 6.3
Hardware: All
OS: Linux
Priority: high
Severity: high
Target Milestone: rc
Assignee: Miroslav Grepl
QA Contact: Milos Malik
URL:
Whiteboard:
Depends On: 885432
Blocks: 707622 881879
Reported: 2012-12-11 19:12 UTC by Chris Pelland
Modified: 2012-12-18 08:19 UTC

Fixed In Version: selinux-policy-3.7.19-155.el6_3.13
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2012-12-18 08:19:12 UTC
Target Upstream Version:
Embargoed:


Attachments
ovirt-agent init script patch (443 bytes, patch)
2012-12-13 14:44 UTC, Miroslav Grepl


Links
Red Hat Product Errata RHBA-2012:1581 (priority normal, status SHIPPED_LIVE): selinux-policy bug fix update, last updated 2012-12-18 13:18:38 UTC

Description Chris Pelland 2012-12-11 19:12:34 UTC
This bug has been copied from bug #885432 and has been proposed
to be backported to 6.3 z-stream (EUS).

Comment 4 Miroslav Grepl 2012-12-12 13:02:53 UTC
Fixed in selinux-policy-3.7.19-155.el6_3.10

Comment 9 Jiri Belka 2012-12-12 15:47:29 UTC
Just tried and failed:

[root@rhel6ws64 log]# rpm -qa | egrep '^(rhevm|selinux-policy)'
selinux-policy-targeted-3.7.19-155.el6_3.10.noarch
rhevm-guest-agent-gdm-plugin-1.0.5-7.el6ev.x86_64
selinux-policy-3.7.19-155.el6_3.10.noarch
rhevm-guest-agent-pam-module-1.0.5-7.el6ev.x86_64
rhevm-guest-agent-1.0.5-7.el6ev.x86_64

type=AVC msg=audit(1355323141.600:30760): avc:  denied  { append } for  pid=2018 comm="ovirt-locksessi" path="/var/log/ovirt-guest-agent/ovirt-guest-agent.log" dev=dm-0 ino=272408 scontext=system_u:system_r:rhev_agentd_consolehelper_t:s0 tcontext=unconfined_u:object_r:var_log_t:s0 tclass=file

        Was caused by:
                Missing type enforcement (TE) allow rule.

                You can use audit2allow to generate a loadable module to allow this access.

type=AVC msg=audit(1355323141.608:30763): avc:  denied  { execute } for  pid=2018 comm="userhelper" name="LockActiveSession.py" dev=dm-0 ino=13221 scontext=system_u:system_r:rhev_agentd_consolehelper_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file

        Was caused by:
                Missing type enforcement (TE) allow rule.

                You can use audit2allow to generate a loadable module to allow this access.


--

[root@rhel6ws64 log]# ausearch -m avc -te recent | audit2allow


#============= rhev_agentd_consolehelper_t ==============
allow rhev_agentd_consolehelper_t usr_t:file execute;
allow rhev_agentd_consolehelper_t var_log_t:file append;

#============= rhev_agentd_t ==============
allow rhev_agentd_t initrc_var_run_t:file { write setattr };
#!!!! The source type 'rhev_agentd_t' can write to a 'dir' of the following types:
# tmp_t, rhev_agentd_log_t, rhev_agentd_tmp_t, var_run_t, rhev_agentd_var_run_t, root_t

allow rhev_agentd_t var_log_t:dir { write add_name };
allow rhev_agentd_t var_log_t:file create;

#============= shutdown_t ==============
allow shutdown_t user_tmp_t:file read;

#============= xdm_t ==============
#!!!! This avc can be allowed using the boolean 'allow_polyinstantiation'

allow xdm_t admin_home_t:dir read;

Comment 10 Miroslav Grepl 2012-12-12 15:58:28 UTC
Jiri,
could you attach all AVC msgs?

Comment 12 Miroslav Grepl 2012-12-12 16:01:22 UTC
(In reply to comment #10)
> Jiri,
> could you attach all AVC msgs?

Also please test it in permissive mode.

Comment 13 Miroslav Grepl 2012-12-12 16:03:41 UTC
Where is "LockActiveSession.py" exactly located and what does it do?

Comment 14 Miroslav Grepl 2012-12-12 16:08:29 UTC
(In reply to comment #13)
> Where is "LockActiveSession.py" exactly located and what does it do?

Because we have in the policy

/usr/share/rhev-agent/LockActiveSession\.py --  gen_context(system_u:object_r:rhev_agentd_exec_t,s0)


Actually I see it now

/usr/share/ovirt-guest-agent/LockActiveSession.py

Comment 15 Miroslav Grepl 2012-12-12 16:10:33 UTC
So Jiri,
please test it with the latest build 

selinux-policy-3.7.19-155.el6_3.11

and execute

# setenforce 0
# chcon -R -t bin_t /usr/share/ovirt-guest-agent
# chcon -t rhev_agentd_exec_t /usr/share/ovirt-guest-agent/LockActiveSession.py

re-test it and

# ausearch -m avc -ts recent

Comment 16 Jiri Belka 2012-12-12 16:28:47 UTC
SSO works (previous comment was issue with auth setup on client), tested with selinux-policy-3.7.19-155.el6_3.10 and selinux-policy-3.7.19-155.el6_3.11.

[root@rhel6ws64 ~]# ausearch -m avc -ts recent
----
time->Wed Dec 12 17:21:17 2012
type=SYSCALL msg=audit(1355329277.275:30951): arch=c000003e syscall=21 success=no exit=-13 a0=7aaa80 a1=7 a2=20 a3=7fff87803070 items=0 ppid=6109 pid=6130 auid=4294967295 uid=16777216 gid=16777218 euid=16777216 suid=16777216 fsuid=16777216 egid=16777218 sgid=16777218 fsgid=16777218 tty=(none) ses=4294967295 comm="gdm-session-wor" exe="/usr/libexec/gdm-session-worker" subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1355329277.275:30951): avc:  denied  { read write } for  pid=6130 comm="gdm-session-wor" name="portaluser3" dev=dm-2 ino=13 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:home_root_t:s0 tclass=dir
----
time->Wed Dec 12 17:21:17 2012
type=SYSCALL msg=audit(1355329277.275:30952): arch=c000003e syscall=2 success=no exit=-13 a0=7aa9f0 a1=442 a2=180 a3=7fff87803070 items=0 ppid=6109 pid=6130 auid=4294967295 uid=16777216 gid=16777218 euid=16777216 suid=16777216 fsuid=16777216 egid=16777218 sgid=16777218 fsgid=16777218 tty=(none) ses=4294967295 comm="gdm-session-wor" exe="/usr/libexec/gdm-session-worker" subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1355329277.275:30952): avc:  denied  { write } for  pid=6130 comm="gdm-session-wor" name="portaluser3" dev=dm-2 ino=13 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:home_root_t:s0 tclass=dir
----
time->Wed Dec 12 17:21:17 2012
type=SYSCALL msg=audit(1355329277.275:30953): arch=c000003e syscall=2 success=no exit=-13 a0=7fdbe0 a1=c2 a2=180 a3=7fff87803070 items=0 ppid=6109 pid=6130 auid=4294967295 uid=16777216 gid=16777218 euid=16777216 suid=16777216 fsuid=16777216 egid=16777218 sgid=16777218 fsgid=16777218 tty=(none) ses=4294967295 comm="gdm-session-wor" exe="/usr/libexec/gdm-session-worker" subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1355329277.275:30953): avc:  denied  { write } for  pid=6130 comm="gdm-session-wor" name="portaluser3" dev=dm-2 ino=13 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:home_root_t:s0 tclass=dir

Comment 17 Miroslav Grepl 2012-12-12 19:19:48 UTC
And do these AVC msgs happen on testing? And did you do

# chcon -R -t bin_t /usr/share/ovirt-guest-agent
# chcon -t rhev_agentd_exec_t /usr/share/ovirt-guest-agent/LockActiveSession.py

?

Comment 18 Jiri Belka 2012-12-13 09:07:16 UTC
getenforce ; ps -efZ | grep '[o]virt-guest-agent'; ls -lZ ; ausearch -m avc -m user_avc -ts 09:47
Permissive
unconfined_u:system_r:initrc_t:s0 175     2303     1  0 09:42 ?        00:00:01 /usr/bin/python /usr/share/ovirt-guest-agent/ovirt-guest-agent.py -p /var/run/ovirt-guest-agent.pid -d
-rw-r--r--. root root system_u:object_r:bin_t:s0       CredServer.py
-rw-r--r--. root root system_u:object_r:bin_t:s0       CredServer.pyc
-rw-r--r--. root root system_u:object_r:bin_t:s0       CredServer.pyo
-rw-r--r--. root root system_u:object_r:bin_t:s0       GuestAgentLinux2.py
-rw-r--r--. root root system_u:object_r:bin_t:s0       GuestAgentLinux2.pyc
-rw-r--r--. root root system_u:object_r:bin_t:s0       GuestAgentLinux2.pyo
-rwxr-xr-x. root root system_u:object_r:rhev_agentd_exec_t:s0 LockActiveSession.py
-rwxr-xr-x. root root system_u:object_r:bin_t:s0       LockActiveSession.pyc
-rwxr-xr-x. root root system_u:object_r:bin_t:s0       LockActiveSession.pyo
-rw-r--r--. root root system_u:object_r:bin_t:s0       OVirtAgentLogic.py
-rw-r--r--. root root system_u:object_r:bin_t:s0       OVirtAgentLogic.pyc
-rw-r--r--. root root system_u:object_r:bin_t:s0       OVirtAgentLogic.pyo
-rw-r--r--. root root system_u:object_r:bin_t:s0       VirtIoChannel.py
-rw-r--r--. root root system_u:object_r:bin_t:s0       VirtIoChannel.pyc
-rw-r--r--. root root system_u:object_r:bin_t:s0       VirtIoChannel.pyo
-rwxr-xr-x. root root system_u:object_r:bin_t:s0       hibernate
-rwxr-xr-x. root root system_u:object_r:bin_t:s0       ovirt-guest-agent.py
-rwxr-xr-x. root root system_u:object_r:bin_t:s0       ovirt-guest-agent.pyc
-rwxr-xr-x. root root system_u:object_r:bin_t:s0       ovirt-guest-agent.pyo
lrwxrwxrwx. root root system_u:object_r:bin_t:s0       ovirt-hibernate -> /usr/bin/consolehelper
lrwxrwxrwx. root root system_u:object_r:bin_t:s0       ovirt-locksession -> /usr/bin/consolehelper
lrwxrwxrwx. root root system_u:object_r:bin_t:s0       ovirt-shutdown -> /usr/bin/consolehelper
----
time->Thu Dec 13 09:47:12 2012
type=SYSCALL msg=audit(1355388432.323:31991): arch=c000003e syscall=42 success=yes exit=0 a0=8 a1=7fff29ed54d0 a2=1a a3=7 items=0 ppid=2554 pid=2613 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="gdm-session-wor" exe="/usr/libexec/gdm-session-worker" subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1355388432.323:31991): avc:  denied  { connectto } for  pid=2613 comm="gdm-session-wor" path=002F746D702F6F766972742D637265642D6368616E6E656C scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:initrc_t:s0 tclass=unix_stream_socket
----
time->Thu Dec 13 09:47:12 2012
type=SYSCALL msg=audit(1355388432.836:31998): arch=c000003e syscall=21 success=yes exit=0 a0=78ca80 a1=7 a2=20 a3=a0 items=0 ppid=2613 pid=2640 auid=4294967295 uid=16777216 gid=16777218 euid=16777216 suid=16777216 fsuid=16777216 egid=16777218 sgid=16777218 fsgid=16777218 tty=(none) ses=4294967295 comm="gdm-session-wor" exe="/usr/libexec/gdm-session-worker" subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1355388432.836:31998): avc:  denied  { read write } for  pid=2640 comm="gdm-session-wor" name="portaluser3" dev=dm-2 ino=13 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:home_root_t:s0 tclass=dir
----
time->Thu Dec 13 09:47:12 2012
type=SYSCALL msg=audit(1355388432.836:31999): arch=c000003e syscall=21 success=yes exit=0 a0=78c9f0 a1=6 a2=20 a3=a0 items=0 ppid=2613 pid=2640 auid=4294967295 uid=16777216 gid=16777218 euid=16777216 suid=16777216 fsuid=16777216 egid=16777218 sgid=16777218 fsgid=16777218 tty=(none) ses=4294967295 comm="gdm-session-wor" exe="/usr/libexec/gdm-session-worker" subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1355388432.836:31999): avc:  denied  { write } for  pid=2640 comm="gdm-session-wor" name=".xsession-errors" dev=dm-2 ino=81 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:user_home_t:s0 tclass=file
----
time->Thu Dec 13 09:47:12 2012
type=SYSCALL msg=audit(1355388432.837:32000): arch=c000003e syscall=82 success=yes exit=0 a0=78c9f0 a1=7dfbe0 a2=0 a3=6e6f697373657378 items=0 ppid=2613 pid=2640 auid=4294967295 uid=16777216 gid=16777218 euid=16777216 suid=16777216 fsuid=16777216 egid=16777218 sgid=16777218 fsgid=16777218 tty=(none) ses=4294967295 comm="gdm-session-wor" exe="/usr/libexec/gdm-session-worker" subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1355388432.837:32000): avc:  denied  { add_name } for  pid=2640 comm="gdm-session-wor" name=".xsession-errors.old" dev=dm-2 ino=39 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:home_root_t:s0 tclass=dir
type=AVC msg=audit(1355388432.837:32000): avc:  denied  { rename } for  pid=2640 comm="gdm-session-wor" name=".xsession-errors" dev=dm-2 ino=81 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:user_home_t:s0 tclass=file
type=AVC msg=audit(1355388432.837:32000): avc:  denied  { remove_name } for  pid=2640 comm="gdm-session-wor" name=".xsession-errors" dev=dm-2 ino=81 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:home_root_t:s0 tclass=dir
----
time->Thu Dec 13 09:47:12 2012
type=SYSCALL msg=audit(1355388432.837:32001): arch=c000003e syscall=2 success=yes exit=12 a0=78c9f0 a1=442 a2=180 a3=1 items=0 ppid=2613 pid=2640 auid=4294967295 uid=16777216 gid=16777218 euid=16777216 suid=16777216 fsuid=16777216 egid=16777218 sgid=16777218 fsgid=16777218 tty=(none) ses=4294967295 comm="gdm-session-wor" exe="/usr/libexec/gdm-session-worker" subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1355388432.837:32001): avc:  denied  { read append open } for  pid=2640 comm="gdm-session-wor" name=".xsession-errors" dev=dm-2 ino=39 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:home_root_t:s0 tclass=file
type=AVC msg=audit(1355388432.837:32001): avc:  denied  { create } for  pid=2640 comm="gdm-session-wor" name=".xsession-errors" scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:home_root_t:s0 tclass=file
----
time->Thu Dec 13 09:47:12 2012
type=SYSCALL msg=audit(1355388432.837:32002): arch=c000003e syscall=5 success=yes exit=0 a0=c a1=7fff29ed5560 a2=7fff29ed5560 a3=1 items=0 ppid=2613 pid=2640 auid=4294967295 uid=16777216 gid=16777218 euid=16777216 suid=16777216 fsuid=16777216 egid=16777218 sgid=16777218 fsgid=16777218 tty=(none) ses=4294967295 comm="gdm-session-wor" exe="/usr/libexec/gdm-session-worker" subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1355388432.837:32002): avc:  denied  { getattr } for  pid=2640 comm="gdm-session-wor" path="/home/RHEV/portaluser3/.xsession-errors" dev=dm-2 ino=39 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:home_root_t:s0 tclass=file
----
time->Thu Dec 13 09:47:12 2012
type=SYSCALL msg=audit(1355388432.837:32003): arch=c000003e syscall=77 success=yes exit=0 a0=c a1=0 a2=7fff29ed5560 a3=1 items=0 ppid=2613 pid=2640 auid=4294967295 uid=16777216 gid=16777218 euid=16777216 suid=16777216 fsuid=16777216 egid=16777218 sgid=16777218 fsgid=16777218 tty=(none) ses=4294967295 comm="gdm-session-wor" exe="/usr/libexec/gdm-session-worker" subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1355388432.837:32003): avc:  denied  { write } for  pid=2640 comm="gdm-session-wor" name=".xsession-errors" dev=dm-2 ino=39 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:home_root_t:s0 tclass=file
----
time->Thu Dec 13 09:47:12 2012
type=SYSCALL msg=audit(1355388432.837:32004): arch=c000003e syscall=91 success=yes exit=0 a0=c a1=180 a2=7fff29ed5560 a3=1 items=0 ppid=2613 pid=2640 auid=4294967295 uid=16777216 gid=16777218 euid=16777216 suid=16777216 fsuid=16777216 egid=16777218 sgid=16777218 fsgid=16777218 tty=(none) ses=4294967295 comm="gdm-session-wor" exe="/usr/libexec/gdm-session-worker" subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1355388432.837:32004): avc:  denied  { setattr } for  pid=2640 comm="gdm-session-wor" name=".xsession-errors" dev=dm-2 ino=39 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:home_root_t:s0 tclass=file
----
time->Thu Dec 13 09:47:24 2012
type=SYSCALL msg=audit(1355388444.081:32007): arch=c000003e syscall=59 success=yes exit=0 a0=2314c10 a1=7fff855f1440 a2=2315100 a3=4000 items=0 ppid=2303 pid=2759 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=1 comm="LockActiveSessi" exe="/usr/bin/python" subj=unconfined_u:system_r:rhev_agentd_t:s0 key=(null)
type=AVC msg=audit(1355388444.081:32007): avc:  denied  { read write } for  pid=2759 comm="LockActiveSessi" path=2F746D702F666669614D39723136202864656C6574656429 dev=dm-0 ino=652820 scontext=unconfined_u:system_r:rhev_agentd_t:s0 tcontext=unconfined_u:object_r:initrc_tmp_t:s0 tclass=file
----
time->Thu Dec 13 09:47:24 2012
type=SYSCALL msg=audit(1355388444.102:32008): arch=c000003e syscall=105 success=yes exit=0 a0=1000000 a1=7fa58e310170 a2=31a305836c a3=7fff99b4f0b8 items=0 ppid=2759 pid=2760 auid=0 uid=16777216 gid=0 euid=16777216 suid=16777216 fsuid=16777216 egid=0 sgid=0 fsgid=0 tty=(none) ses=1 comm="LockActiveSessi" exe="/usr/bin/python" subj=unconfined_u:system_r:rhev_agentd_t:s0 key=(null)
type=AVC msg=audit(1355388444.102:32008): avc:  denied  { setuid } for  pid=2760 comm="LockActiveSessi" capability=7  scontext=unconfined_u:system_r:rhev_agentd_t:s0 tcontext=unconfined_u:system_r:rhev_agentd_t:s0 tclass=capability
----
time->Thu Dec 13 09:47:24 2012
type=SYSCALL msg=audit(1355388444.104:32009): arch=c000003e syscall=42 success=yes exit=0 a0=3 a1=7fff31fb4db0 a2=14 a3=7fff31fb4db3 items=0 ppid=2760 pid=2761 auid=0 uid=16777216 gid=0 euid=16777216 suid=16777216 fsuid=16777216 egid=0 sgid=0 fsgid=0 tty=(none) ses=1 comm="dbus-launch" exe="/usr/bin/dbus-launch" subj=unconfined_u:system_r:rhev_agentd_t:s0 key=(null)
type=AVC msg=audit(1355388444.104:32009): avc:  denied  { connectto } for  pid=2761 comm="dbus-launch" path=002F746D702F2E5831312D756E69782F5830 scontext=unconfined_u:system_r:rhev_agentd_t:s0 tcontext=system_u:system_r:xserver_t:s0-s0:c0.c1023 tclass=unix_stream_socket
----
time->Thu Dec 13 09:47:24 2012
type=SYSCALL msg=audit(1355388444.108:32010): arch=c000003e syscall=42 success=yes exit=0 a0=a a1=7fff99b4e580 a2=17 a3=0 items=0 ppid=2759 pid=2760 auid=0 uid=16777216 gid=0 euid=16777216 suid=16777216 fsuid=16777216 egid=0 sgid=0 fsgid=0 tty=(none) ses=1 comm="LockActiveSessi" exe="/usr/bin/python" subj=unconfined_u:system_r:rhev_agentd_t:s0 key=(null)
type=AVC msg=audit(1355388444.108:32010): avc:  denied  { connectto } for  pid=2760 comm="LockActiveSessi" path=002F746D702F646275732D685976784A776C6F5244 scontext=unconfined_u:system_r:rhev_agentd_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_dbusd_t:s0-s0:c0.c1023 tclass=unix_stream_socket
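
The raw AVC records in comments 9 and 18 and the audit2allow summary in comment 9 can be reproduced with the parser below. This is an added example, not code from the bug report, from selinux-policy or from the oVirt guest agent. It does two things the thread relies on: it decodes the hex-encoded paths (ausearch hex-encodes any path containing a space or a non-printable byte, so the leading NUL of an abstract unix socket such as the credentials channel shows up as `002F746D70...`), and it groups denials into audit2allow-style rules while flagging those whose target is a generic type, which in this thread turned out to be mislabeled files rather than missing rules. The sample records are copied from comments 9, 18 and 30; the GENERIC_TARGETS table and its hints are this example's own assumption, not anything the policy defines.

```python
import re
from collections import defaultdict

# One AVC record as ausearch prints it: "avc:  denied  { perms } for  k=v k=v ..."
AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*)$')
# key=value tokens; values are either double-quoted or a bare run of non-space
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Target types that in this thread meant "the object carries the wrong label"
# (inherited from its parent at creation time), not "the policy lacks a rule".
# Assumption of this example, distilled from the thread; not a policy artefact.
GENERIC_TARGETS = {
    "usr_t": "script under /usr/share not labeled bin_t or an *_exec_t type; restorecon it",
    "var_log_t": "log file created before /var/log/<app> was labeled; restorecon it",
    "initrc_var_run_t": "pid file created by the init script, not the daemon; restorecon it there",
    "initrc_tmp_t": "temp file inherited from initrc_t; the daemon started under the wrong domain",
    "home_root_t": "home directory outside /home/[^/]+; add a fcontext equivalence, then restorecon",
}

# Records copied from comments 9, 18 and 30 of this bug (not constructed)
SAMPLE_AVCS = [
    'type=AVC msg=audit(1355323141.608:30763): avc:  denied  { execute } for  pid=2018 comm="userhelper" name="LockActiveSession.py" dev=dm-0 ino=13221 scontext=system_u:system_r:rhev_agentd_consolehelper_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file',
    'type=AVC msg=audit(1355388432.323:31991): avc:  denied  { connectto } for  pid=2613 comm="gdm-session-wor" path=002F746D702F6F766972742D637265642D6368616E6E656C scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:initrc_t:s0 tclass=unix_stream_socket',
    'type=AVC msg=audit(1355388444.081:32007): avc:  denied  { read write } for  pid=2759 comm="LockActiveSessi" path=2F746D702F666669614D39723136202864656C6574656429 dev=dm-0 ino=652820 scontext=unconfined_u:system_r:rhev_agentd_t:s0 tcontext=unconfined_u:object_r:initrc_tmp_t:s0 tclass=file',
    'type=AVC msg=audit(1355388444.104:32009): avc:  denied  { connectto } for  pid=2761 comm="dbus-launch" path=002F746D702F2E5831312D756E69782F5830 scontext=unconfined_u:system_r:rhev_agentd_t:s0 tcontext=system_u:system_r:xserver_t:s0-s0:c0.c1023 tclass=unix_stream_socket',
    'type=AVC msg=audit(1355407668.489:31411): avc:  denied  { write } for  pid=7002 comm="ovirt-guest-age" name="ovirt-guest-agent.pid" dev=dm-0 ino=261661 scontext=unconfined_u:system_r:rhev_agentd_t:s0 tcontext=unconfined_u:object_r:initrc_var_run_t:s0 tclass=file',
    'type=AVC msg=audit(1355407668.490:31414): avc:  denied  { setattr } for  pid=7002 comm="ovirt-guest-age" name="ovirt-guest-agent.pid" dev=dm-0 ino=261661 scontext=unconfined_u:system_r:rhev_agentd_t:s0 tcontext=unconfined_u:object_r:initrc_var_run_t:s0 tclass=file',
]


def unquote(value):
    return value[1:-1] if len(value) >= 2 and value.startswith('"') else value


def decode_path(value):
    """ausearch hex-encodes any path containing a space or a non-printable
    byte.  Decode those; the leading NUL of an abstract unix socket is shown
    as '@', the way ss(8) prints it.  Quoted paths are returned unchanged."""
    if value.startswith('"'):
        return unquote(value)
    if len(value) % 2 == 0 and re.fullmatch(r'[0-9A-F]+', value):
        raw = bytes.fromhex(value)
        if raw.startswith(b"\x00"):
            return "@" + raw[1:].decode("utf-8", "replace")
        return raw.decode("utf-8", "replace")
    return value


def parse_avc(line):
    """Return the pieces audit2allow needs from one AVC record, or None."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = dict(FIELD_RE.findall(m.group("fields")))
    rec = {
        "perms": set(m.group("perms").split()),
        "stype": fields["scontext"].split(":")[2],   # type part of the context
        "ttype": fields["tcontext"].split(":")[2],
        "tclass": fields["tclass"],
        "comm": unquote(fields.get("comm", "?")),
    }
    if "path" in fields:
        rec["path"] = decode_path(fields["path"])
    elif "name" in fields:
        rec["path"] = unquote(fields["name"])
    return rec


def summarise(lines):
    """Merge records into (source, target, class) -> permissions, which is
    the grouping behind audit2allow's 'allow ...;' output."""
    rules = defaultdict(set)
    for line in lines:
        rec = parse_avc(line)
        if rec:
            rules[(rec["stype"], rec["ttype"], rec["tclass"])] |= rec["perms"]
    return dict(rules)


def format_rule(key, perms):
    stype, ttype, tclass = key
    p = sorted(perms)
    body = p[0] if len(p) == 1 else "{ " + " ".join(p) + " }"
    return "allow %s %s:%s %s;" % (stype, ttype, tclass, body)


def triage(lines):
    """Split the would-be allow rules into probable policy gaps and probable
    labeling faults (with a hint).  Returns (gaps, [(rule, hint), ...])."""
    gaps, labeling = [], []
    for key, perms in summarise(lines).items():
        rule = format_rule(key, perms)
        if key[1] in GENERIC_TARGETS:
            labeling.append((rule, GENERIC_TARGETS[key[1]]))
        else:
            gaps.append(rule)
    return sorted(gaps), sorted(labeling)


if __name__ == "__main__":
    gaps, labeling = triage(SAMPLE_AVCS)
    print("# probable policy gaps (candidates for a real policy fix):")
    print("\n".join(gaps))
    print("# probable labeling faults (do not audit2allow these):")
    for rule, hint in labeling:
        print("%s   # %s" % (rule, hint))
    for rec in filter(None, map(parse_avc, SAMPLE_AVCS)):
        if "path" in rec:
            print("%-16s -> %s" % (rec["comm"], rec["path"]))
```

Feeding the thread's records through `triage` leaves only the two socket connects (xdm_t to the agent's credentials channel, rhev_agentd_t to the X server, the rule Milos asks for in comment 35) as policy gaps; the pid-file, /usr/share and /tmp denials land in the labeling bucket. That matters because `audit2allow -M mypol; semodule -i mypol.pp` would happily emit `allow rhev_agentd_t initrc_var_run_t:file { setattr write };`, and initrc_var_run_t is the type every init-script-created pid file carries, so loading it would let the agent clobber the pid files of unrelated services. The fix the thread actually shipped (restorecon in the init script, comment 32) keeps the agent confined to rhev_agentd_var_run_t.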

Comment 19 Miroslav Grepl 2012-12-13 09:21:48 UTC
Ah I missed

# chcon -t rhev_agentd_exec_t /usr/share/ovirt-guest-agent/ovirt-guest-agent.py

which is default labeling in the policy.

Comment 20 Miroslav Grepl 2012-12-13 09:34:13 UTC
Also it looks like you have a mislabeled homedir.

# restorecon -Rv /home

I am going to do a new build with additional fixes.

Comment 22 Jiri Belka 2012-12-13 10:25:57 UTC
As for /home... This is SSO against AD and user dirs are created by pam_mkhomedir in /home/$domain, the policy should be changed so gdm (xdm_t) can write to user dirs.

Comment 23 Miroslav Grepl 2012-12-13 11:12:47 UTC
The problem is the homedirs are badly labeled. So you have

/home/$domain/$user

What does

ls -dZ /home/$domain/$user

for a test user?

Comment 24 Jiri Belka 2012-12-13 11:22:54 UTC
AD user

[root@rhel6ws64 ~]# ls -ldZ /home/RHEV/portaluser3
drwxr-xr-x. portaluser3 domain users unconfined_u:object_r:home_root_t:s0 /home/RHEV/portaluser3

local user

[root@rhel6ws64 ~]# ls -ldZ /home/testovic
drwx------. testovic testovic unconfined_u:object_r:user_home_dir_t:s0 /home/testovic

If /home/$domain/$user is mislabeled, it must be repaired in a tool which generated this labeling, or a policy should be tuned to allow gdm to be able to write to home_root_t dirs, for sure no manual intervention. This is what I wanted to say in my previous comment.

Comment 25 Miroslav Grepl 2012-12-13 11:34:57 UTC
Yes, this is an issue with AD. We can not allow it because a homedir is mislabeled.

Basically it needs to execute

# semanage fcontext -e /home /home/RHEV

AFAIK we did some work for this but it looks like only for RHEL6.4. 

Dan, Milos,
do you remember?

Comment 26 Jiri Belka 2012-12-13 11:52:43 UTC
I used the last rpm builds and did:

* semanage fcontext -a -e /home /home/RHEV
* restorecon -Rv /home/RHEV

(Basically SSO works but screen is still logged when a user tries to reopen spice console.)

[root@rhel6ws64 ~]# ausearch -m avc -m user_avc -ts 12:43
----
time->Thu Dec 13 12:43:43 2012
type=SYSCALL msg=audit(1355399023.759:31186): arch=c000003e syscall=59 success=yes exit=0 a0=7fa804003850 a1=7fa804000e10 a2=7fffc3661658 a3=6c2d747269766f2f items=0 ppid=1718 pid=2930 auid=4294967295 uid=175 gid=175 euid=175 suid=175 fsuid=175 egid=175 sgid=175 fsgid=175 tty=(none) ses=4294967295 comm="ovirt-locksessi" exe="/usr/bin/consolehelper" subj=system_u:system_r:rhev_agentd_consolehelper_t:s0 key=(null)
type=AVC msg=audit(1355399023.759:31186): avc:  denied  { write } for  pid=2930 comm="ovirt-locksessi" path="/var/log/ovirt-guest-agent/ovirt-guest-agent.log" dev=dm-0 ino=272359 scontext=system_u:system_r:rhev_agentd_consolehelper_t:s0 tcontext=system_u:object_r:rhev_agentd_log_t:s0 tclass=file
----
time->Thu Dec 13 12:44:15 2012
type=SYSCALL msg=audit(1355399055.100:31195): arch=c000003e syscall=59 success=yes exit=0 a0=7fa804003850 a1=7fa804000e10 a2=7fffc3661658 a3=6c2d747269766f2f items=0 ppid=1718 pid=3087 auid=4294967295 uid=175 gid=175 euid=175 suid=175 fsuid=175 egid=175 sgid=175 fsgid=175 tty=(none) ses=4294967295 comm="ovirt-locksessi" exe="/usr/bin/consolehelper" subj=system_u:system_r:rhev_agentd_consolehelper_t:s0 key=(null)
type=AVC msg=audit(1355399055.100:31195): avc:  denied  { write } for  pid=3087 comm="ovirt-locksessi" path="/var/log/ovirt-guest-agent/ovirt-guest-agent.log" dev=dm-0 ino=272359 scontext=system_u:system_r:rhev_agentd_consolehelper_t:s0 tcontext=system_u:object_r:rhev_agentd_log_t:s0 tclass=file
----
time->Thu Dec 13 12:46:54 2012
type=SYSCALL msg=audit(1355399214.906:31198): arch=c000003e syscall=59 success=yes exit=0 a0=7fa804003850 a1=7fa804000e10 a2=7fffc3661658 a3=6c2d747269766f2f items=0 ppid=1718 pid=3130 auid=4294967295 uid=175 gid=175 euid=175 suid=175 fsuid=175 egid=175 sgid=175 fsgid=175 tty=(none) ses=4294967295 comm="ovirt-locksessi" exe="/usr/bin/consolehelper" subj=system_u:system_r:rhev_agentd_consolehelper_t:s0 key=(null)
type=AVC msg=audit(1355399214.906:31198): avc:  denied  { write } for  pid=3130 comm="ovirt-locksessi" path="/var/log/ovirt-guest-agent/ovirt-guest-agent.log" dev=dm-0 ino=272359 scontext=system_u:system_r:rhev_agentd_consolehelper_t:s0 tcontext=system_u:object_r:rhev_agentd_log_t:s0 tclass=file
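
Comments 22 to 26 turn on a labeling detail that is easy to get wrong: the policy's file_contexts only know home directories of the form /home/[^/]+, so a directory pam_mkhomedir creates under /home/RHEV inherits home_root_t from its parent and `restorecon` alone cannot repair it. The model below, an added example that is not code from the bug report or from libselinux, shows what `semanage fcontext -a -e /home /home/RHEV` changes. FILE_CONTEXTS is a constructed subset modelled on the targeted policy's /home entries, OBSERVED holds the labels printed in comments 18 and 24, and the matcher is a simplified model of the libselinux lookup (substitution applied to the path first, then the last matching entry wins, honouring the -d file-type flag); real file_contexts have many more entries, so `matchpathcon` is the authoritative check on a live system.

```python
import re

# Constructed subset of the targeted policy's /home entries: (regex, type
# flag, type).  "-d" entries only apply to directories, None to any file type.
FILE_CONTEXTS = [
    (r"/home",          "-d", "home_root_t"),
    (r"/home/[^/]+",    "-d", "user_home_dir_t"),
    (r"/home/[^/]+/.+", None, "user_home_t"),
]

# What `semanage fcontext -a -e /home /home/RHEV` records: (substituted, target)
SUBS_RHEV = [("/home/RHEV", "/home")]

# On-disk labels reported in comment 24 (ls -ldZ) and comment 18 (AVC tcontext)
OBSERVED = {
    "/home/RHEV/portaluser3": "home_root_t",
    "/home/RHEV/portaluser3/.xsession-errors": "home_root_t",
}
DIRS = {"/home/RHEV/portaluser3"}


def apply_substitutions(path, subs):
    """Rewrite a path prefix the way file_contexts.subs does: the match has
    to cover a whole path component, so /home/RHEVx is left alone."""
    for src, dst in subs:
        if path == src or path.startswith(src + "/"):
            return dst + path[len(src):]
    return path


def expected_label(path, is_dir, subs=()):
    """Simplified libselinux lookup: substitute first, then take the last
    entry whose regex matches the whole path and whose file-type flag fits."""
    lookup = apply_substitutions(path, subs)
    match = None
    for regex, flag, typ in FILE_CONTEXTS:
        if (flag == "-d" and not is_dir) or (flag == "--" and is_dir):
            continue
        if re.fullmatch(regex, lookup):
            match = typ   # later entries override earlier ones
    return match


def relabel_plan(observed, dirs, subs=()):
    """What restorecon would change: {path: (current, expected)}."""
    plan = {}
    for path, current in observed.items():
        expected = expected_label(path, path in dirs, subs)
        if expected != current:
            plan[path] = (current, expected)
    return plan


if __name__ == "__main__":
    for title, subs in (("without equivalence", ()), ("with equivalence", SUBS_RHEV)):
        print(title)
        for path, (cur, exp) in relabel_plan(OBSERVED, DIRS, subs).items():
            print("  %s: %s -> %s" % (path, cur, exp))
```

Without the equivalence, `restorecon -Rv /home/RHEV` would still not produce a usable result: /home/RHEV/portaluser3 matches the `/home/[^/]+/.+` entry and would become user_home_t, the type for files inside a home, not user_home_dir_t. With the substitution the lookup path is /home/portaluser3 and the directory and its files get exactly the labels comment 24 shows for the local user /home/testovic. That is why comment 25 rejects the alternative in comment 22: home_root_t is the label of /home itself, so a rule letting xdm_t write home_root_t would let the display manager write into the top of the home tree for every user.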

Comment 27 Miroslav Grepl 2012-12-13 11:57:25 UTC
And does it work in permissive mode?

# setenforce 0

to know if it is a SELinux issue.

Comment 30 Jiri Belka 2012-12-13 14:27:18 UTC
agent's pid is wrong.

[root@rhel6ws64 ~]# ls -lZ /var/run/ovirt-guest-agent.pid 
-rw-rw-r--. ovirtagent ovirtagent unconfined_u:object_r:initrc_var_run_t:s0 /var/run/ovirt-guest-agent.pid
[root@rhel6ws64 ~]# service ovirt-guest-agent stop
Stopping ovirt-guest-agent:                                [  OK  ]
[root@rhel6ws64 ~]# ls -lZ /var/run/ovirt-guest-agent.pid 
ls: cannot access /var/run/ovirt-guest-agent.pid: No such file or directory
[root@rhel6ws64 ~]# service ovirt-guest-agent start
Starting ovirt-guest-agent:                                [  OK  ]
[root@rhel6ws64 ~]# ls -lZ /var/run/ovirt-guest-agent.pid 
-rw-rw-r--. ovirtagent ovirtagent unconfined_u:object_r:initrc_var_run_t:s0 /var/run/ovirt-guest-agent.pid

----
time->Thu Dec 13 15:07:48 2012
type=SYSCALL msg=audit(1355407668.489:31411): arch=c000003e syscall=2 success=yes exit=8 a0=186ee60 a1=241 a2=1b6 a3=0 items=0 ppid=1 pid=7002 auid=0 uid=175 gid=175 euid=175 suid=175 fsuid=175 egid=175 sgid=175 fsgid=175 tty=(none) ses=1 comm="ovirt-guest-age" exe="/usr/bin/python" subj=unconfined_u:system_r:rhev_agentd_t:s0 key=(null)
type=AVC msg=audit(1355407668.489:31411): avc:  denied  { write } for  pid=7002 comm="ovirt-guest-age" name="ovirt-guest-agent.pid" dev=dm-0 ino=261661 scontext=unconfined_u:system_r:rhev_agentd_t:s0 tcontext=unconfined_u:object_r:initrc_var_run_t:s0 tclass=file
----
time->Thu Dec 13 15:07:48 2012
type=SYSCALL msg=audit(1355407668.490:31414): arch=c000003e syscall=90 success=yes exit=0 a0=186ee60 a1=1b4 a2=31a33b4a88 a3=7fff74eefb18 items=0 ppid=1 pid=7002 auid=0 uid=175 gid=175 euid=175 suid=175 fsuid=175 egid=175 sgid=175 fsgid=175 tty=(none) ses=1 comm="ovirt-guest-age" exe="/usr/bin/python" subj=unconfined_u:system_r:rhev_agentd_t:s0 key=(null)
type=AVC msg=audit(1355407668.490:31414): avc:  denied  { setattr } for  pid=7002 comm="ovirt-guest-age" name="ovirt-guest-agent.pid" dev=dm-0 ino=261661 scontext=unconfined_u:system_r:rhev_agentd_t:s0 tcontext=unconfined_u:object_r:initrc_var_run_t:s0 tclass=file

Comment 31 Miroslav Grepl 2012-12-13 14:32:12 UTC
How is this pid file created? It looks like it is created by the init script?

Comment 32 Miroslav Grepl 2012-12-13 14:39:32 UTC
Ok, I see it now. You need to run restorecon in the init script.

Comment 33 Miroslav Grepl 2012-12-13 14:44:43 UTC
Created attachment 663006 [details]
ovirt-agent init script patch

Comment 34 Miroslav Grepl 2012-12-13 15:33:26 UTC
SELinux issues fixed in selinux-policy-3.7.19-155.el6_3.12

Comment 35 Milos Malik 2012-12-14 10:32:13 UTC
Following rule is missing, switching to ASSIGNED:
allow rhev_agentd_t xserver_t : unix_stream_socket { connectto }

Comment 36 Miroslav Grepl 2012-12-14 11:24:17 UTC
Added to selinux-policy-3.7.19-155.el6_3.13

Just building a scratch build.

http://brewweb.devel.redhat.com/brew/taskinfo?taskID=5192902

Comment 37 Jiri Belka 2012-12-14 15:52:53 UTC
Actions done:

* new rpms
* restorecon -Rv /etc /var /usr/share
* modified ovirt-guest-agent init script && restart
* semanage fcontext -a -e /home /home/RHEV ; restorecon -Rv /home/RHEV

time->Fri Dec 14 16:50:21 2012
type=SYSCALL msg=audit(1355500221.461:137): arch=c000003e syscall=42 success=no exit=-13 a0=9 a1=c449d0 a2=1c a3=7fff140dc390 items=0 ppid=2478 pid=2594 auid=0 uid=175 gid=175 euid=175 suid=175 fsuid=175 egid=175 sgid=175 fsgid=175 tty=(none) ses=1 comm="consolehelper-g" exe="/usr/bin/consolehelper-gtk" subj=unconfined_u:system_r:rhev_agentd_consolehelper_t:s0 key=(null)
type=AVC msg=audit(1355500221.461:137): avc:  denied  { name_connect } for  pid=2594 comm="consolehelper-g" dest=6010 scontext=unconfined_u:system_r:rhev_agentd_consolehelper_t:s0 tcontext=system_u:object_r:xserver_port_t:s0 tclass=tcp_socket
----
time->Fri Dec 14 16:50:21 2012
type=SYSCALL msg=audit(1355500221.461:138): arch=c000003e syscall=42 success=no exit=-13 a0=9 a1=c44980 a2=10 a3=7fff140dc698 items=0 ppid=2478 pid=2594 auid=0 uid=175 gid=175 euid=175 suid=175 fsuid=175 egid=175 sgid=175 fsgid=175 tty=(none) ses=1 comm="consolehelper-g" exe="/usr/bin/consolehelper-gtk" subj=unconfined_u:system_r:rhev_agentd_consolehelper_t:s0 key=(null)
type=AVC msg=audit(1355500221.461:138): avc:  denied  { name_connect } for  pid=2594 comm="consolehelper-g" dest=6010 scontext=unconfined_u:system_r:rhev_agentd_consolehelper_t:s0 tcontext=system_u:object_r:xserver_port_t:s0 tclass=tcp_socket

Comment 38 Jiri Belka 2012-12-14 16:13:29 UTC
SSO comment: Surprisingly SSO works from UP (I restarted winbind), when I closed spice client while logged in as AD user, then I opened console from Admin Portal and screen was locked.

Comment 39 Miroslav Grepl 2012-12-14 16:38:01 UTC
If you execute

# grep xserver_port_t /var/log/audit/audit.log |audit2allow -M mypol
# semodule -i mypol.pp

does it work then?


Is it enough to have SSO working from UP for this bug?

Comment 40 Miroslav Grepl 2012-12-14 18:32:58 UTC
A new one

http://brewweb.devel.redhat.com/brew/taskinfo?taskID=5194334

Comment 41 Vinzenz Feenstra [evilissimo] 2012-12-14 18:46:59 UTC
(In reply to comment #38)
> SSO comment: Surprisingly SSO works from UP (I restarted winbind), when I
> closed spice client while logged in as AD user, then I opened console from
> Admin Portal and screen was locked.

The Admin Portal does not support SSO. This is only implemented for the User Portal.

Comment 45 errata-xmlrpc 2012-12-18 08:19:12 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2012-1581.html

