Gentoo Archives: gentoo-hardened

From: Vincent Brillault <gentoo@×××××.net>
To: gentoo-hardened@l.g.o
Subject: Re: [gentoo-hardened] Unsolved AVCs on a hardened/linux/amd64/selinux
Date: Sat, 03 Mar 2012 13:57:53
Message-Id: 20120303135658.GD20442@Fea.lerya.net
In Reply to: Re: [gentoo-hardened] Unsolved AVCs on a hardened/linux/amd64/selinux by Sven Vermeulen
On Fri 2.Mar'12 at 18:59:14 +0000, Sven Vermeulen wrote:
> > Mar 2 10:54:51 ***** kernel: [ 8.354336] type=1400
> > audit(1330682087.785:7): avc: denied { write } for pid=1062 comm="rm"
> > name="console" dev="sda1" ino=423795 scontext=system_u:system_r:initrc_t
> > tcontext=system_u:object_r:lib_t tclass=dir
>
> Any idea what it is trying to delete here? I think it is something in
> /lib(64)/rc/console (gut feeling) but I don't know what it is. At least, I
> don't get those, but that might be because the system doesn't get here in
> enforcing mode (i.e. earlier denials are prohibiting it from reaching this
> point).

Perhaps, yes... I'll try to boot in enforcing mode once the violent denials
are solved.

> > Mar 2 10:54:51 ***** kernel: [ 8.354358] type=1400
> > audit(1330682087.785:8): avc: denied { remove_name } for pid=1062
> > comm="rm" name="keymap" dev="sda1" ino=393305
> > scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:lib_t
> > tclass=dir
> > Mar 2 10:54:51 ***** kernel: [ 8.354373] type=1400
> > audit(1330682087.785:9): avc: denied { unlink } for pid=1062
> > comm="rm" name="keymap" dev="sda1" ino=393305
> > scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:lib_t
> > tclass=file
>
> I think these are related with the earlier one.
>
Correct, it seems it's trying to remove "/lib64/rc/console/keymap":

type=AVC msg=audit(1330777582.322:10): avc: denied { write } for
pid=1102 comm="rm" name="console" dev="sda1" ino=423795
scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:lib_t
tclass=dir
type=AVC msg=audit(1330777582.322:10): avc: denied { remove_name } for
pid=1102 comm="rm" name="keymap" dev="sda1" ino=393305
scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:lib_t
tclass=dir
type=AVC msg=audit(1330777582.322:10): avc: denied { unlink } for
pid=1102 comm="rm" name="keymap" dev="sda1" ino=393305
scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:lib_t
tclass=file
type=SYSCALL msg=audit(1330777582.322:10): arch=c000003e syscall=263
success=yes exit=0 a0=ffffffffffffff9c a1=6d4752bda0 a2=0
a3=6f63696e752f65 items=2 ppid=1096 pid=1102 auid=4294967295 uid=0 gid=0
euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=tty1 ses=4294967295
comm="rm" exe="/bin/rm" subj=system_u:system_r:initrc_t key=(null)
type=PATH msg=audit(1330777582.322:10): item=0 name="/lib64/rc/console/"
inode=423795 dev=08:01 mode=040755 ouid=0 ogid=0 rdev=00:00
obj=system_u:object_r:lib_t
type=PATH msg=audit(1330777582.322:10): item=1
name="/lib64/rc/console/keymap" inode=393305 dev=08:01 mode=0100644
ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:lib_t


> > Mar 2 10:54:51 ***** kernel: [ 8.365926] type=1400
> > audit(1330682087.796:10): avc: denied { create } for pid=1063
> > comm="mkdir" name=".test.1056" scontext=system_u:system_r:initrc_t
> > tcontext=system_u:object_r:var_run_t tclass=dir
>
> This means an init script (source context is "initrc_t") is trying to create
> a directory most likely in /var/run. If you could find out which init script
> it is? Creating temporary directories there isn't exactly a good practice,
> even though I think it is merely checking (in the init script) if the script
> can write there.

Found it, it's in /etc/init.d/bootmisc:
dir_writable() creates and removes it when it's called on "/var/run".
It's clearly a test. It's perhaps linked to the fuser AVC, as this test
conditions some fuser invocations:
'''
if type fuser >/dev/null 2>&1; then
    fuser "$x" >/dev/null 2>&1 || rm -- "$x"
'''

> For more information about SELinux bug reporting, please see
> http://www.gentoo.org/proj/en/hardened/selinux-bugreporting.xml

Sorry about that first mail with all these unsorted denials.

-------

Concerning asterisk (version 1.8.8.2 with selinux module 1.10.0
(selinux-asterisk 2.20120215)):

--

type=AVC msg=audit(1330764560.260:48): avc: denied { add_name } for
pid=1860 comm="runscript.sh" name="wrapper_loop.pid"
scontext=system_u:system_r:initrc_t
tcontext=system_u:object_r:asterisk_var_run_t tclass=dir
type=AVC msg=audit(1330764560.260:48): avc: denied { create } for
pid=1860 comm="runscript.sh" name="wrapper_loop.pid"
scontext=system_u:system_r:initrc_t
tcontext=system_u:object_r:asterisk_var_run_t tclass=file
type=AVC msg=audit(1330764560.260:48): avc: denied { write } for
pid=1860 comm="runscript.sh" name="wrapper_loop.pid" dev="sda1"
ino=524353 scontext=system_u:system_r:initrc_t
tcontext=system_u:object_r:asterisk_var_run_t tclass=file
type=SYSCALL msg=audit(1330764560.260:48): arch=c000003e syscall=2
success=yes exit=3 a0=304f144be0 a1=241 a2=1b6 a3=304eead429 items=2
ppid=1857 pid=1860 auid=4294967295 uid=0 gid=0 euid=0 suid=0
fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295
comm="runscript.sh" exe="/bin/bash" subj=system_u:system_r:initrc_t
key=(null)
type=PATH msg=audit(1330764560.260:48): item=0 name="/var/run/asterisk/"
inode=568583 dev=08:01 mode=040770 ouid=103 ogid=205 rdev=00:00
obj=system_u:object_r:asterisk_var_run_t
type=PATH msg=audit(1330764560.260:48): item=1
name="/var/run/asterisk/wrapper_loop.pid" inode=524353 dev=08:01
mode=0100644 ouid=0 ogid=0 rdev=00:00
obj=system_u:object_r:asterisk_var_run_t

I think it comes directly from the init script, which contains:
cut -f4 -d' ' < /proc/self/stat > /var/run/asterisk/wrapper_loop.pid

This error only impacts the init script and not the asterisk process.
I don't know what the best way to fix that is. Perhaps by moving this
file somewhere it can have an initrc_* context.

In enforcing mode, it obviously results in (but doesn't crash the
application):
Mar 3 11:36:12 ***** asterisk_wrapper: Initializing asterisk wrapper
Mar 3 11:36:12 ***** asterisk_wrapper: /etc/init.d/asterisk: line 35:
/var/run/asterisk/wrapper_loop.pid: Permission denied

--

Then we have a denied 'setattr'; here is the verbose audit:

type=AVC msg=audit(1330764560.503:50): avc: denied { setattr } for
pid=1861 comm="asterisk" name="asterisk" dev="sda1" ino=568583
scontext=system_u:system_r:asterisk_t
tcontext=system_u:object_r:asterisk_var_run_t tclass=dir
type=SYSCALL msg=audit(1330764560.503:50): arch=c000003e syscall=92
success=yes exit=0 a0=287bab7e0 a1=67 a2=ffffffff a3=0 items=1 ppid=1857
pid=1861 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0
egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="asterisk"
exe="/usr/sbin/asterisk" subj=system_u:system_r:asterisk_t key=(null)
type=PATH msg=audit(1330764560.503:50): item=0 name="/var/run/asterisk"
inode=568583 dev=08:01 mode=040770 ouid=103 ogid=205 rdev=00:00
obj=system_u:object_r:asterisk_var_run_t

From the source code, we have:
'''
if (runuser && !ast_test_flag(&ast_options, AST_OPT_FLAG_REMOTE)) {
    ...
    if (chown(ast_config_AST_RUN_DIR, pw->pw_uid, -1)) {
        ast_log(LOG_WARNING, "Unable to chown run directory to %d (%s)\n",
                (int) pw->pw_uid, runuser);
    }
'''

In enforcing mode, it results in:
"Unable to chown run directory to 103 (asterisk)"

This error could probably be ignored (dontaudit?) as the ebuild
contains:
diropts -m 0770 -o asterisk -g asterisk
...
keepdir /var/run/asterisk

Nevertheless, for people who don't use the default run directory or
the default user, it could result in errors...

--

In enforcing mode, asterisk can start but won't work. The denial is only
visible if I disable the dontaudit rules:

==> /var/log/avc.log <==
Mar 3 12:51:28 .... kernel: [ 374.048619] type=1400
audit(1330775488.478:103): avc: denied { name_bind } for pid=2591
comm="asterisk" src=10290 ipaddr=***.***.***.***
scontext=system_u:system_r:asterisk_t
tcontext=system_u:object_r:unreserved_port_t tclass=udp_socket

==> /var/log/asterisk/full <==
[Mar 3 12:51:28] ERROR[2591] res_rtp_asterisk.c: Oh dear... we couldn't
allocate a port for RTP instance '0x339d0007688'
[Mar 3 12:51:28] NOTICE[2591] chan_sip.c: Failed to authenticate device

I don't know if we want to make asterisk able to bind on unreserved
ports or to a somewhat more precise range (the range in which this port can
be allocated is defined in rtp.conf).

-----

Concerning the sysfs bug, it seems related to /sys/fs/selinux:
type=AVC msg=audit(1330778502.425:149): avc: denied { search } for
pid=2514 comm="unix_chkpwd" name="/" dev="sysfs" ino=1
ipaddr=194.29.25.170 scontext=staff_u:staff_r:chkpwd_t
tcontext=system_u:object_r:sysfs_t tclass=dir
type=SYSCALL msg=audit(1330778502.425:149): arch=c000003e syscall=137
success=no exit=-13 a0=26fff23a6a7 a1=3ce4d3efb50 a2=fffffffffff6c3f7
a3=5 items=1 ppid=2513 pid=2514 auid=1000 uid=1000 gid=1000 euid=0
suid=0 fsuid=0 egid=1000 sgid=1000 fsgid=1000 tty=pts2 ses=10
comm="unix_chkpwd" exe="/sbin/unix_chkpwd" subj=staff_u:staff_r:chkpwd_t
key=(null)
type=PATH msg=audit(1330778502.425:149): item=0 name="/sys/fs/selinux"

"/sys/fs/selinux" does exist but doesn't contain anything.

-----

I'll continue to try to identify and fix the AVCs I have.

Sincerely yours,
Vincent Brillault
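Working through a batch of denials like the ones in this message is much easier when the records are grouped by audit event id rather than read as isolated AVC lines: the SYSCALL record of the same event names the program and tells you whether the access was actually blocked (success=no, exit=-13) or only logged because the domain was permissive (success=yes), and the PATH items name the exact file, which is how "/lib64/rc/console/keymap" is recovered above. The Python script below is an added example, not code from the post or from any Gentoo or SELinux tool. Its sample log is constructed from records quoted in this thread, re-joined onto one line each (one of them left in dmesg form with a numeric type=1400), and its rule generator only mimics the output format of audit2allow.

```python
"""Correlate SELinux AVC denials with their SYSCALL/PATH records.

Added example (not from the mailing-list post or any Gentoo tool): groups
audit records by their audit(<timestamp>:<serial>) event id, so the PATH
items show which file a denial is really about, and merges the denied
permissions into the 'allow' rules audit2allow would propose.
"""
import re
from collections import OrderedDict, defaultdict

# Constructed sample: records copied from the denials discussed in the thread,
# re-joined onto one line each. The last one is in dmesg/syslog form (type=1400).
SAMPLE_LOG = """\
type=AVC msg=audit(1330777582.322:10): avc: denied { write } for pid=1102 comm="rm" name="console" dev="sda1" ino=423795 scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:lib_t tclass=dir
type=AVC msg=audit(1330777582.322:10): avc: denied { remove_name } for pid=1102 comm="rm" name="keymap" dev="sda1" ino=393305 scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:lib_t tclass=dir
type=AVC msg=audit(1330777582.322:10): avc: denied { unlink } for pid=1102 comm="rm" name="keymap" dev="sda1" ino=393305 scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:lib_t tclass=file
type=SYSCALL msg=audit(1330777582.322:10): arch=c000003e syscall=263 success=yes exit=0 a0=ffffffffffffff9c a1=6d4752bda0 a2=0 a3=6f63696e752f65 items=2 ppid=1096 pid=1102 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=tty1 ses=4294967295 comm="rm" exe="/bin/rm" subj=system_u:system_r:initrc_t key=(null)
type=PATH msg=audit(1330777582.322:10): item=0 name="/lib64/rc/console/" inode=423795 dev=08:01 mode=040755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:lib_t
type=PATH msg=audit(1330777582.322:10): item=1 name="/lib64/rc/console/keymap" inode=393305 dev=08:01 mode=0100644 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:lib_t
type=AVC msg=audit(1330775488.478:103): avc: denied { name_bind } for pid=2591 comm="asterisk" src=10290 scontext=system_u:system_r:asterisk_t tcontext=system_u:object_r:unreserved_port_t tclass=udp_socket
Mar 2 10:54:51 ***** kernel: [ 8.365926] type=1400 audit(1330682087.796:10): avc: denied { create } for pid=1063 comm="mkdir" name=".test.1056" scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:var_run_t tclass=dir
"""

EVENT_RE = re.compile(r'audit\((\d+\.\d+):(\d+)\)')
DENIED_RE = re.compile(r'denied\s+\{\s*([^}]*?)\s*\}')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\([^)]*\)|\S+)')
# Numeric record types as printed by the kernel (linux/audit.h), mapped to
# the names auditd uses, so dmesg and audit.log lines parse the same way.
NUMERIC_TYPES = {'1300': 'SYSCALL', '1302': 'PATH', '1400': 'AVC'}


def parse_record(line):
    """Return one audit record as a dict, or None if the line is not one."""
    m = EVENT_RE.search(line)
    if not m:
        return None
    rec = {k: v.strip('"') for k, v in KV_RE.findall(line)}
    # timestamp:serial is unique per kernel event; the serial alone is not
    rec['event'] = '%s:%s' % (m.group(1), m.group(2))
    rec['type'] = NUMERIC_TYPES.get(rec.get('type'), rec.get('type'))
    d = DENIED_RE.search(line)
    if rec['type'] == 'AVC' and d:
        rec['perms'] = d.group(1).split()
    return rec


def sel_type(context):
    """user:role:type[:range] -> type"""
    return context.split(':')[2]


def summarize_events(text):
    """Group records by event id and summarise every event that has an AVC."""
    events = OrderedDict()
    for line in text.splitlines():
        rec = parse_record(line)
        if rec is not None:
            events.setdefault(rec['event'], []).append(rec)
    summaries = []
    for event_id, recs in events.items():
        avcs = [r for r in recs if r['type'] == 'AVC' and 'perms' in r]
        if not avcs:
            continue
        syscalls = [r for r in recs if r['type'] == 'SYSCALL']
        denials = defaultdict(set)
        for a in avcs:
            key = (sel_type(a['scontext']), sel_type(a['tcontext']), a['tclass'])
            denials[key].update(a['perms'])
        summaries.append({
            'event': event_id,
            'comm': avcs[0].get('comm'),
            'exe': syscalls[0].get('exe') if syscalls else None,
            # success=yes next to a denial means the domain ran permissive:
            # the access was logged but not blocked. None: no SYSCALL record.
            'enforced': (syscalls[0].get('success') == 'no') if syscalls else None,
            'paths': [r['name'] for r in recs if r['type'] == 'PATH' and 'name' in r],
            'denials': {k: sorted(v) for k, v in denials.items()},
        })
    return summaries


def allow_rules(summaries):
    """Merge denials into audit2allow-style rules (a starting point, not a fix)."""
    merged = defaultdict(set)
    for s in summaries:
        for key, perms in s['denials'].items():
            merged[key].update(perms)
    return ['allow %s %s:%s { %s };' % (st, tt, cls, ' '.join(sorted(p)))
            for (st, tt, cls), p in sorted(merged.items())]


if __name__ == '__main__':
    summaries = summarize_events(SAMPLE_LOG)
    for s in summaries:
        print(s['event'], s['comm'], s['exe'], 'enforced=%s' % s['enforced'])
        for path in s['paths']:
            print('   path:', path)
        for (st, tt, cls), perms in s['denials'].items():
            print('   %s -> %s:%s %s' % (st, tt, cls, perms))
    print('\n'.join(allow_rules(summaries)))
```

The generated rules are only a summary of what was denied, not a recommended policy: loading `allow asterisk_t unreserved_port_t:udp_socket { name_bind };` as-is would let asterisk bind any unreserved UDP port, whereas the question raised in the message is whether the RTP range from rtp.conf should get a port type of its own, and for the rm and mkdir denials the right fix may be a label or script change rather than an allow rule at all.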

Replies

Subject Author
Re: [gentoo-hardened] Unsolved AVCs on a hardened/linux/amd64/selinux Vincent Brillault <gentoo@×××××.net>