avc: smartcard token login

Dominick Grift domg472 at gmail.com
Sun Dec 5 19:42:51 UTC 2010 

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 12/05/2010 02:08 AM, Mr Dash Four wrote:
> When I try to log in (via a terminal) using smartcard token managed by 
> openct I get the following AVC:
> 
> type=AVC msg=audit(1291494642.695:5): avc:  denied  { search } for  
> pid=1651 comm="login" name="openct" dev=dm-0 ino=9737 
> scontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 
> tcontext=system_u:object_r:openct_var_run_t:s0 tclass=dir
> type=SYSCALL msg=audit(1291494642.695:5): arch=40000003 syscall=5 
> success=no exit=-13 a0=bfee6f9c a1=0 a2=3ad326 a3=0 items=0 ppid=1 
> pid=1651 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 
> fsgid=0 tty=tty1 ses=4294967295 comm="login" exe="/bin/login" 
> subj=system_u:system_r:local_login_t:s0-s0:c0.c1023 key=(null)
> 
> When I put SELinux in permissive mode I found out that openct, via 
> /bin/login, is trying to access its status file (/var/run/openct/status):
> 
> type=AVC msg=audit(1291510211.246:10): avc:  denied  { search } for  
> pid=1656 comm="login" name="openct" dev=dm-0 ino=4248 
> scontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 
> tcontext=system_u:object_r:openct_var_run_t:s0 tclass=dir
> type=AVC msg=audit(1291510211.246:10): avc:  denied  { read } for  
> pid=1656 comm="login" name="status" dev=dm-0 ino=57346 
> scontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 
> tcontext=system_u:object_r:openct_var_run_t:s0 tclass=file
> type=AVC msg=audit(1291510211.246:10): avc:  denied  { open } for  
> pid=1656 comm="login" name="status" dev=dm-0 ino=57346 
> scontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 
> tcontext=system_u:object_r:openct_var_run_t:s0 tclass=file
> type=SYSCALL msg=audit(1291510211.246:10): arch=40000003 syscall=5 
> success=yes exit=5 a0=bfaf597c a1=0 a2=ab1326 a3=0 items=0 ppid=1 
> pid=1656 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 
> fsgid=0 tty=tty1 ses=4294967295 comm="login" exe="/bin/login" 
> subj=system_u:system_r:local_login_t:s0-s0:c0.c1023 key=(null)
> type=AVC msg=audit(1291510211.277:11): avc:  denied  { getattr } for  
> pid=1656 comm="login" path="/var/run/openct/status" dev=dm-0 ino=57346 
> scontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 
> tcontext=system_u:object_r:openct_var_run_t:s0 tclass=file
> type=SYSCALL msg=audit(1291510211.277:11): arch=40000003 syscall=197 
> success=yes exit=0 a0=5 a1=bfaf587c a2=3a5ff4 a3=3 items=0 ppid=1 
> pid=1656 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 
> fsgid=0 tty=tty1 ses=4294967295 comm="login" exe="/bin/login" 
> subj=system_u:system_r:local_login_t:s0-s0:c0.c1023 key=(null)
> 
> The Linux policy I am using is the latest for FC13. My /etc/pam.d/login 
> file is:
> 
> #%PAM-1.0
> auth       sufficient   pam_pkcs11.so
> #auth       [success=done authinfo_unavail=ignore ignore=ignore 
> default=die] pam_pkcs11.so
> auth [user_unknown=ignore success=ok ignore=ignore default=bad] 
> pam_securetty.so
> auth       include      system-auth
> account    required     pam_nologin.so
> account    include      system-auth
> password   include      system-auth
> # pam_selinux.so close should be the first session rule
> session    required     pam_selinux.so close
> session    required     pam_loginuid.so
> session    optional     pam_console.so
> # pam_selinux.so open should only be followed by sessions to be executed 
> in the user context
> session    required     pam_selinux.so open
> session    required     pam_namespace.so
> session    optional     pam_keyinit.so force revoke
> session    include      system-auth
> -session   optional     pam_ck_connector.so
> 
> pam_pkcs11.so is used by openct to perform the actual login and 
> appropriate mapping. Any ideas - should I report this as a bug?

looks like a bug in policy (redhat.bugzilla.com in the selinux-policy
component)

but before you consider that verify that there is no boolean available
that you can toggle to provide this access:

sesearch --allow -SC -s local_login_t -t openct_var_run_t

If there is a line that allows local_login_t openct_var_run_t:file read
then see if the line is prefixed with DT or ET (disabled tunable,
enabled tunable respectively)

If there is and its prefixed by DT then theres a boolean that can be
toggled to allow local_login_t to read openct_var_run_t files. Which
boolean(s) is prep-ended to that line in brackets.

But chances are youve just stumbled upon a bug or you've misconfigured
something.

> --
> selinux mailing list
> selinux at lists.fedoraproject.org
> https://admin.fedoraproject.org/mailman/listinfo/selinux

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.16 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/

iEYEARECAAYFAkz76zsACgkQMlxVo39jgT8tCQCgtjcmJ3HHRqrVOxLvdmrLG6SO
zKoAniKfhlXGiWMLvnsgcYJo4EIlMl+B
=yTXV
-----END PGP SIGNATURE-----

More information about the selinux mailing list