1 |
Hi, |
2 |
|
3 |
just done my weekly update and I noticed the following AVCs occurred |
4 |
that suggest something missing in the portage policy? |
5 |
|
6 |
type=PROCTITLE msg=audit(1479900756.052:3548): |
7 |
proctitle=6370002D61002D2D7265666C696E6B3D6175746F002F7661722F746D702F706F72746167652F6465762D707974686F6E2F70797061782D302E392E322F696D6167652F5F707974686F6E322E372F2E002F7661722F746D702F706F72746167652F6465762D707974686F6E2F70797061782D302E392E322F696D6167652F2F |
8 |
type=PATH msg=audit(1479900756.052:3548): item=0 |
9 |
name="/var/tmp/portage/dev-python/pypax-0.9.2/image/." inode=1182893 |
10 |
dev=fd:00 mode=040755 ouid=0 ogid=0 rdev=00:00 |
11 |
obj=staff_u:object_r:portage_tmp_t nametype=NORMAL |
12 |
type=CWD msg=audit(1479900756.052:3548): |
13 |
cwd="/var/tmp/portage/dev-python/pypax-0.9.2/work/elfix-0.9.2/scripts" |
14 |
type=SYSCALL msg=audit(1479900756.052:3548): arch=c000003e syscall=189 |
15 |
success=yes exit=0 a0=44b69d9c40 a1=36fe2f5a763 a2=44b69d9df0 a3=1f |
16 |
items=1 ppid=21441 pid=21661 auid=4294967295 uid=0 gid=0 euid=0 suid=0 |
17 |
fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=4294967295 comm="cp" |
18 |
exe="/bin/cp" subj=staff_u:sysadm_r:portage_sandbox_t key=(null) |
19 |
type=AVC msg=audit(1479900756.052:3548): avc: denied { relabelto } |
20 |
for pid=21661 comm="cp" name="image" dev="dm-0" ino=1182893 |
21 |
scontext=staff_u:sysadm_r:portage_sandbox_t |
22 |
tcontext=staff_u:object_r:portage_tmp_t tclass=dir permissive=1 |
23 |
type=AVC msg=audit(1479900756.052:3548): avc: denied { relabelfrom } |
24 |
for pid=21661 comm="cp" name="image" dev="dm-0" ino=1182893 |
25 |
scontext=staff_u:sysadm_r:portage_sandbox_t |
26 |
tcontext=staff_u:object_r:portage_tmp_t tclass=dir permissive=1 |
27 |
|
28 |
I checked the policy for source=portage_sandbox_t and |
29 |
target=portage_tmp_t and it is: |
30 |
|
31 |
# sesearch -s portage_sandbox_t -t portage_tmp_t -Ad |
32 |
Found 5 semantic av rules: |
33 |
allow portage_sandbox_t portage_tmp_t : lnk_file { ioctl read write |
34 |
create getattr setattr lock unlink link rename } ; |
35 |
allow portage_sandbox_t portage_tmp_t : dir { ioctl read write |
36 |
create getattr setattr lock unlink link rename add_name remove_name |
37 |
reparent search rmdir open } ; |
38 |
allow portage_sandbox_t portage_tmp_t : fifo_file { ioctl read write |
39 |
create getattr setattr lock append unlink link rename open } ; |
40 |
allow portage_sandbox_t portage_tmp_t : file { ioctl read write |
41 |
create getattr setattr lock relabelfrom relabelto append unlink link |
42 |
rename execute execute_no_trans open } ; |
43 |
allow portage_sandbox_t portage_tmp_t : sock_file { ioctl read write |
44 |
create getattr setattr lock append unlink link rename open } ; |
45 |
|
46 |
It looks to me like portage was trying to relabelto/from a directory but |
47 |
these ops are only allowed for files? |
48 |
|
49 |
I also spotted AVCs involving directory access to portage_tmpfs_t (and |
50 |
sandbox as the source), such as: |
51 |
|
52 |
type=PROCTITLE msg=audit(1479900586.938:3542): |
53 |
proctitle=707974686F6E322E37002F7573722F6C696236342F707974686F6E322E372F736974652D7061636B616765732F696E636C7564655F7365727665722F696E636C7564655F7365727665722E7079002D2D706F7274002F746D702F6469737463632D70756D702E656B6A3330372F736F636B6574002D2D7069645F66696C65002F |
54 |
type=PATH msg=audit(1479900586.938:3542): item=1 |
55 |
name="/dev/shm/tmpgk84Lo.include_server-16244-1" inode=1246573 dev=00:13 |
56 |
mode=040700 ouid=250 ogid=250 rdev=00:00 |
57 |
obj=staff_u:object_r:portage_tmpfs_t nametype=DELETE |
58 |
type=PATH msg=audit(1479900586.938:3542): item=0 name="/dev/shm/" |
59 |
inode=8351 dev=00:13 mode=041777 ouid=0 ogid=0 rdev=00:00 |
60 |
obj=system_u:object_r:tmpfs_t nametype=PARENT |
61 |
type=CWD msg=audit(1479900586.938:3542): |
62 |
cwd="/var/tmp/portage/dev-python/cffi-1.5.2/work/cffi-1.5.2" |
63 |
type=SYSCALL msg=audit(1479900586.938:3542): arch=c000003e syscall=84 |
64 |
success=yes exit=0 a0=3a6d7c7770 a1=0 a2=0 a3=36b items=2 ppid=1 |
65 |
pid=16244 auid=4294967295 uid=250 gid=250 euid=250 suid=250 fsuid=250 |
66 |
egid=250 sgid=250 fsgid=250 tty=pts0 ses=4294967295 comm="python2.7" |
67 |
exe="/usr/bin/python2.7" subj=staff_u:sysadm_r:portage_sandbox_t key=(null) |
68 |
type=AVC msg=audit(1479900586.938:3542): avc: denied { rmdir } for |
69 |
pid=16244 comm="python2.7" name="tmpgk84Lo.include_server-16244-1" |
70 |
dev="tmpfs" ino=1246573 scontext=staff_u:sysadm_r:portage_sandbox_t |
71 |
tcontext=staff_u:object_r:portage_tmpfs_t tclass=dir permissive=1 |
72 |
|
73 |
And a similar AVC for creating the same directory. |
74 |
|
75 |
Is this likely to be a policy gap or have I done something wrong or |
76 |
failed to do something I should have. I cannot provide more details |
77 |
about what was happening at the time, other than in the audit snippets |
78 |
above - it was the middle of a lengthy update process. |
79 |
|
80 |
Thanks, |
81 |
|
82 |
Robert Sharp |