Is it a SELinux policy problem?
Daniel J Walsh
dwalsh at redhat.com
Wed Jan 28 00:48:19 UTC 2015
On 01/27/2015 05:11 PM, Casper wrote:
> Or is it a luajit problem?
>
> Dear devs hello.
> I would like to determine if these AVCs are caused by prosody, lua, or
> a wrong SELinux policy.
>
This AVC (execmem) looks like it is allowed in Fedora
selinux-policy-3.13.1-105.fc21.src.rpm.

Does prosody have a log file error.log?
>
> lancaster ~ # systemctl status prosody
> ● prosody.service - Prosody XMPP (Jabber) server
> Loaded: loaded (/usr/lib/systemd/system/prosody.service; disabled)
> Active: inactive (dead)
>
> lancaster ~ # sestatus
> SELinux status: enabled
> SELinuxfs mount: /sys/fs/selinux
> SELinux root directory: /etc/selinux
> Loaded policy name: targeted
> Current mode: enforcing
> Mode from config file: enforcing
> Policy MLS status: enabled
> Policy deny_unknown status: allowed
> Max kernel policy version: 29
>
> lancaster ~ # rpm -q prosody luajit
> prosody-0.9.4-4.fc21.x86_64
> luajit-2.0.3-3.fc21.x86_64
>
>
> systemd start:
> janv. 27 19:28:03 lancaster prosodyctl[21208]: PANIC: unprotected
> error in call to Lua API (runtime code generation failed, restricted
> kernel?)
> janv. 27 19:28:04 lancaster prosodyctl[21208]: PANIC: unprotected
> error in call to Lua API (runtime code generation failed, restricted
> kernel?)
> janv. 27 19:28:04 lancaster systemd[1]: prosody.service: control
> process exited, code=killed status=11
> janv. 27 19:28:04 lancaster systemd[1]: Failed to start Prosody XMPP
> (Jabber) server.
> janv. 27 19:28:04 lancaster systemd[1]: Unit prosody.service entered
> failed state.
> janv. 27 19:28:04 lancaster systemd[1]: prosody.service failed.
>
> kernel log:
> janv. 27 19:28:03 lancaster prosodyctl[21208]: PANIC: unprotected
> error in call to Lua API (runtime code generation failed, restricted
> kernel?)
> janv. 27 19:28:03 lancaster kernel: luajit[21209]: segfault at bcefddd
> ip 000000000bcefddd sp 00007fff98c8cf00 error 15
> janv. 27 19:28:04 lancaster prosodyctl[21208]: PANIC: unprotected
> error in call to Lua API (runtime code generation failed, restricted
> kernel?)
> janv. 27 19:28:04 lancaster kernel: luajit[21208]: segfault at bcefe33
> ip 000000000bcefe33 sp 00007fffe6d4a6b0 error 15
> janv. 27 19:28:04 lancaster systemd[1]: prosody.service: control
> process exited, code=killed status=11
> janv. 27 19:28:04 lancaster systemd[1]: Failed to start Prosody XMPP
> (Jabber) server.
> janv. 27 19:28:04 lancaster systemd[1]: Unit prosody.service entered
> failed state.
> janv. 27 19:28:04 lancaster systemd[1]: prosody.service failed.
> janv. 27 19:28:05 lancaster dbus[904]: [system] Successfully activated
> service 'org.fedoraproject.Setroubleshootd'
> janv. 27 19:28:14 lancaster setroubleshoot[21211]: Plugin Exception
> restorecon_source
> janv. 27 19:28:14 lancaster setroubleshoot[21211]: SELinux is
> preventing /usr/bin/luajit-2.0.3 from read access on the file
> /var/log/prosody/debug.log. For complete SELinux messages. run sealert
> -l 4598d861-a393-472b-9dda-2c1c3b069fd4
> janv. 27 19:28:14 lancaster setroubleshoot[21211]: SELinux is
> preventing /usr/bin/luajit-2.0.3 from read access on the file
> /var/log/prosody/info.log. For complete SELinux messages. run sealert
> -l 4598d861-a393-472b-9dda-2c1c3b069fd4
> janv. 27 19:28:14 lancaster setroubleshoot[21211]: SELinux is
> preventing /usr/bin/luajit-2.0.3 from read access on the file
> /var/log/prosody/error.log. For complete SELinux messages. run sealert
> -l 4598d861-a393-472b-9dda-2c1c3b069fd4
> janv. 27 19:28:15 lancaster setroubleshoot[21211]: SELinux is
> preventing /usr/bin/luajit-2.0.3 from using the execmem access on a
> process. For complete SELinux messages. run sealert -l
> e0b419ae-9eb4-45ec-9d8e-0ef19df4f5cb
> janv. 27 19:28:15 lancaster setroubleshoot[21211]: SELinux is
> preventing /usr/bin/luajit-2.0.3 from using the execmem access on a
> process. For complete SELinux messages. run sealert -l
> e0b419ae-9eb4-45ec-9d8e-0ef19df4f5cb
>
>
> lancaster ~ # sealert -l 4598d861-a393-472b-9dda-2c1c3b069fd4
> SELinux is preventing /usr/bin/luajit-2.0.3 from read access on the
> file /var/log/prosody/error.log.
>
> ***** Plugin catchall (100. confidence) suggests
> **************************
>
> If vous pensez que luajit-2.0.3 devrait être autorisé à accéder read
> sur error.log file par défaut.
> Then vous devriez rapporter ceci en tant qu'anomalie.
> Vous pouvez générer un module de stratégie local pour autoriser cet
> accès.
> Do
> autoriser cet accès pour le moment en exécutant :
> # grep luajit /var/log/audit/audit.log | audit2allow -M mypol
> # semodule -i mypol.pp
>
>
> Additional Information:
> Source Context system_u:system_r:prosody_t:s0
> Target Context system_u:object_r:var_log_t:s0
> Target Objects /var/log/prosody/error.log [ file ]
> Source luajit
> Source Path /usr/bin/luajit-2.0.3
> Port <Unknown>
> Host lancaster
> Source RPM Packages luajit-2.0.3-3.fc21.x86_64
> Target RPM Packages
> Policy RPM selinux-policy-3.13.1-103.fc21.noarch
> Selinux Enabled True
> Policy Type targeted
> Enforcing Mode Enforcing
> Host Name lancaster
> Platform Linux lancaster 3.17.8-300.fc21.x86_64
> #1 SMP Thu
> Jan 8 23:32:49 UTC 2015 x86_64 x86_64
> Alert Count 7
> First Seen 2015-01-18
> 08:59:03 CET
> Last Seen 2015-01-27
> 19:28:02 CET
> Local ID 4598d861-a393-472b-9dda-2c1c3b069fd4
>
> Raw Audit Messages
> type=AVC msg=audit(1422383282.541:154043): avc: denied { read } for
> pid=21209 comm="luajit" name="error.log" dev="dm-1" ino=2228909
> scontext=system_u:system_r:prosody_t:s0
> tcontext=system_u:object_r:var_log_t:s0 tclass=file permissive=0
>
>
> type=SYSCALL msg=audit(1422383282.541:154043): arch=x86_64
> syscall=open success=no exit=EACCES a0=4154f8c0 a1=442 a2=1b6 a3=241
> items=0 ppid=21208 pid=21209 auid=4294967295 uid=991 gid=990 euid=991
> suid=991 fsuid=991 egid=990 sgid=990 fsgid=990 tty=(none)
> ses=4294967295 comm=luajit exe=/usr/bin/luajit-2.0.3
> subj=system_u:system_r:prosody_t:s0 key=(null)
>
> Hash: luajit,prosody_t,var_log_t,file,read
>
>
> lancaster ~ # sealert -l e0b419ae-9eb4-45ec-9d8e-0ef19df4f5cb
> SELinux is preventing /usr/bin/luajit-2.0.3 from using the execmem
> access on a process.
>
> ***** Plugin catchall (100. confidence) suggests
> **************************
>
> If vous pensez que luajit-2.0.3 devrait être autorisé à accéder
> execmem sur les processus étiquetés prosody_t par défaut.
> Then vous devriez rapporter ceci en tant qu'anomalie.
> Vous pouvez générer un module de stratégie local pour autoriser cet
> accès.
> Do
> autoriser cet accès pour le moment en exécutant :
> # grep luajit /var/log/audit/audit.log | audit2allow -M mypol
> # semodule -i mypol.pp
>
>
> Additional Information:
> Source Context system_u:system_r:prosody_t:s0
> Target Context system_u:system_r:prosody_t:s0
> Target Objects Unknown [ process ]
> Source luajit
> Source Path /usr/bin/luajit-2.0.3
> Port <Unknown>
> Host lancaster
> Source RPM Packages luajit-2.0.3-3.fc21.x86_64
> Target RPM Packages
> Policy RPM selinux-policy-3.13.1-103.fc21.noarch
> Selinux Enabled True
> Policy Type targeted
> Enforcing Mode Enforcing
> Host Name lancaster
> Platform Linux lancaster 3.17.8-300.fc21.x86_64
> #1 SMP Thu
> Jan 8 23:32:49 UTC 2015 x86_64 x86_64
> Alert Count 12
> First Seen 2015-01-17
> 18:00:51 CET
> Last Seen 2015-01-27 19:28:04 CET
> Local ID e0b419ae-9eb4-45ec-9d8e-0ef19df4f5cb
>
> Raw Audit Messages
> type=AVC msg=audit(1422383284.804:154046): avc: denied { execmem }
> for pid=21208 comm="luajit" scontext=system_u:system_r:prosody_t:s0
> tcontext=system_u:system_r:prosody_t:s0 tclass=process permissive=0
>
>
> type=SYSCALL msg=audit(1422383284.804:154046): arch=x86_64
> syscall=mprotect success=no exit=EACCES a0=bce0000 a1=10000 a2=5
> a3=47e items=0 ppid=1 pid=21208 auid=429496795 uid=991 gid=990
> euid=991 suid=991 fsuid=991 egid=990 sgid=990 fsgid=990 tty=(none)
> ses=4294967295 comm=luajit exe=/usr/bin/luajit-2.0.3
> subj=system_u:system_r:prosody_t:s0 key=(null)
>
> Hash: luajit,prosody_t,prosody_t,process,execmem
>
>
> lancaster ~ # ll -Za /var/log/prosody
> drwxrwx---. root prosody system_u:object_r:var_log_t:s0 .
> drwxr-xr-x. root root system_u:object_r:var_log_t:s0 ..
> -rw-rw-r--. root prosody system_u:object_r:var_log_t:s0 debug.log
> -rw-rw-r--. root prosody system_u:object_r:var_log_t:s0
> debug.log-20130727
> -rw-rw-r--. root prosody system_u:object_r:var_log_t:s0 error.log
> -rw-rw-r--. root prosody system_u:object_r:var_log_t:s0
> error.log-20130727
> -rw-rw-r--. root prosody system_u:object_r:var_log_t:s0 info.log
> -rw-rw-r--. root prosody system_u:object_r:var_log_t:s0
> info.log-20130727
> -rw-rw-r--. root prosody system_u:object_r:var_log_t:s0 prosody.log
>
>
> An opinion on this?
>
> Best regards,
> Matthieu Saulnier
>
>
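The two raw AVC records quoted above are of different kinds: the `read` denial names a log file that carries the generic `var_log_t` type (the `ll -Za` listing confirms it), while the `execmem` denial is luajit asking for writable-and-executable memory for its JIT, which is a policy decision rather than a labeling one. The script below is an added example, not code from the thread or from Fedora's setroubleshoot; it parses audit lines of the form shown in the thread and sorts each denial into "mislabelled object", "executable memory request" or "genuine policy gap", with the check to run before reaching for the `audit2allow` recipe that sealert prints. The list of generic types and the advice strings are my own choices, `prosody_log_t` in the constructed third record is assumed to be the service-specific log type the Fedora policy defines for prosody, and `matchpathcon`, `restorecon` and `sesearch` are the standard libselinux/setools commands.

```python
"""Triage SELinux AVC denials from raw audit records.

Added example: each AVC denial is classified so the right remedy is chosen
(relabel, policy update, or reviewed local module) instead of blindly
feeding every denial to audit2allow.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample input: the two AVC records quoted in the thread, one
# SYSCALL record (which the parser must skip), and a third AVC written for
# this example, whose target already carries a service-specific type
# (prosody_log_t is assumed to be the type Fedora's policy uses for
# /var/log/prosody).
SAMPLE_AUDIT = """\
type=AVC msg=audit(1422383282.541:154043): avc: denied { read } for pid=21209 comm="luajit" name="error.log" dev="dm-1" ino=2228909 scontext=system_u:system_r:prosody_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file permissive=0
type=AVC msg=audit(1422383284.804:154046): avc: denied { execmem } for pid=21208 comm="luajit" scontext=system_u:system_r:prosody_t:s0 tcontext=system_u:system_r:prosody_t:s0 tclass=process permissive=0
type=SYSCALL msg=audit(1422383284.804:154046): arch=x86_64 syscall=mprotect success=no exit=EACCES a0=bce0000 a1=10000 a2=5
type=AVC msg=audit(1422383290.100:154050): avc: denied { write } for pid=21300 comm="luajit" name="prosody.log" scontext=system_u:system_r:prosody_t:s0 tcontext=system_u:object_r:prosody_log_t:s0 tclass=file permissive=0
"""

AVC_RE = re.compile(
    r'type=AVC\b.*?avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)$'
)
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Catch-all types (my own list): a confined service domain hitting one of
# these usually means the object is mislabelled, not that a rule is missing.
GENERIC_TYPES = {"var_log_t", "var_t", "var_lib_t", "etc_t", "usr_t",
                 "default_t", "unlabeled_t", "tmp_t"}
# Permissions that grant writable+executable memory; these weaken the W^X
# guarantee for the whole domain and deserve an explicit policy decision.
EXEC_MEMORY_PERMS = {"execmem", "execstack", "execheap", "execmod"}
FILE_CLASSES = {"file", "dir", "lnk_file", "sock_file", "fifo_file",
                "chr_file", "blk_file"}


@dataclass
class Denial:
    perms: List[str]
    comm: str
    scontext: str
    tcontext: str
    tclass: str
    name: Optional[str]
    permissive: bool


def parse_avc(line: str) -> Optional[Denial]:
    """Return a Denial for a type=AVC record, or None for any other record."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
    return Denial(
        perms=m.group("perms").split(),
        comm=fields.get("comm", "?"),
        scontext=fields["scontext"],
        tcontext=fields["tcontext"],
        tclass=fields["tclass"],
        name=fields.get("name"),
        permissive=fields.get("permissive") == "1",
    )


def type_of(context: str) -> str:
    """system_u:object_r:var_log_t:s0 -> var_log_t (index 2 also holds for MCS ranges)."""
    return context.split(":")[2]


def classify(d: Denial) -> Tuple[str, str]:
    """Map a denial to (category, what-to-check-next)."""
    src, tgt = type_of(d.scontext), type_of(d.tcontext)
    perms = "/".join(d.perms)
    if d.tclass == "process" and EXEC_MEMORY_PERMS & set(d.perms):
        return ("exec-memory",
                f"{d.comm} ({src}) asked for {perms} on its own process: a JIT or "
                "runtime code generator wants writable+executable memory. Check whether "
                f"the installed policy already grants it (sesearch -A -s {src} -t {tgt} "
                "-c process -p execmem) and prefer a policy update over a local allow rule.")
    if d.tclass in FILE_CLASSES and tgt in GENERIC_TYPES:
        where = f"'{d.name}'" if d.name else "the object"
        return ("mislabelled-object",
                f"{d.comm} ({src}) was denied {perms} on {where}, which carries the generic "
                f"type {tgt}. Compare the on-disk label with the policy's expectation "
                "(matchpathcon -V <path>) and fix it with restorecon -Rv <dir>; audit2allow "
                f"would instead let {src} touch every {tgt} file on the system.")
    return ("policy-gap",
            f"{d.comm} ({src}) was denied {perms} on {d.tclass} {tgt}: labels look "
            "specific, so this is a genuine missing rule; report it against "
            "selinux-policy or carry a reviewed local module.")


def triage(audit_text: str) -> List[Tuple[str, str]]:
    """Classify every AVC record in a block of audit.log text."""
    return [classify(d) for d in map(parse_avc, audit_text.splitlines()) if d is not None]


if __name__ == "__main__":
    for category, advice in triage(SAMPLE_AUDIT):
        print(f"[{category}] {advice}")
```

Run on the sample, the first record (var_log_t) comes out as a labeling question, the second (execmem on prosody_t) as an executable-memory request to check against the installed policy, and the constructed prosody_log_t record as a real policy gap. The point of the split is that the `audit2allow -M mypol` recipe sealert prints solves all three at the cost of widening the domain, whereas a relabel or a policy update fixes the first two without that cost.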