avc: smartcard token login
Mr Dash Four
mr.dash.four at googlemail.com
Sun Dec 5 01:08:14 UTC 2010
When I try to log in (via a terminal) using a smartcard token managed by
openct I get the following AVC:
type=AVC msg=audit(1291494642.695:5): avc: denied { search } for
pid=1651 comm="login" name="openct" dev=dm-0 ino=9737
scontext=system_u:system_r:local_login_t:s0-s0:c0.c1023
tcontext=system_u:object_r:openct_var_run_t:s0 tclass=dir
type=SYSCALL msg=audit(1291494642.695:5): arch=40000003 syscall=5
success=no exit=-13 a0=bfee6f9c a1=0 a2=3ad326 a3=0 items=0 ppid=1
pid=1651 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0
fsgid=0 tty=tty1 ses=4294967295 comm="login" exe="/bin/login"
subj=system_u:system_r:local_login_t:s0-s0:c0.c1023 key=(null)
When I put SELinux in permissive mode I found out that openct, via
/bin/login, is trying to access its status file (/var/run/openct/status):
type=AVC msg=audit(1291510211.246:10): avc: denied { search } for
pid=1656 comm="login" name="openct" dev=dm-0 ino=4248
scontext=system_u:system_r:local_login_t:s0-s0:c0.c1023
tcontext=system_u:object_r:openct_var_run_t:s0 tclass=dir
type=AVC msg=audit(1291510211.246:10): avc: denied { read } for
pid=1656 comm="login" name="status" dev=dm-0 ino=57346
scontext=system_u:system_r:local_login_t:s0-s0:c0.c1023
tcontext=system_u:object_r:openct_var_run_t:s0 tclass=file
type=AVC msg=audit(1291510211.246:10): avc: denied { open } for
pid=1656 comm="login" name="status" dev=dm-0 ino=57346
scontext=system_u:system_r:local_login_t:s0-s0:c0.c1023
tcontext=system_u:object_r:openct_var_run_t:s0 tclass=file
type=SYSCALL msg=audit(1291510211.246:10): arch=40000003 syscall=5
success=yes exit=5 a0=bfaf597c a1=0 a2=ab1326 a3=0 items=0 ppid=1
pid=1656 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0
fsgid=0 tty=tty1 ses=4294967295 comm="login" exe="/bin/login"
subj=system_u:system_r:local_login_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1291510211.277:11): avc: denied { getattr } for
pid=1656 comm="login" path="/var/run/openct/status" dev=dm-0 ino=57346
scontext=system_u:system_r:local_login_t:s0-s0:c0.c1023
tcontext=system_u:object_r:openct_var_run_t:s0 tclass=file
type=SYSCALL msg=audit(1291510211.277:11): arch=40000003 syscall=197
success=yes exit=0 a0=5 a1=bfaf587c a2=3a5ff4 a3=3 items=0 ppid=1
pid=1656 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0
fsgid=0 tty=tty1 ses=4294967295 comm="login" exe="/bin/login"
subj=system_u:system_r:local_login_t:s0-s0:c0.c1023 key=(null)
The Linux policy I am using is the latest for FC13. My /etc/pam.d/login
file is:
#%PAM-1.0
auth       sufficient   pam_pkcs11.so
#auth      [success=done authinfo_unavail=ignore ignore=ignore default=die] pam_pkcs11.so
auth       [user_unknown=ignore success=ok ignore=ignore default=bad] pam_securetty.so
auth       include      system-auth
account    required     pam_nologin.so
account    include      system-auth
password   include      system-auth
# pam_selinux.so close should be the first session rule
session    required     pam_selinux.so close
session    required     pam_loginuid.so
session    optional     pam_console.so
# pam_selinux.so open should only be followed by sessions to be executed in the user context
session    required     pam_selinux.so open
session    required     pam_namespace.so
session    optional     pam_keyinit.so force revoke
session    include      system-auth
-session   optional     pam_ck_connector.so
pam_pkcs11.so is used by openct to perform the actual login and
appropriate mapping. Any ideas - should I report this as a bug?
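Added example, not part of the post above: the usual way to turn a set of AVC denials like these into a candidate local policy module is audit2allow, and the script below reimplements its core step so the transformation is visible. It parses raw audit records, collapses them by (source type, target type, object class), and renders a type-enforcement (.te) module granting exactly the denied permissions. The sample records are the ones quoted in the post, re-joined onto single lines (constructed test input); the module name local_login_openct is an arbitrary choice.

```python
import re
from collections import defaultdict

# Constructed sample: the permissive-mode AVC records from the post above,
# each record re-joined onto one line as it appears in /var/log/audit/audit.log.
# The SYSCALL record is included to show that non-AVC lines are ignored.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1291510211.246:10): avc: denied { search } for pid=1656 comm="login" name="openct" dev=dm-0 ino=4248 scontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tcontext=system_u:object_r:openct_var_run_t:s0 tclass=dir
type=AVC msg=audit(1291510211.246:10): avc: denied { read } for pid=1656 comm="login" name="status" dev=dm-0 ino=57346 scontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tcontext=system_u:object_r:openct_var_run_t:s0 tclass=file
type=AVC msg=audit(1291510211.246:10): avc: denied { open } for pid=1656 comm="login" name="status" dev=dm-0 ino=57346 scontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tcontext=system_u:object_r:openct_var_run_t:s0 tclass=file
type=SYSCALL msg=audit(1291510211.246:10): arch=40000003 syscall=5 success=yes exit=5 a0=bfaf597c a1=0 a2=ab1326 a3=0 items=0 ppid=1 pid=1656 comm="login" exe="/bin/login"
type=AVC msg=audit(1291510211.277:11): avc: denied { getattr } for pid=1656 comm="login" path="/var/run/openct/status" dev=dm-0 ino=57346 scontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tcontext=system_u:object_r:openct_var_run_t:s0 tclass=file
"""

# Matches the permission set and the three fields that identify a rule.
AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?'
    r'scontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\S+)'
)


def context_type(ctx):
    """Extract the type field from user:role:type[:mls] (MLS range is ignored)."""
    return ctx.split(":")[2]


def parse_denials(text):
    """Group denied permissions by (source type, target type, object class)."""
    rules = defaultdict(set)
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # SYSCALL, PATH, etc. records carry no allow-rule information
        key = (context_type(m["scon"]), context_type(m["tcon"]), m["tclass"])
        rules[key].update(m["perms"].split())
    return rules


def render_te(rules, module="local_login_openct", version="1.0"):
    """Render a loadable-module .te source in the form audit2allow -M produces."""
    lines = [f"module {module} {version};", "", "require {"]
    types = sorted({s for s, _, _ in rules} | {t for _, t, _ in rules})
    for t in types:
        lines.append(f"\ttype {t};")
    # The require block must declare every class/permission the allow rules use.
    classes = defaultdict(set)
    for (_, _, cls), perms in rules.items():
        classes[cls].update(perms)
    for cls in sorted(classes):
        lines.append(f"\tclass {cls} {{ {' '.join(sorted(classes[cls]))} }};")
    lines += ["}", ""]
    for key in sorted(rules):
        src, tgt, cls = key
        lines.append(f"allow {src} {tgt}:{cls} {{ {' '.join(sorted(rules[key]))} }};")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print(render_te(parse_denials(SAMPLE_AUDIT)))
```

On a real host the equivalent is `ausearch -m avc -ts recent | audit2allow -M local_login_openct` followed by `semodule -i local_login_openct.pp`, which is a reasonable workaround for a broken console login. It is also the minimum needed to confirm that these four permissions are the whole gap, which is worth knowing before filing the bug: the proper fix belongs in the distribution's login policy rather than in a local module, and the rendered allow rules are the evidence to attach to the report.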