-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On 12/05/2010 02:08 AM, Mr Dash Four wrote: > When I try to log in (via a terminal) using smartcard token managed by > openct I get the following AVC: > > type=AVC msg=audit(1291494642.695:5): avc: denied { search } for > pid=1651 comm="login" name="openct" dev=dm-0 ino=9737 > scontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 > tcontext=system_u:object_r:openct_var_run_t:s0 tclass=dir > type=SYSCALL msg=audit(1291494642.695:5): arch=40000003 syscall=5 > success=no exit=-13 a0=bfee6f9c a1=0 a2=3ad326 a3=0 items=0 ppid=1 > pid=1651 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 > fsgid=0 tty=tty1 ses=4294967295 comm="login" exe="/bin/login" > subj=system_u:system_r:local_login_t:s0-s0:c0.c1023 key=(null) > > When I put SELinux in permissive mode I found out that openct, via > /bin/login, is trying to access its status file (/var/run/openct/status): > > type=AVC msg=audit(1291510211.246:10): avc: denied { search } for > pid=1656 comm="login" name="openct" dev=dm-0 ino=4248 > scontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 > tcontext=system_u:object_r:openct_var_run_t:s0 tclass=dir > type=AVC msg=audit(1291510211.246:10): avc: denied { read } for > pid=1656 comm="login" name="status" dev=dm-0 ino=57346 > scontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 > tcontext=system_u:object_r:openct_var_run_t:s0 tclass=file > type=AVC msg=audit(1291510211.246:10): avc: denied { open } for > pid=1656 comm="login" name="status" dev=dm-0 ino=57346 > scontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 > tcontext=system_u:object_r:openct_var_run_t:s0 tclass=file > type=SYSCALL msg=audit(1291510211.246:10): arch=40000003 syscall=5 > success=yes exit=5 a0=bfaf597c a1=0 a2=ab1326 a3=0 items=0 ppid=1 > pid=1656 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 > fsgid=0 tty=tty1 ses=4294967295 comm="login" exe="/bin/login" > subj=system_u:system_r:local_login_t:s0-s0:c0.c1023 key=(null) > type=AVC msg=audit(1291510211.277:11): avc: denied { getattr } for > pid=1656 comm="login" path="/var/run/openct/status" dev=dm-0 ino=57346 > scontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 > tcontext=system_u:object_r:openct_var_run_t:s0 tclass=file > type=SYSCALL msg=audit(1291510211.277:11): arch=40000003 syscall=197 > success=yes exit=0 a0=5 a1=bfaf587c a2=3a5ff4 a3=3 items=0 ppid=1 > pid=1656 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 > fsgid=0 tty=tty1 ses=4294967295 comm="login" exe="/bin/login" > subj=system_u:system_r:local_login_t:s0-s0:c0.c1023 key=(null) > > The Linux policy I am using is the latest for FC13. My /etc/pam.d/login > file is: > > #%PAM-1.0 > auth sufficient pam_pkcs11.so > #auth [success=done authinfo_unavail=ignore ignore=ignore > default=die] pam_pkcs11.so > auth [user_unknown=ignore success=ok ignore=ignore default=bad] > pam_securetty.so > auth include system-auth > account required pam_nologin.so > account include system-auth > password include system-auth > # pam_selinux.so close should be the first session rule > session required pam_selinux.so close > session required pam_loginuid.so > session optional pam_console.so > # pam_selinux.so open should only be followed by sessions to be executed > in the user context > session required pam_selinux.so open > session required pam_namespace.so > session optional pam_keyinit.so force revoke > session include system-auth > -session optional pam_ck_connector.so > > pam_pkcs11.so is used by openct to perform the actual login and > appropriate mapping. Any ideas - should I report this as a bug? looks like a bug in policy (redhat.bugzilla.com in the selinux-policy component) but before you consider that verify that there is no boolean available that you can toggle to provide this access: sesearch --allow -SC -s local_login_t -t openct_var_run_t If there is a line that allows local_login_t openct_var_run_t:file read then see if the line is prefixed with DT or ET (disabled tunable, enabled tunable respectively) If there is and its prefixed by DT then theres a boolean that can be toggled to allow local_login_t to read openct_var_run_t files. Which boolean(s) is prep-ended to that line in brackets. But chances are youve just stumbled upon a bug or you've misconfigured something. > -- > selinux mailing list > selinux@xxxxxxxxxxxxxxxxxxxxxxx > https://admin.fedoraproject.org/mailman/listinfo/selinux -----BEGIN PGP SIGNATURE----- Version: GnuPG v2.0.16 (GNU/Linux) Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/ iEYEARECAAYFAkz76zsACgkQMlxVo39jgT8tCQCgtjcmJ3HHRqrVOxLvdmrLG6SO zKoAniKfhlXGiWMLvnsgcYJo4EIlMl+B =yTXV -----END PGP SIGNATURE----- -- selinux mailing list selinux@xxxxxxxxxxxxxxxxxxxxxxx https://admin.fedoraproject.org/mailman/listinfo/selinux