Gentoo Archives: gentoo-hardened

From: Chris PeBenito <pebenito@g.o>
To: gentoo-hardened@l.g.o
Subject: Re: [gentoo-hardened] selinux denials due to race conditions?
Date: Wed, 20 Jun 2007 18:01:37
Message-Id: 1182362319.4859.5.camel@defiant.pebenito.net
In Reply to: [gentoo-hardened] selinux denials due to race conditions? by Bill Sharer
On Tue, 2007-06-19 at 20:55 -0400, Bill Sharer wrote:
> I'm on the 2006.1 unstable profile for selinux and think I may have a
> race condition that results in avc denials before selinux has finished
> labeling things like /dev. For example, the first denial below appears
> to be where /etc/hotplug.d/default/default.hotplug is peeking and poking
> around with /dev/null. The denial has it as a system_u:object_r:file_t,
> but when I look at it from a running system I see it as a
> system_u:object_r:null_device_t. Should I be messing around in
> /etc/runlevels/boot to put dependencies in various scripts (although
> selinux isn't a script so how would I make it a dependency?)

This is indeed a race. Hotplug events can happen at any time, and when
that happens it results in the kernel calling userland to do some
handling, and in your case it's happening during SELinux initialization.
This type of problem has been reported in the past, but it's so
infrequent that I can't remember nor find the workaround. :x It's not a
boot runlevel fix as this is happening while init (the program, pid 1)
is starting, so the init scripts haven't started.

> snippet from a dmesg:
>
> security: 5 users, 5 roles, 1376 types, 81 bools
> security: 59 classes, 61906 rules
> security: class dccp_socket not defined in policy
> security: permission dccp_recv in class node not defined in policy
> security: permission dccp_send in class node not defined in policy
> security: permission dccp_recv in class netif not defined in policy
> security: permission dccp_send in class netif not defined in policy
> SELinux: Completing initialization.
> SELinux: Setting up existing superblocks.
> SELinux: initialized (dev sda5, type ext3), uses xattr
> inode_doinit_with_dentry: context_to_sid(unlabeled) returned 22 for
> dev=sda5 ino=1938273
> audit(1182137416.171:2): avc: denied { ioctl } for pid=884
> comm="default.hotplug" name="null" dev=sda5 ino=733068
> scontext=system_u:system_r:kernel_t tcontext=system_u:object_r:file_t
> tclass=chr_file
> audit(1182137416.203:3): avc: denied { read } for pid=889 comm="env"
> name="urandom" dev=sda5 ino=732962 scontext=system_u:system_r:kernel_t
> tcontext=system_u:object_r:file_t tclass=chr_file
> audit(1182137416.204:4): avc: denied { read } for pid=884
> comm="default.hotplug" name="default.hotplug" dev=sda5 ino=1356280
> scontext=system_u:system_r:kernel_t tcontext=system_u:object_r:sbin_t
> tclass=file
> audit(1182137416.206:5): avc: denied { search } for pid=884
> comm="default.hotplug" name="var" dev=sda5 ino=1254177
> scontext=system_u:system_r:kernel_t tcontext=system_u:object_r:var_t
> tclass=dir
> audit(1182137416.221:6): avc: denied { search } for pid=884
> comm="default.hotplug" name="log" dev=sda5 ino=1255669
> scontext=system_u:system_r:kernel_t tcontext=system_u:object_r:var_log_t
> tclass=dir
> SELinux: initialized (dev usbfs, type usbfs), uses genfs_contexts
> SELinux: initialized (dev selinuxfs, type selinuxfs), uses genfs_contexts
> SELinux: initialized (dev mqueue, type mqueue), uses transition SIDs
> SELinux: initialized (dev hugetlbfs, type hugetlbfs), uses genfs_contexts
> SELinux: initialized (dev devpts, type devpts), uses transition SIDs
> SELinux: initialized (dev eventpollfs, type eventpollfs), uses task SIDs
> SELinux: initialized (dev inotifyfs, type inotifyfs), uses genfs_contexts
> SELinux: initialized (dev tmpfs, type tmpfs), uses transition SIDs
> SELinux: initialized (dev futexfs, type futexfs), uses genfs_contexts
> SELinux: initialized (dev pipefs, type pipefs), uses task SIDs
> SELinux: initialized (dev sockfs, type sockfs), uses task SIDs
> SELinux: initialized (dev proc, type proc), uses genfs_contexts
> SELinux: initialized (dev bdev, type bdev), uses genfs_contexts
> SELinux: initialized (dev rootfs, type rootfs), uses genfs_contexts
> SELinux: initialized (dev sysfs, type sysfs), uses genfs_contexts
> audit(1182137416.259:7): policy loaded auid=4294967295
> audit(1182137416.261:8): avc: denied { read write } for pid=1
> comm="init" name="console" dev=sda5 ino=734292
> scontext=system_u:system_r:init_t tcontext=system_u:object_r:file_t
> tclass=chr_file
> audit(1182137416.275:9): avc: denied { ioctl } for pid=1 comm="init"
> name="tty0" dev=sda5 ino=735467 scontext=system_u:system_r:init_t
> tcontext=system_u:object_r:file_t tclass=chr_file
> audit(1182137416.277:10): avc: denied { read } for pid=891
> comm="hotplug" name="urandom" dev=sda5 ino=732962
> scontext=system_u:system_r:hotplug_t tcontext=system_u:object_r:file_t
> tclass=chr_file
> audit(1182137416.279:11): avc: denied { write } for pid=891
> comm="hotplug" name="tty" dev=sda5 ino=734192
> scontext=system_u:system_r:hotplug_t tcontext=system_u:object_r:file_t
> tclass=chr_file
> audit(1182137416.296:12): avc: denied { ioctl } for pid=893
> comm="default.hotplug" name="null" dev=sda5 ino=733068
> scontext=system_u:system_r:hotplug_t tcontext=system_u:object_r:file_t
> tclass=chr_file
> audit(1182137416.758:13): avc: denied { read write } for pid=970
> comm="rc" name="console" dev=sda5 ino=734292
> scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:file_t
> tclass=chr_file
> audit(1182137417.033:14): avc: denied { read write } for pid=994
> comm="consoletype" name="console" dev=sda5 ino=734292
> scontext=system_u:system_r:consoletype_t
> tcontext=system_u:object_r:file_t tclass=chr_file
> audit(1182137417.034:15): avc: denied { search } for pid=994
> comm="consoletype" name="dev" dev=sda5 ino=732961
> scontext=system_u:system_r:consoletype_t
> tcontext=system_u:object_r:file_t tclass=dir
> audit(1182137417.034:16): avc: denied { getattr } for pid=994
> comm="consoletype" name="console" dev=sda5 ino=734292
> scontext=system_u:system_r:consoletype_t
> tcontext=system_u:object_r:file_t tclass=chr_file
> audit(1182137417.035:17): avc: denied { ioctl } for pid=994
> comm="consoletype" name="console" dev=sda5 ino=734292
> scontext=system_u:system_r:consoletype_t
> tcontext=system_u:object_r:file_t tclass=chr_file
> audit(1182137417.082:18): avc: denied { ioctl } for pid=997
> comm="stty" name="console" dev=sda5 ino=734292
> scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:file_t
> tclass=chr_file
> audit(1182137417.172:19): avc: denied { getattr } for pid=970
> comm="bash" name="null" dev=sda5 ino=733068
> scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:file_t
> tclass=chr_file
> audit(1182137417.196:20): avc: denied { read write } for pid=1001
> comm="dmesg" name="console" dev=sda5 ino=734292
> scontext=system_u:system_r:dmesg_t tcontext=system_u:object_r:file_t
> tclass=chr_file
> audit(1182137417.220:21): avc: denied { read write } for pid=1004
> comm="mount" name="console" dev=sda5 ino=734292
> scontext=system_u:system_r:mount_t tcontext=system_u:object_r:file_t
> tclass=chr_file
> SELinux: initialized (dev tmpfs, type tmpfs), uses transition SIDs
> audit(1182137417.478:22): avc: denied { read write } for pid=1038
> comm="restorecon" name="console" dev=sda5 ino=734292
> scontext=system_u:system_r:restorecon_t
> tcontext=system_u:object_r:file_t tclass=chr_file
> audit(1182137417.716:23): avc: denied { write } for pid=1042
> comm="bash" name="null" dev=tmpfs ino=2106
> scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:device_t
> tclass=chr_file
> audit(1182137417.875:24): avc: denied { read write } for pid=1062
> comm="udevd" name="console" dev=sda5 ino=734292
> scontext=system_u:system_r:udev_t tcontext=system_u:object_r:file_t
> tclass=chr_file
> audit(1182137418.770:25): avc: denied { read } for pid=1194
> comm="modprobe" name="console" dev=tmpfs ino=2100
> scontext=system_u:system_r:insmod_t tcontext=system_u:object_r:device_t
> tclass=chr_file
> audit(1182137424.374:26): avc: denied { getattr } for pid=2059
> comm="modprobe.sh" name="modprobe.conf" dev=sda5 ino=1515100
> scontext=system_u:system_r:udev_t tcontext=root:object_r:modules_conf_t
> tclass=file
> audit(1182137424.376:27): avc: denied { read } for pid=2112
> comm="grep" name="modprobe.conf" dev=sda5 ino=1515100
> scontext=system_u:system_r:udev_t tcontext=root:object_r:modules_conf_t
> tclass=file
--
Chris PeBenito
<pebenito@g.o>
Developer,
Hardened Gentoo Linux

Public Key: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xE6AF9243
Key fingerprint = B0E6 877A 883F A57A 8E6A CB00 BC8E E42D E6AF 9243

Attachments

File name        MIME type
signature.asc    application/pgp-signature
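The dmesg excerpt quoted in the thread is exactly the kind of input a defender has to sort through after a boot like this, and the diagnosis in the reply can be checked mechanically against it: the first denials carry scontext kernel_t and precede the kernel's "policy loaded" record, and most of the later ones hit /dev nodes whose type is still file_t or device_t rather than the specific device type seen on a running system. The Python script below is an added example, not code from this thread or from Gentoo. It re-joins records that the mail client wrapped across lines, parses the avc lines, and puts each denial into one of three buckets: "policy-load race" (source type kernel_t, logged before "policy loaded"), "unlabeled device node" (a chr_file target still typed file_t or device_t), or "policy gap" (everything else, the bucket worth reviewing as a possible real policy problem). The sample log is a constructed, abridged copy of the quoted one; the bucket names and the assumption that file_t and device_t mark not-yet-labeled nodes are the example's own heuristics.

```python
"""Triage SELinux AVC denials from a dmesg capture (added example, not from the thread)."""
import re
from collections import Counter

AVC_RE = re.compile(
    r'audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\): avc: +denied +\{ (?P<perms>[^}]+)\} for '
    r'pid=(?P<pid>\d+) comm="(?P<comm>[^"]*)"'
    r'(?: name="(?P<name>[^"]*)")?(?: dev=(?P<dev>\S+))?(?: ino=(?P<ino>\d+))?'
    r' scontext=(?P<scontext>\S+) tcontext=(?P<tcontext>\S+) tclass=(?P<tclass>\S+)'
)
POLICY_LOADED_RE = re.compile(r'^audit\(\d+\.\d+:\d+\): policy loaded')
# Prefixes that start a new kernel record; any other line is a wrapped continuation.
RECORD_START = ("audit(", "SELinux:", "security:", "inode_doinit")
# Assumption (reference-policy naming): file_t = no xattr label on disk yet,
# device_t = generic /dev type before the node gets its specific device type.
UNLABELED_DEVICE_TYPES = {"file_t", "device_t"}

# Constructed sample: an abridged copy of the log quoted in the thread, left
# wrapped the way the mail client wrapped it.
SAMPLE = """\
security: 5 users, 5 roles, 1376 types, 81 bools
SELinux: Completing initialization.
inode_doinit_with_dentry: context_to_sid(unlabeled) returned 22 for
dev=sda5 ino=1938273
audit(1182137416.171:2): avc: denied { ioctl } for pid=884
comm="default.hotplug" name="null" dev=sda5 ino=733068
scontext=system_u:system_r:kernel_t tcontext=system_u:object_r:file_t
tclass=chr_file
audit(1182137416.206:5): avc: denied { search } for pid=884
comm="default.hotplug" name="var" dev=sda5 ino=1254177
scontext=system_u:system_r:kernel_t tcontext=system_u:object_r:var_t
tclass=dir
audit(1182137416.259:7): policy loaded auid=4294967295
audit(1182137416.261:8): avc: denied { read write } for pid=1
comm="init" name="console" dev=sda5 ino=734292
scontext=system_u:system_r:init_t tcontext=system_u:object_r:file_t
tclass=chr_file
audit(1182137417.716:23): avc: denied { write } for pid=1042
comm="bash" name="null" dev=tmpfs ino=2106
scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:device_t
tclass=chr_file
audit(1182137424.376:27): avc: denied { read } for pid=2112
comm="grep" name="modprobe.conf" dev=sda5 ino=1515100
scontext=system_u:system_r:udev_t tcontext=root:object_r:modules_conf_t
tclass=file
"""


def unwrap_dmesg(text):
    """Re-join records that a mail client or terminal wrapped onto several lines."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.startswith(RECORD_START) or not records:
            records.append(line)
        else:
            records[-1] += " " + line
    return records


def type_of(context):
    """Return the type field of a user:role:type[:range] security context."""
    return context.split(":")[2]


def classify(denial, policy_loaded):
    """Heuristic bucket for one denial; order matters (race check first)."""
    if not policy_loaded and type_of(denial["scontext"]) == "kernel_t":
        return "policy-load race"
    if denial["tclass"] == "chr_file" and type_of(denial["tcontext"]) in UNLABELED_DEVICE_TYPES:
        return "unlabeled device node"
    return "policy gap"


def triage(text):
    """Parse a dmesg capture; return one dict per AVC denial, in log order."""
    policy_loaded = False
    results = []
    for rec in unwrap_dmesg(text):
        if POLICY_LOADED_RE.match(rec):
            policy_loaded = True      # everything after this ran under the loaded policy
            continue
        m = AVC_RE.match(rec)
        if not m:
            continue                  # "SELinux: initialized ..." and similar status lines
        denial = m.groupdict()
        denial["perms"] = denial["perms"].split()
        denial["category"] = classify(denial, policy_loaded)
        results.append(denial)
    return results


def summarize(text):
    """Count denials per bucket; "policy gap" is the one to read first."""
    return Counter(d["category"] for d in triage(text))


if __name__ == "__main__":
    for d in triage(SAMPLE):
        print(f"{d['serial']:>3} {d['comm']:<16} {d['scontext']:<32} -> "
              f"{d['tcontext']} {d['tclass']}: {d['category']}")
    print(dict(summarize(SAMPLE)))
```

Run it over a saved `dmesg` capture instead of `SAMPLE` to get the same split for a real boot. Denials in the first two buckets point at boot ordering and relabeling rather than at the policy, so they should not be fed to audit2allow; only the "policy gap" bucket deserves a rule review, and even there the surrounding "SELinux: initialized" records are worth a look to see which filesystems were already labeled at that point.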