[DSE-Dev] Bug#1018833: refpolicy: misc missing permissions

Russell Coker russell at coker.com.au
Wed Apr 19 10:53:16 BST 2023


On Sunday, 2 April 2023 04:15:18 AEST Christian Göttsche wrote:
> 
> Probably due to the usage of the -T flag
> 
> +kernel_read_vm_overcommit_sysctl(setfiles_t)

added
 

> 
> +dev_read_urand(vnstatd_t)

added
 
> Apr 01 19:09:12 debianrefpolicy kernel: audit: type=1400
> audit(1680368952.624:6): avc:  denied  { relabelfrom } for  pid=488
> comm="systemd-tmpfile" name="mtab" dev="vda1" ino=261264
> scontext=system_u:system_r:systemd_tmpfiles_t:s0
> tcontext=system_u:object_r:etc_t:s0 tclass=lnk_file permissive=1
> Apr 01 19:09:12 debianrefpolicy kernel: audit: type=1400
> audit(1680368952.624:7): avc:  denied  { relabelto } for  pid=488
> comm="systemd-tmpfile" name="mtab" dev="vda1" ino=261264
> scontext=system_u:system_r:systemd_tmpfiles_t:s0
> tcontext=system_u:object_r:etc_t:s0 tclass=lnk_file permissive=1
> Apr 01 19:09:12 debianrefpolicy kernel: audit: type=1400
> audit(1680368952.624:8): avc:  denied  { relabelfrom } for  pid=488
> comm="systemd-tmpfile" name="root" dev="vda1" ino=1044482
> scontext=system_u:system_r:systemd_tmpfiles_t:s0
> tcontext=unconfined_u:object_r:user_home_dir_t:s0 tclass=dir
> permissive=1
> Apr 01 19:09:12 debianrefpolicy kernel: audit: type=1400
> audit(1680368952.628:9): avc:  denied  { relabelto } for  pid=488
> comm="systemd-tmpfile" name="root" dev="vda1" ino=1044482
> scontext=system_u:system_r:systemd_tmpfiles_t:s0
> tcontext=unconfined_u:object_r:user_home_dir_t:s0 tclass=dir
> permissive=1
> Apr 01 19:09:12 debianrefpolicy kernel: audit: type=1400
> audit(1680368952.628:10): avc:  denied  { relabelfrom } for  pid=488
> comm="systemd-tmpfile" name=".ssh" dev="vda1" ino=1044487
> scontext=system_u:system_r:systemd_tmpfiles_t:s0
> tcontext=unconfined_u:object_r:ssh_home_t:s0 tclass=dir permissive=1
> 
> Caused by /usr/lib/tmpfiles.d/provision.conf
> 
> +allow systemd_tmpfiles_t etc_t:lnk_file { relabelfrom relabelto };
> +allow systemd_tmpfiles_t ssh_home_t:dir { relabelfrom relabelto };
> +allow systemd_tmpfiles_t user_home_dir_t:dir { relabelfrom relabelto };
> # label files with user unconfined_u running as user system_u
> +domain_obj_id_change_exemption(systemd_tmpfiles_t)

I'll look into that one later.

> type=PROCTITLE msg=audit(01/04/23 19:42:13.993:72) : proctitle=userdel vnstat
> type=PATH msg=audit(01/04/23 19:42:13.993:72) : item=0
> name=/proc/484/root inode=2 dev=fe:01 mode=dir,755 ouid=root ogid=root
> rdev=00:00 obj=system_u:object_r:root_t:s0 nametype=NORMAL cap_fp=none
> cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
> type=CWD msg=audit(01/04/23 19:42:13.993:72) : cwd=/
> type=SYSCALL msg=audit(01/04/23 19:42:13.993:72) : arch=x86_64
> syscall=newfstatat success=yes exit=0 a0=AT_FDCWD a1=0x7ffcaa762780
> a2=0x7ffcaa7626d0 a3=0x0 items=1 ppid=659 pid=660 auid=root uid=root
> gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root
> tty=pts4 ses=1 comm=userdel exe=/usr/sbin/userdel
> subj=unconfined_u:unconfined_r:useradd_t:s0-s0:c0.c1023 key=(null)
> type=AVC msg=audit(01/04/23 19:42:13.993:72) : avc:  denied  {
> sys_ptrace } for  pid=660 comm=userdel capability=sys_ptrace
> scontext=unconfined_u:unconfined_r:useradd_t:s0-s0:c0.c1023
> tcontext=unconfined_u:unconfined_r:useradd_t:s0-s0:c0.c1023
> tclass=capability permissive=1
> 
> +allow useradd_t self:capability sys_ptrace;

How can you reproduce that?  I had been considering it but don't know what 
it's for.

> type=PROCTITLE msg=audit(01/04/23 19:43:51.042:119) :
> proctitle=/sbin/groupadd -g 110 vnstat
> type=SYSCALL msg=audit(01/04/23 19:43:51.042:119) : arch=x86_64
> syscall=fstatfs success=yes exit=0 a0=0x3 a1=0x7ffeed32c5c0 a2=0x0
> a3=0x0 items=0 ppid=856 pid=857 auid=root uid=root gid=root euid=root
> suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts4 ses=1
> comm=groupadd exe=/usr/sbin/groupadd
> subj=unconfined_u:unconfined_r:groupadd_t:s0-s0:c0.c1023 key=(null)
> type=AVC msg=audit(01/04/23 19:43:51.042:119) : avc:  denied  {
> getattr } for  pid=857 comm=groupadd name=/ dev="proc" ino=1
> scontext=unconfined_u:unconfined_r:groupadd_t:s0-s0:c0.c1023
> tcontext=system_u:object_r:proc_t:s0 tclass=filesystem permissive=1
> 
> +kernel_getattr_proc(groupadd_t)

Added.

> 
> type=PROCTITLE msg=audit(01/04/23 19:47:34.834:196) : proctitle=plocate /
> type=SYSCALL msg=audit(01/04/23 19:47:34.834:196) : arch=x86_64
> syscall=io_uring_setup success=yes exit=4 a0=0x100 a1=0x7ffc94fad5c0
> a2=0x7ffc94fad5c0 a3=0x7f17e70aa570 items=0 ppid=1224 pid=1225
> auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root
> sgid=root fsgid=root tty=pts4 ses=1 comm=plocate exe=/usr/bin/plocate
> subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
> type=AVC msg=audit(01/04/23 19:47:34.834:196) : avc:  denied  { create
> } for  pid=1225 comm=plocate anonclass=[io_uring]
> scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
> tcontext=unconfined_u:object_r:unconfined_t:s0 tclass=anon_inode
> permissive=1
> ----
> type=PROCTITLE msg=audit(01/04/23 19:47:34.834:197) : proctitle=plocate /
> type=MMAP msg=audit(01/04/23 19:47:34.834:197) : fd=4
> flags=MAP_SHARED|MAP_POPULATE
> type=SYSCALL msg=audit(01/04/23 19:47:34.834:197) : arch=x86_64
> syscall=mmap success=yes exit=139740637237248 a0=0x0 a1=0x2540
> a2=PROT_READ|PROT_WRITE a3=MAP_SHARED|MAP_POPULATE items=0 ppid=1224
> pid=1225 auid=root uid=root gid=root euid=root suid=root fsuid=root
> egid=root sgid=root fsgid=root tty=pts4 ses=1 comm=plocate
> exe=/usr/bin/plocate
> subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
> type=AVC msg=audit(01/04/23 19:47:34.834:197) : avc:  denied  { read
> write } for  pid=1225 comm=plocate path=anon_inode:[io_uring]
> dev="anon_inodefs" ino=20748
> scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
> tcontext=unconfined_u:object_r:unconfined_t:s0 tclass=anon_inode permissive=1
> type=AVC msg=audit(01/04/23 19:47:34.834:197) : avc:  denied  { map }
> for  pid=1225 comm=plocate path=anon_inode:[io_uring]
> dev="anon_inodefs" ino=20748
> scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
> tcontext=unconfined_u:object_r:unconfined_t:s0 tclass=anon_inode permissive=1
> 
> Usage of io_uring, e.g. in plocate
> 
> +allow unconfined_t self:anon_inode { create map read write };

added

> 
> 
> Apr 01 19:09:12 debianrefpolicy kernel: audit: type=1400
> audit(1680368952.052:3): avc:  denied  { create } for  pid=375
> comm="mkdir" name="console-setup" scontext=system_u:system_r:udev_t:s0
> tcontext=system_u:object_r:var_run_t:s0 tclass=dir permissive=1
> Apr 01 19:09:12 debianrefpolicy kernel: audit: type=1400
> audit(1680368952.052:4): avc:  denied  { create } for  pid=334
> comm="cached_setup_fo" name="font-loaded"
> scontext=system_u:system_r:udev_t:s0
> tcontext=system_u:object_r:var_run_t:s0 tclass=file permissive=1
> Apr 01 19:09:12 debianrefpolicy kernel: audit: type=1400
> audit(1680368952.052:5): avc:  denied  { write open } for  pid=334
> comm="cached_setup_fo" path="/run/console-setup/font-loaded"
> dev="tmpfs" ino=721 scontext=system_u:system_r:udev_t:s0
> tcontext=system_u:object_r:var_run_t:s0 tclass=file permissive=1
> 
> Since there are some Debian patches to the refpolicy regarding
> /run/console-setup, I am not sure what your preferred resolution would
> be.

I'll look into that later.

-- 
My Main Blog         http://etbe.coker.com.au/
My Documents Blog    http://doc.coker.com.au/
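Added illustration, not part of the bug report or of refpolicy: a small audit2allow-style script that parses AVC records like the ones quoted in this thread, merges them per source type, target type and object class, and prints the corresponding `allow` rules (collapsing a target equal to the source into `self`, as in the proposed `useradd_t self:capability` line). The sample records are constructed from the quoted denials and trimmed to the fields used; the regex and function names are my own.

```python
import re
from collections import defaultdict

# Constructed sample, trimmed to the fields used: the kernel/journal format
# and the ausearch -i format both appear in the report.
SAMPLE_AVCS = """\
audit(1680368952.624:6): avc:  denied  { relabelfrom } for  pid=488 comm="systemd-tmpfile" scontext=system_u:system_r:systemd_tmpfiles_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=lnk_file permissive=1
audit(1680368952.624:7): avc:  denied  { relabelto } for  pid=488 comm="systemd-tmpfile" scontext=system_u:system_r:systemd_tmpfiles_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=lnk_file permissive=1
type=AVC msg=audit(01/04/23 19:42:13.993:72) : avc:  denied  { sys_ptrace } for  pid=660 comm=userdel scontext=unconfined_u:unconfined_r:useradd_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:useradd_t:s0-s0:c0.c1023 tclass=capability permissive=1
type=AVC msg=audit(01/04/23 19:47:34.834:196) : avc:  denied  { create } for  pid=1225 comm=plocate scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:unconfined_t:s0 tclass=anon_inode permissive=1
type=AVC msg=audit(01/04/23 19:47:34.834:197) : avc:  denied  { read write } for  pid=1225 comm=plocate scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:unconfined_t:s0 tclass=anon_inode permissive=1
type=AVC msg=audit(01/04/23 19:47:34.834:197) : avc:  denied  { map } for  pid=1225 comm=plocate scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:unconfined_t:s0 tclass=anon_inode permissive=1
"""

# Regex is my own; it assumes the usual field order scontext, tcontext, tclass.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"\bscontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\S+)"
    r"(?:\s+permissive=(?P<permissive>[01]))?"
)

def context_type(ctx):
    """Type component of a user:role:type[:range] security context."""
    return ctx.split(":")[2]

def parse_avcs(text):
    """Yield (stype, ttype, tclass, perms, permissive) for each AVC record."""
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if m:
            yield (context_type(m["scon"]), context_type(m["tcon"]), m["tclass"],
                   set(m["perms"].split()), m["permissive"] == "1")

def allow_rules(text):
    """Merge records by (source, target, class) into allow rules, audit2allow-style.
    permissive=1 means the kernel logged the access but did not refuse it."""
    merged = defaultdict(set)
    for stype, ttype, tclass, perms, _ in parse_avcs(text):
        target = "self" if ttype == stype else ttype   # same type on both sides => self
        merged[(stype, target, tclass)] |= perms
    rules = []
    for (stype, target, tclass), perms in sorted(merged.items()):
        p = sorted(perms)
        perm_str = p[0] if len(p) == 1 else "{ " + " ".join(p) + " }"
        rules.append(f"allow {stype} {target}:{tclass} {perm_str};")
    return rules

if __name__ == "__main__":
    print("\n".join(allow_rules(SAMPLE_AVCS)))
```

Every quoted record carries `permissive=1`, so the kernel only logged these accesses; each would be a hard failure once the policy is enforced, which is why the report collects them before the switch.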
