6:01 a.m.
Hi all,
I'm running into a SELinux permission issue when simply changing the ownership of a
directory and I've got no clue why this happens.
The program in question is smokeping. It runs as root with the context of
"system_u:system_r:smokeping_t" and tries to write to /var/lib/smokeping/rrd.
When having /var/lib/smokeping (and its subfolders) owned by root, everything works fine.
As soon as I change the ownership to apache:apache and remove permissions for other users
(e.g. 0770), an EACCES pops up but no avc denied shows up in the audit log.
Here's what I got so far:
$ ls -dZ /var/lib/smokeping/rrd
drwxr-xr-x. root root system_u:object_r:smokeping_var_lib_t:s0 /var/lib/smokeping/rrd
$ runcon -t smokeping_t -r system_r smokeping --debug
# (works fine)
$ chown apache: /var/lib/smokeping/rrd
$ chmod 770 /var/lib/smokeping/rrd
$ ls -dZ /var/lib/smokeping/rrd
drwxrwx---. apache apache system_u:object_r:smokeping_var_lib_t:s0 /var/lib/smokeping/rrd
$ runcon -t smokeping_t -r system_r smokeping --debug
# (breaks)
an strace shows:
$ grep -h EACCES /tmp/smokeping.pid.*
open("/etc/shadow", O_RDONLY|O_CLOEXEC) = -1 EACCES (Permission denied)
stat("/var/lib/smokeping/rrd/foo.rrd", 0x1219138) = -1 EACCES (Permission
denied)
open("/var/lib/smokeping/rrd/foo.rrd", O_RDWR|O_CREAT|O_TRUNC, 0666) = -1 EACCES
(Permission denied)
stat("/var/lib/smokeping/rrd/foo~bar.rrd", 0x1219138) = -1 EACCES (Permission
denied)
open("/var/lib/smokeping/rrd/foo~bar.rrd", O_RDWR|O_CREAT|O_TRUNC, 0666) = -1
EACCES (Permission denied)
stat("/var/lib/smokeping/rrd/foo~baz.rrd", 0x1219138) = -1 EACCES (Permission
denied)
open("/var/lib/smokeping/rrd/foo~baz.rrd", O_RDWR|O_CREAT|O_TRUNC, 0666) = -1
EACCES (Permission denied)
stat("/var/lib/smokeping/rrd/threshold", 0x1219138) = -1 EACCES (Permission
denied)
mkdir("/var/lib/smokeping/rrd/threshold", 0755) = -1 EACCES (Permission denied)
imho smokeping *should* be able to perform these actions (well, except for /etc/shadow):
$ sesearch -s smokeping_t -t smokeping_var_lib_t -Ad
Found 2 semantic av rules:
allow smokeping_t smokeping_var_lib_t : dir { ioctl read write create getattr setattr
lock unlink link rename add_name remove_name reparent search rmdir open } ;
allow smokeping_t smokeping_var_lib_t : file { ioctl read write create getattr setattr
lock append unlink link rename open } ;
When circumventing SELinux using either setenforce 0 or semanage permissive -a smokeping_t
it works fine again.
Does anyone have a clue?
Thanks!
- Philippe
6:10 a.m.
New subject: permission denied without an (obvious) reason when changing
directory permissions
Hi Philippe
I'm running into a SELinux permission issue when simply changing
the ownership of a directory and I've got no clue why this happens.
The program in question is smokeping. It runs as root with the context of
"system_u:system_r:smokeping_t" and tries to write to /var/lib/smokeping/rrd.
When having /var/lib/smokeping (and its subfolders) owned by root, everything works
fine.
As soon as I change the ownership to apache:apache and remove permissions for other users
(e.g. 0770), an EACCES pops up but no avc denied shows up in the audit log.
Here's what I got so far:
$ ls -dZ /var/lib/smokeping/rrd
drwxr-xr-x. root root system_u:object_r:smokeping_var_lib_t:s0 /var/lib/smokeping/rrd
$ runcon -t smokeping_t -r system_r smokeping --debug
# (works fine)
$ chown apache: /var/lib/smokeping/rrd
$ chmod 770 /var/lib/smokeping/rrd
$ ls -dZ /var/lib/smokeping/rrd
drwxrwx---. apache apache system_u:object_r:smokeping_var_lib_t:s0
/var/lib/smokeping/rrd
$ runcon -t smokeping_t -r system_r smokeping --debug
# (breaks)
an strace shows:
$ grep -h EACCES /tmp/smokeping.pid.*
open("/etc/shadow", O_RDONLY|O_CLOEXEC) = -1 EACCES (Permission denied)
stat("/var/lib/smokeping/rrd/foo.rrd", 0x1219138) = -1 EACCES (Permission
denied)
open("/var/lib/smokeping/rrd/foo.rrd", O_RDWR|O_CREAT|O_TRUNC, 0666) = -1
EACCES (Permission denied)
stat("/var/lib/smokeping/rrd/foo~bar.rrd", 0x1219138) = -1 EACCES (Permission
denied)
open("/var/lib/smokeping/rrd/foo~bar.rrd", O_RDWR|O_CREAT|O_TRUNC, 0666) = -1
EACCES (Permission denied)
stat("/var/lib/smokeping/rrd/foo~baz.rrd", 0x1219138) = -1 EACCES (Permission
denied)
open("/var/lib/smokeping/rrd/foo~baz.rrd", O_RDWR|O_CREAT|O_TRUNC, 0666) = -1
EACCES (Permission denied)
stat("/var/lib/smokeping/rrd/threshold", 0x1219138) = -1 EACCES (Permission
denied)
mkdir("/var/lib/smokeping/rrd/threshold", 0755) = -1 EACCES (Permission denied)
As the process runs confined, root is not the same root as if you run it
interactively after sudo su - or the like.
Root for the somkeping process is like a normal user. It can't override
DAC permissions. If root has no permissions to write to the folder it
simply can't overrule that permission because DAC_OVERRIDE is denied.
There should be some audit messages logged with dac_override .
A Dan Walsh blogpost about dac override with some details:
https://danwalsh.livejournal.com/80232.html
- Thomas
6:18 a.m.
New subject: permission denied without an (obvious) reason when changing
directory permissions
Hi Philippe,
On 4/24/19 1:10 PM, Thomas Mueller wrote:
Hi Philippe
> I'm running into a SELinux permission issue when simply changing the
> ownership of a directory and I've got no clue why this happens.
>
> The program in question is smokeping. It runs as root with the context
> of "system_u:system_r:smokeping_t" and tries to write to
> /var/lib/smokeping/rrd.
> When having /var/lib/smokeping (and its subfolders) owned by root,
> everything works fine.
> As soon as I change the ownership to apache:apache and remove
> permissions for other users (e.g. 0770), an EACCES pops up but no avc
> denied shows up in the audit log.
>
> Here's what I got so far:
>
> $ ls -dZ /var/lib/smokeping/rrd
> drwxr-xr-x. root root system_u:object_r:smokeping_var_lib_t:s0
> /var/lib/smokeping/rrd
> $ runcon -t smokeping_t -r system_r smokeping --debug
> # (works fine)
>
> $ chown apache: /var/lib/smokeping/rrd
> $ chmod 770 /var/lib/smokeping/rrd
> $ ls -dZ /var/lib/smokeping/rrd
> drwxrwx---. apache apache system_u:object_r:smokeping_var_lib_t:s0
> /var/lib/smokeping/rrd
> $ runcon -t smokeping_t -r system_r smokeping --debug
> # (breaks)
>
> an strace shows:
>
> $ grep -h EACCES /tmp/smokeping.pid.*
> open("/etc/shadow", O_RDONLY|O_CLOEXEC) = -1 EACCES (Permission denied)
> stat("/var/lib/smokeping/rrd/foo.rrd", 0x1219138) = -1 EACCES
> (Permission denied)
> open("/var/lib/smokeping/rrd/foo.rrd", O_RDWR|O_CREAT|O_TRUNC, 0666) =
> -1 EACCES (Permission denied)
> stat("/var/lib/smokeping/rrd/foo~bar.rrd", 0x1219138) = -1 EACCES
> (Permission denied)
> open("/var/lib/smokeping/rrd/foo~bar.rrd", O_RDWR|O_CREAT|O_TRUNC,
> 0666) = -1 EACCES (Permission denied)
> stat("/var/lib/smokeping/rrd/foo~baz.rrd", 0x1219138) = -1 EACCES
> (Permission denied)
> open("/var/lib/smokeping/rrd/foo~baz.rrd", O_RDWR|O_CREAT|O_TRUNC,
> 0666) = -1 EACCES (Permission denied)
> stat("/var/lib/smokeping/rrd/threshold", 0x1219138) = -1 EACCES
> (Permission denied)
> mkdir("/var/lib/smokeping/rrd/threshold", 0755) = -1 EACCES
> (Permission denied)
As the process runs confined, root is not the same root as if you run it
interactively after sudo su - or the like.
Root for the somkeping process is like a normal user. It can't override
DAC permissions. If root has no permissions to write to the folder it
simply can't overrule that permission because DAC_OVERRIDE is denied.
There should be some audit messages logged with dac_override .
A Dan Walsh blogpost about dac override with some details:
https://danwalsh.livejournal.com/80232.html
Just to be sure, could you please add rerun the scenario and execute
command:
# ausearch -m AVC -ts today
and attach the output ?
Thanks,
Lukas.
- Thomas
_______________________________________________
selinux mailing list -- selinux(a)lists.fedoraproject.org
To unsubscribe send an email to selinux-leave(a)lists.fedoraproject.org
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedoraproject.org/archives/list/selinux@lists.fedoraproject...
--
Lukas Vrabec
Senior Software Engineer, Security Technologies
Red Hat, Inc.
7:17 a.m.
New subject: permission denied without an (obvious) reason when changing
directory permissions
Hi Lukas,
ausearch shows only irrelevant logs from other processes but, apart from me playing around
with runcon, nothing regarding smokeping:
--%snip%--
----
time->Wed Apr 24 11:43:39 2019
type=PROCTITLE msg=audit(1556099019.516:249260):
proctitle=72756E636F6E002D7400736D6F6B6570696E675F74002D720073797374656D5F72006964
type=PATH msg=audit(1556099019.516:249260): item=0 name="/usr/bin/id" inode=7818
dev=fd:01 mode=0100755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:bin_t:s0
objtype=NORMAL cap_fp=
0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0
type=CWD msg=audit(1556099019.516:249260): cwd="/root"
type=SYSCALL msg=audit(1556099019.516:249260): arch=c000003e syscall=59 success=no
exit=-13 a0=7ffd17daa993 a1=7ffd17daabd0 a2=7ffd17daabe0 a3=7ffd17daa4a0 items=1
ppid=26931 pid=132
01 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=5004
comm="runcon" exe="/usr/bin/runcon"
subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key
=(null)
type=AVC msg=audit(1556099019.516:249260): avc: denied { entrypoint } for pid=13201
comm="runcon" path="/usr/bin/id" dev="dm-1" ino=7818
scontext=unconfined_u:system_r:smokeping_t
:s0-s0:c0.c1023 tcontext=system_u:object_r:bin_t:s0 tclass=file permissive=0
----
time->Wed Apr 24 11:45:25 2019
type=PROCTITLE msg=audit(1556099125.154:249313):
proctitle=72756E636F6E002D7400736D6F6B6570696E675F74002D720073797374656D5F72006C73002F7661722F6C69622F736D6F6B6570696E672F7272642F666
F6F
type=PATH msg=audit(1556099125.154:249313): item=0 name="/usr/bin/ls" inode=7824
dev=fd:01 mode=0100755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:bin_t:s0
objtype=NORMAL cap_fp=
0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0
type=CWD msg=audit(1556099125.154:249313): cwd="/root"
type=SYSCALL msg=audit(1556099125.154:249313): arch=c000003e syscall=59 success=no
exit=-13 a0=7ffc3f10e103 a1=7ffc3f10e340 a2=7ffc3f10e358 a3=7ffc3f10dc20 items=1
ppid=26931 pid=141
85 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=5004
comm="runcon" exe="/usr/bin/runcon"
subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key
=(null)
type=AVC msg=audit(1556099125.154:249313): avc: denied { entrypoint } for pid=14185
comm="runcon" path="/usr/bin/ls" dev="dm-1" ino=7824
scontext=unconfined_u:system_r:smokeping_t:s0-s0:c0.c1023
tcontext=system_u:object_r:bin_t:s0 tclass=file permissive=0
--%snip%--
Also I do not have any dontaudit rules for smokeping_t that would hide the log events in
question.
- Philippe
7:17 a.m.
New subject: permission denied without an (obvious) reason when changing
directory permissions
Hi Thomas,
thanks a lot! Unfortunately the audit logs didn't show any denials for dac_override
and I missed the point completely here.
Dan's blogpost looks promising, I'll take a look.
- Philippe
1827
days inactive
1827
days old
selinux@lists.fedoraproject.org
4 comments
3 participants
participants (3)
-
Lukas Vrabec -
Philippe Kueck -
Thomas Mueller