On Fri 2.Mar'12 at 18:59:14 +0000, Sven Vermeulen wrote:
> > Mar 2 10:54:51 ***** kernel: [ 8.354336] type=1400
> > audit(1330682087.785:7): avc: denied { write } for pid=1062 comm="rm"
> > name="console" dev="sda1" ino=423795 scontext=system_u:system_r:initrc_t
> > tcontext=system_u:object_r:lib_t tclass=dir
>
> Any idea what it is trying to delete here? I think it is something in
> /lib(64)/rc/console (gut feeling) but I don't know what it is. At least, I
> don't get those, but that might be because the system doesn't get here in
> enforcing mode (i.e. earlier denials are prohibiting it from reaching this
> point).

Perhaps, yes... I'll try to boot in enforcing mode when the violent denials
are solved.

> > Mar 2 10:54:51 ***** kernel: [ 8.354358] type=1400
> > audit(1330682087.785:8): avc: denied { remove_name } for pid=1062
> > comm="rm" name="keymap" dev="sda1" ino=393305
> > scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:lib_t
> > tclass=dir
> > Mar 2 10:54:51 ***** kernel: [ 8.354373] type=1400
> > audit(1330682087.785:9): avc: denied { unlink } for pid=1062
> > comm="rm" name="keymap" dev="sda1" ino=393305
> > scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:lib_t
> > tclass=file
>
> I think these are related to the earlier one.
>
Correct, it seems it's trying to remove "/lib64/rc/console/keymap":

type=AVC msg=audit(1330777582.322:10): avc: denied { write } for
pid=1102 comm="rm" name="console" dev="sda1" ino=423795
scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:lib_t
tclass=dir
type=AVC msg=audit(1330777582.322:10): avc: denied { remove_name } for
pid=1102 comm="rm" name="keymap" dev="sda1" ino=393305
scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:lib_t
tclass=dir
type=AVC msg=audit(1330777582.322:10): avc: denied { unlink } for
pid=1102 comm="rm" name="keymap" dev="sda1" ino=393305
scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:lib_t
tclass=file
type=SYSCALL msg=audit(1330777582.322:10): arch=c000003e syscall=263
success=yes exit=0 a0=ffffffffffffff9c a1=6d4752bda0 a2=0
a3=6f63696e752f65 items=2 ppid=1096 pid=1102 auid=4294967295 uid=0 gid=0
euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=tty1 ses=4294967295
comm="rm" exe="/bin/rm" subj=system_u:system_r:initrc_t key=(null)
type=PATH msg=audit(1330777582.322:10): item=0 name="/lib64/rc/console/"
inode=423795 dev=08:01 mode=040755 ouid=0 ogid=0 rdev=00:00
obj=system_u:object_r:lib_t
type=PATH msg=audit(1330777582.322:10): item=1
name="/lib64/rc/console/keymap" inode=393305 dev=08:01 mode=0100644
ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:lib_t


> > Mar 2 10:54:51 ***** kernel: [ 8.365926] type=1400
> > audit(1330682087.796:10): avc: denied { create } for pid=1063
> > comm="mkdir" name=".test.1056" scontext=system_u:system_r:initrc_t
> > tcontext=system_u:object_r:var_run_t tclass=dir
>
> This means an init script (source context is "initrc_t") is trying to create
> a directory most likely in /var/run. If you could find out which init script
> it is? Creating temporary directories there isn't exactly a good practice,
> even though I think it is merely checking (in the init script) if the script
> can write there.

Found it, it's in /etc/init.d/bootmisc:
dir_writable() creates and removes it when it's called on "/var/run".
It's clearly a test. It's perhaps linked to the fuser avc, as this test
conditions some fuser invocations:
'''
if type fuser >/dev/null 2>&1; then
    fuser "$x" >/dev/null 2>&1 || rm -- "$x"
'''

> For more information about SELinux bug reporting, please see
> http://www.gentoo.org/proj/en/hardened/selinux-bugreporting.xml

Sorry about that first mail with all these unsorted denials.

-------

Concerning asterisk (version 1.8.8.2 with selinux module 1.10.0
(selinux-asterisk 2.20120215)):

--

type=AVC msg=audit(1330764560.260:48): avc: denied { add_name } for
pid=1860 comm="runscript.sh" name="wrapper_loop.pid"
scontext=system_u:system_r:initrc_t
tcontext=system_u:object_r:asterisk_var_run_t tclass=dir
type=AVC msg=audit(1330764560.260:48): avc: denied { create } for
pid=1860 comm="runscript.sh" name="wrapper_loop.pid"
scontext=system_u:system_r:initrc_t
tcontext=system_u:object_r:asterisk_var_run_t tclass=file
type=AVC msg=audit(1330764560.260:48): avc: denied { write } for
pid=1860 comm="runscript.sh" name="wrapper_loop.pid" dev="sda1"
ino=524353 scontext=system_u:system_r:initrc_t
tcontext=system_u:object_r:asterisk_var_run_t tclass=file
type=SYSCALL msg=audit(1330764560.260:48): arch=c000003e syscall=2
success=yes exit=3 a0=304f144be0 a1=241 a2=1b6 a3=304eead429 items=2
ppid=1857 pid=1860 auid=4294967295 uid=0 gid=0 euid=0 suid=0
fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295
comm="runscript.sh" exe="/bin/bash" subj=system_u:system_r:initrc_t
key=(null)
type=PATH msg=audit(1330764560.260:48): item=0 name="/var/run/asterisk/"
inode=568583 dev=08:01 mode=040770 ouid=103 ogid=205 rdev=00:00
obj=system_u:object_r:asterisk_var_run_t
type=PATH msg=audit(1330764560.260:48): item=1
name="/var/run/asterisk/wrapper_loop.pid" inode=524353 dev=08:01
mode=0100644 ouid=0 ogid=0 rdev=00:00
obj=system_u:object_r:asterisk_var_run_t

I think that it directly comes from the init script that contains:
cut -f4 -d' ' < /proc/self/stat > /var/run/asterisk/wrapper_loop.pid

This error only impacts the init script and not the asterisk process.
I don't know what the better way to fix that is. Perhaps by moving this
file somewhere where it can have an initrc_* context.

In enforcing mode, it obviously results in (but doesn't crash the
application):
Mar 3 11:36:12 ***** asterisk_wrapper: Initializing asterisk wrapper
Mar 3 11:36:12 ***** asterisk_wrapper: /etc/init.d/asterisk: line 35:
/var/run/asterisk/wrapper_loop.pid: Permission denied
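The path lookup done by hand above for the keymap and wrapper_loop.pid events (reading the SYSCALL and PATH records that share the AVC's audit id) can be scripted; this is an added example of mine, not code from the thread or from the Gentoo policy project. Its sample input is the wrapper_loop.pid event quoted above with the mail wrapping undone, and it reports the full path, the executable and whether the syscall still succeeded (which, under a denial, is the permissive-mode signature).

```python
# Added example, not code from the thread: join AVC records with the SYSCALL and
# PATH records of the same audit event id to name the full path each denial hit.
import re

# Sample input: the wrapper_loop.pid event quoted above, mail wrapping undone.
AUDIT = """\
type=AVC msg=audit(1330764560.260:48): avc: denied { add_name } for pid=1860 comm="runscript.sh" name="wrapper_loop.pid" scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:asterisk_var_run_t tclass=dir
type=AVC msg=audit(1330764560.260:48): avc: denied { create } for pid=1860 comm="runscript.sh" name="wrapper_loop.pid" scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:asterisk_var_run_t tclass=file
type=AVC msg=audit(1330764560.260:48): avc: denied { write } for pid=1860 comm="runscript.sh" name="wrapper_loop.pid" dev="sda1" ino=524353 scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:asterisk_var_run_t tclass=file
type=SYSCALL msg=audit(1330764560.260:48): arch=c000003e syscall=2 success=yes exit=3 a0=304f144be0 a1=241 a2=1b6 a3=304eead429 items=2 ppid=1857 pid=1860 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="runscript.sh" exe="/bin/bash" subj=system_u:system_r:initrc_t key=(null)
type=PATH msg=audit(1330764560.260:48): item=0 name="/var/run/asterisk/" inode=568583 dev=08:01 mode=040770 ouid=103 ogid=205 rdev=00:00 obj=system_u:object_r:asterisk_var_run_t
type=PATH msg=audit(1330764560.260:48): item=1 name="/var/run/asterisk/wrapper_loop.pid" inode=524353 dev=08:01 mode=0100644 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:asterisk_var_run_t
"""
HEAD = re.compile(r"^type=(\w+) msg=audit\((\d+\.\d+:\d+)\):")
KV = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_record(line):
    """Return (record type, event id, fields) for one audit line."""
    rtype, event = HEAD.match(line).groups()
    fields = {k: v.strip('"') for k, v in KV.findall(line)}
    if rtype == "AVC":  # permissions sit in braces, not in key=value form
        fields["perms"] = re.search(r"\{ ([^}]+) \}", line).group(1).split()
    return rtype, event, fields

def resolve_path(avc, paths):
    """Match by inode when the AVC carries one, else by name. add_name and
    remove_name name the directory entry, so the denied object is the parent."""
    for p in paths:
        if avc.get("ino") == p["inode"]:
            return p["name"]
    for p in paths:
        if p["name"].rstrip("/").rsplit("/", 1)[-1] == avc.get("name"):
            if avc["tclass"] == "dir" and {"add_name", "remove_name"} & set(avc["perms"]):
                return p["name"].rsplit("/", 1)[0] + "/"
            return p["name"]
    return None  # no matching PATH record (e.g. a socket or port denial)

def report(text):
    """One row per AVC denial, enriched from the SYSCALL and PATH records."""
    events = {}
    for line in text.splitlines():
        rtype, event, fields = parse_record(line)
        events.setdefault(event, {}).setdefault(rtype, []).append(fields)
    rows = []
    for event, recs in events.items():
        sc = (recs.get("SYSCALL") or [{}])[0]  # success=yes despite a denial: permissive mode
        for avc in recs.get("AVC", []):
            rows.append({"event": event, "exe": sc.get("exe"), "syscall_success": sc.get("success"),
                         "perms": avc["perms"], "tclass": avc["tclass"], "scontext": avc["scontext"],
                         "tcontext": avc["tcontext"], "path": resolve_path(avc, recs.get("PATH", []))})
    return rows
```

Feeding it `ausearch -i`-style plain records from any event works the same way; the keymap event above resolves to /lib64/rc/console/keymap by inode.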

--

Then we have a denied 'setattr'; here is the verbose audit:

type=AVC msg=audit(1330764560.503:50): avc: denied { setattr } for
pid=1861 comm="asterisk" name="asterisk" dev="sda1" ino=568583
scontext=system_u:system_r:asterisk_t
tcontext=system_u:object_r:asterisk_var_run_t tclass=dir
type=SYSCALL msg=audit(1330764560.503:50): arch=c000003e syscall=92
success=yes exit=0 a0=287bab7e0 a1=67 a2=ffffffff a3=0 items=1 ppid=1857
pid=1861 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0
egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="asterisk"
exe="/usr/sbin/asterisk" subj=system_u:system_r:asterisk_t key=(null)
type=PATH msg=audit(1330764560.503:50): item=0 name="/var/run/asterisk"
inode=568583 dev=08:01 mode=040770 ouid=103 ogid=205 rdev=00:00
obj=system_u:object_r:asterisk_var_run_t

From the source code, we have:
'''
if (runuser && !ast_test_flag(&ast_options, AST_OPT_FLAG_REMOTE)) {
    ...
    if (chown(ast_config_AST_RUN_DIR, pw->pw_uid, -1)) {
        ast_log(LOG_WARNING, "Unable to chown run directory to %d (%s)\n",
                (int) pw->pw_uid, runuser);
    }
'''

In enforcing mode, it results in:
"Unable to chown run directory to 103 (asterisk)"

This error could probably be ignored (dontaudit?) as the ebuild
contains:
diropts -m 0770 -o asterisk -g asterisk
...
keepdir /var/run/asterisk

Nevertheless, for people who don't use the default run directory or
the default user, it could result in errors...

--

In enforcing mode, asterisk can start but won't work. The denial is only
visible if I disable the dontaudit rules:

==> /var/log/avc.log <==
Mar 3 12:51:28 .... kernel: [ 374.048619] type=1400
audit(1330775488.478:103): avc: denied { name_bind } for pid=2591
comm="asterisk" src=10290 ipaddr=***.***.***.***
scontext=system_u:system_r:asterisk_t
tcontext=system_u:object_r:unreserved_port_t tclass=udp_socket

==> /var/log/asterisk/full <==
[Mar 3 12:51:28] ERROR[2591] res_rtp_asterisk.c: Oh dear... we couldn't
allocate a port for RTP instance '0x339d0007688'
[Mar 3 12:51:28] NOTICE[2591] chan_sip.c: Failed to authenticate device

I don't know if we want to make asterisk able to bind on unreserved
ports or to a somewhat more precise range (the range in which this port can
be allocated is defined in rtp.conf).
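Before deciding between "any unreserved port" and a precise range, it helps to confirm that each name_bind denial is actually inside the range rtp.conf configures; binds outside it deserve a look before anything is allowed. This is an added example of mine, not code from the thread or from the policy project; it assumes rtp.conf's range is given by the rtpstart and rtpend keys, and the second denial in the sample is constructed for contrast.

```python
# Added example, not code from the thread: decide whether a name_bind denial
# is explained by the RTP port range the daemon is configured to use.
import re

# Constructed sample input. The first line is the denial quoted above (ipaddr
# dropped); the second is a made-up bind outside the RTP range for contrast.
AVC_LINES = [
    'type=1400 audit(1330775488.478:103): avc: denied { name_bind } for pid=2591 comm="asterisk" src=10290 scontext=system_u:system_r:asterisk_t tcontext=system_u:object_r:unreserved_port_t tclass=udp_socket',
    'type=1400 audit(1330775499.000:104): avc: denied { name_bind } for pid=2591 comm="asterisk" src=33000 scontext=system_u:system_r:asterisk_t tcontext=system_u:object_r:unreserved_port_t tclass=udp_socket',
]
# Minimal rtp.conf; rtpstart/rtpend as the keys for the range is an assumption.
RTP_CONF = """\
[general]
rtpstart=10000
rtpend=20000
"""

def rtp_range(conf_text):
    """Return (rtpstart, rtpend) from rtp.conf; fail loudly if either is missing."""
    keys = dict(re.findall(r"^\s*(rtpstart|rtpend)\s*=\s*(\d+)", conf_text, re.M))
    if not {"rtpstart", "rtpend"} <= set(keys):
        raise ValueError("rtp.conf does not define both rtpstart and rtpend")
    return int(keys["rtpstart"]), int(keys["rtpend"])

def bind_denials(lines):
    """Extract port, protocol and contexts from name_bind AVC records."""
    out = []
    for line in lines:
        if "denied { name_bind }" not in line:
            continue
        f = {k: v.strip('"') for k, v in re.findall(r'(\w+)=("[^"]*"|\S+)', line)}
        out.append({"port": int(f["src"]), "proto": f["tclass"].split("_")[0],
                    "scontext": f["scontext"], "tcontext": f["tcontext"]})
    return out

def classify(lines, conf_text):
    """Split bind denials into those the RTP range accounts for (a policy
    question) and those it does not (worth a look before allowing anything)."""
    lo, hi = rtp_range(conf_text)
    buckets = {"rtp": [], "unexplained": []}
    for d in bind_denials(lines):
        in_rtp = d["proto"] == "udp" and lo <= d["port"] <= hi
        buckets["rtp" if in_rtp else "unexplained"].append(d)
    return buckets
```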

-----

Concerning the sysfs bug, it seems related to /sys/fs/selinux:
type=AVC msg=audit(1330778502.425:149): avc: denied { search } for
pid=2514 comm="unix_chkpwd" name="/" dev="sysfs" ino=1
ipaddr=194.29.25.170 scontext=staff_u:staff_r:chkpwd_t
tcontext=system_u:object_r:sysfs_t tclass=dir
type=SYSCALL msg=audit(1330778502.425:149): arch=c000003e syscall=137
success=no exit=-13 a0=26fff23a6a7 a1=3ce4d3efb50 a2=fffffffffff6c3f7
a3=5 items=1 ppid=2513 pid=2514 auid=1000 uid=1000 gid=1000 euid=0
suid=0 fsuid=0 egid=1000 sgid=1000 fsgid=1000 tty=pts2 ses=10
comm="unix_chkpwd" exe="/sbin/unix_chkpwd" subj=staff_u:staff_r:chkpwd_t
key=(null)
type=PATH msg=audit(1330778502.425:149): item=0 name="/sys/fs/selinux"

"/sys/fs/selinux" does exist but doesn't contain anything.

-----

I'll continue to try to identify and fix the avcs I have.

Sincerely yours,
Vincent Brillault