Gentoo Archives: gentoo-hardened

From: "Krzysztof Kozłowski" <krzysztof.kozlowski@×××××××××.pl>
To: gentoo-hardened@l.g.o
Subject: [gentoo-hardened] SELinux - Root and sudo commands denied
Date: Sun, 10 Jun 2007 15:27:34
Message-Id: 466C17DD.7010209@kozik.net.pl
On many "normal" sudo commands like:
- tail /var/log/messages (accessing logs)
- editing system files (/etc, /boot)
I can see "denied" in /var/log/avc.log:
--------------
# tail /var/log/messages
Jun 10 16:56:02 bambo audit(1181487362.824:1013): avc: denied {
execute_no_trans } for pid=24622 comm="sudo" name="tail" dev=sda5 ino=6264
scontext=staff_u:staff_r:staff_sudo_t tcontext=system_u:object_r:bin_t tclass=file
Jun 10 16:56:02 bambo audit(1181487362.824:1014): avc: denied { read } for
pid=24622 comm="sudo" name="tail" dev=sda5 ino=6264
scontext=staff_u:staff_r:staff_sudo_t tcontext=system_u:object_r:bin_t tclass=file
Jun 10 16:59:02 bambo audit(1181487542.218:1015): avc: denied { read } for
pid=24626 comm="tail" name="messages" dev=sda7 ino=178336
scontext=staff_u:staff_r:staff_sudo_t tcontext=system_u:object_r:var_log_t
tclass=file
Jun 10 16:59:02 bambo audit(1181487542.218:1016): avc: denied { getattr }
for pid=24626 comm="tail" name="messages" dev=sda7 ino=178336
scontext=staff_u:staff_r:staff_sudo_t tcontext=system_u:object_r:var_log_t
tclass=file
--------------
# vi /boot/grub/grub.conf
Jun 10 17:00:38 bambo audit(1181487638.555:1017): avc: denied { search } for
pid=24869 comm="vi" name="/" dev=sda1 ino=2
scontext=staff_u:staff_r:staff_sudo_t tcontext=system_u:object_r:boot_t tclass=dir
Jun 10 17:00:38 bambo audit(1181487638.571:1018): avc: denied { getattr }
for pid=24869 comm="vi" name="grub.conf" dev=sda1 ino=4040
scontext=staff_u:staff_r:staff_sudo_t tcontext=system_u:object_r:boot_t
tclass=file
Jun 10 17:00:38 bambo audit(1181487638.659:1019): avc: denied { write } for
pid=24869 comm="vi" name="grub.conf" dev=sda1 ino=4040
scontext=staff_u:staff_r:staff_sudo_t tcontext=system_u:object_r:boot_t
tclass=file
--------------

Performing these tasks from the root account:
--------------
# vi /boot/grub/grub.conf
Jun 10 17:16:28 bambo audit(1181488588.761:1083): avc: denied { read } for
pid=25719 comm="ls" name="boot" dev=sda1 ino=14
scontext=staff_u:staff_r:staff_t tcontext=system_u:object_r:boot_t tclass=lnk_file
Jun 10 17:16:43 bambo audit(1181488603.486:1084): avc: denied { write } for
pid=25720 comm="vi" name="grub.conf" dev=sda1 ino=4040
scontext=staff_u:staff_r:staff_t tcontext=system_u:object_r:boot_t tclass=file
Jun 10 17:16:43 bambo audit(1181488603.486:1085): avc: denied { read } for
pid=25720 comm="vi" name="grub.conf" dev=sda1 ino=4040
scontext=staff_u:staff_r:staff_t tcontext=system_u:object_r:boot_t tclass=file
Jun 10 17:16:43 bambo audit(1181488603.486:1086): avc: denied { write } for
pid=25720 comm="vi" name="grub" dev=sda1 ino=4017
scontext=staff_u:staff_r:staff_t tcontext=system_u:object_r:boot_t tclass=dir
--------------

These are only examples - almost all my root/sudo actions are denied. Why?
What settings or rules have I forgotten? Should I explicitly allow
"staff_t/staff_sudo_t" access to /boot, /var/log and other important places?
I have been searching for clues for many hours and "I still haven't found what I'm
looking for...".

Some detailed info:

Gentoo profile: /usr/portage/profiles/selinux/x86/2006.1
sec-policy/selinux-base-policy-20070329
--------------
# sestatus
SELinux status: enabled
SELinuxfs mount: /selinux
Current mode: permissive
Mode from config file: permissive
Policy version: 21
Policy from config file: strict
--------------
# semodule -l
clamav 1.2.1
gpm 1.2.1
logrotate 1.4.0
logwatch 1.3.1
munin 1.1.1
mysql 1.3.1
readahead 1.3.0
samba 1.4.3
slocate 1.3.1
smartmon 1.1.1
sudo 1.0.2
sxid 1.1.0
tmpreaper 1.2.0
unconfined 1.5.2
usbmodules 1.1.0
--------------
emerge --info can be found at:
http://www.kozik.net.pl/tmp/bambo-emerge.info.txt

Sudo commands are run from user with "context=staff_u:staff_r:staff_t"
(staff_u has roles "sysadm_r staff_r").

--
Krzysztof Kozłowski
http://www.kozik.net.pl

--
gentoo-hardened@g.o mailing list
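When a strict policy produces a flood of denials like the ones quoted above, the quickest way to see a pattern is to parse the AVC records and group them by source domain, target type and object class rather than reading them one by one. The following is an added example, not code from the post or from Gentoo: a small parser for audit-style AVC lines that splits the `scontext`/`tcontext` triples into user, role and type and then summarises which domains were denied which permissions on which target types. The sample records are constructed from the denials quoted in the post, re-joined onto single lines because the archive wrapped them; the set `ADMIN_DOMAINS` (here just `sysadm_t`) is an assumption used to flag denials whose source domain is a staff domain rather than the administrative one.

```python
import re
from collections import defaultdict

# Constructed sample input: AVC records taken from the post, each re-joined
# onto one line (the archive wrapped them across several).
SAMPLE_AVC = """\
Jun 10 16:56:02 bambo audit(1181487362.824:1013): avc: denied { execute_no_trans } for pid=24622 comm="sudo" name="tail" dev=sda5 ino=6264 scontext=staff_u:staff_r:staff_sudo_t tcontext=system_u:object_r:bin_t tclass=file
Jun 10 16:59:02 bambo audit(1181487542.218:1015): avc: denied { read } for pid=24626 comm="tail" name="messages" dev=sda7 ino=178336 scontext=staff_u:staff_r:staff_sudo_t tcontext=system_u:object_r:var_log_t tclass=file
Jun 10 16:59:02 bambo audit(1181487542.218:1016): avc: denied { getattr } for pid=24626 comm="tail" name="messages" dev=sda7 ino=178336 scontext=staff_u:staff_r:staff_sudo_t tcontext=system_u:object_r:var_log_t tclass=file
Jun 10 17:00:38 bambo audit(1181487638.659:1019): avc: denied { write } for pid=24869 comm="vi" name="grub.conf" dev=sda1 ino=4040 scontext=staff_u:staff_r:staff_sudo_t tcontext=system_u:object_r:boot_t tclass=file
Jun 10 17:16:43 bambo audit(1181488603.486:1084): avc: denied { write } for pid=25720 comm="vi" name="grub.conf" dev=sda1 ino=4040 scontext=staff_u:staff_r:staff_t tcontext=system_u:object_r:boot_t tclass=file
Jun 10 17:16:43 bambo audit(1181488603.486:1086): avc: denied { write } for pid=25720 comm="vi" name="grub" dev=sda1 ino=4017 scontext=staff_u:staff_r:staff_t tcontext=system_u:object_r:boot_t tclass=dir
"""

# "avc: denied { perm perm } for key=value key="quoted value" ..."
AVC_RE = re.compile(r'avc:\s+(?P<decision>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Assumption for this example: the domain that the strict policy grants the
# administrative permissions to. Anything else showing up as a denied source
# is worth a second look at the role the admin is actually running in.
ADMIN_DOMAINS = {'sysadm_t'}


def split_context(ctx):
    """Split user:role:type[:range] into a dict; tolerate short/malformed contexts."""
    parts = ctx.split(':')
    parts += [''] * (3 - len(parts))
    return {'user': parts[0], 'role': parts[1], 'type': parts[2]}


def parse_avc(line):
    """Return a dict for one AVC record, or None if the line is not an AVC message."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group('rest'))}
    return {
        'decision': m.group('decision'),
        'perms': set(m.group('perms').split()),
        'comm': fields.get('comm'),
        'name': fields.get('name'),
        'tclass': fields.get('tclass'),
        'scontext': split_context(fields.get('scontext', '')),
        'tcontext': split_context(fields.get('tcontext', '')),
    }


def summarize(text):
    """Group denials: (source type, target type, object class) -> set of denied permissions."""
    summary = defaultdict(set)
    for line in text.splitlines():
        rec = parse_avc(line)
        if rec and rec['decision'] == 'denied':
            key = (rec['scontext']['type'], rec['tcontext']['type'], rec['tclass'])
            summary[key] |= rec['perms']
    return dict(summary)


def non_admin_source_domains(summary):
    """Source domains in the summary that are not in ADMIN_DOMAINS, sorted."""
    return sorted({src for (src, _, _) in summary} - ADMIN_DOMAINS)


if __name__ == '__main__':
    result = summarize(SAMPLE_AVC)
    for (src, tgt, cls), perms in sorted(result.items()):
        print(f'{src:14} -> {tgt:10} ({cls}): {" ".join(sorted(perms))}')
    print('non-admin source domains:', non_admin_source_domains(result))
```

Run against the quoted records this collapses the noise to five lines: `staff_sudo_t` and `staff_t` denied `read`/`getattr` on `var_log_t` and `write` on `boot_t`, with no `sysadm_t` entry at all, which is the detail to check first when the question is whether the session is actually in the administrative role or whether rules are missing.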

Replies

Subject Author
Re: [gentoo-hardened] SELinux - Root and sudo commands denied Petre Rodan <kaiowas@g.o>