On 04/09/2015 02:55 AM, Joseph L. Casale wrote:
> What happens if you switch the SELinux mode (which resets the AVC
cache)
>
> # setenforce 1; setenforce 0
>
> and then re-test it?
>
> Could you also post full raw AVC?
Hi Miroslav,
Thanks for the pointer about resetting the cache, that helped.
After running the backup in permissive mode, I get the following:
type=AVC msg=audit(1428538766.224:2373): avc: denied { execute } for pid=32056
comm="bacula-fd" name="su" dev="dm-0" ino=18110620
scontext=system_u:system_r:bacula_t:s0 tcontext=system_u:object_r:su_exec_t:s0
tclass=file
type=AVC msg=audit(1428538766.224:2373): avc: denied { execute_no_trans } for
pid=32056 comm="bacula-fd" path="/usr/bin/su" dev="dm-0"
ino=18110620 scontext=system_u:system_r:bacula_t:s0
tcontext=system_u:object_r:su_exec_t:s0 tclass=file
type=AVC msg=audit(1428538766.343:2374): avc: denied { create } for pid=32056
comm="su" scontext=system_u:system_r:bacula_t:s0
tcontext=system_u:system_r:bacula_t:s0 tclass=netlink_selinux_socket
type=AVC msg=audit(1428538766.343:2375): avc: denied { bind } for pid=32056
comm="su" scontext=system_u:system_r:bacula_t:s0
tcontext=system_u:system_r:bacula_t:s0 tclass=netlink_selinux_socket
type=AVC msg=audit(1428538766.343:2376): avc: denied { compute_av } for pid=32056
comm="su" scontext=system_u:system_r:bacula_t:s0
tcontext=system_u:object_r:security_t:s0 tclass=security
type=AVC msg=audit(1428538766.344:2377): avc: denied { create } for pid=32056
comm="su" scontext=system_u:system_r:bacula_t:s0
tcontext=system_u:system_r:bacula_t:s0 tclass=netlink_audit_socket
type=AVC msg=audit(1428538766.344:2378): avc: denied { nlmsg_relay } for pid=32056
comm="su" scontext=system_u:system_r:bacula_t:s0
tcontext=system_u:system_r:bacula_t:s0 tclass=netlink_audit_socket
type=AVC msg=audit(1428538766.344:2378): avc: denied { audit_write } for pid=32056
comm="su" capability=29 scontext=system_u:system_r:bacula_t:s0
tcontext=system_u:system_r:bacula_t:s0 tclass=capability
type=USER_AVC msg=audit(1428538766.344:2379): pid=32056 uid=0 auid=4294967295
ses=4294967295 subj=system_u:system_r:bacula_t:s0 msg='avc: denied { passwd } for
scontext=system_u:system_r:bacula_t:s0 tcontext=system_u:system_r:bacula_t:s0
tclass=passwd exe="/usr/bin/su" sauid=0 hostname=? addr=? terminal=?'
type=AVC msg=audit(1428538766.345:2383): avc: denied { setsched } for pid=32056
comm="su" scontext=system_u:system_r:bacula_t:s0
tcontext=system_u:system_r:bacula_t:s0 tclass=process
type=AVC msg=audit(1428538766.345:2384): avc: denied { write } for pid=32056
comm="su" name="system_bus_socket" dev="tmpfs" ino=14052
scontext=system_u:system_r:bacula_t:s0
tcontext=system_u:object_r:system_dbusd_var_run_t:s0 tclass=sock_file
type=AVC msg=audit(1428538766.345:2384): avc: denied { connectto } for pid=32056
comm="su" path="/run/dbus/system_bus_socket"
scontext=system_u:system_r:bacula_t:s0
tcontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tclass=unix_stream_socket
type=USER_AVC msg=audit(1428538766.370:2385): pid=694 uid=81 auid=4294967295
ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: denied
{ send_msg } for msgtype=method_call interface=org.freedesktop.DBus member=Hello
dest=org.freedesktop.DBus spid=32056 scontext=system_u:system_r:bacula_t:s0
tcontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tclass=dbus
exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'
type=USER_AVC msg=audit(1428538766.374:2386): pid=694 uid=81 auid=4294967295
ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: denied
{ send_msg } for msgtype=method_call interface=org.freedesktop.login1.Manager
member=CreateSession dest=org.freedesktop.login1 spid=32056 tpid=693
scontext=system_u:system_r:bacula_t:s0 tcontext=system_u:system_r:systemd_logind_t:s0
tclass=dbus exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=?
terminal=?'
type=USER_AVC msg=audit(1428538766.393:2391): pid=694 uid=81 auid=4294967295
ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: denied
{ send_msg } for msgtype=method_return dest=:1.1688 spid=693 tpid=32056
scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u:system_r:bacula_t:s0
tclass=dbus exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=?
terminal=?'
type=AVC msg=audit(1428538766.393:2392): avc: denied { write } for pid=32056
comm="su" name="lastlog" dev="dm-0" ino=8572341
scontext=system_u:system_r:bacula_t:s0 tcontext=system_u:object_r:lastlog_t:s0
tclass=file
type=AVC msg=audit(1428538766.424:2394): avc: denied { execute } for pid=32063
comm="bash" name="hostname" dev="dm-0" ino=16887470
scontext=system_u:system_r:bacula_t:s0 tcontext=system_u:object_r:hostname_exec_t:s0
tclass=file
type=AVC msg=audit(1428538766.424:2394): avc: denied { execute_no_trans } for
pid=32063 comm="bash" path="/usr/bin/hostname" dev="dm-0"
ino=16887470 scontext=system_u:system_r:bacula_t:s0
tcontext=system_u:object_r:hostname_exec_t:s0 tclass=file
type=AVC msg=audit(1428538773.500:2395): avc: denied { write } for pid=32056
comm="su" name="system_bus_socket" dev="tmpfs" ino=14052
scontext=system_u:system_r:bacula_t:s0
tcontext=system_u:object_r:system_dbusd_var_run_t:s0 tclass=sock_file
which generates the following policy:
# Types and object classes the allow rules below refer to. audit2allow emits
# this block so the generated module can be compiled against the base policy
# (every type/class here appears in one of the AVC records above).
require {
type su_exec_t;
type system_dbusd_var_run_t;
type security_t;
type system_dbusd_t;
type systemd_logind_t;
type lastlog_t;
type hostname_exec_t;
type bacula_t;
class process setsched;
class unix_stream_socket connectto;
class dbus send_msg;
class capability audit_write;
class passwd passwd;
class netlink_selinux_socket { bind create };
class file { write execute execute_no_trans };
class netlink_audit_socket { nlmsg_relay create };
class sock_file write;
class security compute_av;
}
#============= bacula_t ==============
# Generated by audit2allow from the AVCs above. The first two denials are
# comm="bacula-fd" executing /usr/bin/su; execute_no_trans runs su without a
# domain transition, so su keeps running as bacula_t. That is why every later
# denial (netlink, passwd, dbus, lastlog) shows comm="su" with scontext
# bacula_t, and why these rules widen bacula_t rather than su's own domain.
allow bacula_t hostname_exec_t:file { execute execute_no_trans };
allow bacula_t lastlog_t:file write;
# compute_av lets the domain query the kernel security server for access
# decisions (the AVC above is from comm="su"; presumably its SELinux/PAM
# handling -- confirm against the su build).
allow bacula_t security_t:security compute_av;
allow bacula_t self:capability audit_write;
allow bacula_t self:netlink_audit_socket { nlmsg_relay create };
allow bacula_t self:netlink_selinux_socket { bind create };
# passwd is a userspace object class; the matching USER_AVC above is
# reported by exe="/usr/bin/su".
allow bacula_t self:passwd passwd;
allow bacula_t self:process setsched;
allow bacula_t su_exec_t:file { execute execute_no_trans };
# Direct system-bus access plus the logind CreateSession call seen in the
# USER_AVC records from dbus-daemon above.
allow bacula_t system_dbusd_t:dbus send_msg;
allow bacula_t system_dbusd_t:unix_stream_socket connectto;
allow bacula_t system_dbusd_var_run_t:sock_file write;
allow bacula_t systemd_logind_t:dbus send_msg;
#============= systemd_logind_t ==============
# Return path for the logind method_return to bacula_t (third USER_AVC above).
allow systemd_logind_t bacula_t:dbus send_msg;
And after loading this I get the following, which was not present initially:
type=AVC msg=audit(1428539366.385:377): avc: denied { execute } for pid=2809
comm="su" name="unix_chkpwd" dev="dm-0" ino=25441120
scontext=system_u:system_r:bacula_t:s0 tcontext=system_u:object_r:chkpwd_exec_t:s0
tclass=file
type=AVC msg=audit(1428539366.386:378): avc: denied { write } for pid=2808
comm="su" name="btmp" dev="dm-0" ino=9085718
scontext=system_u:system_r:bacula_t:s0 tcontext=system_u:object_r:faillog_t:s0
tclass=file
So rebuilding from the new output yields:
# Second audit2allow run. Same require block as before plus the two types
# from the new denials: faillog_t (btmp) and chkpwd_exec_t (unix_chkpwd).
require {
type system_dbusd_var_run_t;
type security_t;
type faillog_t;
type chkpwd_exec_t;
type systemd_logind_t;
type hostname_exec_t;
type bacula_t;
type su_exec_t;
type lastlog_t;
type system_dbusd_t;
class process setsched;
class unix_stream_socket connectto;
class dbus send_msg;
class capability audit_write;
class passwd passwd;
class netlink_selinux_socket { bind create };
class file { write execute execute_no_trans };
class netlink_audit_socket { nlmsg_relay create };
class sock_file write;
class security compute_av;
}
#============= bacula_t ==============
# Superset of the first module: the two new rules are chkpwd_exec_t execute
# and faillog_t write. Everything else is unchanged from the first run.
#
# This rule covers only the { execute } AVC on unix_chkpwd. The follow-up
# denial reported later in this thread (1428540219.458:501) is
# { execute_no_trans } on chkpwd_exec_t, which this rule does not grant, so
# the next audit2allow pass will widen bacula_t again. Each rerun adds another
# one-off grant because su and its helpers stay in bacula_t; a domain
# transition for su, or the unconfined domain suggested in the reply, would
# avoid accumulating these.
allow bacula_t chkpwd_exec_t:file execute;
allow bacula_t faillog_t:file write;
allow bacula_t hostname_exec_t:file { execute execute_no_trans };
allow bacula_t lastlog_t:file write;
allow bacula_t security_t:security compute_av;
allow bacula_t self:capability audit_write;
allow bacula_t self:netlink_audit_socket { nlmsg_relay create };
allow bacula_t self:netlink_selinux_socket { bind create };
allow bacula_t self:passwd passwd;
allow bacula_t self:process setsched;
allow bacula_t su_exec_t:file { execute execute_no_trans };
allow bacula_t system_dbusd_t:dbus send_msg;
allow bacula_t system_dbusd_t:unix_stream_socket connectto;
allow bacula_t system_dbusd_var_run_t:sock_file write;
allow bacula_t systemd_logind_t:dbus send_msg;
#============= systemd_logind_t ==============
allow systemd_logind_t bacula_t:dbus send_msg;
Are there any scripts which you have defined? Or did you get it by
default? It looks like bacula is an administrative tool which is going to be
an unconfined domain.
Which adds:
allow bacula_t chkpwd_exec_t:file execute;
allow bacula_t faillog_t:file write;
However, after removing the old and loading this new policy I get another denial:
type=AVC msg=audit(1428540219.458:501): avc: denied { execute_no_trans } for pid=4309
comm="su" path="/usr/sbin/unix_chkpwd" dev="dm-0"
ino=25441120 scontext=system_u:system_r:bacula_t:s0
tcontext=system_u:object_r:chkpwd_exec_t:s0 tclass=file
Rerunning the backup yields this same AVC, and audit2allow suggests it is already permitted.
Thanks so much for assistance.
jlc
--
Miroslav Grepl
Software Engineering, SELinux Solutions
Red Hat, Inc.