[DSE-Dev] Bug#1018833: refpolicy: misc missing permissions

Christian Göttsche cgzones at googlemail.com
Sat Apr 1 19:15:18 BST 2023


Re-checked on a freshly installed bookworm system (running permissive - every AVC below shows permissive=1, so success=yes does not prove the permission is required):


type=PROCTITLE msg=audit(01/04/23 19:09:55.035:61) :
proctitle=restorecon -vv -R -F -n -T 0 /
type=PATH msg=audit(01/04/23 19:09:55.035:61) : item=0
name=/proc/sys/vm/overcommit_memory inode=14256 dev=00:14
mode=file,644 ouid=root ogid=root rdev=00:00
obj=system_u:object_r:sysctl_vm_overcommit_t:s0 nametype=NORMAL
cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
type=CWD msg=audit(01/04/23 19:09:55.035:61) : cwd=/root
type=SYSCALL msg=audit(01/04/23 19:09:55.035:61) : arch=x86_64
syscall=openat success=yes exit=3 a0=AT_FDCWD a1=0x7f509abf42f0
a2=O_RDONLY|O_CLOEXEC a3=0x0 items=1 ppid=589 pid=609 auid=root
uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root
fsgid=root tty=pts1 ses=1 comm=restorecon exe=/usr/sbin/setfiles
subj=unconfined_u:unconfined_r:setfiles_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(01/04/23 19:09:55.035:61) : avc:  denied  { open }
for  pid=609 comm=restorecon path=/proc/sys/vm/overcommit_memory
dev="proc" ino=14256
scontext=unconfined_u:unconfined_r:setfiles_t:s0-s0:c0.c1023
tcontext=system_u:object_r:sysctl_vm_overcommit_t:s0
 tclass=file permissive=1
type=AVC msg=audit(01/04/23 19:09:55.035:61) : avc:  denied  { read }
for  pid=609 comm=restorecon name=overcommit_memory dev="proc"
ino=14256 scontext=unconfined_u:unconfined_r:setfiles_t:s0-s0:c0.c1023
tcontext=system_u:object_r:sysctl_vm_overcommit_t:s0 tclass=file
permissive=1

Probably due to the use of the -T (thread count) flag. The open is O_RDONLY and the AVC asks only for { open read }, so read-only access to the vm overcommit sysctl is sufficient:

# setfiles/restorecon -T opens /proc/sys/vm/overcommit_memory read-only
# (openat O_RDONLY, AVC { open read } on sysctl_vm_overcommit_t); the
# read-only interface is enough - no write access to the sysctl is needed.
+kernel_read_vm_overcommit_sysctl(setfiles_t)


type=PROCTITLE msg=audit(01/04/23 19:09:13.052:32) :
proctitle=/usr/sbin/vnstatd -n
type=PATH msg=audit(01/04/23 19:09:13.052:32) : item=0
name=/dev/urandom inode=18 dev=00:2c mode=character,666 ouid=root
ogid=root rdev=01:09 obj=system_u:object_r:urandom_device_t:s0
nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0
cap_frootid=0
type=CWD msg=audit(01/04/23 19:09:13.052:32) : cwd=/
type=SYSCALL msg=audit(01/04/23 19:09:13.052:32) : arch=x86_64
syscall=openat success=yes exit=5 a0=AT_FDCWD a1=0x7f76a2fa5acc
a2=O_RDONLY|O_CLOEXEC a3=0x0 items=1 ppid=1 pid=557 auid=unset
uid=vnstat gid=vnstat euid=vnstat suid=vnstat fsuid=vnstat egid=vnstat
sgid=vnstat fsgid=vnstat tty=(none) ses=unset comm=vnstatd
exe=/usr/sbin/vnstatd subj=system_u:system_r:vnstatd_t:s0 key=(null)
type=AVC msg=audit(01/04/23 19:09:13.052:32) : avc:  denied  { open }
for  pid=557 comm=vnstatd path=/dev/urandom dev="tmpfs" ino=18
scontext=system_u:system_r:vnstatd_t:s0
tcontext=system_u:object_r:urandom_device_t:s0 tclass=chr_file
permissive=1
type=AVC msg=audit(01/04/23 19:09:13.052:32) : avc:  denied  { read }
for  pid=557 comm=vnstatd name=urandom dev="tmpfs" ino=18
scontext=system_u:system_r:vnstatd_t:s0
tcontext=system_u:object_r:urandom_device_t:s0 tclass=chr_file
permissive=1

# vnstatd opens /dev/urandom read-only (chr_file { open read } on
# urandom_device_t); a read-only interface covers the denial.
+dev_read_urand(vnstatd_t)


Apr 01 19:09:12 debianrefpolicy kernel: audit: type=1400
audit(1680368952.624:6): avc:  denied  { relabelfrom } for  pid=488
comm="systemd-tmpfile" name="mtab" dev="vda1" ino=261264
scontext=system_u:system_r:systemd_tmpfiles_t:s0
tcontext=system_u:object_r:etc_t:s0 tclass=lnk_file permissive=1
Apr 01 19:09:12 debianrefpolicy kernel: audit: type=1400
audit(1680368952.624:7): avc:  denied  { relabelto } for  pid=488
comm="systemd-tmpfile" name="mtab" dev="vda1" ino=261264
scontext=system_u:system_r:systemd_tmpfiles_t:s0
tcontext=system_u:object_r:etc_t:s0 tclass=lnk_file permissive=1
Apr 01 19:09:12 debianrefpolicy kernel: audit: type=1400
audit(1680368952.624:8): avc:  denied  { relabelfrom } for  pid=488
comm="systemd-tmpfile" name="root" dev="vda1" ino=1044482
scontext=system_u:system_r:systemd_tmpfiles_t:s0
tcontext=unconfined_u:object_r:user_home_dir_t:s0 tclass=dir
permissive=1
Apr 01 19:09:12 debianrefpolicy kernel: audit: type=1400
audit(1680368952.628:9): avc:  denied  { relabelto } for  pid=488
comm="systemd-tmpfile" name="root" dev="vda1" ino=1044482
scontext=system_u:system_r:systemd_tmpfiles_t:s0
tcontext=unconfined_u:object_r:user_home_dir_t:s0 tclass=dir
permissive=1
Apr 01 19:09:12 debianrefpolicy kernel: audit: type=1400
audit(1680368952.628:10): avc:  denied  { relabelfrom } for  pid=488
comm="systemd-tmpfile" name=".ssh" dev="vda1" ino=1044487
scontext=system_u:system_r:systemd_tmpfiles_t:s0
tcontext=unconfined_u:object_r:ssh_home_t:s0 tclass=dir permissive=1

Caused by /usr/lib/tmpfiles.d/provision.conf: the first pair is the /etc/mtab symlink (etc_t lnk_file), the rest are /root (user_home_dir_t) and /root/.ssh (ssh_home_t) being relabelled by systemd-tmpfiles, which runs as system_u while the targets are labelled unconfined_u.

+allow systemd_tmpfiles_t etc_t:lnk_file { relabelfrom relabelto };
# NOTE(review): the next two rules let a system_u daemon re-type /root and
# /root/.ssh (user_home_dir_t / ssh_home_t - the latter holds the
# authorized_keys of the root account).  The AVCs only show /root and
# /root/.ssh; confirm with the refpolicy maintainers whether a narrower
# interface exists before granting relabel on every ssh_home_t directory.
+allow systemd_tmpfiles_t ssh_home_t:dir { relabelfrom relabelto };
+allow systemd_tmpfiles_t user_home_dir_t:dir { relabelfrom relabelto };
# label files with user unconfined_u running as user system_u
# (the exemption applies to the domain as a whole, not just these paths)
+domain_obj_id_change_exemption(systemd_tmpfiles_t)



type=PROCTITLE msg=audit(01/04/23 19:42:13.993:72) : proctitle=userdel vnstat
type=PATH msg=audit(01/04/23 19:42:13.993:72) : item=0
name=/proc/484/root inode=2 dev=fe:01 mode=dir,755 ouid=root ogid=root
rdev=00:00 obj=system_u:object_r:root_t:s0 nametype=NORMAL cap_fp=none
cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
type=CWD msg=audit(01/04/23 19:42:13.993:72) : cwd=/
type=SYSCALL msg=audit(01/04/23 19:42:13.993:72) : arch=x86_64
syscall=newfstatat success=yes exit=0 a0=AT_FDCWD a1=0x7ffcaa762780
a2=0x7ffcaa7626d0 a3=0x0 items=1 ppid=659 pid=660 auid=root uid=root
gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts4 ses=1 comm=userdel exe=/usr/sbin/userdel
subj=unconfined_u:unconfined_r:useradd_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(01/04/23 19:42:13.993:72) : avc:  denied  {
sys_ptrace } for  pid=660 comm=userdel capability=sys_ptrace
scontext=unconfined_u:unconfined_r:useradd_t:s0-s0:c0.c1023
tcontext=unconfined_u:unconfined_r:useradd_t:s0-s0:c0.c1023
tclass=capability permissive=1

# NOTE(review): CAP_SYS_PTRACE is a broad capability.  The trigger here is
# a stat() of /proc/<pid>/root (newfstatat on /proc/484/root) while userdel
# walks /proc; success=yes only because the system is permissive.  If
# userdel still completes without it, prefer a dontaudit over this allow.
+allow useradd_t self:capability sys_ptrace;


type=PROCTITLE msg=audit(01/04/23 19:43:51.042:119) :
proctitle=/sbin/groupadd -g 110 vnstat
type=SYSCALL msg=audit(01/04/23 19:43:51.042:119) : arch=x86_64
syscall=fstatfs success=yes exit=0 a0=0x3 a1=0x7ffeed32c5c0 a2=0x0
a3=0x0 items=0 ppid=856 pid=857 auid=root uid=root gid=root euid=root
suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts4 ses=1 comm=groupadd exe=/usr/sbin/groupadd
subj=unconfined_u:unconfined_r:groupadd_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(01/04/23 19:43:51.042:119) : avc:  denied  {
getattr } for  pid=857 comm=groupadd name=/ dev="proc" ino=1
scontext=unconfined_u:unconfined_r:groupadd_t:s0-s0:c0.c1023
tcontext=system_u:object_r:proc_t:s0 tclass=filesystem permissive=1

# groupadd calls fstatfs() on a descriptor on /proc (filesystem getattr on
# proc_t); this is a read-only filesystem attribute query.
+kernel_getattr_proc(groupadd_t)


type=PROCTITLE msg=audit(01/04/23 19:47:34.834:196) : proctitle=plocate /
type=SYSCALL msg=audit(01/04/23 19:47:34.834:196) : arch=x86_64
syscall=io_uring_setup success=yes exit=4 a0=0x100 a1=0x7ffc94fad5c0
a2=0x7ffc94fad5c0 a3=0x7f17e70aa570 items=0 ppid=1224 pid=1225
auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root
sgid=root fsgid=root tty=pts4 ses=1 comm=plocate exe=/usr/bin/plocate
subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(01/04/23 19:47:34.834:196) : avc:  denied  { create
} for  pid=1225 comm=plocate anonclass=[io_uring]
scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
tcontext=unconfined_u:object_r:unconfined_t:s0 tclass=anon_inode
permissive=1
----
type=PROCTITLE msg=audit(01/04/23 19:47:34.834:197) : proctitle=plocate /
type=MMAP msg=audit(01/04/23 19:47:34.834:197) : fd=4
flags=MAP_SHARED|MAP_POPULATE
type=SYSCALL msg=audit(01/04/23 19:47:34.834:197) : arch=x86_64
syscall=mmap success=yes exit=139740637237248 a0=0x0 a1=0x2540
a2=PROT_READ|PROT_WRITE a3=MAP_SHARED|MAP_POPULATE items=0 ppid=1224
pid=1225 auid=root uid=root gid=root euid=root suid=root fsuid=root
egid=root sgid=root fsgid=root tty=pts4 ses=1 comm=plocate
exe=/usr/bin/plocate
subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(01/04/23 19:47:34.834:197) : avc:  denied  { read
write } for  pid=1225 comm=plocate path=anon_inode:[io_uring]
dev="anon_inodefs" ino=20748
scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
tcontext=unconfined_u:object_r:unconfined_t:s0
 tclass=anon_inode permissive=1
type=AVC msg=audit(01/04/23 19:47:34.834:197) : avc:  denied  { map }
for  pid=1225 comm=plocate path=anon_inode:[io_uring]
dev="anon_inodefs" ino=20748
scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
tcontext=unconfined_u:object_r:unconfined_t:s0 tclass=anon_inode permissive=1

Usage of io_uring, e.g. in plocate: io_uring_setup() creates the [io_uring] anon inode ({ create }), and the subsequent mmap(MAP_SHARED) of the rings needs { read write map }. The anon inode takes the creator's context (tcontext is unconfined_t), hence self:

# io_uring_setup() -> anon_inode { create }; mmap(MAP_SHARED) of the
# submission/completion rings -> { read write map }.  The target is self
# because the anon inode inherits the creating domain's context.
+allow unconfined_t self:anon_inode { create map read write };



Apr 01 19:09:12 debianrefpolicy kernel: audit: type=1400
audit(1680368952.052:3): avc:  denied  { create } for  pid=375
comm="mkdir" name="console-setup" scontext=system_u:system_r:udev_t:s0
tcontext=system_u:object_r:var_run_t:s0 tclass=dir permissive=1
Apr 01 19:09:12 debianrefpolicy kernel: audit: type=1400
audit(1680368952.052:4): avc:  denied  { create } for  pid=334
comm="cached_setup_fo" name="font-loaded"
scontext=system_u:system_r:udev_t:s0
tcontext=system_u:object_r:var_run_t:s0 tclass=file permissive=1
Apr 01 19:09:12 debianrefpolicy kernel: audit: type=1400
audit(1680368952.052:5): avc:  denied  { write open } for  pid=334
comm="cached_setup_fo" path="/run/console-setup/font-loaded"
dev="tmpfs" ino=721 scontext=system_u:system_r:udev_t:s0
tcontext=system_u:object_r:var_run_t:s0 tclass=file permissive=1

Since there are some Debian patches to the refpolicy regarding
/run/console-setup, I am not sure what your preferred resolution would
be. Note that the created objects currently land as generic var_run_t; a
file transition to a dedicated type for /run/console-setup would be
preferable to allowing udev_t to create and write generic var_run_t files.


