avc: smartcard token login

Mr Dash Four mr.dash.four at googlemail.com
Sun Dec 5 01:08:14 UTC 2010


When I try to log in (via a terminal) using a smartcard token managed by 
openct I get the following AVC:

type=AVC msg=audit(1291494642.695:5): avc:  denied  { search } for  pid=1651 comm="login" name="openct" dev=dm-0 ino=9737 scontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tcontext=system_u:object_r:openct_var_run_t:s0 tclass=dir
type=SYSCALL msg=audit(1291494642.695:5): arch=40000003 syscall=5 success=no exit=-13 a0=bfee6f9c a1=0 a2=3ad326 a3=0 items=0 ppid=1 pid=1651 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=tty1 ses=4294967295 comm="login" exe="/bin/login" subj=system_u:system_r:local_login_t:s0-s0:c0.c1023 key=(null)

When I put SELinux in permissive mode I found out that openct, via 
/bin/login, is trying to access its status file (/var/run/openct/status):

type=AVC msg=audit(1291510211.246:10): avc:  denied  { search } for  pid=1656 comm="login" name="openct" dev=dm-0 ino=4248 scontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tcontext=system_u:object_r:openct_var_run_t:s0 tclass=dir
type=AVC msg=audit(1291510211.246:10): avc:  denied  { read } for  pid=1656 comm="login" name="status" dev=dm-0 ino=57346 scontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tcontext=system_u:object_r:openct_var_run_t:s0 tclass=file
type=AVC msg=audit(1291510211.246:10): avc:  denied  { open } for  pid=1656 comm="login" name="status" dev=dm-0 ino=57346 scontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tcontext=system_u:object_r:openct_var_run_t:s0 tclass=file
type=SYSCALL msg=audit(1291510211.246:10): arch=40000003 syscall=5 success=yes exit=5 a0=bfaf597c a1=0 a2=ab1326 a3=0 items=0 ppid=1 pid=1656 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=tty1 ses=4294967295 comm="login" exe="/bin/login" subj=system_u:system_r:local_login_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1291510211.277:11): avc:  denied  { getattr } for  pid=1656 comm="login" path="/var/run/openct/status" dev=dm-0 ino=57346 scontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tcontext=system_u:object_r:openct_var_run_t:s0 tclass=file
type=SYSCALL msg=audit(1291510211.277:11): arch=40000003 syscall=197 success=yes exit=0 a0=5 a1=bfaf587c a2=3a5ff4 a3=3 items=0 ppid=1 pid=1656 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=tty1 ses=4294967295 comm="login" exe="/bin/login" subj=system_u:system_r:local_login_t:s0-s0:c0.c1023 key=(null)

The Linux policy I am using is the latest for FC13. My /etc/pam.d/login 
file is:

#%PAM-1.0
auth       sufficient   pam_pkcs11.so
#auth       [success=done authinfo_unavail=ignore ignore=ignore default=die] pam_pkcs11.so
auth [user_unknown=ignore success=ok ignore=ignore default=bad] pam_securetty.so
auth       include      system-auth
account    required     pam_nologin.so
account    include      system-auth
password   include      system-auth
# pam_selinux.so close should be the first session rule
session    required     pam_selinux.so close
session    required     pam_loginuid.so
session    optional     pam_console.so
# pam_selinux.so open should only be followed by sessions to be executed in the user context
session    required     pam_selinux.so open
session    required     pam_namespace.so
session    optional     pam_keyinit.so force revoke
session    include      system-auth
-session   optional     pam_ck_connector.so

pam_pkcs11.so is used by openct to perform the actual login and 
appropriate mapping. Any ideas - should I report this as a bug?
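As an added example (not part of the post above, and not the real audit2allow), the following Python script shows how a policy maintainer would triage denials like these before deciding whether to file a bug: it parses the AVC records quoted in the post, collapses them by (source type, target type, object class), and renders the minimal allow rules the current policy is missing. The sample input is the post's own AVC lines with the mail-client line wrapping removed; the module name `openct_login_local` is an assumption chosen for this example.

```python
"""Minimal audit2allow-style aggregator for SELinux AVC denial records.

Added example: parses AVC lines, groups denied permissions per
(source type, target type, class) and emits a .te fragment. It is a
triage aid, not a replacement for audit2allow or a policy review.
"""
import re
from collections import defaultdict

# Input: the AVC records from the post (unwrapped). The SYSCALL records
# are deliberately left out; the parser ignores non-AVC lines anyway.
SAMPLE_AVC = """
type=AVC msg=audit(1291494642.695:5): avc:  denied  { search } for  pid=1651 comm="login" name="openct" dev=dm-0 ino=9737 scontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tcontext=system_u:object_r:openct_var_run_t:s0 tclass=dir
type=AVC msg=audit(1291510211.246:10): avc:  denied  { search } for  pid=1656 comm="login" name="openct" dev=dm-0 ino=4248 scontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tcontext=system_u:object_r:openct_var_run_t:s0 tclass=dir
type=AVC msg=audit(1291510211.246:10): avc:  denied  { read } for  pid=1656 comm="login" name="status" dev=dm-0 ino=57346 scontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tcontext=system_u:object_r:openct_var_run_t:s0 tclass=file
type=AVC msg=audit(1291510211.246:10): avc:  denied  { open } for  pid=1656 comm="login" name="status" dev=dm-0 ino=57346 scontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tcontext=system_u:object_r:openct_var_run_t:s0 tclass=file
type=AVC msg=audit(1291510211.277:11): avc:  denied  { getattr } for  pid=1656 comm="login" path="/var/run/openct/status" dev=dm-0 ino=57346 scontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tcontext=system_u:object_r:openct_var_run_t:s0 tclass=file
"""

# "avc:  denied  { read open } for  key=value key="quoted value" ..."
AVC_RE = re.compile(
    r'avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*)$'
)
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return a dict for one AVC record, or None if the line is not an AVC."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group('fields'))}
    return {
        'result': m.group('result'),
        'perms': set(m.group('perms').split()),
        'scontext': fields.get('scontext'),
        'tcontext': fields.get('tcontext'),
        'tclass': fields.get('tclass'),
        'comm': fields.get('comm'),
        # Directory denials report name=, the getattr denial reports path=.
        'object': fields.get('path') or fields.get('name'),
    }


def type_of(context):
    """Extract the type field from user:role:type[:level] (the third field)."""
    return context.split(':')[2]


def aggregate(text):
    """Collapse denied AVCs into {(source_type, target_type, class): {perms}}."""
    rules = defaultdict(set)
    for line in text.splitlines():
        rec = parse_avc(line)
        if rec is None or rec['result'] != 'denied':
            continue
        key = (type_of(rec['scontext']), type_of(rec['tcontext']), rec['tclass'])
        rules[key] |= rec['perms']
    return dict(rules)


def render_te(rules, module='openct_login_local'):
    """Render the aggregated rules as a policy module source (.te) fragment."""
    types = sorted({t for (s, tt, _) in rules for t in (s, tt)})
    classes = defaultdict(set)
    for (_, _, cls), perms in rules.items():
        classes[cls] |= perms
    out = [f'module {module} 1.0;', '', 'require {']
    out += [f'\ttype {t};' for t in types]
    for cls in sorted(classes):
        perms = sorted(classes[cls])
        body = perms[0] if len(perms) == 1 else '{ ' + ' '.join(perms) + ' }'
        out.append(f'\tclass {cls} {body};')
    out += ['}', '']
    for (src, tgt, cls) in sorted(rules):
        perms = sorted(rules[(src, tgt, cls)])
        body = perms[0] if len(perms) == 1 else '{ ' + ' '.join(perms) + ' }'
        out.append(f'allow {src} {tgt}:{cls} {body};')
    return '\n'.join(out) + '\n'


if __name__ == '__main__':
    print(render_te(aggregate(SAMPLE_AVC)))
```

Two rules come out: `allow local_login_t openct_var_run_t:dir search;` and `allow local_login_t openct_var_run_t:file { getattr open read };`, which matches what the permissive-mode trace shows login(1) needing. Seeing the denials reduced to read-only access to openct's status file under /var/run is the evidence one would attach to a policy bug report; it also shows that a local module built from this fragment is a narrow, defensible workaround in the meantime.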
