Gentoo Archives: gentoo-hardened

From: Stan Sander <stsander@×××××.net>
To: gentoo-hardened@l.g.o
Subject: Re: [gentoo-hardened] Thoughts on these AVC denials
Date: Thu, 25 Oct 2012 00:02:30
Message-Id: 50886A1D.4020908@sblan.net
In Reply to: Re: [gentoo-hardened] Thoughts on these AVC denials by Sven Vermeulen
On 10/24/2012 08:46 AM, Sven Vermeulen wrote:
> On Tue, Oct 23, 2012 at 12:50:22PM -0600, Stan Sander wrote:
>> This is the invalid context that I think I need to address:
>>
>> Oct 23 11:47:21 iax kernel: type=1401 audit(1351014441.497:8823983):
>> security_compute_sid: invalid context stan:system_r:initrc_t for
>> scontext=stan:sysadm_r:sysadm_t
>> tcontext=system_u:object_r:asterisk_initrc_exec_t tclass=process
>>
> Meh,
>
> Seems my reply didn't hit the list first.
>
> You probably forgot to add in the system_r role to the SELinux user, see
> http://www.gentoo.org/proj/en/hardened/selinux/selinux-handbook.xml?part=2&chap=1#serviceadmin
>
> Wkr,
> Sven Vermeulen

Thanks, asterisk now starts with SELinux enforcing. However, it did
produce some new denials, two of which I believe impact the correct
running of the daemon and associated scripts, etc. Here are all the
denials generated at startup:

Oct 24 15:48:45 iax kernel: type=1400 audit(1351115325.194:8824301):
avc: denied { entrypoint } for pid=14590 comm="runscript.sh"
path="/bin/rm" dev="sda3" ino=6837732 scontext=stan:system_r:initrc_t
tcontext=system_u:object_r:bin_t tclass=file
Oct 24 15:48:45 iax kernel: type=1400 audit(1351115325.203:8824302):
avc: denied { read write } for pid=14592 comm="asterisk"
path="/dev/pts/2" dev="devpts" ino=5 scontext=stan:system_r:asterisk_t
tcontext=stan:object_r:user_devpts_t tclass=chr_file
Oct 24 15:48:45 iax kernel: type=1400 audit(1351115325.203:8824303):
avc: denied { read write } for pid=14592 comm="asterisk"
path="/dev/pts/2" dev="devpts" ino=5 scontext=stan:system_r:asterisk_t
tcontext=stan:object_r:user_devpts_t tclass=chr_file
Oct 24 15:48:46 iax kernel: type=1400 audit(1351115326.462:8824304):
avc: denied { write } for pid=14669 comm="runscript.sh"
name="wrapper_loop.pid" dev="sda3" ino=6422541
scontext=stan:system_r:initrc_t
tcontext=stan:object_r:asterisk_var_run_t tclass=file
Oct 24 15:48:46 iax kernel: type=1400 audit(1351115326.464:8824305):
avc: denied { read write } for pid=14670 comm="asterisk"
path="/dev/pts/2" dev="devpts" ino=5 scontext=stan:system_r:asterisk_t
tcontext=stan:object_r:user_devpts_t tclass=chr_file
Oct 24 15:48:46 iax kernel: type=1400 audit(1351115326.464:8824306):
avc: denied { read write } for pid=14670 comm="asterisk"
path="/dev/pts/2" dev="devpts" ino=5 scontext=stan:system_r:asterisk_t
tcontext=stan:object_r:user_devpts_t tclass=chr_file
Oct 24 15:48:46 iax kernel: type=1400 audit(1351115326.469:8824307):
avc: denied { setattr } for pid=14670 comm="asterisk" name="asterisk"
dev="sda3" ino=6446976 scontext=stan:system_r:asterisk_t
tcontext=system_u:object_r:asterisk_var_run_t tclass=dir

The write denial for the wrapper_loop.pid file will lead to trouble, and
the denial for setattr on the /var/run/asterisk directory has the
potential (IMHO) to get us off in the weeds. The others, AFAICT, are
candidates for dontaudit rules. Based on the above, it seems initrc_t
needs to be allowed to write asterisk_var_run_t files. Since
runscript.sh is trying to write the pid, I really don't see any
alternatives. I believe it needs this info to properly signal the
wrapper for a graceful daemon stoppage. The last denial (for setattr)
is trying to ensure 770 permissions on /var/run/asterisk and likely user
and group ownership also.

I can throw a couple rules at this in a local policy module, and let
this run for a few days to see if anything else pops out, then file what
I find in a bug against the policy module.

--
Stan & HD Tashi Grad 10/08 Edgewood, NM SWR
PR - Cindy and Jenny - Sammamish, WA NWR
http://www.cci.org
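The local policy module the post talks about, worked through as an added example (this is not code from the post, from Gentoo, or from the reference policy): a small audit2allow-style pass that parses the quoted AVC records, merges the duplicate pty denials, and emits a module in the checkmodule(8) syntax that `audit2allow -M` also produces. The split into `allow` versus `dontaudit` follows the post's own reading of the log and is an assumption coded into `classify()`: terminal access by the daemon and the init script's `entrypoint` check against a plain `bin_t` binary are silenced, everything else (the pid-file write, the `setattr` on the var_run directory) is allowed. The sample input is the post's denials re-joined onto one line per kernel record; the module name `asterisk_local` is made up.

```python
"""Derive a local SELinux policy module from raw AVC denials.

Added example, not Gentoo's or refpolicy's code. Classification of a denial as
'allow' or 'dontaudit' is an assumption taken from the post, see classify().
"""
import re
from collections import defaultdict

# Constructed sample input: the denials quoted in the post, one kernel record per
# line (the mail client had wrapped them). Two pty records are included on purpose
# so the merge step has something to collapse.
SAMPLE_AVC = """\
Oct 24 15:48:45 iax kernel: type=1400 audit(1351115325.194:8824301): avc: denied { entrypoint } for pid=14590 comm="runscript.sh" path="/bin/rm" dev="sda3" ino=6837732 scontext=stan:system_r:initrc_t tcontext=system_u:object_r:bin_t tclass=file
Oct 24 15:48:45 iax kernel: type=1400 audit(1351115325.203:8824302): avc: denied { read write } for pid=14592 comm="asterisk" path="/dev/pts/2" dev="devpts" ino=5 scontext=stan:system_r:asterisk_t tcontext=stan:object_r:user_devpts_t tclass=chr_file
Oct 24 15:48:46 iax kernel: type=1400 audit(1351115326.462:8824304): avc: denied { write } for pid=14669 comm="runscript.sh" name="wrapper_loop.pid" dev="sda3" ino=6422541 scontext=stan:system_r:initrc_t tcontext=stan:object_r:asterisk_var_run_t tclass=file
Oct 24 15:48:46 iax kernel: type=1400 audit(1351115326.464:8824305): avc: denied { read write } for pid=14670 comm="asterisk" path="/dev/pts/2" dev="devpts" ino=5 scontext=stan:system_r:asterisk_t tcontext=stan:object_r:user_devpts_t tclass=chr_file
Oct 24 15:48:46 iax kernel: type=1400 audit(1351115326.469:8824307): avc: denied { setattr } for pid=14670 comm="asterisk" name="asterisk" dev="sda3" ino=6446976 scontext=stan:system_r:asterisk_t tcontext=system_u:object_r:asterisk_var_run_t tclass=dir
"""

# One record per line; '.' does not cross newlines, so each match stays in its record.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)

# Object types that stand for a terminal (assumed naming, matches refpolicy's
# user_devpts_t / tty_device_t style names).
TERMINAL_SUFFIXES = ("_devpts_t", "_tty_device_t")


def parse_avc(text):
    """Yield (perms, source_type, target_type, tclass) for every 'avc: denied' record."""
    for m in AVC_RE.finditer(text):
        perms = frozenset(m.group("perms").split())
        stype = m.group("scontext").split(":")[2]  # user:role:type[:range]
        ttype = m.group("tcontext").split(":")[2]
        yield perms, stype, ttype, m.group("tclass")


def classify(perms, stype, ttype, tclass):
    """Return 'dontaudit' for denials the post treats as noise, 'allow' otherwise.

    Assumption (the post's judgement, not a general rule): a daemon reaching the
    admin's pty at start-up and an init script's entrypoint check against a
    generic bin_t file are silenced; the daemon's own var_run access is needed.
    """
    if tclass == "chr_file" and ttype.endswith(TERMINAL_SUFFIXES):
        return "dontaudit"
    if tclass == "file" and perms == {"entrypoint"} and ttype == "bin_t":
        return "dontaudit"
    return "allow"


def build_rules(text):
    """Merge repeated denials into one rule each; returns sorted 5-tuples."""
    merged = defaultdict(set)
    for perms, stype, ttype, tclass in parse_avc(text):
        merged[(classify(perms, stype, ttype, tclass), stype, ttype, tclass)] |= perms
    return sorted((k, s, t, c, frozenset(p)) for (k, s, t, c), p in merged.items())


def fmt_perms(perms):
    """Single permission bare, several in braces, as the policy language expects."""
    perms = sorted(perms)
    return perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"


def render_module(text, name="asterisk_local", version="1.0"):
    """Render rules in the checkmodule syntax (the form 'audit2allow -M' writes)."""
    rules = build_rules(text)
    types = sorted({s for _, s, _, _, _ in rules} | {t for _, _, t, _, _ in rules})
    classes = defaultdict(set)
    for _, _, _, tclass, perms in rules:
        classes[tclass] |= perms
    out = [f"module {name} {version};", "", "require {"]
    out += [f"\ttype {t};" for t in types]
    out += [f"\tclass {c} {fmt_perms(p)};" for c, p in sorted(classes.items())]
    out += ["}", ""]
    out += [f"{k} {s} {t}:{c} {fmt_perms(p)};" for k, s, t, c, p in rules]
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    # Save as asterisk_local.te, then (assuming the policycoreutils tools are present):
    #   checkmodule -M -m -o asterisk_local.mod asterisk_local.te
    #   semodule_package -o asterisk_local.pp -m asterisk_local.mod
    #   semodule -i asterisk_local.pp
    print(render_module(SAMPLE_AVC), end="")
```

Two things worth noticing in the output. The two pty records collapse into a single `dontaudit asterisk_t user_devpts_t:chr_file { read write };`, and the `require` block is derived from the rules rather than typed by hand, so a missing type shows up as a build error in `checkmodule` instead of a silently incomplete module. Once such a module has run for a while, `semodule -l` and a fresh look at the audit log are the check that nothing else was hiding behind the first round of denials.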

Attachments: signature.asc (application/pgp-signature)

Replies: Re: [gentoo-hardened] Thoughts on these AVC denials, Sven Vermeulen <swift@g.o>