| 1 |
On Wed, Nov 23, 2016 at 12:58:34PM +0000, Robert Sharp wrote: |
| 2 |
> Hi, |
| 3 |
> |
| 4 |
> just done my weekly update and I noticed the following AVCs occurred |
| 5 |
> that suggest something missing in the portage policy? |
| 6 |
> |
| 7 |
> type=PROCTITLE msg=audit(1479900756.052:3548): |
| 8 |
> proctitle=6370002D61002D2D7265666C696E6B3D6175746F002F7661722F746D702F706F72746167652F6465762D707974686F6E2F70797061782D302E392E322F696D6167652F5F707974686F6E322E372F2E002F7661722F746D702F706F72746167652F6465762D707974686F6E2F70797061782D302E392E322F696D6167652F2F |
| 9 |
> type=PATH msg=audit(1479900756.052:3548): item=0 |
| 10 |
> name="/var/tmp/portage/dev-python/pypax-0.9.2/image/." inode=1182893 |
| 11 |
> dev=fd:00 mode=040755 ouid=0 ogid=0 rdev=00:00 |
| 12 |
> obj=staff_u:object_r:portage_tmp_t nametype=NORMAL |
| 13 |
> type=CWD msg=audit(1479900756.052:3548): |
| 14 |
> cwd="/var/tmp/portage/dev-python/pypax-0.9.2/work/elfix-0.9.2/scripts" |
| 15 |
> type=SYSCALL msg=audit(1479900756.052:3548): arch=c000003e syscall=189 |
| 16 |
> success=yes exit=0 a0=44b69d9c40 a1=36fe2f5a763 a2=44b69d9df0 a3=1f |
| 17 |
> items=1 ppid=21441 pid=21661 auid=4294967295 uid=0 gid=0 euid=0 suid=0 |
| 18 |
> fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=4294967295 comm="cp" |
| 19 |
> exe="/bin/cp" subj=staff_u:sysadm_r:portage_sandbox_t key=(null) |
| 20 |
> type=AVC msg=audit(1479900756.052:3548): avc: denied { relabelto } |
| 21 |
> for pid=21661 comm="cp" name="image" dev="dm-0" ino=1182893 |
| 22 |
> scontext=staff_u:sysadm_r:portage_sandbox_t |
| 23 |
> tcontext=staff_u:object_r:portage_tmp_t tclass=dir permissive=1 |
| 24 |
> type=AVC msg=audit(1479900756.052:3548): avc: denied { relabelfrom } |
| 25 |
> for pid=21661 comm="cp" name="image" dev="dm-0" ino=1182893 |
| 26 |
> scontext=staff_u:sysadm_r:portage_sandbox_t |
| 27 |
> tcontext=staff_u:object_r:portage_tmp_t tclass=dir permissive=1 |
| 28 |
> |
| 29 |
> I checked the policy for source=portage_sandbox_t and |
| 30 |
> target=portage_tmp_t and it is: |
| 31 |
> |
| 32 |
> # sesearch -s portage_sandbox_t -t portage_tmp_t -Ad |
| 33 |
> Found 5 semantic av rules: |
| 34 |
> allow portage_sandbox_t portage_tmp_t : lnk_file { ioctl read write |
| 35 |
> create getattr setattr lock unlink link rename } ; |
| 36 |
> allow portage_sandbox_t portage_tmp_t : dir { ioctl read write |
| 37 |
> create getattr setattr lock unlink link rename add_name remove_name |
| 38 |
> reparent search rmdir open } ; |
| 39 |
> allow portage_sandbox_t portage_tmp_t : fifo_file { ioctl read write |
| 40 |
> create getattr setattr lock append unlink link rename open } ; |
| 41 |
> allow portage_sandbox_t portage_tmp_t : file { ioctl read write |
| 42 |
> create getattr setattr lock relabelfrom relabelto append unlink link |
| 43 |
> rename execute execute_no_trans open } ; |
| 44 |
> allow portage_sandbox_t portage_tmp_t : sock_file { ioctl read write |
| 45 |
> create getattr setattr lock append unlink link rename open } ; |
| 46 |
> |
| 47 |
> It looks to me like portage was trying to relabelto/from a directory but |
| 48 |
> these ops are only allowed for files? |
| 49 |
|
| 50 |
I've definitely got perms towards dirs too. |
| 51 |
# sesearch -s portage_sandbox_t -t portage_tmp_t -A |
| 52 |
allow portage_sandbox_t non_auth_file_type:dir { open search getattr read lock ioctl }; |
| 53 |
allow portage_sandbox_t non_auth_file_type:file { getattr read open lock ioctl }; |
| 54 |
allow portage_sandbox_t non_auth_file_type:lnk_file { read getattr }; |
| 55 |
allow portage_sandbox_t portage_tmp_t:dir { add_name link remove_name unlink write open relabelfrom search getattr rename read lock reparent create rmdir setattr relabelto ioctl }; |
| 56 |
allow portage_sandbox_t portage_tmp_t:fifo_file { link append unlink write open getattr rename read lock create setattr ioctl }; |
| 57 |
allow portage_sandbox_t portage_tmp_t:file { link append unlink write open relabelfrom getattr rename read lock execute_no_trans create execute setattr relabelto ioctl }; |
| 58 |
allow portage_sandbox_t portage_tmp_t:lnk_file { link unlink write getattr rename read lock create setattr ioctl }; |
| 59 |
allow portage_sandbox_t portage_tmp_t:sock_file { link append unlink write open getattr rename read lock create setattr ioctl }; |
| 60 |
|
| 61 |
Are you on ~arch or stable? did you just upgrade to the 2.6 userland? |
| 62 |
What versions do you have installed of these: |
| 63 |
sys-libs/libsepol |
| 64 |
sys-libs/libselinux |
| 65 |
sys-libs/libsemanage |
| 66 |
sys-apps/checkpolicy |
| 67 |
sys-apps/policycoreutils |
| 68 |
dev-python/sepolgen |
| 69 |
app-admin/setools |
| 70 |
|
| 71 |
what does this return? |
| 72 |
ls -al /etc/selinux/*/policy/policy.* |
| 73 |
|
| 74 |
and in /etc/selinux/semanage.conf, do you have policy-version = set to anything? |
| 75 |
|
| 76 |
-- Jason |
| 77 |
|
| 78 |
> I also spotted AVCs involving directory access to portage_tmpfs_t (and |
| 79 |
> sandbox as the source), such as: |
| 80 |
> |
| 81 |
> type=PROCTITLE msg=audit(1479900586.938:3542): |
| 82 |
> proctitle=707974686F6E322E37002F7573722F6C696236342F707974686F6E322E372F736974652D7061636B616765732F696E636C7564655F7365727665722F696E636C7564655F7365727665722E7079002D2D706F7274002F746D702F6469737463632D70756D702E656B6A3330372F736F636B6574002D2D7069645F66696C65002F |
| 83 |
> type=PATH msg=audit(1479900586.938:3542): item=1 |
| 84 |
> name="/dev/shm/tmpgk84Lo.include_server-16244-1" inode=1246573 dev=00:13 |
| 85 |
> mode=040700 ouid=250 ogid=250 rdev=00:00 |
| 86 |
> obj=staff_u:object_r:portage_tmpfs_t nametype=DELETE |
| 87 |
> type=PATH msg=audit(1479900586.938:3542): item=0 name="/dev/shm/" |
| 88 |
> inode=8351 dev=00:13 mode=041777 ouid=0 ogid=0 rdev=00:00 |
| 89 |
> obj=system_u:object_r:tmpfs_t nametype=PARENT |
| 90 |
> type=CWD msg=audit(1479900586.938:3542): |
| 91 |
> cwd="/var/tmp/portage/dev-python/cffi-1.5.2/work/cffi-1.5.2" |
| 92 |
> type=SYSCALL msg=audit(1479900586.938:3542): arch=c000003e syscall=84 |
| 93 |
> success=yes exit=0 a0=3a6d7c7770 a1=0 a2=0 a3=36b items=2 ppid=1 |
| 94 |
> pid=16244 auid=4294967295 uid=250 gid=250 euid=250 suid=250 fsuid=250 |
| 95 |
> egid=250 sgid=250 fsgid=250 tty=pts0 ses=4294967295 comm="python2.7" |
| 96 |
> exe="/usr/bin/python2.7" subj=staff_u:sysadm_r:portage_sandbox_t key=(null) |
| 97 |
> type=AVC msg=audit(1479900586.938:3542): avc: denied { rmdir } for |
| 98 |
> pid=16244 comm="python2.7" name="tmpgk84Lo.include_server-16244-1" |
| 99 |
> dev="tmpfs" ino=1246573 scontext=staff_u:sysadm_r:portage_sandbox_t |
| 100 |
> tcontext=staff_u:object_r:portage_tmpfs_t tclass=dir permissive=1 |
| 101 |
> |
| 102 |
> And a similar AVC for creating the same directory. |
| 103 |
> |
| 104 |
> Is this likely to be a policy gap or have I done something wrong or |
| 105 |
> failed to do something I should have. I cannot provide more details |
| 106 |
> about what was happening at the time, other than in the audit snippets |
| 107 |
> above - it was the middle of a lengthy update process. |
| 108 |
> |
| 109 |
> Thanks, |
| 110 |
> |
| 111 |
> Robert Sharp |
| 112 |
> |
Archives