[DSE-Dev] Bug#963497: selinux-policy-default: Let's Encrypt certbot tools crashed into Segmentation fault with SELinux Enforcing mode

Maksim K. debian_bug at k-max.name
Mon Jun 22 15:16:07 BST 2020


Package: selinux-policy-default
Version: 2:2.20161023.1-9
Severity: grave
Justification: renders package unusable
Control: -1 = certbot

Dear Maintainer,

I have tried to run an Apache server with Let's Encrypt security
certificates. I enabled SELinux in Enforcing mode.
I've installed certbot with its dependent packages.
And when I try to run it, the certbot command fails with the error Segmentation
fault:
***
root at vps:~# getenforce
Enforcing
root at vps:~# certbot --apache -d virt.domain -d www.virt.domain
Segmentation fault
root at vps:~# man certbot
root at vps:~# certbot --apache -d virt.domain -d www.virt.domain --debug
Segmentation fault
root at vps:~#
***

These are the auth.log messages from when certbot fired:
***
root at vps:/etc/bind# grep certbot /var/log/audit/audit.log
type=AVC msg=audit(1592778047.217:76615): avc:  denied  { execmem } for  pid=22641 comm="certbot" scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=process permissive=0
type=SYSCALL msg=audit(1592778047.217:76615): arch=c000003e syscall=9 success=no exit=-13 a0=0 a1=1000 a2=7 a3=22 items=0 ppid=17778 pid=22641 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts4 ses=1405 comm="certbot" exe="/usr/bin/python3.5" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
type=ANOM_ABEND msg=audit(1592778047.221:76616): auid=0 uid=0 gid=0 ses=1405 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 pid=22641 comm="certbot" exe="/usr/bin/python3.5" sig=11
type=AVC msg=audit(1592778051.169:76617): avc:  denied  { execmem } for  pid=22643 comm="certbot" scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=process permissive=0
type=SYSCALL msg=audit(1592778051.169:76617): arch=c000003e syscall=9 success=no exit=-13 a0=0 a1=1000 a2=7 a3=22 items=0 ppid=17778 pid=22643 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts4 ses=1405 comm="certbot" exe="/usr/bin/python3.5" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
type=ANOM_ABEND msg=audit(1592778051.173:76618): auid=0 uid=0 gid=0 ses=1405 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 pid=22643 comm="certbot" exe="/usr/bin/python3.5" sig=11
type=AVC msg=audit(1592778288.940:76901): avc:  denied  { execmem } for  pid=23208 comm="certbot" scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=process permissive=0
type=SYSCALL msg=audit(1592778288.940:76901): arch=c000003e syscall=9 success=no exit=-13 a0=0 a1=1000 a2=7 a3=22 items=0 ppid=17778 pid=23208 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts4 ses=1405 comm="certbot" exe="/usr/bin/python3.5" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
type=ANOM_ABEND msg=audit(1592778288.944:76902): auid=0 uid=0 gid=0 ses=1405 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 pid=23208 comm="certbot" exe="/usr/bin/python3.5" sig=11
type=AVC msg=audit(1592778319.924:76911): avc:  denied  { execmem } for  pid=23219 comm="certbot" scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=process permissive=0
type=SYSCALL msg=audit(1592778319.924:76911): arch=c000003e syscall=9 success=no exit=-13 a0=0 a1=1000 a2=7 a3=22 items=0 ppid=17778 pid=23219 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts4 ses=1405 comm="certbot" exe="/usr/bin/python3.5" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
type=ANOM_ABEND msg=audit(1592778319.928:76912): auid=0 uid=0 gid=0 ses=1405 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 pid=23219 comm="certbot" exe="/usr/bin/python3.5" sig=11
type=AVC msg=audit(1592824753.138:84440): avc:  denied  { execmem } for  pid=26179 comm="certbot" scontext=system_u:system_r:initrc_t:s0 tcontext=system_u:system_r:initrc_t:s0 tclass=process permissive=0
type=SYSCALL msg=audit(1592824753.138:84440): arch=c000003e syscall=9 success=no exit=-13 a0=0 a1=1000 a2=7 a3=22 items=0 ppid=1 pid=26179 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="certbot" exe="/usr/bin/python3.5" subj=system_u:system_r:initrc_t:s0 key=(null)
type=ANOM_ABEND msg=audit(1592824753.142:84441): auid=4294967295 uid=0 gid=0 ses=4294967295 subj=system_u:system_r:initrc_t:s0 pid=26179 comm="certbot" exe="/usr/bin/python3.5" sig=11
type=SERVICE_START msg=audit(1592824753.150:84442): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=certbot comm="systemd" exe="/lib/systemd/systemd" hostname=? addr=? terminal=? res=failed'
type=AVC msg=audit(1592832902.769:84609): avc:  denied  { execmem } for  pid=26849 comm="certbot" scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=process permissive=0
type=SYSCALL msg=audit(1592832902.769:84609): arch=c000003e syscall=9 success=no exit=-13 a0=0 a1=1000 a2=7 a3=22 items=0 ppid=17778 pid=26849 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts4 ses=1405 comm="certbot" exe="/usr/bin/python3.5" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
type=ANOM_ABEND msg=audit(1592832902.773:84610): auid=0 uid=0 gid=0 ses=1405 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 pid=26849 comm="certbot" exe="/usr/bin/python3.5" sig=11
type=AVC msg=audit(1592832936.869:84611): avc:  denied  { execmem } for  pid=26868 comm="certbot" scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=process permissive=0
type=SYSCALL msg=audit(1592832936.869:84611): arch=c000003e syscall=9 success=no exit=-13 a0=0 a1=1000 a2=7 a3=22 items=0 ppid=17778 pid=26868 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts4 ses=1405 comm="certbot" exe="/usr/bin/python3.5" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
type=ANOM_ABEND msg=audit(1592832936.873:84612): auid=0 uid=0 gid=0 ses=1405 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 pid=26868 comm="certbot" exe="/usr/bin/python3.5" sig=11
root at vps:/etc/bind#
***

audit2allow suggested that I enable these booleans: allow_execmem and allow_execstack:
***
root at vps:/etc/bind# grep certbot /var/log/audit/audit.log | audit2why
type=AVC msg=audit(1592778047.217:76615): avc:  denied  { execmem } for  pid=22641 comm="certbot" scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=process permissive=0

        Was caused by:
        One of the following booleans was set incorrectly.
        Description:
        Allow unconfined executables to map a memory region as both executable and writable, this is dangerous and the executable should be reported in bugzilla")

        Allow access by executing:
        # setsebool -P allow_execmem 1
        Description:
        Allow unconfined executables to make their stack executable.  This should never, ever be necessary. Probably indicates a badly coded executable, but could indicate an attack. This executable should be reported in bugzilla")

        Allow access by executing:
        # setsebool -P allow_execstack 1
***

After placing SELinux into Permissive mode, it works fine:
***
root at vps:/tmp# setenforce 0
root at vps:/tmp# certbot --apache -d example.com -d www.example.com --debug
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator apache, Installer apache
Enter email address (used for urgent renewal and security notices) (Enter 'c' to
cancel): mc.sim at k-max.***

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please read the Terms of Service at
https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf. You must
agree in order to register with the ACME server at
https://acme-v02.api.letsencrypt.org/directory
<...>
***

Current versions of the certbot packages are:
***
Versions of packages certbot depends on:
ii  init-system-helpers  1.48
ii  python3              3.5.3-1
ii  python3-certbot      0.28.0-1~deb9u2

certbot recommends no packages.

Versions of packages certbot suggests:
pn  python-certbot-doc      <none>
ii  python3-certbot-apache  0.28.0-1~deb9u1
pn  python3-certbot-nginx   <none>
***

So, I could say certbot does not work at all in SELinux Enforcing mode.


-- System Information:
Debian Release: 9.12
  APT prefers oldstable-updates
  APT policy: (500, 'oldstable-updates'), (500, 'oldstable')
Architecture: amd64 (x86_64)

Kernel: Linux 4.9.0-12-amd64 (SMP w/1 CPU core)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8) (ignored: LC_ALL set to en_US.UTF-8), LANGUAGE=en_US.UTF-8 (charmap=UTF-8) (ignored: LC_ALL set to en_US.UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages selinux-policy-default depends on:
ii  libselinux1      2.6-3+b3
ii  libsemanage1     2.6-2
ii  libsepol1        2.6-2
ii  policycoreutils  2.6-3
ii  selinux-utils    2.6-3+b3

Versions of packages selinux-policy-default recommends:
ii  checkpolicy  2.6-2
ii  setools      4.0.1-6

Versions of packages selinux-policy-default suggests:
pn  logcheck        <none>
pn  syslog-summary  <none>

-- no debconf information
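The records quoted in this report pair an AVC execmem denial with the mmap() SYSCALL it came from (same audit serial) and, a few milliseconds later, an ANOM_ABEND for the same pid. The following is an added example, not code from the report or from the certbot or selinux-policy projects: it correlates such records by serial and pid, decodes the mmap prot argument, and says whether each enforced denial was followed by a SIGSEGV; the sample lines are constructed from the ones above.

```python
import re

# Constructed sample, modelled on the audit records quoted in the report:
# an interactive run (unconfined_t) and a systemd-timer run (initrc_t).
SAMPLE_AUDIT = """\
type=AVC msg=audit(1592778047.217:76615): avc:  denied  { execmem } for  pid=22641 comm="certbot" scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=process permissive=0
type=SYSCALL msg=audit(1592778047.217:76615): arch=c000003e syscall=9 success=no exit=-13 a0=0 a1=1000 a2=7 a3=22 items=0 ppid=17778 pid=22641 auid=0 uid=0 comm="certbot" exe="/usr/bin/python3.5" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
type=ANOM_ABEND msg=audit(1592778047.221:76616): auid=0 uid=0 gid=0 ses=1405 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 pid=22641 comm="certbot" exe="/usr/bin/python3.5" sig=11
type=AVC msg=audit(1592824753.138:84440): avc:  denied  { execmem } for  pid=26179 comm="certbot" scontext=system_u:system_r:initrc_t:s0 tcontext=system_u:system_r:initrc_t:s0 tclass=process permissive=0
type=SYSCALL msg=audit(1592824753.138:84440): arch=c000003e syscall=9 success=no exit=-13 a0=0 a1=1000 a2=7 a3=22 items=0 ppid=1 pid=26179 auid=4294967295 uid=0 comm="certbot" exe="/usr/bin/python3.5" subj=system_u:system_r:initrc_t:s0 key=(null)
type=ANOM_ABEND msg=audit(1592824753.142:84441): auid=4294967295 uid=0 gid=0 ses=4294967295 subj=system_u:system_r:initrc_t:s0 pid=26179 comm="certbot" exe="/usr/bin/python3.5" sig=11
"""

HEADER = re.compile(r"type=(\w+) msg=audit\((\d+\.\d+):(\d+)\):")
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')
PERM = re.compile(r"denied\s+\{ ([^}]*) \}")
PROT_BITS = {1: "PROT_READ", 2: "PROT_WRITE", 4: "PROT_EXEC"}  # mmap() prot bits on x86_64

def parse_record(line):
    """Split one audit line into its type, serial number and key=value fields."""
    if not (m := HEADER.match(line)):
        return None
    rec = {"type": m.group(1), "serial": int(m.group(3))}
    rec.update((k, v.strip('"')) for k, v in FIELD.findall(line[m.end():]))
    p = PERM.search(line)
    rec["perms"] = p.group(1).split() if p else []
    return rec

def decode_prot(hexval):
    """Render an mmap() prot argument (hex, as audit logs it) as PROT_* flags."""
    return "|".join(n for b, n in PROT_BITS.items() if int(hexval, 16) & b) or "PROT_NONE"

def analyze(text):
    """One finding per execmem denial: who asked for what, and whether the process then died."""
    recs = [r for r in map(parse_record, text.splitlines()) if r]
    crashed = {r["pid"] for r in recs if r["type"] == "ANOM_ABEND" and r.get("sig") == "11"}
    groups = {}
    for r in recs:  # the AVC and SYSCALL records of one event share the audit serial
        groups.setdefault(r["serial"], {})[r["type"]] = r
    findings = []
    for serial, g in sorted(groups.items()):
        avc, sc = g.get("AVC"), g.get("SYSCALL")
        if not avc or "execmem" not in avc["perms"]:
            continue
        f = {"serial": serial, "pid": avc["pid"], "comm": avc["comm"], "domain": avc["scontext"].split(":")[2],
             "enforced": avc.get("permissive") == "0", "crashed": avc["pid"] in crashed}
        if sc and sc.get("arch") == "c000003e" and sc.get("syscall") == "9":  # syscall 9 is mmap on x86_64
            f["mmap_prot"], f["errno"] = decode_prot(sc["a2"]), -int(sc["exit"])  # exit=-13 is EACCES
        findings.append(f)
    return findings
```

Run it on the output of `grep certbot /var/log/audit/audit.log` to see that every denial is a request for a read+write+exec mapping and that each one was immediately followed by the interpreter dying with signal 11, which is the chain the report describes.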
