RE: Unexpected behavior in permissive mode

Wednesday, 8 April 2015

...
 What does if you switch the SELinux mode (which resets AVC cache)

 # setenforce 1; setenforce 0

 and then re-test it?

 Could you also post full raw AVC?

Hi Miroslav,
Thanks for the pointer about resetting the cache, that helped.

After running the backup in permissive mode, I get the following:

type=AVC msg=audit(1428538766.224:2373): avc:  denied  { execute } for  pid=32056
comm="bacula-fd" name="su" dev="dm-0" ino=18110620
scontext=system_u:system_r:bacula_t:s0 tcontext=system_u:object_r:su_exec_t:s0
tclass=file
type=AVC msg=audit(1428538766.224:2373): avc:  denied  { execute_no_trans } for  pid=32056
comm="bacula-fd" path="/usr/bin/su" dev="dm-0" ino=18110620
scontext=system_u:system_r:bacula_t:s0 tcontext=system_u:object_r:su_exec_t:s0
tclass=file
type=AVC msg=audit(1428538766.343:2374): avc:  denied  { create } for  pid=32056
comm="su" scontext=system_u:system_r:bacula_t:s0
tcontext=system_u:system_r:bacula_t:s0 tclass=netlink_selinux_socket
type=AVC msg=audit(1428538766.343:2375): avc:  denied  { bind } for  pid=32056
comm="su" scontext=system_u:system_r:bacula_t:s0
tcontext=system_u:system_r:bacula_t:s0 tclass=netlink_selinux_socket
type=AVC msg=audit(1428538766.343:2376): avc:  denied  { compute_av } for  pid=32056
comm="su" scontext=system_u:system_r:bacula_t:s0
tcontext=system_u:object_r:security_t:s0 tclass=security
type=AVC msg=audit(1428538766.344:2377): avc:  denied  { create } for  pid=32056
comm="su" scontext=system_u:system_r:bacula_t:s0
tcontext=system_u:system_r:bacula_t:s0 tclass=netlink_audit_socket
type=AVC msg=audit(1428538766.344:2378): avc:  denied  { nlmsg_relay } for  pid=32056
comm="su" scontext=system_u:system_r:bacula_t:s0
tcontext=system_u:system_r:bacula_t:s0 tclass=netlink_audit_socket
type=AVC msg=audit(1428538766.344:2378): avc:  denied  { audit_write } for  pid=32056
comm="su" capability=29  scontext=system_u:system_r:bacula_t:s0
tcontext=system_u:system_r:bacula_t:s0 tclass=capability
type=USER_AVC msg=audit(1428538766.344:2379): pid=32056 uid=0 auid=4294967295
ses=4294967295 subj=system_u:system_r:bacula_t:s0 msg='avc:  denied  { passwd } for 
scontext=system_u:system_r:bacula_t:s0 tcontext=system_u:system_r:bacula_t:s0
tclass=passwd  exe="/usr/bin/su" sauid=0 hostname=? addr=? terminal=?'
type=AVC msg=audit(1428538766.345:2383): avc:  denied  { setsched } for  pid=32056
comm="su" scontext=system_u:system_r:bacula_t:s0
tcontext=system_u:system_r:bacula_t:s0 tclass=process
type=AVC msg=audit(1428538766.345:2384): avc:  denied  { write } for  pid=32056
comm="su" name="system_bus_socket" dev="tmpfs" ino=14052
scontext=system_u:system_r:bacula_t:s0
tcontext=system_u:object_r:system_dbusd_var_run_t:s0 tclass=sock_file
type=AVC msg=audit(1428538766.345:2384): avc:  denied  { connectto } for  pid=32056
comm="su" path="/run/dbus/system_bus_socket"
scontext=system_u:system_r:bacula_t:s0
tcontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tclass=unix_stream_socket
type=USER_AVC msg=audit(1428538766.370:2385): pid=694 uid=81 auid=4294967295
ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  denied 
{ send_msg } for msgtype=method_call interface=org.freedesktop.DBus member=Hello
dest=org.freedesktop.DBus spid=32056 scontext=system_u:system_r:bacula_t:s0
tcontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tclass=dbus 
exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'
type=USER_AVC msg=audit(1428538766.374:2386): pid=694 uid=81 auid=4294967295
ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  denied 
{ send_msg } for msgtype=method_call interface=org.freedesktop.login1.Manager
member=CreateSession dest=org.freedesktop.login1 spid=32056 tpid=693
scontext=system_u:system_r:bacula_t:s0 tcontext=system_u:system_r:systemd_logind_t:s0
tclass=dbus  exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=?
terminal=?'
type=USER_AVC msg=audit(1428538766.393:2391): pid=694 uid=81 auid=4294967295
ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  denied 
{ send_msg } for msgtype=method_return dest=:1.1688 spid=693 tpid=32056
scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u:system_r:bacula_t:s0
tclass=dbus  exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=?
terminal=?'
type=AVC msg=audit(1428538766.393:2392): avc:  denied  { write } for  pid=32056
comm="su" name="lastlog" dev="dm-0" ino=8572341
scontext=system_u:system_r:bacula_t:s0 tcontext=system_u:object_r:lastlog_t:s0
tclass=file
type=AVC msg=audit(1428538766.424:2394): avc:  denied  { execute } for  pid=32063
comm="bash" name="hostname" dev="dm-0" ino=16887470
scontext=system_u:system_r:bacula_t:s0 tcontext=system_u:object_r:hostname_exec_t:s0
tclass=file
type=AVC msg=audit(1428538766.424:2394): avc:  denied  { execute_no_trans } for  pid=32063
comm="bash" path="/usr/bin/hostname" dev="dm-0" ino=16887470
scontext=system_u:system_r:bacula_t:s0 tcontext=system_u:object_r:hostname_exec_t:s0
tclass=file
type=AVC msg=audit(1428538773.500:2395): avc:  denied  { write } for  pid=32056
comm="su" name="system_bus_socket" dev="tmpfs" ino=14052
scontext=system_u:system_r:bacula_t:s0
tcontext=system_u:object_r:system_dbusd_var_run_t:s0 tclass=sock_file

which generates the following policy:

require {
        type su_exec_t;
        type system_dbusd_var_run_t;
        type security_t;
        type system_dbusd_t;
        type systemd_logind_t;
        type lastlog_t;
        type hostname_exec_t;
        type bacula_t;
        class process setsched;
        class unix_stream_socket connectto;
        class dbus send_msg;
        class capability audit_write;
        class passwd passwd;
        class netlink_selinux_socket { bind create };
        class file { write execute execute_no_trans };
        class netlink_audit_socket { nlmsg_relay create };
        class sock_file write;
        class security compute_av;
}

#============= bacula_t ==============
allow bacula_t hostname_exec_t:file { execute execute_no_trans };
allow bacula_t lastlog_t:file write;
allow bacula_t security_t:security compute_av;
allow bacula_t self:capability audit_write;
allow bacula_t self:netlink_audit_socket { nlmsg_relay create };
allow bacula_t self:netlink_selinux_socket { bind create };
allow bacula_t self:passwd passwd;
allow bacula_t self:process setsched;
allow bacula_t su_exec_t:file { execute execute_no_trans };
allow bacula_t system_dbusd_t:dbus send_msg;
allow bacula_t system_dbusd_t:unix_stream_socket connectto;
allow bacula_t system_dbusd_var_run_t:sock_file write;
allow bacula_t systemd_logind_t:dbus send_msg;

#============= systemd_logind_t ==============
allow systemd_logind_t bacula_t:dbus send_msg;

And after loading this I get the following which was not present initially:

type=AVC msg=audit(1428539366.385:377): avc:  denied  { execute } for  pid=2809
comm="su" name="unix_chkpwd" dev="dm-0" ino=25441120
scontext=system_u:system_r:bacula_t:s0 tcontext=system_u:object_r:chkpwd_exec_t:s0
tclass=file
type=AVC msg=audit(1428539366.386:378): avc:  denied  { write } for  pid=2808
comm="su" name="btmp" dev="dm-0" ino=9085718
scontext=system_u:system_r:bacula_t:s0 tcontext=system_u:object_r:faillog_t:s0
tclass=file

So rebuilding from the new output yields:

require {
        type system_dbusd_var_run_t;
        type security_t;
        type faillog_t;
        type chkpwd_exec_t;
        type systemd_logind_t;
        type hostname_exec_t;
        type bacula_t;
        type su_exec_t;
        type lastlog_t;
        type system_dbusd_t;
        class process setsched;
        class unix_stream_socket connectto;
        class dbus send_msg;
        class capability audit_write;
        class passwd passwd;
        class netlink_selinux_socket { bind create };
        class file { write execute execute_no_trans };
        class netlink_audit_socket { nlmsg_relay create };
        class sock_file write;
        class security compute_av;
}

#============= bacula_t ==============
allow bacula_t chkpwd_exec_t:file execute;
allow bacula_t faillog_t:file write;
allow bacula_t hostname_exec_t:file { execute execute_no_trans };
allow bacula_t lastlog_t:file write;
allow bacula_t security_t:security compute_av;
allow bacula_t self:capability audit_write;
allow bacula_t self:netlink_audit_socket { nlmsg_relay create };
allow bacula_t self:netlink_selinux_socket { bind create };
allow bacula_t self:passwd passwd;
allow bacula_t self:process setsched;
allow bacula_t su_exec_t:file { execute execute_no_trans };
allow bacula_t system_dbusd_t:dbus send_msg;
allow bacula_t system_dbusd_t:unix_stream_socket connectto;
allow bacula_t system_dbusd_var_run_t:sock_file write;
allow bacula_t systemd_logind_t:dbus send_msg;

#============= systemd_logind_t ==============
allow systemd_logind_t bacula_t:dbus send_msg;

Which adds:
allow bacula_t chkpwd_exec_t:file execute;
allow bacula_t faillog_t:file write;

However, after removing the old and loading this new policy I get another denial:

type=AVC msg=audit(1428540219.458:501): avc:  denied  { execute_no_trans } for  pid=4309
comm="su" path="/usr/sbin/unix_chkpwd" dev="dm-0"
ino=25441120 scontext=system_u:system_r:bacula_t:s0
tcontext=system_u:object_r:chkpwd_exec_t:s0 tclass=file

Rerunning the backup yields this same avc, and audit2allow would suggest its permitted.

Thanks so much for assistance.
jlc

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

2005

2004

RE: Unexpected behavior in permissive mode