Is it a SELinux policy problem?

Casper fantom at fedoraproject.org
Tue Jan 27 22:11:35 UTC 2015


Or is it a luajit problem?

Dear devs, hello.
I would like to determine if these AVCs are caused by prosody, lua, or
a wrong SELinux policy.



lancaster ~ # systemctl status prosody
● prosody.service - Prosody XMPP (Jabber) server
   Loaded: loaded (/usr/lib/systemd/system/prosody.service; disabled)
   Active: inactive (dead)

lancaster ~ # sestatus
SELinux status:                 enabled
SELinuxfs mount:                /sys/fs/selinux
SELinux root directory:         /etc/selinux
Loaded policy name:             targeted
Current mode:                   enforcing
Mode from config file:          enforcing
Policy MLS status:              enabled
Policy deny_unknown status:     allowed
Max kernel policy version:      29

lancaster ~ # rpm -q prosody luajit
prosody-0.9.4-4.fc21.x86_64
luajit-2.0.3-3.fc21.x86_64


systemd start:
janv. 27 19:28:03 lancaster prosodyctl[21208]: PANIC: unprotected
error in call to Lua API (runtime code generation failed, restricted
kernel?)
janv. 27 19:28:04 lancaster prosodyctl[21208]: PANIC: unprotected
error in call to Lua API (runtime code generation failed, restricted
kernel?)
janv. 27 19:28:04 lancaster systemd[1]: prosody.service: control
process exited, code=killed status=11
janv. 27 19:28:04 lancaster systemd[1]: Failed to start Prosody XMPP
(Jabber) server.
janv. 27 19:28:04 lancaster systemd[1]: Unit prosody.service entered
failed state.
janv. 27 19:28:04 lancaster systemd[1]: prosody.service failed.

kernel log:
janv. 27 19:28:03 lancaster prosodyctl[21208]: PANIC: unprotected
error in call to Lua API (runtime code generation failed, restricted
kernel?)
janv. 27 19:28:03 lancaster kernel: luajit[21209]: segfault at bcefddd
ip 000000000bcefddd sp 00007fff98c8cf00 error 15
janv. 27 19:28:04 lancaster prosodyctl[21208]: PANIC: unprotected
error in call to Lua API (runtime code generation failed, restricted
kernel?)
janv. 27 19:28:04 lancaster kernel: luajit[21208]: segfault at bcefe33
ip 000000000bcefe33 sp 00007fffe6d4a6b0 error 15
janv. 27 19:28:04 lancaster systemd[1]: prosody.service: control
process exited, code=killed status=11
janv. 27 19:28:04 lancaster systemd[1]: Failed to start Prosody XMPP
(Jabber) server.
janv. 27 19:28:04 lancaster systemd[1]: Unit prosody.service entered
failed state.
janv. 27 19:28:04 lancaster systemd[1]: prosody.service failed.
janv. 27 19:28:05 lancaster dbus[904]: [system] Successfully activated
service 'org.fedoraproject.Setroubleshootd'
janv. 27 19:28:14 lancaster setroubleshoot[21211]: Plugin Exception
restorecon_source
janv. 27 19:28:14 lancaster setroubleshoot[21211]: SELinux is
preventing /usr/bin/luajit-2.0.3 from read access on the file
/var/log/prosody/debug.log. For complete SELinux messages. run sealert
-l 4598d861-a393-472b-9dda-2c1c3b069fd4
janv. 27 19:28:14 lancaster setroubleshoot[21211]: SELinux is
preventing /usr/bin/luajit-2.0.3 from read access on the file
/var/log/prosody/info.log. For complete SELinux messages. run sealert
-l 4598d861-a393-472b-9dda-2c1c3b069fd4
janv. 27 19:28:14 lancaster setroubleshoot[21211]: SELinux is
preventing /usr/bin/luajit-2.0.3 from read access on the file
/var/log/prosody/error.log. For complete SELinux messages. run sealert
-l 4598d861-a393-472b-9dda-2c1c3b069fd4
janv. 27 19:28:15 lancaster setroubleshoot[21211]: SELinux is
preventing /usr/bin/luajit-2.0.3 from using the execmem access on a
process. For complete SELinux messages. run sealert -l
e0b419ae-9eb4-45ec-9d8e-0ef19df4f5cb
janv. 27 19:28:15 lancaster setroubleshoot[21211]: SELinux is
preventing /usr/bin/luajit-2.0.3 from using the execmem access on a
process. For complete SELinux messages. run sealert -l
e0b419ae-9eb4-45ec-9d8e-0ef19df4f5cb


lancaster ~ # sealert -l 4598d861-a393-472b-9dda-2c1c3b069fd4
SELinux is preventing /usr/bin/luajit-2.0.3 from read access on the
file /var/log/prosody/error.log.

*****  Plugin catchall (100. confidence) suggests  **************************

If vous pensez que luajit-2.0.3 devrait être autorisé à accéder read
sur error.log file par défaut.
Then vous devriez rapporter ceci en tant qu'anomalie.
Vous pouvez générer un module de stratégie local pour autoriser cet
accès.
Do
autoriser cet accès pour le moment en exécutant :
# grep luajit /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp


Additional Information:
Source Context                system_u:system_r:prosody_t:s0
Target Context                system_u:object_r:var_log_t:s0
Target Objects                /var/log/prosody/error.log [ file ]
Source                        luajit
Source Path                   /usr/bin/luajit-2.0.3
Port                          <Unknown>
Host                          lancaster
Source RPM Packages           luajit-2.0.3-3.fc21.x86_64
Target RPM Packages
Policy RPM                    selinux-policy-3.13.1-103.fc21.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     lancaster
Platform                      Linux lancaster 3.17.8-300.fc21.x86_64 #1 SMP Thu Jan 8 23:32:49 UTC 2015 x86_64 x86_64
Alert Count                   7
First Seen                    2015-01-18 08:59:03 CET
Last Seen                     2015-01-27 19:28:02 CET
Local ID                      4598d861-a393-472b-9dda-2c1c3b069fd4

Raw Audit Messages
type=AVC msg=audit(1422383282.541:154043): avc:  denied  { read } for  pid=21209 comm="luajit" name="error.log" dev="dm-1" ino=2228909 scontext=system_u:system_r:prosody_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file permissive=0

type=SYSCALL msg=audit(1422383282.541:154043): arch=x86_64 syscall=open success=no exit=EACCES a0=4154f8c0 a1=442 a2=1b6 a3=241 items=0 ppid=21208 pid=21209 auid=4294967295 uid=991 gid=990 euid=991 suid=991 fsuid=991 egid=990 sgid=990 fsgid=990 tty=(none) ses=4294967295 comm=luajit exe=/usr/bin/luajit-2.0.3 subj=system_u:system_r:prosody_t:s0 key=(null)

Hash: luajit,prosody_t,var_log_t,file,read


lancaster ~ # sealert -l e0b419ae-9eb4-45ec-9d8e-0ef19df4f5cb
SELinux is preventing /usr/bin/luajit-2.0.3 from using the execmem
access on a process.

*****  Plugin catchall (100. confidence) suggests  **************************

If vous pensez que luajit-2.0.3 devrait être autorisé à accéder
execmem sur les processus étiquetés prosody_t par défaut.
Then vous devriez rapporter ceci en tant qu'anomalie.
Vous pouvez générer un module de stratégie local pour autoriser cet
accès.
Do
autoriser cet accès pour le moment en exécutant :
# grep luajit /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp


Additional Information:
Source Context                system_u:system_r:prosody_t:s0
Target Context                system_u:system_r:prosody_t:s0
Target Objects                Unknown [ process ]
Source                        luajit
Source Path                   /usr/bin/luajit-2.0.3
Port                          <Unknown>
Host                          lancaster
Source RPM Packages           luajit-2.0.3-3.fc21.x86_64
Target RPM Packages
Policy RPM                    selinux-policy-3.13.1-103.fc21.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     lancaster
Platform                      Linux lancaster 3.17.8-300.fc21.x86_64 #1 SMP Thu Jan 8 23:32:49 UTC 2015 x86_64 x86_64
Alert Count                   12
First Seen                    2015-01-17 18:00:51 CET
Last Seen                     2015-01-27 19:28:04 CET
Local ID                      e0b419ae-9eb4-45ec-9d8e-0ef19df4f5cb

Raw Audit Messages
type=AVC msg=audit(1422383284.804:154046): avc:  denied  { execmem } for  pid=21208 comm="luajit" scontext=system_u:system_r:prosody_t:s0 tcontext=system_u:system_r:prosody_t:s0 tclass=process permissive=0

type=SYSCALL msg=audit(1422383284.804:154046): arch=x86_64 syscall=mprotect success=no exit=EACCES a0=bce0000 a1=10000 a2=5 a3=47e items=0 ppid=1 pid=21208 auid=429496795 uid=991 gid=990 euid=991 suid=991 fsuid=991 egid=990 sgid=990 fsgid=990 tty=(none) ses=4294967295 comm=luajit exe=/usr/bin/luajit-2.0.3 subj=system_u:system_r:prosody_t:s0 key=(null)

Hash: luajit,prosody_t,prosody_t,process,execmem


lancaster ~ # ll -Za /var/log/prosody
drwxrwx---. root prosody system_u:object_r:var_log_t:s0   .
drwxr-xr-x. root root    system_u:object_r:var_log_t:s0   ..
-rw-rw-r--. root prosody system_u:object_r:var_log_t:s0   debug.log
-rw-rw-r--. root prosody system_u:object_r:var_log_t:s0   debug.log-20130727
-rw-rw-r--. root prosody system_u:object_r:var_log_t:s0   error.log
-rw-rw-r--. root prosody system_u:object_r:var_log_t:s0   error.log-20130727
-rw-rw-r--. root prosody system_u:object_r:var_log_t:s0   info.log
-rw-rw-r--. root prosody system_u:object_r:var_log_t:s0   info.log-20130727
-rw-rw-r--. root prosody system_u:object_r:var_log_t:s0   prosody.log


Any opinion on this?

Best regards,
Matthieu Saulnier
-- 
Certificate Authority: http://casperlefantom.net/root.pem
Fingerprint: 0975 864A 2036 0F94 A139  114A D32E 8EBE 30F2 2429

GPG key ID: 83288189 @ hkp://keys.fedoraproject.org
Fingerprint: CC26 692F 5205 AC8F 7912  7783 D7A7 F4C5 8328 8189
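Added example, not part of the mail above and not Fedora or Prosody code: a small triage script that parses the two raw audit records quoted in the mail (re-joined onto one line each, as they appear in /var/log/audit/audit.log) and separates the two different problems they describe. The execmem denial pairs with an mprotect(2) whose prot argument is decoded, and the rule string mirrors what audit2allow would package into the `mypol` module, so the reader can see exactly how broad that grant would be. The GENERIC_TYPES set is my own heuristic (generic labels such as var_log_t that a confined daemon normally does not get its own allow rule for); the check it suggests, `matchpathcon` / `restorecon -nv`, is a dry run that only reports what the label should be.

```python
"""Triage AVC denials: JIT execmem versus a generic-label file denial."""
import re
from dataclasses import dataclass

# Constructed sample input: the audit records quoted in the mail, one record per line.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1422383282.541:154043): avc:  denied  { read } for  pid=21209 comm="luajit" name="error.log" dev="dm-1" ino=2228909 scontext=system_u:system_r:prosody_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file permissive=0
type=SYSCALL msg=audit(1422383282.541:154043): arch=x86_64 syscall=open success=no exit=EACCES a0=4154f8c0 a1=442 a2=1b6 a3=241 items=0 ppid=21208 pid=21209 comm=luajit exe=/usr/bin/luajit-2.0.3 subj=system_u:system_r:prosody_t:s0
type=AVC msg=audit(1422383284.804:154046): avc:  denied  { execmem } for  pid=21208 comm="luajit" scontext=system_u:system_r:prosody_t:s0 tcontext=system_u:system_r:prosody_t:s0 tclass=process permissive=0
type=SYSCALL msg=audit(1422383284.804:154046): arch=x86_64 syscall=mprotect success=no exit=EACCES a0=bce0000 a1=10000 a2=5 a3=47e items=0 ppid=1 pid=21208 comm=luajit exe=/usr/bin/luajit-2.0.3 subj=system_u:system_r:prosody_t:s0
"""

PERMS_RE = re.compile(r"avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}")
KV_RE = re.compile(r'(\w+)=("([^"]*)"|(\S+))')
EVENT_RE = re.compile(r"msg=audit\(([\d.]+:\d+)\)")

# Assumption (heuristic): generic file types; a denial against one of these
# usually means the object is mislabeled, not that policy is missing a rule.
GENERIC_TYPES = {"var_log_t", "var_t", "var_lib_t", "etc_t", "usr_t", "default_t"}

PROT_FLAGS = {1: "PROT_READ", 2: "PROT_WRITE", 4: "PROT_EXEC"}


@dataclass
class AuditEvent:
    event_id: str
    result: str
    perms: tuple
    avc: dict       # key=value fields of the AVC record
    syscall: dict   # key=value fields of the SYSCALL record with the same event id


def _kv(line):
    """key=value and key="quoted value" pairs of one audit record."""
    return {k: (q if whole.startswith('"') else u) for k, whole, q, u in KV_RE.findall(line)}


def parse_audit_log(text):
    """One AuditEvent per AVC record, joined to its SYSCALL record by event id."""
    events, syscalls = {}, {}
    for line in text.splitlines():
        ev = EVENT_RE.search(line)
        if not ev:
            continue
        fields = _kv(line)
        if fields.get("type") == "AVC":
            m = PERMS_RE.search(line)
            if m:
                events[ev.group(1)] = AuditEvent(ev.group(1), m.group("result"),
                                                 tuple(m.group("perms").split()), fields, {})
        elif fields.get("type") == "SYSCALL":
            syscalls[ev.group(1)] = fields
    for eid, e in events.items():
        e.syscall = syscalls.get(eid, {})
    return list(events.values())


def type_of(context):
    """user:role:type:level -> type."""
    return context.split(":")[2]


def audit2allow_rule(e):
    """The allow rule audit2allow would emit for this denial."""
    src, tgt = type_of(e.avc["scontext"]), type_of(e.avc["tcontext"])
    target = "self" if src == tgt else tgt
    perms = e.perms[0] if len(e.perms) == 1 else "{ " + " ".join(e.perms) + " }"
    return f"allow {src} {target}:{e.avc['tclass']} {perms};"


def decode_mprotect(syscall):
    """Decode the prot argument (a2, hex) of a denied mprotect(2) into flag names."""
    prot = int(syscall["a2"], 16)
    return "|".join(n for bit, n in PROT_FLAGS.items() if prot & bit) or "PROT_NONE"


def triage(e):
    src, tgt, tclass = type_of(e.avc["scontext"]), type_of(e.avc["tcontext"]), e.avc["tclass"]
    rule = audit2allow_rule(e)
    if tclass == "process" and "execmem" in e.perms:
        prot = decode_mprotect(e.syscall) if e.syscall.get("syscall") == "mprotect" else "?"
        return {"kind": "execmem", "rule": rule,
                "note": f"{e.avc['comm']} asked for executable anonymous memory (mprotect "
                        f"prot={prot}), typical of a JIT; the rule above removes W^X for the "
                        f"whole {src} domain, so report it rather than allow it locally."}
    if tclass in ("file", "dir") and tgt in GENERIC_TYPES:
        return {"kind": "generic_label", "rule": rule,
                "note": f"{e.avc.get('name', '?')} carries the generic type {tgt}; check the "
                        f"expected label with matchpathcon / restorecon -nv before writing policy."}
    return {"kind": "other", "rule": rule, "note": "inspect manually"}


if __name__ == "__main__":
    for e in parse_audit_log(SAMPLE_AUDIT_LOG):
        t = triage(e)
        print(f"{e.event_id}: {t['kind']:14} {t['rule']}\n    {t['note']}")
```

On the mail's own data this yields `allow prosody_t var_log_t:file read;` for the log files and `allow prosody_t self:process execmem;` for the JIT, which is why the two denials deserve different answers: the first points at a label question on /var/log/prosody, the second at the runtime code generation that the PANIC message names.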