On 01/27/2015 05:11 PM, Casper wrote:
This avc (execmem) looks like it is allowed in Fedora. Or is it a luajit problem?

Dear devs, hello.

I would like to determine if these AVCs are caused by prosody, lua, or a wrong SELinux policy.

selinux-policy-3.13.1-105.fc21.src.rpm

Does prosody have a log file error.log?

lancaster ~ # systemctl status prosody
● prosody.service - Prosody XMPP (Jabber) server
   Loaded: loaded (/usr/lib/systemd/system/prosody.service; disabled)
   Active: inactive (dead)

lancaster ~ # sestatus
SELinux status:                 enabled
SELinuxfs mount:                /sys/fs/selinux
SELinux root directory:         /etc/selinux
Loaded policy name:             targeted
Current mode:                   enforcing
Mode from config file:          enforcing
Policy MLS status:              enabled
Policy deny_unknown status:     allowed
Max kernel policy version:      29

lancaster ~ # rpm -q prosody luajit
prosody-0.9.4-4.fc21.x86_64
luajit-2.0.3-3.fc21.x86_64

systemd start:

janv. 27 19:28:03 lancaster prosodyctl[21208]: PANIC: unprotected error in call to Lua API (runtime code generation failed, restricted kernel?)
janv. 27 19:28:04 lancaster prosodyctl[21208]: PANIC: unprotected error in call to Lua API (runtime code generation failed, restricted kernel?)
janv. 27 19:28:04 lancaster systemd[1]: prosody.service: control process exited, code=killed status=11
janv. 27 19:28:04 lancaster systemd[1]: Failed to start Prosody XMPP (Jabber) server.
janv. 27 19:28:04 lancaster systemd[1]: Unit prosody.service entered failed state.
janv. 27 19:28:04 lancaster systemd[1]: prosody.service failed.

kernel log:

janv. 27 19:28:03 lancaster prosodyctl[21208]: PANIC: unprotected error in call to Lua API (runtime code generation failed, restricted kernel?)
janv. 27 19:28:03 lancaster kernel: luajit[21209]: segfault at bcefddd ip 000000000bcefddd sp 00007fff98c8cf00 error 15
janv. 27 19:28:04 lancaster prosodyctl[21208]: PANIC: unprotected error in call to Lua API (runtime code generation failed, restricted kernel?)
janv. 27 19:28:04 lancaster kernel: luajit[21208]: segfault at bcefe33 ip 000000000bcefe33 sp 00007fffe6d4a6b0 error 15
janv. 27 19:28:04 lancaster systemd[1]: prosody.service: control process exited, code=killed status=11
janv. 27 19:28:04 lancaster systemd[1]: Failed to start Prosody XMPP (Jabber) server.
janv. 27 19:28:04 lancaster systemd[1]: Unit prosody.service entered failed state.
janv. 27 19:28:04 lancaster systemd[1]: prosody.service failed.
janv. 27 19:28:05 lancaster dbus[904]: [system] Successfully activated service 'org.fedoraproject.Setroubleshootd'
janv. 27 19:28:14 lancaster setroubleshoot[21211]: Plugin Exception restorecon_source
janv. 27 19:28:14 lancaster setroubleshoot[21211]: SELinux is preventing /usr/bin/luajit-2.0.3 from read access on the file /var/log/prosody/debug.log. For complete SELinux messages. run sealert -l 4598d861-a393-472b-9dda-2c1c3b069fd4
janv. 27 19:28:14 lancaster setroubleshoot[21211]: SELinux is preventing /usr/bin/luajit-2.0.3 from read access on the file /var/log/prosody/info.log. For complete SELinux messages. run sealert -l 4598d861-a393-472b-9dda-2c1c3b069fd4
janv. 27 19:28:14 lancaster setroubleshoot[21211]: SELinux is preventing /usr/bin/luajit-2.0.3 from read access on the file /var/log/prosody/error.log. For complete SELinux messages. run sealert -l 4598d861-a393-472b-9dda-2c1c3b069fd4
janv. 27 19:28:15 lancaster setroubleshoot[21211]: SELinux is preventing /usr/bin/luajit-2.0.3 from using the execmem access on a process. For complete SELinux messages. run sealert -l e0b419ae-9eb4-45ec-9d8e-0ef19df4f5cb
janv. 27 19:28:15 lancaster setroubleshoot[21211]: SELinux is preventing /usr/bin/luajit-2.0.3 from using the execmem access on a process. For complete SELinux messages. run sealert -l e0b419ae-9eb4-45ec-9d8e-0ef19df4f5cb

lancaster ~ # sealert -l 4598d861-a393-472b-9dda-2c1c3b069fd4
SELinux is preventing /usr/bin/luajit-2.0.3 from read access on the file /var/log/prosody/error.log.

*****  Plugin catchall (100. confidence) suggests  **************************

If vous pensez que luajit-2.0.3 devrait être autorisé à accéder read sur error.log file par défaut.
Then vous devriez rapporter ceci en tant qu'anomalie.
Vous pouvez générer un module de stratégie local pour autoriser cet accès.
Do
autoriser cet accès pour le moment en exécutant :
# grep luajit /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:prosody_t:s0
Target Context                system_u:object_r:var_log_t:s0
Target Objects                /var/log/prosody/error.log [ file ]
Source                        luajit
Source Path                   /usr/bin/luajit-2.0.3
Port                          <Unknown>
Host                          lancaster
Source RPM Packages           luajit-2.0.3-3.fc21.x86_64
Target RPM Packages
Policy RPM                    selinux-policy-3.13.1-103.fc21.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     lancaster
Platform                      Linux lancaster 3.17.8-300.fc21.x86_64 #1 SMP Thu Jan 8 23:32:49 UTC 2015 x86_64 x86_64
Alert Count                   7
First Seen                    2015-01-18 08:59:03 CET
Last Seen                     2015-01-27 19:28:02 CET
Local ID                      4598d861-a393-472b-9dda-2c1c3b069fd4

Raw Audit Messages
type=AVC msg=audit(1422383282.541:154043): avc: denied { read } for pid=21209 comm="luajit" name="error.log" dev="dm-1" ino=2228909 scontext=system_u:system_r:prosody_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file permissive=0

type=SYSCALL msg=audit(1422383282.541:154043): arch=x86_64 syscall=open success=no exit=EACCES a0=4154f8c0 a1=442 a2=1b6 a3=241 items=0 ppid=21208 pid=21209 auid=4294967295 uid=991 gid=990 euid=991 suid=991 fsuid=991 egid=990 sgid=990 fsgid=990 tty=(none) ses=4294967295 comm=luajit exe=/usr/bin/luajit-2.0.3 subj=system_u:system_r:prosody_t:s0 key=(null)

Hash: luajit,prosody_t,var_log_t,file,read

lancaster ~ # sealert -l e0b419ae-9eb4-45ec-9d8e-0ef19df4f5cb
SELinux is preventing /usr/bin/luajit-2.0.3 from using the execmem access on a process.

*****  Plugin catchall (100. confidence) suggests  **************************

If vous pensez que luajit-2.0.3 devrait être autorisé à accéder execmem sur les processus étiquetés prosody_t par défaut.
Then vous devriez rapporter ceci en tant qu'anomalie.
Vous pouvez générer un module de stratégie local pour autoriser cet accès.
Do
autoriser cet accès pour le moment en exécutant :
# grep luajit /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:prosody_t:s0
Target Context                system_u:system_r:prosody_t:s0
Target Objects                Unknown [ process ]
Source                        luajit
Source Path                   /usr/bin/luajit-2.0.3
Port                          <Unknown>
Host                          lancaster
Source RPM Packages           luajit-2.0.3-3.fc21.x86_64
Target RPM Packages
Policy RPM                    selinux-policy-3.13.1-103.fc21.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     lancaster
Platform                      Linux lancaster 3.17.8-300.fc21.x86_64 #1 SMP Thu Jan 8 23:32:49 UTC 2015 x86_64 x86_64
Alert Count                   12
First Seen                    2015-01-17 18:00:51 CET
Last Seen                     2015-01-27 19:28:04 CET
Local ID                      e0b419ae-9eb4-45ec-9d8e-0ef19df4f5cb

Raw Audit Messages
type=AVC msg=audit(1422383284.804:154046): avc: denied { execmem } for pid=21208 comm="luajit" scontext=system_u:system_r:prosody_t:s0 tcontext=system_u:system_r:prosody_t:s0 tclass=process permissive=0

type=SYSCALL msg=audit(1422383284.804:154046): arch=x86_64 syscall=mprotect success=no exit=EACCES a0=bce0000 a1=10000 a2=5 a3=47e items=0 ppid=1 pid=21208 auid=429496795 uid=991 gid=990 euid=991 suid=991 fsuid=991 egid=990 sgid=990 fsgid=990 tty=(none) ses=4294967295 comm=luajit exe=/usr/bin/luajit-2.0.3 subj=system_u:system_r:prosody_t:s0 key=(null)

Hash: luajit,prosody_t,prosody_t,process,execmem

lancaster ~ # ll -Za /var/log/prosody
drwxrwx---. root prosody system_u:object_r:var_log_t:s0 .
drwxr-xr-x. root root    system_u:object_r:var_log_t:s0 ..
-rw-rw-r--. root prosody system_u:object_r:var_log_t:s0 debug.log
-rw-rw-r--. root prosody system_u:object_r:var_log_t:s0 debug.log-20130727
-rw-rw-r--. root prosody system_u:object_r:var_log_t:s0 error.log
-rw-rw-r--. root prosody system_u:object_r:var_log_t:s0 error.log-20130727
-rw-rw-r--. root prosody system_u:object_r:var_log_t:s0 info.log
-rw-rw-r--. root prosody system_u:object_r:var_log_t:s0 info.log-20130727
-rw-rw-r--. root prosody system_u:object_r:var_log_t:s0 prosody.log

An opinion on this?

Best regards,
Matthieu Saulnier
--
devel mailing list
devel@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/devel
Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct
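The report above contains two different kinds of denial: three file reads on /var/log/prosody/*.log whose target type is the generic var_log_t, and an execmem denial on the prosody_t process itself, raised when luajit's mprotect asks for executable memory for its JIT. Before pasting the audit2allow output that sealert suggests, it is worth separating the two, because an execmem allow rule is a much broader grant than a file label fix. The script below is an added example written for this page (it is not from the thread, from Prosody or from setroubleshoot); it takes the four raw audit records quoted in the report as constructed sample input, pairs each AVC record with its SYSCALL record by serial number, rebuilds the "Hash:" key that sealert prints, decodes the mprotect flags from the a2 argument, and labels each denial. The classification rules and the triage notes are this example's own heuristics, not policy from the page.

```python
"""Triage raw SELinux AVC records the way a policy maintainer would read them.

Added example, not code from the mailing-list thread. Pairs AVC and SYSCALL
records by audit serial, rebuilds sealert's 'Hash:' key, decodes mprotect
flags for execmem denials, and separates label problems from W^X exceptions.
"""
import re

# Constructed sample input: the raw audit records quoted in the report above,
# one record per line (two AVC records and their matching SYSCALL records).
SAMPLE_AUDIT = """\
type=AVC msg=audit(1422383282.541:154043): avc: denied { read } for pid=21209 comm="luajit" name="error.log" dev="dm-1" ino=2228909 scontext=system_u:system_r:prosody_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file permissive=0
type=SYSCALL msg=audit(1422383282.541:154043): arch=x86_64 syscall=open success=no exit=EACCES a0=4154f8c0 a1=442 a2=1b6 a3=241 items=0 ppid=21208 pid=21209 auid=4294967295 uid=991 gid=990 euid=991 suid=991 fsuid=991 egid=990 sgid=990 fsgid=990 tty=(none) ses=4294967295 comm=luajit exe=/usr/bin/luajit-2.0.3 subj=system_u:system_r:prosody_t:s0 key=(null)
type=AVC msg=audit(1422383284.804:154046): avc: denied { execmem } for pid=21208 comm="luajit" scontext=system_u:system_r:prosody_t:s0 tcontext=system_u:system_r:prosody_t:s0 tclass=process permissive=0
type=SYSCALL msg=audit(1422383284.804:154046): arch=x86_64 syscall=mprotect success=no exit=EACCES a0=bce0000 a1=10000 a2=5 a3=47e items=0 ppid=1 pid=21208 auid=429496795 uid=991 gid=990 euid=991 suid=991 fsuid=991 egid=990 sgid=990 fsgid=990 tty=(none) ses=4294967295 comm=luajit exe=/usr/bin/luajit-2.0.3 subj=system_u:system_r:prosody_t:s0 key=(null)
"""

HEADER_RE = re.compile(r"^type=(?P<type>\w+) msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\):\s*(?P<body>.*)$")
AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# mprotect(2) protection bits, as they appear in the SYSCALL record's a2 field.
PROT_BITS = {1: "PROT_READ", 2: "PROT_WRITE", 4: "PROT_EXEC"}

FILE_CLASSES = ("file", "dir", "lnk_file", "sock_file", "fifo_file")


def decode_prot(hex_value):
    """Decode mprotect's hexadecimal prot argument into PROT_* names."""
    value = int(hex_value, 16)
    names = [name for bit, name in PROT_BITS.items() if value & bit]
    return "|".join(names) or "PROT_NONE"


def parse_audit(text):
    """Group records by audit serial: {serial: {"ts", "avc": {...}, "syscall": {...}}}."""
    events = {}
    for line in text.splitlines():
        m = HEADER_RE.match(line.strip())
        if not m:
            continue  # not an audit record (blank line, sealert prose, ...)
        event = events.setdefault(m["serial"], {"ts": m["ts"]})
        if m["type"] == "AVC":
            a = AVC_RE.match(m["body"])
            if a is None:
                continue  # 'granted' records or unexpected layout are ignored
            fields = {k: v.strip('"') for k, v in KV_RE.findall(a["rest"])}
            fields["perms"] = a["perms"].split()
            event["avc"] = fields
        elif m["type"] == "SYSCALL":
            event["syscall"] = {k: v.strip('"') for k, v in KV_RE.findall(m["body"])}
    return events


def type_of(context):
    """The type component (third field) of a user:role:type:level context."""
    return context.split(":")[2]


def denial_key(avc):
    """Rebuild sealert's 'Hash:' line: comm,source type,target type,class,permission."""
    return ",".join([avc["comm"], type_of(avc["scontext"]), type_of(avc["tcontext"]),
                     avc["tclass"], avc["perms"][0]])


def classify(event):
    """Return (kind, note); the kinds and notes are this example's own heuristics."""
    avc = event.get("avc")
    if avc is None:
        return ("incomplete", "no AVC record for this serial")
    sc = event.get("syscall", {})
    src, tgt = type_of(avc["scontext"]), type_of(avc["tcontext"])
    if avc["tclass"] == "process" and "execmem" in avc["perms"]:
        prot = decode_prot(sc["a2"]) if sc.get("syscall") == "mprotect" and "a2" in sc else "unknown"
        return ("execmem",
                f"{avc['comm']} in {src} tried to make anonymous memory executable "
                f"({sc.get('syscall', '?')} with {prot}), which is what a JIT does. An "
                "execmem allow applies to every process in the domain, so treat it as a "
                "W^X exception to decide per domain, not as a label fix.")
    if avc["tclass"] in FILE_CLASSES:
        name = avc.get("name", "<unnamed>")
        return ("file-label",
                f"{src} denied {'/'.join(avc['perms'])} on {name} labelled {tgt}; check "
                f"the expected label with 'matchpathcon -V' on the path and relabel with "
                "restorecon before considering an allow rule.")
    return ("other", f"{src} -> {tgt} {avc['tclass']} {{ {' '.join(avc['perms'])} }}")


def triage(text):
    """Parse and classify every denial in the text, in serial order."""
    events = parse_audit(text)
    return [(serial, denial_key(ev["avc"]) if "avc" in ev else None, *classify(ev))
            for serial, ev in sorted(events.items())]


if __name__ == "__main__":
    for serial, key, kind, note in triage(SAMPLE_AUDIT):
        print(f"{serial} [{kind}] {key}\n    {note}")
```

Running it on the sample prints one execmem entry and one file-label entry; on a real host the same function can be fed the output of `grep avc /var/log/audit/audit.log` and will simply skip any line that is not an AVC or SYSCALL record.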