Gentoo Archives: gentoo-hardened

From: Vincent Brillault <gentoo@×××××.net>
To: gentoo-hardened@l.g.o
Subject: Re: [gentoo-hardened] Unsolved AVCs on a hardened/linux/amd64/selinux
Date: Wed, 07 Mar 2012 12:25:19
Message-Id: 20120307122431.GA25018@Fea.lerya.net
In Reply to: Re: [gentoo-hardened] Unsolved AVCs on a hardened/linux/amd64/selinux by Vincent Brillault
> I'll continue to try to identify and fix the AVCs I have,

As promised, here are some other AVCs:
(Those appear in enforcing mode, after booting in permissive mode)

---

The denials on search or getattr on "/sys/fs/selinux" that appear on a
lot of different actions (run_init, sudo, ssh ...) don't seem to have a
negative impact. (I didn't check in detail but nothing appears in basic
tests).

---

I have another group of denials that don't seem to have a direct impact:
whenever I manipulate iptables (run_init /etc/init.d/iptables
restart, iptables-save, iptables -vL ...). Those denials don't prevent
iptables from saving, restoring or modifying its rules (on the filter or
nat tables at least).

Example:
'''
type=AVC msg=audit(1331040320.724:7829): avc: denied { getattr } for
pid=4095 comm="iptables-restor" name="/" dev="proc" ino=1
scontext=system_u:system_r:iptables_t
tcontext=system_u:object_r:proc_t tclass=filesystem
type=SYSCALL msg=audit(1331040320.724:7829): arch=c000003e syscall=137
success=no exit=-13 a0=2f0ed1a8353 a1=3edf4358080 a2=3edf4357ff0
a3=3edf4358110 items=1 ppid=4088 pid=4095 auid=1000 uid=0 gid=0 euid=0
suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts4 ses=27
comm="iptables-restor" exe="/sbin/xtables-multi"
subj=system_u:system_r:iptables_t key=(null)
type=CWD msg=audit(1331040320.724:7829): cwd="/"
type=PATH msg=audit(1331040320.724:7829): item=0
name="/proc/net/ip_tables_names" inode=4026532099 dev=00:03 mode=0100440
ouid=0 ogid=10 rdev=00:00 obj=system_u:object_r:proc_net_t
'''

From what I understand of the code, this test is used to determine whether
the modules needed for iptables are loaded or not, in the function
xtables_load_ko in iptables/xtables.c, which is called by
iptables-(restore|save) (but the return value is dropped). If we compare
verbose audits of permissive mode vs enforcing mode, we can see a new
syscall that appears in enforcing mode only (I didn't use really
verbose audits, so there might be other impacts):

'''
type=SYSCALL msg=audit(1331111858.712:27814): arch=c000003e syscall=2
success=no exit=-2 a0=3368a74f203 a1=0 a2=1 a3=3368a1bdf70 items=1
ppid=2763 pid=3547 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0
egid=0 sgid=0 fsgid=0 tty=pts1 ses=9 comm="iptables-save"
exe="/sbin/xtables-multi" subj=staff_u:sysadm_r:iptables_t key=(null)
type=PATH msg=audit(1331111858.712:27814): item=0
name="/proc/sys/kernel/modprobe"
'''

----

During the boot in permissive mode:

If unicode is set to "YES" in rc.conf:
Mar 6 14:36:45 lerya kernel: [ 12.289270] type=1400
audit(1331041002.720:15): avc: denied { add_name } for pid=1459
comm="runscript.sh" name="unicode" scontext=system_u:system_r:initrc_t
tcontext=system_u:object_r:lib_t tclass=dir
Mar 6 14:36:45 lerya kernel: [ 12.289302] type=1400
audit(1331041002.720:16): avc: denied { create } for pid=1459
comm="runscript.sh" name="unicode" scontext=system_u:system_r:initrc_t
tcontext=system_u:object_r:lib_t tclass=file

It's probably caused by /etc/init.d/(keymaps|termencoding). As I don't
need those two scripts I deactivated them. After the first reboot,
these "create" denials disappeared and after the second one the "remove"
denials from bootmisc also disappeared (they create those files and
don't purge them after the reboot).

--

I finally tried to reboot in enforcing mode (after manually suppressing the
writing test on /var/run done by bootmisc). The system more or less
correctly booted (in no particular order):

- a lot of sysfs_t denials (I ignored them)
- fuser related denials (idem)
- iptables "proc" denials (idem)
- Asterisk denials (same as in the last email)
- sysctl denials (the same as for Tomas Dobrovolny)
- Some new stuff:

*

kernel: [ 2.513633] type=1400 audit(1331043603.512:4): avc: denied
{ search } for pid=1 comm="init" name="proc" dev="sda1" ino=131438
scontext=system_u:system_r:init_t tcontext=system_u:object_r:mnt_t
tclass=dir
Present 2 times, I don't know the impact of this yet

*

kernel: [ 3.902691] type=1400 audit(1331043604.901:9): avc: denied
{ search } for pid=744 comm="mount" name="/" dev="cgroup" ino=1674
scontext=system_u:system_r:kernel_t
tcontext=system_u:object_r:unlabeled_t tclass=dir
(Appears each boot, on variable ino, sometimes once, sometimes 4 times)
(Each ino seems to be some directory in /sys/fs/cgroup/)

Why do I have "unlabeled_t" dirs?
After the boot, all the directories in /sys/fs/cgroup/ are labelled and
mounted, so it's perhaps only some bad ordering of operations during the
boot.

Seems related to https://bugzilla.redhat.com/show_bug.cgi?id=700538 (I'm
running on kernel 3.2.2-hardened-r1).

*

Chmod on /tmp:

type=AVC msg=audit(1331115836.150:76): avc: denied { setattr } for
pid=2121 comm="chmod" name="/" dev="tmpfs" ino=3136
scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:tmp_t
tclass=dir
type=SYSCALL msg=audit(1331115836.150:76): arch=c000003e syscall=268
success=no exit=-13 a0=ffffffffffffff9c a1=35c5218e70 a2=3ff a3=0
items=1 ppid=1646 pid=2121 auid=4294967295 uid=0 gid=0 euid=0 suid=0
fsuid=0 egid=0 sgid=0 fsgid=0 tty=tty1 ses=4294967295 comm="chmod"
exe="/bin/chmod" subj=system_u:system_r:initrc_t key=(null)
type=CWD msg=audit(1331115836.150:76): cwd="/"
type=PATH msg=audit(1331115836.150:76): item=0 name="/tmp" inode=3136
dev=00:19 mode=041777 ouid=0 ogid=0 rdev=00:00
obj=system_u:object_r:tmp_t

I think it's bootmisc again, but no proof of that.

*

kernel: [ 14.256338] type=1400 audit(1331043615.680:69): avc: denied
{ sys_admin } for pid=2127 comm="ip" capability=21
scontext=system_u:system_r:ifconfig_t
tcontext=system_u:system_r:ifconfig_t tclass=capability

I think this is related to (taken from the rc.log logs):
"Cannot flush routing cache"
No idea of the real consequences...

---

Is there a good place to find AVCs that have already been solved? (I hope
that most of the AVCs here are new and not some well-known bugs. I tried
to search for information on each of them, with only small success)

Do you have anything new on the sysctl denials?

Sincerely yours,
Vincent Brillault
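Added example (not part of the message above, nor Gentoo or refpolicy code): a small triage script that parses the two AVC record shapes seen in this thread (auditd `type=AVC ...` lines and the dmesg/syslog `type=1400 audit(...)` lines), groups the denials by source type, target type and object class the way audit2allow does, renders the corresponding type-enforcement allow rule, and attaches a note for the cases that should not be turned into an allow rule mechanically: denials against `unlabeled_t` (a labeling or mount-ordering problem, as the poster suspects for /sys/fs/cgroup) and `CAP_SYS_ADMIN` requests. The sample input is constructed from the AVC lines quoted in the message; the function names and the triage heuristics are this example's own.

```python
import re
from collections import defaultdict

# Constructed sample input: AVC lines copied from the message above, in the
# two shapes they arrive in (auditd "type=AVC ..." records and the
# dmesg/syslog "type=1400 audit(...)" form). The SYSCALL record is there to
# show that non-AVC records are skipped.
SAMPLE_LOG = """\
type=AVC msg=audit(1331040320.724:7829): avc: denied { getattr } for pid=4095 comm="iptables-restor" name="/" dev="proc" ino=1 scontext=system_u:system_r:iptables_t tcontext=system_u:object_r:proc_t tclass=filesystem
type=SYSCALL msg=audit(1331040320.724:7829): arch=c000003e syscall=137 success=no exit=-13 comm="iptables-restor" exe="/sbin/xtables-multi"
Mar 6 14:36:45 lerya kernel: [ 12.289270] type=1400 audit(1331041002.720:15): avc: denied { add_name } for pid=1459 comm="runscript.sh" name="unicode" scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:lib_t tclass=dir
Mar 6 14:36:45 lerya kernel: [ 12.289302] type=1400 audit(1331041002.720:16): avc: denied { create } for pid=1459 comm="runscript.sh" name="unicode" scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:lib_t tclass=file
kernel: [ 3.902691] type=1400 audit(1331043604.901:9): avc: denied { search } for pid=744 comm="mount" name="/" dev="cgroup" ino=1674 scontext=system_u:system_r:kernel_t tcontext=system_u:object_r:unlabeled_t tclass=dir
kernel: [ 14.256338] type=1400 audit(1331043615.680:69): avc: denied { sys_admin } for pid=2127 comm="ip" capability=21 scontext=system_u:system_r:ifconfig_t tcontext=system_u:system_r:ifconfig_t tclass=capability
"""

# "avc: denied { perm perm } for key=value key="quoted value" ..."
AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def context_type(ctx):
    """user:role:type[:range] -> type (the part TE rules are written against)."""
    return ctx.split(":")[2]


def parse_avc(line):
    """Return the denied permissions and (source type, target type, class) of
    one AVC record, or None for any other record (SYSCALL, PATH, CWD, ...)."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group("rest"))}
    return {
        "perms": frozenset(m.group("perms").split()),
        "stype": context_type(fields["scontext"]),
        "ttype": context_type(fields["tcontext"]),
        "tclass": fields["tclass"],
        "comm": fields.get("comm", "?"),
    }


def collect(log):
    """Group denials by (source type, target type, class), merging the
    permissions, which is what audit2allow does before emitting rules."""
    groups = defaultdict(set)
    for line in log.splitlines():
        avc = parse_avc(line)
        if avc:
            groups[(avc["stype"], avc["ttype"], avc["tclass"])] |= avc["perms"]
    return groups


def te_rule(stype, ttype, tclass, perms):
    """Render a type-enforcement allow rule. A domain acting on its own
    context (the capability class, for instance) is written with 'self'."""
    target = "self" if stype == ttype else ttype
    perms = sorted(perms)
    perm_text = perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"
    return f"allow {stype} {target}:{tclass} {perm_text};"


def triage(stype, ttype, tclass, perms):
    """Heuristic note (this example's own) for denials that should not be
    converted into an allow rule blindly."""
    if ttype == "unlabeled_t":
        return "labeling/ordering problem: fix the label, do not allow access to unlabeled_t"
    if tclass == "capability" and "sys_admin" in perms:
        return "CAP_SYS_ADMIN request: confirm the program really needs it, or dontaudit it"
    return "candidate allow rule: decide between allow and dontaudit"


def generate(log):
    """Return {rule: triage note} for every distinct denial in the log."""
    return {te_rule(*key, perms): triage(*key, perms) for key, perms in collect(log).items()}


if __name__ == "__main__":
    for rule, note in sorted(generate(SAMPLE_LOG).items()):
        print(f"{rule:55} # {note}")
```

Run it against `ausearch -m avc` output or a copy of dmesg; the point of the notes column is that the `kernel_t -> unlabeled_t` and `ifconfig_t self:capability sys_admin` lines from this thread look like ordinary allow rules once grouped, but the first is almost always fixed by labeling (or by mount ordering at boot) and the second deserves a look at what `ip` was actually trying to do before any policy is loaded.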