Is it a SELinux policy problem?

Daniel J Walsh dwalsh at redhat.com
Wed Jan 28 00:48:19 UTC 2015


On 01/27/2015 05:11 PM, Casper wrote:
> Or is it a luajit problem?
>
> Dear devs, hello.
> I would like to determine if these AVCs are caused by prosody, lua, or
> a wrong SELinux policy.
>
This AVC (execmem) looks like it is allowed in Fedora
selinux-policy-3.13.1-105.fc21.src.rpm

Does prosody have a log file error.log?


>
> lancaster ~ # systemctl status prosody
> ● prosody.service - Prosody XMPP (Jabber) server
>    Loaded: loaded (/usr/lib/systemd/system/prosody.service; disabled)
>          Active: inactive (dead)
>
> lancaster ~ # sestatus
> SELinux status:                 enabled
> SELinuxfs mount:                /sys/fs/selinux
> SELinux root directory:         /etc/selinux
> Loaded policy name:             targeted
> Current mode:                   enforcing
> Mode from config file:          enforcing
> Policy MLS status:              enabled
> Policy deny_unknown status:     allowed
> Max kernel policy version:      29
>
> lancaster ~ # rpm -q prosody luajit
> prosody-0.9.4-4.fc21.x86_64
> luajit-2.0.3-3.fc21.x86_64
>
>
> systemd start:
> janv. 27 19:28:03 lancaster prosodyctl[21208]: PANIC: unprotected
> error in call to Lua API (runtime code generation failed, restricted
> kernel?)
> janv. 27 19:28:04 lancaster prosodyctl[21208]: PANIC: unprotected
> error in call to Lua API (runtime code generation failed, restricted
> kernel?)
> janv. 27 19:28:04 lancaster systemd[1]: prosody.service: control
> process exited, code=killed status=11
> janv. 27 19:28:04 lancaster systemd[1]: Failed to start Prosody XMPP
> (Jabber) server.
> janv. 27 19:28:04 lancaster systemd[1]: Unit prosody.service entered
> failed state.
> janv. 27 19:28:04 lancaster systemd[1]: prosody.service failed.
>
> kernel log:
> janv. 27 19:28:03 lancaster prosodyctl[21208]: PANIC: unprotected
> error in call to Lua API (runtime code generation failed, restricted
> kernel?)
> janv. 27 19:28:03 lancaster kernel: luajit[21209]: segfault at bcefddd
> ip 000000000bcefddd sp 00007fff98c8cf00 error 15
> janv. 27 19:28:04 lancaster prosodyctl[21208]: PANIC: unprotected
> error in call to Lua API (runtime code generation failed, restricted
> kernel?)
> janv. 27 19:28:04 lancaster kernel: luajit[21208]: segfault at bcefe33
> ip 000000000bcefe33 sp 00007fffe6d4a6b0 error 15
> janv. 27 19:28:04 lancaster systemd[1]: prosody.service: control
> process exited, code=killed status=11
> janv. 27 19:28:04 lancaster systemd[1]: Failed to start Prosody XMPP
> (Jabber) server.
> janv. 27 19:28:04 lancaster systemd[1]: Unit prosody.service entered
> failed state.
> janv. 27 19:28:04 lancaster systemd[1]: prosody.service failed.
> janv. 27 19:28:05 lancaster dbus[904]: [system] Successfully activated
> service 'org.fedoraproject.Setroubleshootd'
> janv. 27 19:28:14 lancaster setroubleshoot[21211]: Plugin Exception
> restorecon_source
> janv. 27 19:28:14 lancaster setroubleshoot[21211]: SELinux is
> preventing /usr/bin/luajit-2.0.3 from read access on the file
> /var/log/prosody/debug.log. For complete SELinux messages. run sealert
> -l 4598d861-a393-472b-9dda-2c1c3b069fd4
> janv. 27 19:28:14 lancaster setroubleshoot[21211]: SELinux is
> preventing /usr/bin/luajit-2.0.3 from read access on the file
> /var/log/prosody/info.log. For complete SELinux messages. run sealert
> -l 4598d861-a393-472b-9dda-2c1c3b069fd4
> janv. 27 19:28:14 lancaster setroubleshoot[21211]: SELinux is
> preventing /usr/bin/luajit-2.0.3 from read access on the file
> /var/log/prosody/error.log. For complete SELinux messages. run sealert
> -l 4598d861-a393-472b-9dda-2c1c3b069fd4
> janv. 27 19:28:15 lancaster setroubleshoot[21211]: SELinux is
> preventing /usr/bin/luajit-2.0.3 from using the execmem access on a
> process. For complete SELinux messages. run sealert -l
> e0b419ae-9eb4-45ec-9d8e-0ef19df4f5cb
> janv. 27 19:28:15 lancaster setroubleshoot[21211]: SELinux is
> preventing /usr/bin/luajit-2.0.3 from using the execmem access on a
> process. For complete SELinux messages. run sealert -l
> e0b419ae-9eb4-45ec-9d8e-0ef19df4f5cb
>
>
> lancaster ~ # sealert -l 4598d861-a393-472b-9dda-2c1c3b069fd4
> SELinux is preventing /usr/bin/luajit-2.0.3 from read access on the
> file /var/log/prosody/error.log.
>
> *****  Plugin catchall (100. confidence) suggests
>        **************************
>
> If you think that luajit-2.0.3 should be allowed read access on the
> error.log file by default.
> Then you should report this as a bug.
> You can generate a local policy module to allow this access.
> Do
> allow this access for now by running:
> # grep luajit /var/log/audit/audit.log | audit2allow -M mypol
> # semodule -i mypol.pp
>
>
> Additional Information:
> Source Context                system_u:system_r:prosody_t:s0
> Target Context                system_u:object_r:var_log_t:s0
> Target Objects                /var/log/prosody/error.log [ file ]
> Source                        luajit
> Source Path                   /usr/bin/luajit-2.0.3
> Port                          <Unknown>
> Host                          lancaster
> Source RPM Packages           luajit-2.0.3-3.fc21.x86_64
> Target RPM Packages
> Policy RPM                    selinux-policy-3.13.1-103.fc21.noarch
> Selinux Enabled               True
> Policy Type                   targeted
> Enforcing Mode                Enforcing
> Host Name                     lancaster
> Platform                      Linux lancaster 3.17.8-300.fc21.x86_64 #1 SMP Thu Jan 8 23:32:49 UTC 2015 x86_64 x86_64
> Alert Count                   7
> First Seen                    2015-01-18 08:59:03 CET
> Last Seen                     2015-01-27 19:28:02 CET
> Local ID                      4598d861-a393-472b-9dda-2c1c3b069fd4
>
> Raw Audit Messages
> type=AVC msg=audit(1422383282.541:154043): avc:  denied  { read } for
> pid=21209 comm="luajit" name="error.log" dev="dm-1" ino=2228909
> scontext=system_u:system_r:prosody_t:s0
> tcontext=system_u:object_r:var_log_t:s0 tclass=file permissive=0
>
>
> type=SYSCALL msg=audit(1422383282.541:154043): arch=x86_64
> syscall=open success=no exit=EACCES a0=4154f8c0 a1=442 a2=1b6 a3=241
> items=0 ppid=21208 pid=21209 auid=4294967295 uid=991 gid=990 euid=991
> suid=991 fsuid=991 egid=990 sgid=990 fsgid=990 tty=(none)
> ses=4294967295 comm=luajit exe=/usr/bin/luajit-2.0.3
> subj=system_u:system_r:prosody_t:s0 key=(null)
>
> Hash: luajit,prosody_t,var_log_t,file,read
>
>
> lancaster ~ # sealert -l e0b419ae-9eb4-45ec-9d8e-0ef19df4f5cb
> SELinux is preventing /usr/bin/luajit-2.0.3 from using the execmem
> access on a process.
>
> *****  Plugin catchall (100. confidence) suggests
>        **************************
>
> If you think that luajit-2.0.3 should be allowed execmem access on
> processes labeled prosody_t by default.
> Then you should report this as a bug.
> You can generate a local policy module to allow this access.
> Do
> allow this access for now by running:
> # grep luajit /var/log/audit/audit.log | audit2allow -M mypol
> # semodule -i mypol.pp
>
>
> Additional Information:
> Source Context                system_u:system_r:prosody_t:s0
> Target Context                system_u:system_r:prosody_t:s0
> Target Objects                Unknown [ process ]
> Source                        luajit
> Source Path                   /usr/bin/luajit-2.0.3
> Port                          <Unknown>
> Host                          lancaster
> Source RPM Packages           luajit-2.0.3-3.fc21.x86_64
> Target RPM Packages
> Policy RPM                    selinux-policy-3.13.1-103.fc21.noarch
> Selinux Enabled               True
> Policy Type                   targeted
> Enforcing Mode                Enforcing
> Host Name                     lancaster
> Platform                      Linux lancaster 3.17.8-300.fc21.x86_64 #1 SMP Thu Jan 8 23:32:49 UTC 2015 x86_64 x86_64
> Alert Count                   12
> First Seen                    2015-01-17 18:00:51 CET
> Last Seen                     2015-01-27 19:28:04 CET
> Local ID                      e0b419ae-9eb4-45ec-9d8e-0ef19df4f5cb
>
> Raw Audit Messages
> type=AVC msg=audit(1422383284.804:154046): avc:  denied  { execmem }
> for  pid=21208 comm="luajit" scontext=system_u:system_r:prosody_t:s0
> tcontext=system_u:system_r:prosody_t:s0 tclass=process permissive=0
>
>
> type=SYSCALL msg=audit(1422383284.804:154046): arch=x86_64
> syscall=mprotect success=no exit=EACCES a0=bce0000 a1=10000 a2=5
> a3=47e items=0 ppid=1 pid=21208 auid=429496795 uid=991 gid=990
> euid=991 suid=991 fsuid=991 egid=990 sgid=990 fsgid=990 tty=(none)
> ses=4294967295 comm=luajit exe=/usr/bin/luajit-2.0.3
> subj=system_u:system_r:prosody_t:s0 key=(null)
>
> Hash: luajit,prosody_t,prosody_t,process,execmem
>
>
> lancaster ~ # ll -Za /var/log/prosody
> drwxrwx---. root prosody system_u:object_r:var_log_t:s0   .
> drwxr-xr-x. root root    system_u:object_r:var_log_t:s0   ..
> -rw-rw-r--. root prosody system_u:object_r:var_log_t:s0   debug.log
> -rw-rw-r--. root prosody system_u:object_r:var_log_t:s0   debug.log-20130727
> -rw-rw-r--. root prosody system_u:object_r:var_log_t:s0   error.log
> -rw-rw-r--. root prosody system_u:object_r:var_log_t:s0   error.log-20130727
> -rw-rw-r--. root prosody system_u:object_r:var_log_t:s0   info.log
> -rw-rw-r--. root prosody system_u:object_r:var_log_t:s0   info.log-20130727
> -rw-rw-r--. root prosody system_u:object_r:var_log_t:s0   prosody.log
>
>
> An opinion on this?
>
> Best regards,
> Matthieu Saulnier
>
>
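
The two denials quoted above are worth triaging rather than feeding straight into audit2allow, because they are of different kinds: the execmem denial is LuaJIT's mprotect(PROT_READ|PROT_EXEC) on its code buffer (the SYSCALL record shows a2=5), which a local module would grant to the whole prosody_t domain, while the read denial is against the generic var_log_t type that the `ll -Za` listing shows on /var/log/prosody, which is usually a labeling problem rather than a missing rule. The script below is an added example for this archive page, not code from the thread, from prosody, from LuaJIT or from selinux-policy. It parses raw audit records (the AVC/SYSCALL pairs from the message, each joined onto one line, plus one constructed name_bind record), pairs each AVC with the SYSCALL record sharing its serial, derives the allow rule audit2allow would produce, and attaches a triage note. The set of "generic" target types and the advice to check matchpathcon/restorecon first are my assumptions about what a policy reviewer wants, not anything the thread states; whether Fedora's policy assigns /var/log/prosody a dedicated log type is what `matchpathcon /var/log/prosody/error.log` reports on the host.

```python
"""Triage of SELinux denials like the ones quoted above.

Added example for this page, not code from the thread, prosody, LuaJIT
or selinux-policy. It pairs each raw AVC record with the SYSCALL record
sharing its serial, derives the allow rule audit2allow would emit, and
flags the two denials that should not simply be allowed: execmem (a JIT
asking for executable anonymous memory through mprotect) and a file
denial against a generic type such as var_log_t (normally a labeling
problem, fixed with restorecon rather than a rule).
"""
import re
from dataclasses import dataclass, field

# The two AVC/SYSCALL pairs from the message, each joined onto one line,
# plus one CONSTRUCTED name_bind denial to exercise the "plain" path.
SAMPLE_AUDIT = """
type=AVC msg=audit(1422383282.541:154043): avc:  denied  { read } for  pid=21209 comm="luajit" name="error.log" dev="dm-1" ino=2228909 scontext=system_u:system_r:prosody_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file permissive=0
type=SYSCALL msg=audit(1422383282.541:154043): arch=x86_64 syscall=open success=no exit=EACCES a0=4154f8c0 a1=442 a2=1b6 a3=241 items=0 ppid=21208 pid=21209 auid=4294967295 uid=991 gid=990 euid=991 suid=991 fsuid=991 egid=990 sgid=990 fsgid=990 tty=(none) ses=4294967295 comm=luajit exe=/usr/bin/luajit-2.0.3 subj=system_u:system_r:prosody_t:s0 key=(null)
type=AVC msg=audit(1422383284.804:154046): avc:  denied  { execmem } for  pid=21208 comm="luajit" scontext=system_u:system_r:prosody_t:s0 tcontext=system_u:system_r:prosody_t:s0 tclass=process permissive=0
type=SYSCALL msg=audit(1422383284.804:154046): arch=x86_64 syscall=mprotect success=no exit=EACCES a0=bce0000 a1=10000 a2=5 a3=47e items=0 ppid=1 pid=21208 auid=4294967295 uid=991 gid=990 euid=991 suid=991 fsuid=991 egid=990 sgid=990 fsgid=990 tty=(none) ses=4294967295 comm=luajit exe=/usr/bin/luajit-2.0.3 subj=system_u:system_r:prosody_t:s0 key=(null)
type=AVC msg=audit(1422383290.000:154050): avc:  denied  { name_bind } for  pid=21208 comm="luajit" src=5222 scontext=system_u:system_r:prosody_t:s0 tcontext=system_u:object_r:jabber_client_port_t:s0 tclass=tcp_socket permissive=0
"""

# mprotect()/mmap() protection bits on Linux.
PROT_BITS = {0x1: "PROT_READ", 0x2: "PROT_WRITE", 0x4: "PROT_EXEC"}

# Generic types a confined service domain should not need to touch directly;
# a denial on one of these usually means the files carry the wrong label.
# Assumed list for this example; extend it for your policy.
GENERIC_TARGET_TYPES = {"var_log_t", "var_t", "var_lib_t", "var_run_t",
                        "etc_t", "tmp_t", "usr_t", "default_t", "unlabeled_t"}

SERIAL_RE = re.compile(r"msg=audit\([\d.]+:(?P<serial>\d+)\)")
AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+)\}\s+for\s+(?P<rest>.*)")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def kv_fields(text):
    """Turn 'pid=1 comm="luajit" key=(null)' into a dict with quotes stripped."""
    return {k: v.strip('"') for k, v in KV_RE.findall(text)}


def decode_prot(value):
    """Expand an mprotect()/mmap() prot argument into PROT_* names."""
    return [name for bit, name in sorted(PROT_BITS.items()) if value & bit]


@dataclass
class Denial:
    serial: str
    perms: list
    avc: dict                                    # fields of the AVC record
    syscall: dict = field(default_factory=dict)  # fields of the paired SYSCALL record

    def _type(self, which):
        return self.avc[which].split(":")[2]     # user:role:type:level -> type

    def allow_rule(self):
        """The minimal rule audit2allow would derive (same context -> 'self')."""
        same = self.avc["scontext"] == self.avc["tcontext"]
        target = "self" if same else self._type("tcontext")
        perms = self.perms[0] if len(self.perms) == 1 else "{ %s }" % " ".join(self.perms)
        return "allow %s %s:%s %s;" % (self._type("scontext"), target, self.avc["tclass"], perms)

    def triage(self):
        """Say whether the rule is the right fix or a symptom of something else."""
        tclass, ttype = self.avc["tclass"], self._type("tcontext")
        if tclass == "process" and "execmem" in self.perms:
            detail = ""
            if self.syscall.get("syscall") == "mprotect":
                detail = " (mprotect with %s)" % "|".join(decode_prot(int(self.syscall["a2"], 16)))
            return ("execmem: %s wants executable anonymous memory%s; confirm it is a "
                    "JIT and prefer the distribution policy's rule or boolean to a "
                    "local module" % (self.avc.get("comm", "?"), detail))
        if tclass in ("file", "dir", "lnk_file") and ttype in GENERIC_TARGET_TYPES:
            return ("label: target type %s is generic; check matchpathcon for %s and "
                    "restorecon the directory before writing any rule"
                    % (ttype, self.avc.get("name", "the path")))
        return "review: looks like a genuinely missing rule"


def parse_records(text):
    """Pair AVC records with the SYSCALL record that shares their serial."""
    denials, syscalls = {}, {}
    for line in text.splitlines():
        line = line.strip()
        m = SERIAL_RE.search(line)
        if not m:
            continue
        serial = m.group("serial")
        if line.startswith("type=AVC"):
            a = AVC_RE.search(line)
            if a:
                denials[serial] = Denial(serial, a.group("perms").split(), kv_fields(a.group("rest")))
        elif line.startswith("type=SYSCALL"):
            syscalls[serial] = kv_fields(line)
    for serial, d in denials.items():
        d.syscall = syscalls.get(serial, {})
    return [denials[s] for s in sorted(denials, key=int)]


def report(text):
    """(allow rule, triage note) per denial, in serial order."""
    return [(d.allow_rule(), d.triage()) for d in parse_records(text)]


if __name__ == "__main__":
    for rule, note in report(SAMPLE_AUDIT):
        print(rule)
        print("    ", note)
```

Run against `ausearch -m AVC,SYSCALL -ts recent` output instead of the embedded sample to triage a live host. The point of the split is that `audit2allow -M mypol` would happily emit both `allow prosody_t self:process execmem;` and `allow prosody_t var_log_t:file read;`; the first widens the domain's memory permissions for every process in prosody_t, which is why a rule shipped by the distribution policy (as the reply says newer policy versions do) is preferable to a local module, and the second papers over whatever left the log files labeled var_log_t instead of fixing the label.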
