Gentoo Archives: gentoo-hardened

From: Bill Sharer <bsharer@××××××××××.com>
To: gentoo-hardened@l.g.o
Subject: Re: [gentoo-hardened] selinux denials due to race conditions?
Date: Fri, 22 Jun 2007 02:57:17
Message-Id: 467B39CC.901@sharerland.com
In Reply to: [gentoo-hardened] selinux denials due to race conditions? by Bill Sharer
As a followup to my initial message (thanks to everyone for the replies)...

I realized that hotplug had been obsoleted by udev and unmerged both
sys-apps/hotplug and sys-apps/hotplug-base. That got rid of the
default.hotplug denials, but I was still getting the denials on /dev
nodes labeled as file_t.

Per Joern's comment I looked at the static /dev by doing the following:

# mkdir /mnt/rawroot
# mount --bind / /mnt/rawroot
# cd /mnt/rawroot/dev

That showed me that indeed there were a mess of static nodes lying
around in there with a file_t context. I used setfilecon to manually
relabel the crucial ones such as console, tty0 and null. I'm still
getting some denials on startup, but now they are real policy tweaks
that need to happen.

Bill Sharer wrote:
> I'm on the 2006.1 unstable profile for selinux and think I may have a
> race condition that results in avc denials before selinux has finished
> labeling things like /dev. For example, the first denial below appears
> to be where /etc/hotplug.d/default/default.hotplug is peeking and
> poking around with /dev/null. The denial has it as a
> system_u:object_r:file_t, but when I look at it from a running system
> I see it as a system_u:object_r:null_device_t. Should I be messing
> around in /etc/runlevels/boot to put dependencies in various scripts
> (although selinux isn't a script so how would I make it a dependency?)
>
> snippet from a dmesg:
>
> security: 5 users, 5 roles, 1376 types, 81 bools
> security: 59 classes, 61906 rules
> security: class dccp_socket not defined in policy
> security: permission dccp_recv in class node not defined in policy
> security: permission dccp_send in class node not defined in policy
> security: permission dccp_recv in class netif not defined in policy
> security: permission dccp_send in class netif not defined in policy
> SELinux: Completing initialization.
> SELinux: Setting up existing superblocks.
> SELinux: initialized (dev sda5, type ext3), uses xattr
> inode_doinit_with_dentry: context_to_sid(unlabeled) returned 22 for
> dev=sda5 ino=1938273
> audit(1182137416.171:2): avc: denied { ioctl } for pid=884
> comm="default.hotplug" name="null" dev=sda5 ino=733068
> scontext=system_u:system_r:kernel_t tcontext=system_u:object_r:file_t
> tclass=chr_file
> audit(1182137416.203:3): avc: denied { read } for pid=889
> comm="env" name="urandom" dev=sda5 ino=732962
> scontext=system_u:system_r:kernel_t tcontext=system_u:object_r:file_t
> tclass=chr_file
> audit(1182137416.204:4): avc: denied { read } for pid=884
> comm="default.hotplug" name="default.hotplug" dev=sda5 ino=1356280
> scontext=system_u:system_r:kernel_t tcontext=system_u:object_r:sbin_t
> tclass=file
> audit(1182137416.206:5): avc: denied { search } for pid=884
> comm="default.hotplug" name="var" dev=sda5 ino=1254177
> scontext=system_u:system_r:kernel_t tcontext=system_u:object_r:var_t
> tclass=dir
> audit(1182137416.221:6): avc: denied { search } for pid=884
> comm="default.hotplug" name="log" dev=sda5 ino=1255669
> scontext=system_u:system_r:kernel_t
> tcontext=system_u:object_r:var_log_t tclass=dir
> SELinux: initialized (dev usbfs, type usbfs), uses genfs_contexts
> SELinux: initialized (dev selinuxfs, type selinuxfs), uses genfs_contexts
> SELinux: initialized (dev mqueue, type mqueue), uses transition SIDs
> SELinux: initialized (dev hugetlbfs, type hugetlbfs), uses genfs_contexts
> SELinux: initialized (dev devpts, type devpts), uses transition SIDs
> SELinux: initialized (dev eventpollfs, type eventpollfs), uses task SIDs
> SELinux: initialized (dev inotifyfs, type inotifyfs), uses genfs_contexts
> SELinux: initialized (dev tmpfs, type tmpfs), uses transition SIDs
> SELinux: initialized (dev futexfs, type futexfs), uses genfs_contexts
> SELinux: initialized (dev pipefs, type pipefs), uses task SIDs
> SELinux: initialized (dev sockfs, type sockfs), uses task SIDs
> SELinux: initialized (dev proc, type proc), uses genfs_contexts
> SELinux: initialized (dev bdev, type bdev), uses genfs_contexts
> SELinux: initialized (dev rootfs, type rootfs), uses genfs_contexts
> SELinux: initialized (dev sysfs, type sysfs), uses genfs_contexts
> audit(1182137416.259:7): policy loaded auid=4294967295
> audit(1182137416.261:8): avc: denied { read write } for pid=1
> comm="init" name="console" dev=sda5 ino=734292
> scontext=system_u:system_r:init_t tcontext=system_u:object_r:file_t
> tclass=chr_file
> audit(1182137416.275:9): avc: denied { ioctl } for pid=1
> comm="init" name="tty0" dev=sda5 ino=735467
> scontext=system_u:system_r:init_t tcontext=system_u:object_r:file_t
> tclass=chr_file
> audit(1182137416.277:10): avc: denied { read } for pid=891
> comm="hotplug" name="urandom" dev=sda5 ino=732962
> scontext=system_u:system_r:hotplug_t tcontext=system_u:object_r:file_t
> tclass=chr_file
> audit(1182137416.279:11): avc: denied { write } for pid=891
> comm="hotplug" name="tty" dev=sda5 ino=734192
> scontext=system_u:system_r:hotplug_t tcontext=system_u:object_r:file_t
> tclass=chr_file
> audit(1182137416.296:12): avc: denied { ioctl } for pid=893
> comm="default.hotplug" name="null" dev=sda5 ino=733068
> scontext=system_u:system_r:hotplug_t tcontext=system_u:object_r:file_t
> tclass=chr_file
> audit(1182137416.758:13): avc: denied { read write } for pid=970
> comm="rc" name="console" dev=sda5 ino=734292
> scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:file_t
> tclass=chr_file
> audit(1182137417.033:14): avc: denied { read write } for pid=994
> comm="consoletype" name="console" dev=sda5 ino=734292
> scontext=system_u:system_r:consoletype_t
> tcontext=system_u:object_r:file_t tclass=chr_file
> audit(1182137417.034:15): avc: denied { search } for pid=994
> comm="consoletype" name="dev" dev=sda5 ino=732961
> scontext=system_u:system_r:consoletype_t
> tcontext=system_u:object_r:file_t tclass=dir
> audit(1182137417.034:16): avc: denied { getattr } for pid=994
> comm="consoletype" name="console" dev=sda5 ino=734292
> scontext=system_u:system_r:consoletype_t
> tcontext=system_u:object_r:file_t tclass=chr_file
> audit(1182137417.035:17): avc: denied { ioctl } for pid=994
> comm="consoletype" name="console" dev=sda5 ino=734292
> scontext=system_u:system_r:consoletype_t
> tcontext=system_u:object_r:file_t tclass=chr_file
> audit(1182137417.082:18): avc: denied { ioctl } for pid=997
> comm="stty" name="console" dev=sda5 ino=734292
> scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:file_t
> tclass=chr_file
> audit(1182137417.172:19): avc: denied { getattr } for pid=970
> comm="bash" name="null" dev=sda5 ino=733068
> scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:file_t
> tclass=chr_file
> audit(1182137417.196:20): avc: denied { read write } for pid=1001
> comm="dmesg" name="console" dev=sda5 ino=734292
> scontext=system_u:system_r:dmesg_t tcontext=system_u:object_r:file_t
> tclass=chr_file
> audit(1182137417.220:21): avc: denied { read write } for pid=1004
> comm="mount" name="console" dev=sda5 ino=734292
> scontext=system_u:system_r:mount_t tcontext=system_u:object_r:file_t
> tclass=chr_file
> SELinux: initialized (dev tmpfs, type tmpfs), uses transition SIDs
> audit(1182137417.478:22): avc: denied { read write } for pid=1038
> comm="restorecon" name="console" dev=sda5 ino=734292
> scontext=system_u:system_r:restorecon_t
> tcontext=system_u:object_r:file_t tclass=chr_file
> audit(1182137417.716:23): avc: denied { write } for pid=1042
> comm="bash" name="null" dev=tmpfs ino=2106
> scontext=system_u:system_r:initrc_t
> tcontext=system_u:object_r:device_t tclass=chr_file
> audit(1182137417.875:24): avc: denied { read write } for pid=1062
> comm="udevd" name="console" dev=sda5 ino=734292
> scontext=system_u:system_r:udev_t tcontext=system_u:object_r:file_t
> tclass=chr_file
> audit(1182137418.770:25): avc: denied { read } for pid=1194
> comm="modprobe" name="console" dev=tmpfs ino=2100
> scontext=system_u:system_r:insmod_t
> tcontext=system_u:object_r:device_t tclass=chr_file
> audit(1182137424.374:26): avc: denied { getattr } for pid=2059
> comm="modprobe.sh" name="modprobe.conf" dev=sda5 ino=1515100
> scontext=system_u:system_r:udev_t
> tcontext=root:object_r:modules_conf_t tclass=file
> audit(1182137424.376:27): avc: denied { read } for pid=2112
> comm="grep" name="modprobe.conf" dev=sda5 ino=1515100
> scontext=system_u:system_r:udev_t
> tcontext=root:object_r:modules_conf_t tclass=file

--
gentoo-hardened@g.o mailing list
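An added triage script (not from the thread) that sorts AVC denials like the quoted ones into two piles: targets still labeled file_t, which are the stale static nodes on the root filesystem that relabeling fixes, and targets with a real type, which are the genuine policy work the reply mentions. It also emits chcon --reference commands that copy each node's context from the live udev-created /dev instead of picking types by hand with setfilecon; the sample records are constructed, and /mnt/rawroot is the bind mount from the mail.

```shell
#!/bin/sh
# Added example, not part of the thread. A target context of file_t means the
# inode was never labeled (static /dev nodes on the root fs, hidden once udev
# mounts its tmpfs over /dev); any other target type is a real policy gap.

# Constructed sample in the style of the quoted dmesg (the kernel writes one
# record per line; the mail archive wrapped them).
SAMPLE_AVC='audit(1182137416.261:8): avc: denied { read write } for pid=1 comm="init" name="console" dev=sda5 ino=734292 scontext=system_u:system_r:init_t tcontext=system_u:object_r:file_t tclass=chr_file
audit(1182137416.275:9): avc: denied { ioctl } for pid=1 comm="init" name="tty0" dev=sda5 ino=735467 scontext=system_u:system_r:init_t tcontext=system_u:object_r:file_t tclass=chr_file
audit(1182137416.758:13): avc: denied { read write } for pid=970 comm="rc" name="console" dev=sda5 ino=734292 scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:file_t tclass=chr_file
audit(1182137417.716:23): avc: denied { write } for pid=1042 comm="bash" name="null" dev=tmpfs ino=2106 scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:device_t tclass=chr_file
audit(1182137424.376:27): avc: denied { read } for pid=2112 comm="grep" name="modprobe.conf" dev=sda5 ino=1515100 scontext=system_u:system_r:udev_t tcontext=root:object_r:modules_conf_t tclass=file'

# stdin: dmesg text. stdout: KIND name dev tclass perms source_type target_type
triage_avc() {
  awk '/avc: +denied/ {
    n = split($0, tok, " "); name = dev = sc = tc = tcl = perms = ""; inperm = 0
    for (i = 1; i <= n; i++) {
      if (tok[i] == "{") { inperm = 1; continue }
      if (tok[i] == "}") { inperm = 0; continue }
      if (inperm) { perms = perms (perms == "" ? "" : ",") tok[i]; continue }
      if (tok[i] ~ /^name=/) name = substr(tok[i], 6)
      else if (tok[i] ~ /^dev=/) dev = substr(tok[i], 5)
      else if (tok[i] ~ /^scontext=/) sc = substr(tok[i], 10)
      else if (tok[i] ~ /^tcontext=/) tc = substr(tok[i], 10)
      else if (tok[i] ~ /^tclass=/) tcl = substr(tok[i], 8)
    }
    gsub(/"/, "", name)
    split(sc, s, ":"); split(tc, t, ":")
    kind = (t[3] == "file_t") ? "LABELING" : "POLICY"
    printf "%s %s %s %s %s %s %s\n", kind, name, dev, tcl, perms, s[3], t[3]
  }'
}

# Device nodes whose denials are purely a labeling problem, deduplicated.
labeling_nodes() {
  triage_avc | awk '$1 == "LABELING" && $4 == "chr_file" { print $2 }' | sort -u
}

# Relabel each stale static node by copying the context of the live node that
# udev created on its tmpfs, so no type name has to be picked by hand.
# RAWROOT is the bind mount from the mail (assumed default: /mnt/rawroot).
relabel_commands() {
  labeling_nodes | while IFS= read -r node; do
    printf 'chcon --reference=/dev/%s %s/dev/%s\n' "$node" "${RAWROOT:-/mnt/rawroot}" "$node"
  done
}

# Demonstration on the sample; on a real box: dmesg | triage_avc
printf '%s\n' "$SAMPLE_AVC" | triage_avc
```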