Xpra: Ticket #1679: fedora 27 selinux policy error

ValueError: Type xpra_port_t is invalid, must be a port type

Looks like they've changed something somewhere? PITA

This affects upgrades as well as installs.

selinux related tickets:

Thu, 09 Nov 2017 07:45:02 GMT - Antoine Martin: status, description changed

Thu, 09 Nov 2017 08:00:08 GMT - Antoine Martin: description, summary changed

That's caused by this new rule neverallow authlogin_typeattr_1 shadow_t (file (read))):

sudo neverallow check failed at /var/lib/selinux/targeted/tmp/modules/100/authlogin/cil:261
  (neverallow authlogin_typeattr_1 shadow_t (file (read)))
    allow at /var/lib/selinux/targeted/tmp/modules/400/xpra_socketactivation/cil:126
      (allow xpra_t shadow_t (file (read getattr open)))
Failed to generate binary
semodule:  Failed!

The port error is a red herring: it occurs because the policy failed to load.

Problem is that we need to access shadow_t to verify passwords..

SELinux insides – Part2: Neverallow assertions: We need to be sure that we do not allow any unwanted/unsecure/dangerous actions. For example, we do not want to allow ordinary services to access /etc/shadow. We are not an ordinary service since we do authentication against the system passwords.

I followed all the rules and built policy with audit2allow and the semodule command blows up: sshd currently uses PAM to check passwords. One of the PAM modules that sshd uses is pam_unix. This module first tries to read /etc/shadow directly. If it gets permission denied it executes /sbin/unix_chkpwd. unix_chkpwd accepts the user name and password and indicates to pam_unix whether the password matches the username.

Maybe we can get by with "dontaudit" and let PAM fallback to chkpwd?

Thu, 09 Nov 2017 11:45:48 GMT - Antoine Martin: owner, status changed

According to Why does it access /etc/shadow?: these two macros should be enough to make us use chkpwd via a subprocess (the process transition takes care of the selinux permissions) rather than the in-process access:


Unfortunately, that doesn't work at all here and PAM fails with a rather cryptic message:

audit[23562]: USER_AUTH pid=23562 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:xpra_t:s0 \
    msg='op=PAM:authentication grantors=? acct="antoine" exe="/usr/bin/python2.7" hostname=? addr=? terminal=? res=failed'

The hidden rule that causes this failure is shown with semodule -DB:

AVC avc:  denied  { read } for  pid=27195 comm="xpra" name="shadow" dev="md123" ino=824634 \
    scontext=system_u:system_r:xpra_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file permissive=0

So it is still trying to access /etc/shadow... For whatever reason.

And this is where it gets incredibly annoying. Even using the big hammer:

typeattribute xpra_t can_read_shadow_passwords;

To try to force allow access to the shadow file does not work because now we get a new unrelated error in a completely different place:

AVC avc:  denied  { map } for  pid=30530 comm="xpra" path="/dev/shm/uG1uyM" dev="tmpfs" ino=396632 \
    scontext=system_u:system_r:xpra_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=file permissive=0
Exception in thread start_proxy(SSL socket: ::ffff:, 14500, 0, 0 <- ::ffff:, 55396, 0, 0):
  File "/usr/lib64/python2.7/multiprocessing/synchronize.py", line 75, in __init__
   sl = self._semlock = _multiprocessing.SemLock(kind, value, maxvalue)
OSError: [Errno 13] Permission denied

So r17340 allows both and seems to work. Should this be backported? meh.

@smo: just a FYI, feel free to just close.

Sun, 12 Nov 2017 08:29:52 GMT - Antoine Martin:

r17340 broke all distros older than Fedora 27 as the new "map" selinux capability doesn't exist there... r adds a conditional patch to the spec file to take it out.

Sun, 12 Nov 2017 16:31:59 GMT - Antoine Martin:

After testing in a Fedora 27 VM, looks like we also need r17390 + r17391 + r17402. Whatever this new "map" thing is meant to do, it causes all sorts of problems. (ldconfig also triggers audit warnings with "map" on /usr/bin/ldconfig - maybe there is a more generic way of execing subprocesses without needing this new permission?)

Sat, 23 Dec 2017 12:59:34 GMT - Antoine Martin: status changed; resolution set

Sat, 23 Jan 2021 05:30:53 GMT - migration script:

this ticket has been moved to: https://github.com/Xpra-org/xpra/issues/1679