On Mon, 11 Jul 2011 14:03:33 -0400
Daniel J Walsh <dwalsh(a)redhat.com> wrote:
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
On 07/11/2011 08:55 AM, Paul Howarth wrote:
> I get various AVCs related to cgroup usage with systemd when
> logging in to proftpd on F-15:
>
> type=AVC msg=audit(1310388446.140:7884): avc: denied { read } for
> pid=12071 comm="proftpd" name="cgroup" dev=proc ino=58466916
> scontext=system_u:system_r:ftpd_t:s0-s0:c0.c1023
> tcontext=system_u:system_r:init_t:s0 tclass=file
>
> type=AVC msg=audit(1310388446.140:7884): avc: denied { open } for
> pid=12071 comm="proftpd" name="cgroup" dev=proc ino=58466916
> scontext=system_u:system_r:ftpd_t:s0-s0:c0.c1023
> tcontext=system_u:system_r:init_t:s0 tclass=file
> type=SYSCALL msg=audit(1310388446.140:7884): arch=c000003e
> syscall=2 success=yes exit=10 a0=2150480 a1=80000 a2=1b6 a3=9
> items=0 ppid=11443 pid=12071 auid=1012 uid=0 gid=99 euid=0 suid=0
> fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=785 comm="proftpd"
> exe="/usr/sbin/proftpd"
> subj=system_u:system_r:ftpd_t:s0-s0:c0.c1023 key=(null)
>
> type=AVC msg=audit(1310388446.142:7885): avc: denied { getattr }
> for pid=12071 comm="proftpd" path="/proc/1/cgroup" dev=proc
> ino=58466916 scontext=system_u:system_r:ftpd_t:s0-s0:c0.c1023
> tcontext=system_u:system_r:init_t:s0 tclass=file
> type=SYSCALL msg=audit(1310388446.142:7885): arch=c000003e
> syscall=5 success=yes exit=0 a0=a a1=7fff0173a930 a2=7fff0173a930
> a3=9 items=0 ppid=11443 pid=12071 auid=1012 uid=0 gid=99 euid=0
> suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=785
> comm="proftpd" exe="/usr/sbin/proftpd"
> subj=system_u:system_r:ftpd_t:s0-s0:c0.c1023 key=(null)
>
> type=AVC msg=audit(1310388446.143:7886): avc: denied { write }
> for pid=12071 comm="proftpd" name="phowarth" dev=cgroup
ino=27218
> scontext=system_u:system_r:ftpd_t:s0-s0:c0.c1023
> tcontext=system_u:object_r:cgroup_t:s0 tclass=dir
>
> type=AVC msg=audit(1310388446.143:7886): avc: denied { add_name }
> for pid=12071 comm="proftpd" name="785"
> scontext=system_u:system_r:ftpd_t:s0-s0:c0.c1023
> tcontext=system_u:object_r:cgroup_t:s0 tclass=dir
> type=AVC msg=audit(1310388446.143:7886): avc: denied { create }
> for pid=12071 comm="proftpd" name="785"
> scontext=system_u:system_r:ftpd_t:s0-s0:c0.c1023
> tcontext=system_u:object_r:cgroup_t:s0 tclass=dir
> type=SYSCALL msg=audit(1310388446.143:7886): arch=c000003e
> syscall=83 success=yes exit=0 a0=2150370 a1=1ed a2=0
> a3=776f68702f726573 items=0 ppid=11443 pid=12071 auid=1012 uid=0
> gid=99 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none)
> ses=785 comm="proftpd" exe="/usr/sbin/proftpd"
> subj=system_u:system_r:ftpd_t:s0-s0:c0.c1023 key=(null)
>
> type=AVC msg=audit(1310388446.143:7887): avc: denied { write }
> for pid=12071 comm="proftpd" name="tasks" dev=cgroup
ino=58575429
> scontext=system_u:system_r:ftpd_t:s0-s0:c0.c1023
> tcontext=system_u:object_r:cgroup_t:s0 tclass=file
>
> type=AVC msg=audit(1310388446.143:7887): avc: denied { open } for
> pid=12071 comm="proftpd" name="tasks" dev=cgroup ino=58575429
> scontext=system_u:system_r:ftpd_t:s0-s0:c0.c1023
> tcontext=system_u:object_r:cgroup_t:s0 tclass=file
> type=SYSCALL msg=audit(1310388446.143:7887): arch=c000003e
> syscall=2 success=yes exit=11 a0=2150370 a1=80241 a2=1b6 a3=9
> items=0 ppid=11443 pid=12071 auid=1012 uid=0 gid=99 euid=0 suid=0
> fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=785 comm="proftpd"
> exe="/usr/sbin/proftpd"
> subj=system_u:system_r:ftpd_t:s0-s0:c0.c1023 key=(null)
>
> type=AVC msg=audit(1310388446.143:7888): avc: denied { getattr }
> for pid=12071 comm="proftpd"
> path="/sys/fs/cgroup/systemd/user/phowarth/785/tasks" dev=cgroup
> ino=58575429 scontext=system_u:system_r:ftpd_t:s0-s0:c0.c1023
> tcontext=system_u:object_r:cgroup_t:s0 tclass=file
> type=SYSCALL msg=audit(1310388446.143:7888): arch=c000003e
> syscall=5 success=yes exit=0 a0=b a1=7fff0173b100 a2=7fff0173b100
> a3=9 items=0 ppid=11443 pid=12071 auid=1012 uid=0 gid=99 euid=0
> suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=785
> comm="proftpd" exe="/usr/sbin/proftpd"
> subj=system_u:system_r:ftpd_t:s0-s0:c0.c1023 key=(null)
>
> type=AVC msg=audit(1310388446.150:7889): avc: denied { setattr }
> for pid=12071 comm="proftpd" name="tasks" dev=cgroup
ino=58575429
> scontext=system_u:system_r:ftpd_t:s0-s0:c0.c1023
> tcontext=system_u:object_r:cgroup_t:s0 tclass=file
> type=SYSCALL msg=audit(1310388446.150:7889): arch=c000003e
> syscall=90 success=yes exit=0 a0=2150370 a1=1a4 a2=3f4
> a3=6f68702f72657375 items=0 ppid=11443 pid=12071 auid=1012 uid=0
> gid=99 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none)
> ses=785 comm="proftpd" exe="/usr/sbin/proftpd"
> subj=system_u:system_r:ftpd_t:s0-s0:c0.c1023 key=(null)
>
> type=AVC msg=audit(1310388446.150:7890): avc: denied { setattr }
> for pid=12071 comm="proftpd" name="785" dev=cgroup ino=58575428
> scontext=system_u:system_r:ftpd_t:s0-s0:c0.c1023
> tcontext=system_u:object_r:cgroup_t:s0 tclass=dir
> type=SYSCALL msg=audit(1310388446.150:7890): arch=c000003e
> syscall=90 success=yes exit=0 a0=2150370 a1=1ed a2=3f4
> a3=6f68702f72657375 items=0 ppid=11443 pid=12071 auid=1012 uid=0
> gid=99 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none)
> ses=785 comm="proftpd" exe="/usr/sbin/proftpd"
> subj=system_u:system_r:ftpd_t:s0-s0:c0.c1023 key=(null)
>
> /var/log/messages includes:
>
> Jul 11 13:47:21 roary proftpd[12071]: 10.9.2.1 (10.9.2.1[10.9.2.1])
> - FTP session opened.
> Jul 11 12:47:26 roary proftpd[12071]: 10.9.2.1 (10.9.2.1[10.9.2.1])
> - Preparing to chroot to directory '/nis-home/phowarth'
> Jul 11 13:47:29 roary kernel: [2670919.902960] proftpd[12071]:
> pam_systemd(proftpd:session): Failed to lock runtime directory:
> Permission denied
> Jul 11 13:47:29 roary kernel: [2670919.902978] proftpd[12071]:
> pam_unix(proftpd:session): session closed for user phowarth
> Jul 11 13:47:29 roary kernel: [2670919.904278] proftpd[12071]:
> 10.9.2.1 (10.9.2.1[10.9.2.1]) - FTP session closed.
>
> audit2allow -R suggests:
>
> fs_manage_cgroup_dirs(ftpd_t)
> fs_manage_cgroup_files(ftpd_t)
> init_read_state(ftpd_t)
>
> proftpd does appear to work despite these messages, so I'm
> wondering if it would be better to dontaudit these rather than
> allow them?
>
> Paul.
> --
> selinux mailing list
> selinux(a)lists.fedoraproject.org
>
https://admin.fedoraproject.org/mailman/listinfo/selinux
This looks like proftpd is setting up its own cgroup and SELinux is
preventing this. Please open a bugzilla and we can discuss it with
the proftpd guys.
OK (I am proftpd co-maintainer in Fedora by the way), will do, though I
can't see anything relating to cgroups in the code.
Paul.