Re: avc denied from logrotate

On Sat, 10 Jul 2004 16:57, Richard Hally <rhallyx@xxxxxxxxxxxxxx> wrote:
> Jul 10 02:44:08 new2 richard: now doing logrotate
> Jul 10 02:44:16 new2 kernel: audit(1089441856.765:0): avc:  denied  {
> transition } for  pid=4105 exe=/bin/bash path=/etc/rc.d/init.d/cups
> dev=hda2 ino=864571 scontext=root:sysadm_r:logrotate_t
> tcontext=root:system_r:initrc_t tclass=process

The role sysadm_r is not permitted to have domain initrc_t.  The options for 
solving this are:
1:
role sysadm_r types initrc_t;
2:
role_transition sysadm_r initrc_exec_t system_r;
domain_auto_trans(sysadm_t, initrc_exec_t, initrc_t)
3:
role_transition sysadm_r logrotate_exec_t system_r;

In option 2 the domain_auto_trans() is needed to prevent the 
command /etc/init.d/whatever from ending up in the context 
root:system_r:sysadm_t which is not a valid context.

The problem with option 1 is that initrc_t then launches other domains so it 
doesn't work.

Steve, what do you think about option 2 vs option 3?

> Jul 10 02:44:16 new2 kernel: audit(1089441856.773:0): avc:  denied  {
> use } for  pid=4107 exe=/sbin/consoletype path=/dev/null dev=hda2
> ino=1064669 scontext=root:system_r:consoletype_t
> tcontext=root:sysadm_r:logrotate_t tclass=fd

I guess we need a dontaudit rule for that as there is:
can_exec(logrotate_t, consoletype_exec_t)

So I put the following in logrotate.te:
dontaudit consoletype_t logrotate_t:fd use;

> Jul 10 02:44:16 new2 cups: cupsd shutdown succeeded
> Jul 10 02:44:16 new2 kernel: audit(1089441856.913:0): avc:  denied  {
> ioctl } for  pid=4114 exe=/usr/bin/python path=/dev/pts/0 dev=devpts
> ino=2 scontext=root:system_r:cupsd_t
> tcontext=root:object_r:sysadm_devpts_t tclass=chr_file
> Jul 10 02:44:16 new2 kernel: audit(1089441856.914:0): avc:  denied  {
> getattr } for  pid=4114 exe=/usr/bin/python path=/dev/pts/0 dev=devpts
> ino=2 scontext=root:system_r:cupsd_t
> tcontext=root:object_r:sysadm_devpts_t tclass=chr_file

The attached patch takes care of that.

> Jul 10 02:44:17 new2 kernel: audit(1089441857.053:0): avc:  denied  {
> read } for  pid=4121 exe=/bin/bash name=.bashrc dev=hda2 ino=130311
> scontext=root:system_r:cupsd_t tcontext=root:object_r:staff_home_t
> tclass=file

In enforcing mode access to the parent directory is denied and that file will 
never be accessed.

> Jul 10 02:44:17 new2 kernel: audit(1089441857.056:0): avc:  denied  {
> read } for  pid=4123 exe=/usr/bin/id name=config dev=hda2 ino=914871
> scontext=root:system_r:cupsd_t
> tcontext=system_u:object_r:selinux_config_t tclass=file

Maybe we should change id to read /proc/self/attr/current directly?  We don't 
want to have to put in allow or dontaudit rules for every shell script that 
runs "id".

-- 
http://www.coker.com.au/selinux/   My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/    Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/  My home page
--- macros/global_macros.te	2004-07-11 16:32:30.000000000 +1000
+++ macros/global_macros.te.new	2004-07-11 16:33:12.000000000 +1000
@@ -326,7 +326,7 @@
 read_sysctl($1_t)
 
 ifdef(`direct_sysadm_daemon', `
-dontaudit $1_t admin_tty_type:chr_file { read write };
+dontaudit $1_t admin_tty_type:chr_file rw_file_perms;
 ')
 
 #
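Review bot: the widened dontaudit only takes effect inside the `ifdef(`direct_sysadm_daemon', ...)` block, so a policy built without that define will still audit the cupsd_t ioctl/getattr denials on sysadm_devpts_t quoted above; if those denials are expected regardless of how daemons are started, the rule should sit outside the ifdef. Changing `{ read write }` to rw_file_perms does cover the two permissions in the quoted messages (ioctl and getattr) rather than only read/write, but as this is a dontaudit rather than an allow, a daemon that inherits an admin tty still cannot use it, it simply stops being logged; a one-line comment in the macro saying so (the `#` context line directly below the hunk is empty) would stop a later reader from taking the rule for a grant.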

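The reply above works through each quoted AVC denial by hand: one is a role problem that no allow rule will fix, one wants a dontaudit, and the rest want allow rules for the permissions that were denied. The following is an added example, not part of the e-mail or of the SELinux policy sources it discusses, that automates that triage over the denials quoted in the thread. The sample log is constructed by re-joining each quoted message onto one line; the rule that a `process transition` whose source and target roles differ needs a `role ... types ...;` statement rather than an allow rule follows the reply's diagnosis of the logrotate_t to initrc_t denial and assumes the type-transition allow rule itself already exists, as the thread implies. The `dontaudit` parameter and the `role_transition` alternative are left to the caller because the entrypoint file type needed for a role_transition is not present in an AVC message.

```python
import re

# Constructed sample input: the AVC denials quoted in the thread, each
# re-joined onto a single line in the 2004-era kernel audit format.
SAMPLE_LOG = """\
Jul 10 02:44:16 new2 kernel: audit(1089441856.765:0): avc:  denied  { transition } for  pid=4105 exe=/bin/bash path=/etc/rc.d/init.d/cups dev=hda2 ino=864571 scontext=root:sysadm_r:logrotate_t tcontext=root:system_r:initrc_t tclass=process
Jul 10 02:44:16 new2 kernel: audit(1089441856.773:0): avc:  denied  { use } for  pid=4107 exe=/sbin/consoletype path=/dev/null dev=hda2 ino=1064669 scontext=root:system_r:consoletype_t tcontext=root:sysadm_r:logrotate_t tclass=fd
Jul 10 02:44:16 new2 kernel: audit(1089441856.913:0): avc:  denied  { ioctl } for  pid=4114 exe=/usr/bin/python path=/dev/pts/0 dev=devpts ino=2 scontext=root:system_r:cupsd_t tcontext=root:object_r:sysadm_devpts_t tclass=chr_file
Jul 10 02:44:16 new2 kernel: audit(1089441856.914:0): avc:  denied  { getattr } for  pid=4114 exe=/usr/bin/python path=/dev/pts/0 dev=devpts ino=2 scontext=root:system_r:cupsd_t tcontext=root:object_r:sysadm_devpts_t tclass=chr_file
Jul 10 02:44:17 new2 kernel: audit(1089441857.053:0): avc:  denied  { read } for  pid=4121 exe=/bin/bash name=.bashrc dev=hda2 ino=130311 scontext=root:system_r:cupsd_t tcontext=root:object_r:staff_home_t tclass=file
"""

# Captures the denied permission set, both security contexts and the object class.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}.*?"
    r"\bscontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)


def parse_avc(line):
    """Return the fields of one AVC denial, or None if the line is not a denial."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    # Contexts of that era are user:role:type with no MLS range.
    _, srole, stype = m.group("scontext").split(":")[:3]
    _, trole, ttype = m.group("tcontext").split(":")[:3]
    return {
        "perms": set(m.group("perms").split()),
        "srole": srole, "stype": stype,
        "trole": trole, "ttype": ttype,
        "tclass": m.group("tclass"),
    }


def needs_role_statement(d):
    """A process transition into a type the source role may not run is a role
    problem (the reply's diagnosis of logrotate_t -> initrc_t): an allow rule
    alone will not fix it, the role must be permitted the target type."""
    return (d["tclass"] == "process" and "transition" in d["perms"]
            and d["srole"] != d["trole"])


def format_perms(perms):
    """Render a permission set the way .te files write it."""
    perms = sorted(perms)
    return perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"


def avc_to_te(log_text, dontaudit=frozenset()):
    """Aggregate denials into policy statements, one per (stype, ttype, tclass).

    `dontaudit` is a set of (stype, ttype, tclass) triples whose denials should be
    silenced instead of permitted, e.g. the consoletype_t fd case in the thread.
    Statements come out in order of first appearance in the log.
    """
    roles = []          # (role, type) pairs needing a role statement
    perms_by_key = {}   # (stype, ttype, tclass) -> accumulated permissions
    for line in log_text.splitlines():
        d = parse_avc(line)
        if d is None:
            continue
        if needs_role_statement(d):
            pair = (d["srole"], d["ttype"])
            if pair not in roles:
                roles.append(pair)
            continue
        key = (d["stype"], d["ttype"], d["tclass"])
        perms_by_key.setdefault(key, set()).update(d["perms"])

    rules = [f"role {role} types {ttype};" for role, ttype in roles]
    for (stype, ttype, tclass), perms in perms_by_key.items():
        kind = "dontaudit" if (stype, ttype, tclass) in dontaudit else "allow"
        rules.append(f"{kind} {stype} {ttype}:{tclass} {format_perms(perms)};")
    return rules


if __name__ == "__main__":
    for rule in avc_to_te(SAMPLE_LOG, dontaudit={("consoletype_t", "logrotate_t", "fd")}):
        print(rule)
```

The two cupsd_t denials on /dev/pts/0 collapse into a single rule because they share source type, target type and class; the .bashrc denial still produces an allow rule, which, as the reply notes, is unnecessary in enforcing mode since the parent directory lookup fails first, so a practitioner would drop that line (or add the triple to `dontaudit`) rather than grant it.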