Unexpected behavior in permissive mode
Miroslav Grepl
mgrepl at redhat.com
Fri Apr 10 09:41:10 UTC 2015
On 04/09/2015 02:55 AM, Joseph L. Casale wrote:
>> What does if you switch the SELinux mode (which resets AVC cache)
>>
>> # setenforce 1; setenforce 0
>>
>> and then re-test it?
>>
>> Could you also post full raw AVC?
>
> Hi Miroslav,
> Thanks for the pointer about resetting the cache, that helped.
>
> After running the backup in permissive mode, I get the following:
>
> type=AVC msg=audit(1428538766.224:2373): avc: denied { execute } for pid=32056 comm="bacula-fd" name="su" dev="dm-0" ino=18110620 scontext=system_u:system_r:bacula_t:s0 tcontext=system_u:object_r:su_exec_t:s0 tclass=file
> type=AVC msg=audit(1428538766.224:2373): avc: denied { execute_no_trans } for pid=32056 comm="bacula-fd" path="/usr/bin/su" dev="dm-0" ino=18110620 scontext=system_u:system_r:bacula_t:s0 tcontext=system_u:object_r:su_exec_t:s0 tclass=file
> type=AVC msg=audit(1428538766.343:2374): avc: denied { create } for pid=32056 comm="su" scontext=system_u:system_r:bacula_t:s0 tcontext=system_u:system_r:bacula_t:s0 tclass=netlink_selinux_socket
> type=AVC msg=audit(1428538766.343:2375): avc: denied { bind } for pid=32056 comm="su" scontext=system_u:system_r:bacula_t:s0 tcontext=system_u:system_r:bacula_t:s0 tclass=netlink_selinux_socket
> type=AVC msg=audit(1428538766.343:2376): avc: denied { compute_av } for pid=32056 comm="su" scontext=system_u:system_r:bacula_t:s0 tcontext=system_u:object_r:security_t:s0 tclass=security
> type=AVC msg=audit(1428538766.344:2377): avc: denied { create } for pid=32056 comm="su" scontext=system_u:system_r:bacula_t:s0 tcontext=system_u:system_r:bacula_t:s0 tclass=netlink_audit_socket
> type=AVC msg=audit(1428538766.344:2378): avc: denied { nlmsg_relay } for pid=32056 comm="su" scontext=system_u:system_r:bacula_t:s0 tcontext=system_u:system_r:bacula_t:s0 tclass=netlink_audit_socket
> type=AVC msg=audit(1428538766.344:2378): avc: denied { audit_write } for pid=32056 comm="su" capability=29 scontext=system_u:system_r:bacula_t:s0 tcontext=system_u:system_r:bacula_t:s0 tclass=capability
> type=USER_AVC msg=audit(1428538766.344:2379): pid=32056 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:bacula_t:s0 msg='avc: denied { passwd } for scontext=system_u:system_r:bacula_t:s0 tcontext=system_u:system_r:bacula_t:s0 tclass=passwd exe="/usr/bin/su" sauid=0 hostname=? addr=? terminal=?'
> type=AVC msg=audit(1428538766.345:2383): avc: denied { setsched } for pid=32056 comm="su" scontext=system_u:system_r:bacula_t:s0 tcontext=system_u:system_r:bacula_t:s0 tclass=process
> type=AVC msg=audit(1428538766.345:2384): avc: denied { write } for pid=32056 comm="su" name="system_bus_socket" dev="tmpfs" ino=14052 scontext=system_u:system_r:bacula_t:s0 tcontext=system_u:object_r:system_dbusd_var_run_t:s0 tclass=sock_file
> type=AVC msg=audit(1428538766.345:2384): avc: denied { connectto } for pid=32056 comm="su" path="/run/dbus/system_bus_socket" scontext=system_u:system_r:bacula_t:s0 tcontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tclass=unix_stream_socket
> type=USER_AVC msg=audit(1428538766.370:2385): pid=694 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: denied { send_msg } for msgtype=method_call interface=org.freedesktop.DBus member=Hello dest=org.freedesktop.DBus spid=32056 scontext=system_u:system_r:bacula_t:s0 tcontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tclass=dbus exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'
> type=USER_AVC msg=audit(1428538766.374:2386): pid=694 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: denied { send_msg } for msgtype=method_call interface=org.freedesktop.login1.Manager member=CreateSession dest=org.freedesktop.login1 spid=32056 tpid=693 scontext=system_u:system_r:bacula_t:s0 tcontext=system_u:system_r:systemd_logind_t:s0 tclass=dbus exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'
> type=USER_AVC msg=audit(1428538766.393:2391): pid=694 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: denied { send_msg } for msgtype=method_return dest=:1.1688 spid=693 tpid=32056 scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u:system_r:bacula_t:s0 tclass=dbus exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'
> type=AVC msg=audit(1428538766.393:2392): avc: denied { write } for pid=32056 comm="su" name="lastlog" dev="dm-0" ino=8572341 scontext=system_u:system_r:bacula_t:s0 tcontext=system_u:object_r:lastlog_t:s0 tclass=file
> type=AVC msg=audit(1428538766.424:2394): avc: denied { execute } for pid=32063 comm="bash" name="hostname" dev="dm-0" ino=16887470 scontext=system_u:system_r:bacula_t:s0 tcontext=system_u:object_r:hostname_exec_t:s0 tclass=file
> type=AVC msg=audit(1428538766.424:2394): avc: denied { execute_no_trans } for pid=32063 comm="bash" path="/usr/bin/hostname" dev="dm-0" ino=16887470 scontext=system_u:system_r:bacula_t:s0 tcontext=system_u:object_r:hostname_exec_t:s0 tclass=file
> type=AVC msg=audit(1428538773.500:2395): avc: denied { write } for pid=32056 comm="su" name="system_bus_socket" dev="tmpfs" ino=14052 scontext=system_u:system_r:bacula_t:s0 tcontext=system_u:object_r:system_dbusd_var_run_t:s0 tclass=sock_file
>
> which generates the following policy:
>
> require {
> type su_exec_t;
> type system_dbusd_var_run_t;
> type security_t;
> type system_dbusd_t;
> type systemd_logind_t;
> type lastlog_t;
> type hostname_exec_t;
> type bacula_t;
> class process setsched;
> class unix_stream_socket connectto;
> class dbus send_msg;
> class capability audit_write;
> class passwd passwd;
> class netlink_selinux_socket { bind create };
> class file { write execute execute_no_trans };
> class netlink_audit_socket { nlmsg_relay create };
> class sock_file write;
> class security compute_av;
> }
>
> #============= bacula_t ==============
> allow bacula_t hostname_exec_t:file { execute execute_no_trans };
> allow bacula_t lastlog_t:file write;
> allow bacula_t security_t:security compute_av;
> allow bacula_t self:capability audit_write;
> allow bacula_t self:netlink_audit_socket { nlmsg_relay create };
> allow bacula_t self:netlink_selinux_socket { bind create };
> allow bacula_t self:passwd passwd;
> allow bacula_t self:process setsched;
> allow bacula_t su_exec_t:file { execute execute_no_trans };
> allow bacula_t system_dbusd_t:dbus send_msg;
> allow bacula_t system_dbusd_t:unix_stream_socket connectto;
> allow bacula_t system_dbusd_var_run_t:sock_file write;
> allow bacula_t systemd_logind_t:dbus send_msg;
>
> #============= systemd_logind_t ==============
> allow systemd_logind_t bacula_t:dbus send_msg;
>
> And after loading this I get the following which was not present initially:
>
> type=AVC msg=audit(1428539366.385:377): avc: denied { execute } for pid=2809 comm="su" name="unix_chkpwd" dev="dm-0" ino=25441120 scontext=system_u:system_r:bacula_t:s0 tcontext=system_u:object_r:chkpwd_exec_t:s0 tclass=file
> type=AVC msg=audit(1428539366.386:378): avc: denied { write } for pid=2808 comm="su" name="btmp" dev="dm-0" ino=9085718 scontext=system_u:system_r:bacula_t:s0 tcontext=system_u:object_r:faillog_t:s0 tclass=file
>
> So rebuilding from the new output yields:
>
> require {
> type system_dbusd_var_run_t;
> type security_t;
> type faillog_t;
> type chkpwd_exec_t;
> type systemd_logind_t;
> type hostname_exec_t;
> type bacula_t;
> type su_exec_t;
> type lastlog_t;
> type system_dbusd_t;
> class process setsched;
> class unix_stream_socket connectto;
> class dbus send_msg;
> class capability audit_write;
> class passwd passwd;
> class netlink_selinux_socket { bind create };
> class file { write execute execute_no_trans };
> class netlink_audit_socket { nlmsg_relay create };
> class sock_file write;
> class security compute_av;
> }
>
> #============= bacula_t ==============
> allow bacula_t chkpwd_exec_t:file execute;
> allow bacula_t faillog_t:file write;
> allow bacula_t hostname_exec_t:file { execute execute_no_trans };
> allow bacula_t lastlog_t:file write;
> allow bacula_t security_t:security compute_av;
> allow bacula_t self:capability audit_write;
> allow bacula_t self:netlink_audit_socket { nlmsg_relay create };
> allow bacula_t self:netlink_selinux_socket { bind create };
> allow bacula_t self:passwd passwd;
> allow bacula_t self:process setsched;
> allow bacula_t su_exec_t:file { execute execute_no_trans };
> allow bacula_t system_dbusd_t:dbus send_msg;
> allow bacula_t system_dbusd_t:unix_stream_socket connectto;
> allow bacula_t system_dbusd_var_run_t:sock_file write;
> allow bacula_t systemd_logind_t:dbus send_msg;
>
> #============= systemd_logind_t ==============
> allow systemd_logind_t bacula_t:dbus send_msg;
>
Are there any scripts which you can defined? Or did you get it by
default? It looks bacula is an administrative tool which is going to be
unconfined domain.
>
> Which adds:
> allow bacula_t chkpwd_exec_t:file execute;
> allow bacula_t faillog_t:file write;
>
> However, after removing the old and loading this new policy I get another denial:
>
> type=AVC msg=audit(1428540219.458:501): avc: denied { execute_no_trans } for pid=4309 comm="su" path="/usr/sbin/unix_chkpwd" dev="dm-0" ino=25441120 scontext=system_u:system_r:bacula_t:s0 tcontext=system_u:object_r:chkpwd_exec_t:s0 tclass=file
>
> Rerunning the backup yields this same avc, and audit2allow would suggest its permitted.
>
> Thanks so much for assistance.
> jlc
>
--
Miroslav Grepl
Software Engineering, SELinux Solutions
Red Hat, Inc.
More information about the selinux
mailing list