> I'll continue to try to identify and fix the avc I have,

As promised, here are some other AVCs:
(Those appear in enforcing mode, after booting in permissive mode)

---

The denies on search or getattr on "/sys/fs/selinux" that appear on a
lot of different actions (run_init, sudo, ssh ...) don't seem to have a
negative impact. (I didn't check in detail but nothing appears in basic
tests).

---

I have another group of denies that don't seem to have a direct impact:
whenever I manipulate iptables (run_init /etc/init.d/iptables
restart, iptables-save, iptables -vL ...). Those denies don't prevent
iptables from saving, restoring or modifying its rules (on the filter or
nat tables at least).

Example:
'''
type=AVC msg=audit(1331040320.724:7829): avc: denied { getattr } for pid=4095 comm="iptables-restor" name="/" dev="proc" ino=1 scontext=system_u:system_r:iptables_t tcontext=system_u:object_r:proc_t tclass=filesystem
type=SYSCALL msg=audit(1331040320.724:7829): arch=c000003e syscall=137 success=no exit=-13 a0=2f0ed1a8353 a1=3edf4358080 a2=3edf4357ff0 a3=3edf4358110 items=1 ppid=4088 pid=4095 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts4 ses=27 comm="iptables-restor" exe="/sbin/xtables-multi" subj=system_u:system_r:iptables_t key=(null)
type=CWD msg=audit(1331040320.724:7829): cwd="/"
type=PATH msg=audit(1331040320.724:7829): item=0 name="/proc/net/ip_tables_names" inode=4026532099 dev=00:03 mode=0100440 ouid=0 ogid=10 rdev=00:00 obj=system_u:object_r:proc_net_t
'''

From what I understand of the code, this test is used to determine if
the modules needed for iptables are loaded or not in the function
xtables_load_ko in iptables/xtables.c which is called by
iptables-(restore|save) (but the return value is dropped). If we compare
verbose audits of permissive mode VS enforcing mode, we can see a new
syscall that appears in enforcing mode only (I didn't use really
verbose audits so there might be other impacts):

'''
type=SYSCALL msg=audit(1331111858.712:27814): arch=c000003e syscall=2 success=no exit=-2 a0=3368a74f203 a1=0 a2=1 a3=3368a1bdf70 items=1 ppid=2763 pid=3547 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=9 comm="iptables-save" exe="/sbin/xtables-multi" subj=staff_u:sysadm_r:iptables_t key=(null)
type=PATH msg=audit(1331111858.712:27814): item=0 name="/proc/sys/kernel/modprobe"
'''

----

During the boot in permissive mode:

If unicode is set to "YES" in rc.conf:
Mar 6 14:36:45 lerya kernel: [ 12.289270] type=1400 audit(1331041002.720:15): avc: denied { add_name } for pid=1459 comm="runscript.sh" name="unicode" scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:lib_t tclass=dir
Mar 6 14:36:45 lerya kernel: [ 12.289302] type=1400 audit(1331041002.720:16): avc: denied { create } for pid=1459 comm="runscript.sh" name="unicode" scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:lib_t tclass=file

It's probably caused by /etc/init.d/(keymaps|termencoding). As I don't
need those two scripts I deactivated them. After the first reboot,
these "create" denies disappeared and after the second one the "remove"
denies from bootmisc also disappeared (they create those files and
don't purge them after the reboot).

--

I finally tried to reboot in enforcing mode (after suppressing manually the
writing test on /var/run done by bootmisc). The system more or less
correctly booted (in disorder):

- a lot of sysfs_t denies (I ignored them)
- fuser related denies (idem)
- iptables "proc" denies (idem)
- Asterisk denies (same as in the last email)
- sysctl denies (the same as for Tomas Dobrovolny)
- Some new stuff:

*

kernel: [ 2.513633] type=1400 audit(1331043603.512:4): avc: denied { search } for pid=1 comm="init" name="proc" dev="sda1" ino=131438 scontext=system_u:system_r:init_t tcontext=system_u:object_r:mnt_t tclass=dir
Present 2 times, I don't know the impact of this yet

*

kernel: [ 3.902691] type=1400 audit(1331043604.901:9): avc: denied { search } for pid=744 comm="mount" name="/" dev="cgroup" ino=1674 scontext=system_u:system_r:kernel_t tcontext=system_u:object_r:unlabeled_t tclass=dir
(Appears each boot, on variable ino, sometimes 1 time, sometimes 4 times)
(Each ino seems to be some directory in /sys/fs/cgroup/)

Why do I have "unlabeled_t" dirs?
After the boot, all the directories in /sys/fs/cgroup/ are labelled and
mounted, so it's perhaps only some bad ordering of operations during the
boot.

Seems related to https://bugzilla.redhat.com/show_bug.cgi?id=700538 (I'm
running on kernel 3.2.2-hardened-r1).

*

Chmod on /tmp:

type=AVC msg=audit(1331115836.150:76): avc: denied { setattr } for pid=2121 comm="chmod" name="/" dev="tmpfs" ino=3136 scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:tmp_t tclass=dir
type=SYSCALL msg=audit(1331115836.150:76): arch=c000003e syscall=268 success=no exit=-13 a0=ffffffffffffff9c a1=35c5218e70 a2=3ff a3=0 items=1 ppid=1646 pid=2121 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=tty1 ses=4294967295 comm="chmod" exe="/bin/chmod" subj=system_u:system_r:initrc_t key=(null)
type=CWD msg=audit(1331115836.150:76): cwd="/"
type=PATH msg=audit(1331115836.150:76): item=0 name="/tmp" inode=3136 dev=00:19 mode=041777 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:tmp_t

I think it's bootmisc again, but no proof about that.

*

kernel: [ 14.256338] type=1400 audit(1331043615.680:69): avc: denied { sys_admin } for pid=2127 comm="ip" capability=21 scontext=system_u:system_r:ifconfig_t tcontext=system_u:system_r:ifconfig_t tclass=capability

I think this is related to (taken from the rc.log logs):
"Cannot flush routing cache"
No idea on the real consequences...

---

Is there a good spot to find AVCs already solved? (I hope that most of
the AVCs here are new and not some well-known bugs. I tried to search
information on each of them, with only small success)

Do you have anything new on the sysctl denies?

Sincerely yours,
Vincent Brillault
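The mail above mixes two forms of the same AVC record (raw audit.log `type=AVC msg=audit(...)` lines and syslog/dmesg `kernel: [...] type=1400 audit(...)` lines) and triages them by hand into "labelling problem", "capability", and "ordinary access" buckets. The following is an added example, not code from the mail or from the SELinux project, that does that first triage step mechanically: it parses both record forms, keys each denial the way audit2allow would (source type, target type, class, permission), counts repeats, and tags the `unlabeled_t` and `capability` cases that the mail singles out as needing a different kind of fix than a missing allow rule. The sample input is constructed from the records quoted in the mail, re-joined onto one line each; nothing here is taken from a real running system.

```python
import re
from collections import Counter
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed sample input: the AVC records quoted in the mail above, each
# re-joined onto a single line, plus one SYSCALL record that must be ignored.
SAMPLE_LOG = """\
type=AVC msg=audit(1331040320.724:7829): avc: denied { getattr } for pid=4095 comm="iptables-restor" name="/" dev="proc" ino=1 scontext=system_u:system_r:iptables_t tcontext=system_u:object_r:proc_t tclass=filesystem
type=SYSCALL msg=audit(1331040320.724:7829): arch=c000003e syscall=137 success=no exit=-13 items=1 ppid=4088 pid=4095 comm="iptables-restor" exe="/sbin/xtables-multi" subj=system_u:system_r:iptables_t key=(null)
Mar 6 14:36:45 lerya kernel: [ 12.289270] type=1400 audit(1331041002.720:15): avc: denied { add_name } for pid=1459 comm="runscript.sh" name="unicode" scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:lib_t tclass=dir
kernel: [ 3.902691] type=1400 audit(1331043604.901:9): avc: denied { search } for pid=744 comm="mount" name="/" dev="cgroup" ino=1674 scontext=system_u:system_r:kernel_t tcontext=system_u:object_r:unlabeled_t tclass=dir
kernel: [ 14.256338] type=1400 audit(1331043615.680:69): avc: denied { sys_admin } for pid=2127 comm="ip" capability=21 scontext=system_u:system_r:ifconfig_t tcontext=system_u:system_r:ifconfig_t tclass=capability
"""

# audit(<epoch seconds>:<serial>) is present in both the audit.log and dmesg forms.
AUDIT_RE = re.compile(r"audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\)")
# The denial itself: the permission set in braces, then key=value fields.
AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)$")
# key=value, where value is either a quoted string or a bare token.
FIELD_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


@dataclass
class Denial:
    serial: str
    timestamp: float
    perms: Tuple[str, ...]
    fields: Dict[str, str] = field(default_factory=dict)

    @property
    def stype(self) -> str:
        return context_type(self.fields.get("scontext", ""))

    @property
    def ttype(self) -> str:
        return context_type(self.fields.get("tcontext", ""))

    @property
    def tclass(self) -> str:
        return self.fields.get("tclass", "?")


def context_type(ctx: str) -> str:
    """Type component of a user:role:type[:mls] security context."""
    parts = ctx.split(":")
    return parts[2] if len(parts) >= 3 else ctx


def parse_avc(line: str) -> Optional[Denial]:
    """Parse one AVC denial in audit.log or syslog/dmesg form.
    Returns None for any other record (SYSCALL, CWD, PATH, ...)."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    a = AUDIT_RE.search(line)
    serial, ts = (a.group("serial"), float(a.group("ts"))) if a else ("?", 0.0)
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("rest"))}
    return Denial(serial, ts, tuple(m.group("perms").split()), fields)


def parse_log(text: str) -> List[Denial]:
    """All AVC denials found in a block of log text, in order."""
    found = (parse_avc(ln) for ln in text.splitlines())
    return [d for d in found if d is not None]


def summarize(denials: List[Denial]) -> Counter:
    """Count denials by (source type, target type, class, permission):
    the same key audit2allow would turn into one allow rule."""
    counts: Counter = Counter()
    for d in denials:
        for perm in d.perms:
            counts[(d.stype, d.ttype, d.tclass, perm)] += 1
    return counts


def triage(d: Denial) -> str:
    """Rough bucket for deciding what kind of fix a denial needs."""
    if d.ttype == "unlabeled_t":
        return "labeling"     # object had no label yet: ordering/relabel issue, not a missing rule
    if d.tclass == "capability":
        return "capability"   # domain lacks a capability; check what the caller really needs
    return "access"           # ordinary object access; decide whether policy or the caller is wrong


def report(text: str) -> List[str]:
    """One line per distinct denial key, with its count and triage bucket."""
    denials = parse_log(text)
    buckets = {(d.stype, d.ttype, d.tclass): triage(d) for d in denials}
    lines = []
    for (s, t, c, p), n in sorted(summarize(denials).items()):
        lines.append(f"{s} -> {t}:{c} {{ {p} }} x{n} [{buckets[(s, t, c)]}]")
    return lines


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_LOG)))
```

Run it on a concatenation of `/var/log/audit/audit.log` and `dmesg` output to get one summary line per distinct denial. The `labeling` bucket is the one to fix by ordering or relabelling rather than by policy, since a rule allowing access to `unlabeled_t` would hide the real problem; the `capability` bucket is where the process's actual need (here `ip` wanting `sys_admin` to flush the routing cache) should be confirmed before anything is granted.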