Gentoo Archives: gentoo-hardened

From: Stan Sander <stsander@×××××.net>
To: gentoo-hardened <gentoo-hardened@l.g.o>
Subject: [gentoo-hardened] Thoughts on these AVC denials
Date: Tue, 23 Oct 2012 21:02:21
Message-Id: 5086E6EE.3060805@sblan.net
I'm trying to work on getting SELinux running in enforcing mode on my
x86 stable server. Everything seems OK if I switch enforcing on until
asterisk needs to be (re)started. Running /etc/init.d/asterisk results
in a bad interpreter (permission denied) error if SELinux is enforcing.
The only thing that I noticed in the logs was an invalid security context.
So today I disabled all the dontaudit rules and ran the init script (in
permissive mode) from the command line. The invalid context seems to be
the root of the issue, but here are the AVCs that I captured. I'm not
sure of the best way to handle the invalid context, so I'd like to get
some thoughts/suggestions from the list before I start making changes.

This is the invalid context that I think I need to address:

Oct 23 11:47:21 iax kernel: type=1401 audit(1351014441.497:8823983): security_compute_sid: invalid context stan:system_r:initrc_t for scontext=stan:sysadm_r:sysadm_t tcontext=system_u:object_r:asterisk_initrc_exec_t tclass=process

By way of context, here are all the denials as they appeared.

Oct 23 11:47:21 iax kernel: type=1401 audit(1351014441.497:8823983): security_compute_sid: invalid context stan:system_r:initrc_t for scontext=stan:sysadm_r:sysadm_t tcontext=system_u:object_r:asterisk_initrc_exec_t tclass=process
Oct 23 11:47:21 iax kernel: type=1400 audit(1351014441.497:8823984): avc: denied { rlimitinh } for pid=10978 comm="asterisk" scontext=stan:sysadm_r:sysadm_t tcontext=stan:system_r:initrc_t tclass=process
Oct 23 11:47:21 iax kernel: type=1400 audit(1351014441.497:8823985): avc: denied { siginh } for pid=10978 comm="asterisk" scontext=stan:sysadm_r:sysadm_t tcontext=stan:system_r:initrc_t tclass=process
Oct 23 11:47:21 iax kernel: type=1400 audit(1351014441.497:8823986): avc: denied { noatsecure } for pid=10978 comm="asterisk" scontext=stan:sysadm_r:sysadm_t tcontext=stan:system_r:initrc_t tclass=process
Oct 23 11:47:21 iax kernel: type=1401 audit(1351014441.500:8823987): security_compute_sid: invalid context stan:system_r:initrc_t for scontext=stan:system_r:initrc_t tcontext=system_u:object_r:rc_exec_t tclass=process
Oct 23 11:47:21 iax kernel: type=1401 audit(1351014441.508:8823988): security_compute_sid: invalid context stan:system_r:initrc_t for scontext=stan:system_r:initrc_t tcontext=system_u:object_r:bin_t tclass=process
Oct 23 11:47:21 iax kernel: type=1401 audit(1351014441.515:8823989): security_compute_sid: invalid context stan:system_r:initrc_t for scontext=stan:system_r:initrc_t tcontext=system_u:object_r:bin_t tclass=process
Oct 23 11:47:21 iax kernel: type=1401 audit(1351014441.517:8823990): security_compute_sid: invalid context stan:system_r:initrc_t for scontext=stan:system_r:initrc_t tcontext=system_u:object_r:rc_exec_t tclass=process
Oct 23 11:47:21 iax kernel: type=1401 audit(1351014441.530:8823991): security_compute_sid: invalid context stan:system_r:initrc_t for scontext=stan:system_r:initrc_t tcontext=system_u:object_r:bin_t tclass=process
Oct 23 11:47:21 iax kernel: type=1401 audit(1351014441.542:8823992): security_compute_sid: invalid context stan:system_r:initrc_t for scontext=stan:system_r:initrc_t tcontext=system_u:object_r:bin_t tclass=process
Oct 23 11:47:22 iax asterisk_wrapper: Initializing asterisk wrapper

And, the current file contexts:

#ls -lZ /etc/init.d/asterisk
-rwxr-xr-x. 1 root root system_u:object_r:asterisk_initrc_exec_t 6489 Oct 5 13:12 /etc/init.d/asterisk
#ls -lZ /usr/sbin/asterisk
-rwxr-xr-x. 1 root root system_u:object_r:asterisk_exec_t 24247031 Oct 5 13:01 /usr/sbin/asterisk

The resulting processes show:

#ps -efZ |grep asterisk
stan:system_r:initrc_t root 11062 1 0 11:47 pts/2 00:00:00 /bin/sh /lib/rc/sh/runscript.sh /etc/init.d/asterisk start
stan:system_r:initrc_t root 11063 1 0 11:47 pts/2 00:00:00 logger -t asterisk_wrapper
stan:system_r:asterisk_t asterisk 11066 11062 0 11:47 pts/2 00:00:01 /usr/sbin/asterisk -f -g -U asterisk
stan:system_r:asterisk_t asterisk 11067 11066 0 11:47 pts/2 00:00:00 astcanary /var/run/asterisk/alt.asterisk.canary.tweet.tweet.tweet 11066

It is interesting that they are running under my SELinux user name
instead of system_u like other processes I may need to (re)start in a
similar fashion. Also, the asterisk script does not seem to call/use
runscript_selinux.so like the others do, as I am not prompted for root's
password.

And lastly, my shell that I am executing all of this from:

#id
uid=0(root) gid=0(root)
groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),11(floppy),26(tape),27(video)
context=stan:sysadm_r:sysadm_t

--
Stan & HD Tashi Grad 10/08 Edgewood, NM SWR
PR - Cindy and Jenny - Sammamish, WA NWR
http://www.cci.org
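A security_compute_sid "invalid context" record means the kernel computed a transition target whose user/role/type triple is not allowed by the loaded policy: a role must be authorized for the SELinux user, and a type must be authorized for the role. In the records above the source is stan:sysadm_r:sysadm_t, the entrypoint is asterisk_initrc_exec_t, and the computed result stan:system_r:initrc_t keeps the caller's SELinux user (stan) while switching to system_r, a role the stan user is evidently not permitted. The following script is an added example, not part of the post or of Gentoo's tooling: it parses type=1400 (avc: denied) and type=1401 (invalid context) kernel audit lines, groups the denials, and explains each rejected context against a small hand-written model of user/role and role/type authorizations. The USER_ROLES and ROLE_TYPES tables are assumptions built to match the post, not the real policy; the sample log is a constructed subset of the records quoted above.

```python
"""Triage SELinux audit records for invalid contexts and AVC denials.

Added example (not from the original post or the Gentoo policy).  It parses
kernel audit lines of type=1400 (avc: denied) and type=1401
(security_compute_sid: invalid context) and checks each rejected context
against an assumed, hand-written authorization model.
"""
import re
from collections import namedtuple

Record = namedtuple("Record", "kind perm scontext tcontext tclass computed")

# Constructed sample: a subset of the records from the post, one per line.
SAMPLE_LOG = """\
Oct 23 11:47:21 iax kernel: type=1401 audit(1351014441.497:8823983): security_compute_sid: invalid context stan:system_r:initrc_t for scontext=stan:sysadm_r:sysadm_t tcontext=system_u:object_r:asterisk_initrc_exec_t tclass=process
Oct 23 11:47:21 iax kernel: type=1400 audit(1351014441.497:8823984): avc: denied { rlimitinh } for pid=10978 comm="asterisk" scontext=stan:sysadm_r:sysadm_t tcontext=stan:system_r:initrc_t tclass=process
Oct 23 11:47:21 iax kernel: type=1400 audit(1351014441.497:8823985): avc: denied { siginh } for pid=10978 comm="asterisk" scontext=stan:sysadm_r:sysadm_t tcontext=stan:system_r:initrc_t tclass=process
Oct 23 11:47:21 iax kernel: type=1401 audit(1351014441.500:8823987): security_compute_sid: invalid context stan:system_r:initrc_t for scontext=stan:system_r:initrc_t tcontext=system_u:object_r:rc_exec_t tclass=process
Oct 23 11:47:22 iax asterisk_wrapper: Initializing asterisk wrapper
"""

# Assumed authorization model (hypothetical, chosen to match the post):
# roles each SELinux user may take, and domains each role may hold.
USER_ROLES = {
    "stan": {"staff_r", "sysadm_r"},
    "system_u": {"system_r"},
}
ROLE_TYPES = {
    "sysadm_r": {"sysadm_t"},
    "system_r": {"initrc_t", "asterisk_t"},
}

AVC_RE = re.compile(
    r"type=1400 .*avc: +denied +\{ (?P<perm>[^}]+)\} .*?"
    r"scontext=(?P<s>\S+) tcontext=(?P<t>\S+) tclass=(?P<c>\S+)")
SID_RE = re.compile(
    r"type=1401 .*security_compute_sid: invalid context (?P<ctx>\S+) for "
    r"scontext=(?P<s>\S+) tcontext=(?P<t>\S+) tclass=(?P<c>\S+)")


def parse_context(ctx):
    """Split 'user:role:type[:range]' into (user, role, type)."""
    parts = ctx.split(":")
    if len(parts) < 3:
        raise ValueError("not a SELinux context: %r" % ctx)
    return parts[0], parts[1], parts[2]


def parse_record(line):
    """Return a Record for an AVC denial or invalid-context line, else None."""
    m = AVC_RE.search(line)
    if m:
        return Record("avc", m.group("perm").strip(), m.group("s"),
                      m.group("t"), m.group("c"), None)
    m = SID_RE.search(line)
    if m:
        return Record("invalid_context", None, m.group("s"),
                      m.group("t"), m.group("c"), m.group("ctx"))
    return None


def context_problems(ctx, user_roles=USER_ROLES, role_types=ROLE_TYPES):
    """List the reasons a context is rejected under the assumed model."""
    user, role, typ = parse_context(ctx)
    problems = []
    if role not in user_roles.get(user, set()):
        problems.append("role %s is not authorized for SELinux user %s"
                        % (role, user))
    if typ not in role_types.get(role, set()):
        problems.append("type %s is not authorized for role %s" % (typ, role))
    return problems


def triage(log, user_roles=USER_ROLES, role_types=ROLE_TYPES):
    """Count denials per (scontext, tcontext, tclass, perm) and explain
    every distinct invalid context seen in the log."""
    denials = {}
    invalid = {}
    for line in log.splitlines():
        rec = parse_record(line)
        if rec is None:
            continue
        if rec.kind == "avc":
            key = (rec.scontext, rec.tcontext, rec.tclass, rec.perm)
            denials[key] = denials.get(key, 0) + 1
        elif rec.computed not in invalid:
            invalid[rec.computed] = context_problems(rec.computed,
                                                    user_roles, role_types)
    return denials, invalid


if __name__ == "__main__":
    found_denials, found_invalid = triage(SAMPLE_LOG)
    for ctx, why in found_invalid.items():
        print("invalid context %s: %s" % (ctx, "; ".join(why) or "valid"))
    for (s, t, c, p), n in sorted(found_denials.items()):
        print("%dx denied %s: %s -> %s (%s)" % (n, p, s, t, c))
```

On a real box the tables above are replaced by the loaded policy: `semanage user -l` lists the roles each SELinux user may hold, and `seinfo` from setools can show which types a role is allowed. The model illustrates the same check the kernel performs, and the output for the sample points at the one thing a practitioner would look at first here: the init script was run from a shell whose SELinux user is stan, so the domain transition to initrc_t carried that user along into a role it is not authorized for.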

Attachments

File name MIME type
signature.asc application/pgp-signature

Replies

Subject Author
Re: [gentoo-hardened] Thoughts on these AVC denials Sven Vermeulen <swift@g.o>