[DSE-Dev] Bug#690477: selinux-policy-default: multiple avc denies and su problem
cgzones
cgzones at googlemail.com
Sun Oct 14 17:55:41 UTC 2012
Package: selinux-policy-default
Version: 2:2.20110726-11
I'm using smartmontools and the daemon needs to read and write into its
lib directory /var/lib/smartmontools.
This directory is not labeled, so I get the following denials:
Oct 14 19:29:27 debian kernel: [ 18.444435] type=1400
audit(1350235767.006:11): avc: denied { read } for pid=2386
comm="smartd" name="smartd.SAMSUNG_SP0812N-S00MJ10X928870.ata.state"
dev=dm-0 ino=917609 scontext=system_u:system_r:fsdaemon_t:s0
tcontext=system_u:object_r:var_lib_t:s0 tclass=file
Oct 14 19:29:27 debian kernel: [ 18.444456] type=1400
audit(1350235767.006:12): avc: denied { open } for pid=2386
comm="smartd" name="smartd.SAMSUNG_SP0812N-S00MJ10X928870.ata.state"
dev=dm-0 ino=917609 scontext=system_u:system_r:fsdaemon_t:s0
tcontext=system_u:object_r:var_lib_t:s0 tclass=file
Oct 14 19:29:27 debian kernel: [ 18.444488] type=1400
audit(1350235767.006:13): avc: denied { getattr } for pid=2386
comm="smartd"
path="/var/lib/smartmontools/smartd.SAMSUNG_SP0812N-S00MJ10X928870.ata.state"
dev=dm-0 ino=917609 scontext=system_u:system_r:fsdaemon_t:s0
tcontext=system_u:object_r:var_lib_t:s0 tclass=file
I use the following to avoid this:

.fc file:
/var/lib/smartmontools(/.*)?	gen_context(system_u:object_r:fsdaemon_var_lib_t,s0)

.te file:
type fsdaemon_var_lib_t;
files_type(fsdaemon_var_lib_t)
allow fsdaemon_t var_lib_t:dir search_dir_perms;
manage_dirs_pattern(fsdaemon_t, fsdaemon_var_lib_t, fsdaemon_var_lib_t)
manage_files_pattern(fsdaemon_t, fsdaemon_var_lib_t, fsdaemon_var_lib_t)
When relabeling manually with restorecond I get the following denials:
setfiles_t:s0-s0:c0.c1023
tcontext=staff_u:sysadm_r:setfiles_t:s0-s0:c0.c1023
tclass=netlink_audit_socket
/var/log/syslog:Oct 5 17:35:50 debian kernel: [ 2826.667177] type=1400
audit(1349451350.806:159): avc: denied { write } for pid=5240
comm="restorecon" scontext=staff_u:sysadm_r:setfiles_t:s0-s0:c0.c1023
tcontext=staff_u:sysadm_r:setfiles_t:s0-s0:c0.c1023
tclass=netlink_audit_socket
/var/log/syslog:Oct 5 17:35:50 debian kernel: [ 2826.667259] type=1400
audit(1349451350.806:160): avc: denied { nlmsg_relay } for pid=5240
comm="restorecon" scontext=staff_u:sysadm_r:setfiles_t:s0-s0:c0.c1023
tcontext=staff_u:sysadm_r:setfiles_t:s0-s0:c0.c1023
tclass=netlink_audit_socket
/var/log/syslog:Oct 5 17:35:50 debian kernel: [ 2826.667336] type=1400
audit(1349451350.806:161): avc: denied { audit_write } for pid=5240
comm="restorecon" capability=29
scontext=staff_u:sysadm_r:setfiles_t:s0-s0:c0.c1023
tcontext=staff_u:sysadm_r:setfiles_t:s0-s0:c0.c1023 tclass=capability
/var/log/syslog:Oct 5 17:35:50 debian kernel: [ 2826.667696] type=1400
audit(1349451350.806:162): avc: denied { read } for pid=5240
comm="restorecon" scontext=staff_u:sysadm_r:setfiles_t:s0-s0:c0.c1023
tcontext=staff_u:sysadm_r:setfiles_t:s0-s0:c0.c1023
tclass=netlink_audit_socket
While booting I get these denials:
Oct 14 19:29:23 debian kernel: [ 7.465566] type=1400
audit(1350235756.026:3): avc: denied { read write } for pid=581
comm="hostname" name="tty1" dev=devtmpfs ino=1201
scontext=system_u:system_r:hostname_t:s0
tcontext=system_u:object_r:tty_device_t:s0 tclass=chr_file
Oct 14 19:29:23 debian kernel: [ 8.116923] type=1400
audit(1350235756.678:4): avc: denied { read write } for pid=647
comm="swapon" name="tty1" dev=devtmpfs ino=1201
scontext=system_u:system_r:fsadm_t:s0
tcontext=system_u:object_r:tty_device_t:s0 tclass=chr_file
Oct 14 19:29:23 debian kernel: [ 11.908177] type=1400
audit(1350235760.470:5): avc: denied { read write } for pid=1257
comm="swapon" name="tty1" dev=devtmpfs ino=1201
scontext=system_u:system_r:fsadm_t:s0
tcontext=system_u:object_r:tty_device_t:s0 tclass=chr_file
Oct 14 19:29:23 debian kernel: [ 13.505206] type=1400
audit(1350235762.066:6): avc: denied { read write } for pid=1532
comm="ip" name="tty1" dev=devtmpfs ino=1201
scontext=system_u:system_r:ifconfig_t:s0
tcontext=system_u:object_r:tty_device_t:s0 tclass=chr_file
I'm not using users in unconfined context, so my config is:

semanage user -l

                Labeling   MLS/       MLS/
SELinux User    Prefix     MCS Level  MCS Range                  SELinux Roles

root            sysadm     SystemLow  SystemLow-SystemHigh       staff_r sysadm_r system_r
staff_u         user       SystemLow  SystemLow-SystemHigh       staff_r sysadm_r
sysadm_u        sysadm     SystemLow  SystemLow-SystemHigh       sysadm_r
system_u        user       SystemLow  SystemLow-SystemHigh       system_r
unconfined_u    user       SystemLow  SystemLow                  unconfined_r
user_u          user       SystemLow  SystemLow                  user_r

semanage login -l

Login Name           SELinux User         MLS/MCS Range

__default__          user_u               SystemLow
systemuser           staff_u              SystemLow-SystemHigh
root                 staff_u              SystemLow-SystemHigh
system_u             system_u             SystemLow-SystemHigh
When running with this config, I am not able to su from systemuser to
root in enforcing mode because of these denials:
/var/log/syslog:Oct 5 14:41:00 debian kernel: [ 1957.455462] type=1400
audit(1349440860.398:127): avc: denied { search } for pid=3114
comm="su" name="/" dev=sysfs ino=1
scontext=staff_u:staff_r:staff_su_t:s0
tcontext=system_u:object_r:sysfs_t:s0 tclass=dir
/var/log/syslog:Oct 5 14:42:48 debian kernel: [ 2065.949967] type=1400
audit(1349440968.892:194): avc: denied { search } for pid=3214
comm="su" name="/" dev=sysfs ino=1
scontext=staff_u:staff_r:staff_su_t:s0-s0:c0.c1023
tcontext=system_u:object_r:sysfs_t:s0 tclass=dir
/var/log/syslog:Oct 5 15:26:31 debian kernel: [ 4688.219894] type=1400
audit(1349443591.161:240): avc: denied { signal } for pid=3214
comm="su" scontext=staff_u:staff_r:staff_su_t:s0-s0:c0.c1023
tcontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tclass=process
/var/log/syslog:Oct 5 16:52:50 debian kernel: [ 246.233184] type=1400
audit(1349448770.375:43): avc: denied { search } for pid=2579
comm="su" name="/" dev=sysfs ino=1
scontext=staff_u:staff_r:staff_su_t:s0-s0:c0.c1023
tcontext=system_u:object_r:sysfs_t:s0 tclass=dir
/var/log/syslog:Oct 5 18:52:58 debian kernel: [ 7454.686219] type=1400
audit(1349455978.827:710): avc: denied { signal } for pid=2579
comm="su" scontext=staff_u:staff_r:staff_su_t:s0-s0:c0.c1023
tcontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tclass=process
/var/log/syslog:Oct 5 19:27:36 debian kernel: [ 90.957618] type=1400
audit(1349458056.264:13): avc: denied { search } for pid=2587
comm="su" name="/" dev=sysfs ino=1
scontext=staff_u:staff_r:staff_su_t:s0-s0:c0.c1023
tcontext=system_u:object_r:sysfs_t:s0 tclass=dir
/var/log/syslog:Oct 5 20:00:45 debian kernel: [ 2080.568903] type=1400
audit(1349460045.873:25): avc: denied { signal } for pid=2588
comm="su" scontext=staff_u:staff_r:staff_su_t:s0-s0:c0.c1023
tcontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tclass=process
/var/log/syslog:Oct 5 20:02:00 debian kernel: [ 36.429997] type=1400
audit(1349460120.545:11): avc: denied { search } for pid=2593
comm="su" name="/" dev=sysfs ino=1
scontext=staff_u:staff_r:staff_su_t:s0-s0:c0.c1023
tcontext=system_u:object_r:sysfs_t:s0 tclass=dir
/var/log/syslog:Oct 5 20:02:00 debian kernel: [ 36.430069] type=1400
audit(1349460120.545:12): avc: denied { getattr } for pid=2593
comm="su" name="/" dev=dm-0 ino=2
scontext=staff_u:staff_r:staff_su_t:s0-s0:c0.c1023
tcontext=system_u:object_r:fs_t:s0 tclass=filesystem
/var/log/syslog:Oct 5 20:02:00 debian kernel: [ 36.430369] type=1400
audit(1349460120.545:13): avc: denied { search } for pid=2593
comm="su" name="/" dev=sysfs ino=1
scontext=staff_u:staff_r:staff_su_t:s0-s0:c0.c1023
tcontext=system_u:object_r:sysfs_t:s0 tclass=dir
/var/log/syslog:Oct 5 20:02:05 debian kernel: [ 41.386092] type=1400
audit(1349460125.496:14): avc: denied { search } for pid=2594
comm="su" name="/" dev=sysfs ino=1
scontext=staff_u:staff_r:staff_su_t:s0-s0:c0.c1023
tcontext=system_u:object_r:sysfs_t:s0 tclass=dir
/var/log/syslog:Oct 5 20:02:05 debian kernel: [ 41.386171] type=1400
audit(1349460125.496:15): avc: denied { getattr } for pid=2594
comm="su" name="/" dev=dm-0 ino=2
scontext=staff_u:staff_r:staff_su_t:s0-s0:c0.c1023
tcontext=system_u:object_r:fs_t:s0 tclass=filesystem
/var/log/syslog:Oct 5 20:02:05 debian kernel: [ 41.386443] type=1400
audit(1349460125.496:16): avc: denied { search } for pid=2594
comm="su" name="/" dev=sysfs ino=1
scontext=staff_u:staff_r:staff_su_t:s0-s0:c0.c1023
tcontext=system_u:object_r:sysfs_t:s0 tclass=dir
/var/log/syslog:Oct 5 20:02:12 debian kernel: [ 47.961754] type=1400
audit(1349460132.076:17): avc: denied { search } for pid=2595
comm="su" name="/" dev=sysfs ino=1
scontext=staff_u:staff_r:staff_su_t:s0-s0:c0.c1023
tcontext=system_u:object_r:sysfs_t:s0 tclass=dir
/var/log/syslog:Oct 5 20:02:12 debian kernel: [ 47.961813] type=1400
audit(1349460132.076:18): avc: denied { getattr } for pid=2595
comm="su" name="/" dev=dm-0 ino=2
scontext=staff_u:staff_r:staff_su_t:s0-s0:c0.c1023
tcontext=system_u:object_r:fs_t:s0 tclass=filesystem
/var/log/syslog:Oct 5 20:02:12 debian kernel: [ 47.962074] type=1400
audit(1349460132.076:19): avc: denied { search } for pid=2595
comm="su" name="/" dev=sysfs ino=1
scontext=staff_u:staff_r:staff_su_t:s0-s0:c0.c1023
tcontext=system_u:object_r:sysfs_t:s0 tclass=dir
/var/log/syslog:Oct 5 20:03:32 debian kernel: [ 128.496202] type=1400
audit(1349460212.611:21): avc: denied { search } for pid=2708
comm="su" name="/" dev=sysfs ino=1
scontext=staff_u:staff_r:staff_su_t:s0-s0:c0.c1023
tcontext=system_u:object_r:sysfs_t:s0 tclass=dir
/var/log/syslog:Oct 5 20:14:53 debian kernel: [ 809.008708] type=1400
audit(1349460893.123:166): avc: denied { read } for pid=3075
comm="su" name="shadow" dev=dm-0 ino=132290
scontext=staff_u:staff_r:staff_su_t:s0-s0:c0.c1023
tcontext=system_u:object_r:shadow_t:s0 tclass=file
In particular staff_su_t needs to read /etc/shadow.
I use the following to allow su, but maybe it's too permissive:
allow staff_su_t fs_t:filesystem getattr;
allow staff_su_t staff_t:process signal;
allow staff_su_t sysfs_t:dir search_dir_perms;
auth_can_read_shadow_passwords(staff_su_t)
auth_tunable_read_shadow(staff_su_t)
Best regards,
Christian Göttsche
-- System Information:
Debian Release: wheezy/sid
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: i386 (i686)

Kernel: Linux 3.2.0-3-686-pae (SMP w/1 CPU core)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash
Versions of packages selinux-policy-default depends on:
ii libpam-modules 1.1.3-7.1
ii libselinux1 2.1.9-5
ii libsepol1 2.1.4-3
ii policycoreutils 2.1.10-9
ii python 2.7.3~rc2-1
Versions of packages selinux-policy-default recommends:
ii checkpolicy 2.1.8-2
ii setools 3.3.7-3
Versions of packages selinux-policy-default suggests:
pn logcheck <none>
pn syslog-summary <none>
-- Configuration Files:
/etc/selinux/default/modules/active/file_contexts.local [Errno 13] Permission denied: u'/etc/selinux/default/modules/active/file_contexts.local'
-- no debconf information
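Added example (not part of the bug report and not code from the Debian selinux-policy package): a small parser that reads AVC denial lines like the ones quoted in the report, groups them by (source type, target type, class) the way audit2allow does, and emits the equivalent allow rules. It also flags denials whose target is a generic type such as var_lib_t, because those usually point at a mislabeled path (the reporter's /var/lib/smartmontools case) where a file context is the right fix rather than an allow rule. The sample lines are the report's own denials re-joined onto single lines; the set of "generic" types is an assumption for this example.

```python
import re
from collections import defaultdict

# Matches "avc:  denied  { perm perm } for  key=value ..." (kernel adds double spaces).
AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*)$'
)
# key=value pairs; quoted values may contain spaces or slashes.
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Assumption for this example: target types that usually mean "this path was
# never labeled", so the fix is a file context, not a new allow rule.
GENERIC_TARGET_TYPES = {'var_lib_t', 'var_t', 'var_log_t', 'etc_t', 'tmp_t', 'usr_t'}

# Constructed from the denials quoted in the bug report, one record per line.
SAMPLE_LOG = [
    'Oct 14 19:29:27 debian kernel: [   18.444435] type=1400 audit(1350235767.006:11): avc:  denied  { read } for  pid=2386 comm="smartd" name="smartd.SAMSUNG_SP0812N-S00MJ10X928870.ata.state" dev=dm-0 ino=917609 scontext=system_u:system_r:fsdaemon_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file',
    'Oct 14 19:29:27 debian kernel: [   18.444456] type=1400 audit(1350235767.006:12): avc:  denied  { open } for  pid=2386 comm="smartd" name="smartd.SAMSUNG_SP0812N-S00MJ10X928870.ata.state" dev=dm-0 ino=917609 scontext=system_u:system_r:fsdaemon_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file',
    'Oct 14 19:29:27 debian kernel: [   18.444488] type=1400 audit(1350235767.006:13): avc:  denied  { getattr } for  pid=2386 comm="smartd" path="/var/lib/smartmontools/smartd.SAMSUNG_SP0812N-S00MJ10X928870.ata.state" dev=dm-0 ino=917609 scontext=system_u:system_r:fsdaemon_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file',
    '/var/log/syslog:Oct 5 17:35:50 debian kernel: [ 2826.667336] type=1400 audit(1349451350.806:161): avc:  denied  { audit_write } for  pid=5240 comm="restorecon" capability=29 scontext=staff_u:sysadm_r:setfiles_t:s0-s0:c0.c1023 tcontext=staff_u:sysadm_r:setfiles_t:s0-s0:c0.c1023 tclass=capability',
    '/var/log/syslog:Oct 5 14:41:00 debian kernel: [ 1957.455462] type=1400 audit(1349440860.398:127): avc:  denied  { search } for  pid=3114 comm="su" name="/" dev=sysfs ino=1 scontext=staff_u:staff_r:staff_su_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=dir',
    '/var/log/syslog:Oct 5 20:14:53 debian kernel: [  809.008708] type=1400 audit(1349460893.123:166): avc:  denied  { read } for  pid=3075 comm="su" name="shadow" dev=dm-0 ino=132290 scontext=staff_u:staff_r:staff_su_t:s0-s0:c0.c1023 tcontext=system_u:object_r:shadow_t:s0 tclass=file',
    'Oct 14 19:29:23 debian kernel: [    7.465566] type=1400 audit(1350235756.026:3): avc:  denied  { read write } for  pid=581 comm="hostname" name="tty1" dev=devtmpfs ino=1201 scontext=system_u:system_r:hostname_t:s0 tcontext=system_u:object_r:tty_device_t:s0 tclass=chr_file',
]


def parse_avc(line):
    """Return a dict describing one AVC denial, or None if the line is not one."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group('fields'))}
    if not {'scontext', 'tcontext', 'tclass'} <= fields.keys():
        return None
    # A context is user:role:type[:range]; the type is always the third field.
    return {
        'perms': m.group('perms').split(),
        'comm': fields.get('comm'),
        'source_type': fields['scontext'].split(':')[2],
        'target_type': fields['tcontext'].split(':')[2],
        'tclass': fields['tclass'],
        'path': fields.get('path') or fields.get('name'),
    }


def summarize(lines):
    """Group denied permissions by (source type, target type, object class)."""
    rules = defaultdict(set)
    for line in lines:
        d = parse_avc(line)
        if d:
            rules[(d['source_type'], d['target_type'], d['tclass'])].update(d['perms'])
    return dict(rules)


def to_allow_rules(summary):
    """Render the summary as policy allow rules (same shape audit2allow emits)."""
    out = []
    for (src, tgt, cls), perms in sorted(summary.items()):
        target = 'self' if src == tgt else tgt   # audit2allow writes self for same-type
        p = sorted(perms)
        perm_str = p[0] if len(p) == 1 else '{ ' + ' '.join(p) + ' }'
        out.append(f'allow {src} {target}:{cls} {perm_str};')
    return out


def labeling_candidates(lines):
    """Map source type -> paths/names denied on a generic target type (likely mislabeled)."""
    hits = {}
    for line in lines:
        d = parse_avc(line)
        if d and d['target_type'] in GENERIC_TARGET_TYPES and d['path']:
            hits.setdefault(d['source_type'], set()).add(d['path'])
    return hits


if __name__ == '__main__':
    for rule in to_allow_rules(summarize(SAMPLE_LOG)):
        print(rule)
    for src, paths in labeling_candidates(SAMPLE_LOG).items():
        print(f'# {src}: generic target type; consider a file context for {sorted(paths)}')
```

Run against the sample, the smartd denials collapse to `allow fsdaemon_t var_lib_t:file { getattr open read };` while the candidate check points at /var/lib/smartmontools, which is exactly why the reporter added a file context and a dedicated fsdaemon_var_lib_t type instead of that rule; the su and restorecon denials have no path on a generic type and so show up only as allow rules for review.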