1818759 – AVC from pcscd during startup

Note: This is a public test instance of Red Hat Bugzilla. The data contained within is a snapshot of the live data so any changes you make will not be reflected in the production Bugzilla. Email is disabled so feel free to test any aspect of the site that you want. File any problems you find or give feedback at bugzilla.redhat.com.

Bug 1818759 - AVC from pcscd during startup

Summary: AVC from pcscd during startup

Keywords:
Status:	CLOSED DUPLICATE of bug 1811407
Alias:	None
Product:	Fedora
Classification:	Fedora
Component:	selinux-policy
Sub Component:
Version:	rawhide
Hardware:	Unspecified
OS:	Unspecified
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	Zdenek Pytela
QA Contact:	Fedora Extras Quality Assurance
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2020-03-30 09:52 UTC by Jakub Jelen
Modified:	2020-04-27 08:57 UTC (History)
CC List:	6 users (show)
Fixed In Version:
Doc Type:	If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:	2020-04-09 16:44:12 UTC
Type:	Bug
Embargoed:
Dependent Products:

Attachments	(Terms of Use)

Description Jakub Jelen 2020-03-30 09:52:49 UTC

Description of problem:
I am getting this AVC reproducibly during startup of pcscd. There is no explicit call to nice in pcscd, but it might be in underlying usb libraries. As it is daemon talking to HW, I assume this is valid request to ask for priority.

Version-Release number of selected component (if applicable):
selinux-policy-3.14.6-9.fc33.noarch
selinux-policy-3.14.5-31.fc32.noarch

How reproducible:
100%

Steps to Reproduce:
0. Install gnutls-utils, pcscd, opensc
1. Run p11tool --list-tokens

Actual results:
works, but this AVC is thrown

Expected results:
Works, no AVC is thrown

I did not see this in Fedora 31.

Additional info:
SELinux status:                 enabled
SELinuxfs mount:                /sys/fs/selinux
SELinux root directory:         /etc/selinux
Loaded policy name:             targeted
Current mode:                   enforcing
Mode from config file:          enforcing
Policy MLS status:              enabled
Policy deny_unknown status:     allowed
Memory protection checking:     actual (secure)
Max kernel policy version:      32
selinux-policy-3.14.6-9.fc33.noarch

time->Fri Mar 27 14:26:29 2020
type=AVC msg=audit(1585319189.817:2659): avc:  denied  { sys_nice } for  pid=50066 comm="pcscd" capability=23  scontext=system_u:system_r:pcscd_t:s0 tcontext=system_u:system_r:pcscd_t:s0 tclass=capability permissive=0

Comment 1 Zdenek Pytela 2020-03-30 10:27:33 UTC

Jakub,

This is supposed to be related to update of glib2 in F32 and is a candidate for not auditing. Do you see any issue with not having the permission allowed, like some functionality problem?

https://bugzilla.redhat.com/show_bug.cgi?id=1795524

Comment 2 Jakub Jelen 2020-03-30 10:43:34 UTC

No. It works fine without this permission. If it is bug in glib2, feel free to close it as a duplicate. These were jobs from Friday. If it will show up again with newer versions, I will reopen.

Comment 3 Zdenek Pytela 2020-04-09 16:44:12 UTC


*** This bug has been marked as a duplicate of bug 1811407 ***

Note You need to log in before you can comment on or make changes to this bug.