xpra icon
Bug tracker and wiki

Opened 5 weeks ago

Last modified 4 weeks ago

#1679 new defect

fedora 27 selinux policy error

Reported by: Antoine Martin Owned by: Smo
Priority: major Milestone: 2.2
Component: platforms Version: trunk
Keywords: fedora selinux Cc:

Description (last modified by Antoine Martin)

ValueError: Type xpra_port_t is invalid, must be a port type

Looks like they've changed something somewhere?
PITA

This affects upgrades as well as installs.

selinux related tickets:

Change History (5)

comment:1 Changed 5 weeks ago by Antoine Martin

Description: modified (diff)
Status: newassigned

comment:2 Changed 5 weeks ago by Antoine Martin

Description: modified (diff)
Summary: fedora 27 selinux policy error: xpra_port_t must be a port typefedora 27 selinux policy error

That's caused by this new rule neverallow authlogin_typeattr_1 shadow_t (file (read))):

sudo neverallow check failed at /var/lib/selinux/targeted/tmp/modules/100/authlogin/cil:261
  (neverallow authlogin_typeattr_1 shadow_t (file (read)))
    <root>
    allow at /var/lib/selinux/targeted/tmp/modules/400/xpra_socketactivation/cil:126
      (allow xpra_t shadow_t (file (read getattr open)))

Failed to generate binary
semodule:  Failed!

The port error is a red herring: it occurs because the policy failed to load.

Problem is that we need to access shadow_t to verify passwords..

SELinux insides – Part2: Neverallow assertions: We need to be sure that we do not allow any unwanted/unsecure/dangerous actions. For example, we do not want to allow ordinary services to access /etc/shadow.
We are not an ordinary service since we do authentication against the system passwords.

I followed all the rules and built policy with audit2allow and the semodule command blows up: sshd currently uses PAM to check passwords. One of the PAM modules that sshd uses is pam_unix. This module first tries to read /etc/shadow directly. If it gets permission denied it executes /sbin/unix_chkpwd. unix_chkpwd accepts the user name and password and indicates to pam_unix whether the password matches the username.

Maybe we can get by with "dontaudit" and let PAM fallback to chkpwd?

comment:3 Changed 5 weeks ago by Antoine Martin

Owner: changed from Antoine Martin to Smo
Status: assignednew

According to Why does it access /etc/shadow?: these two macros should be enough to make us use chkpwd via a subprocess (the process transition takes care of the selinux permissions) rather than the in-process access:

auth_use_pam(xpra_t)
selinux_getattr_fs(xpra_t)

Unfortunately, that doesn't work at all here and PAM fails with a rather cryptic message:

audit[23562]: USER_AUTH pid=23562 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:xpra_t:s0 \
    msg='op=PAM:authentication grantors=? acct="antoine" exe="/usr/bin/python2.7" hostname=? addr=? terminal=? res=failed'

The hidden rule that causes this failure is shown with semodule -DB:

AVC avc:  denied  { read } for  pid=27195 comm="xpra" name="shadow" dev="md123" ino=824634 \
    scontext=system_u:system_r:xpra_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file permissive=0

So it is still trying to access /etc/shadow... For whatever reason.

And this is where it gets incredibly annoying. Even using the big hammer:

typeattribute xpra_t can_read_shadow_passwords;

To try to force allow access to the shadow file does not work because now we get a new unrelated error in a completely different place:

do_start_proxy()
AVC avc:  denied  { map } for  pid=30530 comm="xpra" path="/dev/shm/uG1uyM" dev="tmpfs" ino=396632 \
    scontext=system_u:system_r:xpra_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=file permissive=0
Exception in thread start_proxy(SSL socket: ::ffff:127.0.0.1, 14500, 0, 0 <- ::ffff:127.0.0.1, 55396, 0, 0):
(..)
  File "/usr/lib64/python2.7/multiprocessing/synchronize.py", line 75, in __init__
   sl = self._semlock = _multiprocessing.SemLock(kind, value, maxvalue)
OSError: [Errno 13] Permission denied

So r17340 allows both and seems to work.
Should this be backported? meh.

@smo: just a FYI, feel free to just close.

comment:4 Changed 4 weeks ago by Antoine Martin

r17340 broke all distros older than Fedora 27 as the new "map" selinux capability doesn't exist there... r adds a conditional patch to the spec file to take it out.

comment:5 Changed 4 weeks ago by Antoine Martin

After testing in a Fedora 27 VM, looks like we also need r17390 + r17391 + r17402.
Whatever this new "map" thing is meant to do, it causes all sorts of problems.
(ldconfig also triggers audit warnings with "map" on /usr/bin/ldconfig - maybe there is a more generic way of execing subprocesses without needing this new permission?)

Note: See TracTickets for help on using tickets.