On Tue, 2007-08-21 at 19:19 -0500, Joe Nall wrote:
> I built and fully updated a F7/MLS system today and was unable to
> login in MLS enforcing from the console or ssh (no X, init level 2 or
> 3). I rebooted with a clean audit.log in permissive mode, logged in
> and found two login related denials
>
> type=AVC msg=audit(1187740851.272:22): avc: denied
> { audit_control } for pid=2299 comm="login" capability=30
> scontext=system_u:system_r:local_login_t:s0-s15:c0.c1023
> tcontext=system_u:system_r:local_login_t:s0-s15:c0.c1023
> tclass=capability

Hmmm...why does the Fedora policy differ from refpolicy in its
audit-related permissions and interfaces?

> and a second dbus related one that I was unable to replicate for this
> email
>
> I created a quick policy to see if I could log in in enforcing mode.
>
> policy_module(f7fix,1.0.0)
>
> gen_require(`
>     type local_login_t, initrc_t;
>     class dbus send_msg;
> ')
>
> allow local_login_t initrc_t:dbus send_msg;
> allow local_login_t self:capability audit_control;

Should really be using a refpolicy interface if one exists to grant these
kinds of permissions. Sadly, audit2allow -R doesn't seem to turn anything
up here for the avc above.

> and got this nasty result
>
> Aug 21 18:19:12 f7 kernel: ds: 007b es: 007b fs: 00d8 gs: 0000
> ss: 0068
> Aug 21 18:19:12 f7 kernel: Process login (pid: 2310, ti=f7f98000
> task=f70de2b0 task.ti=f7f98000)
> Aug 21 18:19:12 f7 kernel: Stack: c06ab7d9 fffffff3 00000000 c06f27ac
> fffffff3 fffffff3 00000000 c04ad93d
> Aug 21 18:19:12 f7 kernel: c06f27a0 f77b8878 c04ad987 f77b8800
> f77b8800 f77b8878 c0555fae f7c8df00
> Aug 21 18:19:12 f7 kernel: c05509ee f77b8800 f773e938 00000000
> 00000000 c0550a20 f70aa800 c053660d
> Aug 21 18:19:12 f7 kernel: Call Trace:
> Aug 21 18:19:12 f7 kernel: [<c04ad93d>] remove_files+0x15/0x1e
> Aug 21 18:19:12 f7 kernel: [<c04ad987>] sysfs_remove_group+0x41/0x57
> Aug 21 18:19:12 f7 kernel: [<c0555fae>] device_pm_remove+0x32/0x70
> Aug 21 18:19:12 f7 kernel: [<c05509ee>] device_del+0x183/0x1ad
> Aug 21 18:19:12 f7 kernel: [<c0550a20>] device_unregister+0x8/0x10
> Aug 21 18:19:12 f7 kernel: [<c053660d>] vcs_remove_sysfs+0x17/0x31
> Aug 21 18:19:12 f7 kernel: [<c053b24a>] con_close+0x49/0x5b
> Aug 21 18:19:12 f7 kernel: [<c052fec7>] release_dev+0x1df/0x5e3
> Aug 21 18:19:12 f7 kernel: [<c045d35e>] free_pages_bulk+0x100/0x16e
> Aug 21 18:19:12 f7 kernel: [<c045d585>] __pagevec_free+0x14/0x1a
> Aug 21 18:19:12 f7 kernel: [<c045f7a5>] release_pages+0x10a/0x112
> Aug 21 18:19:12 f7 kernel: [<c05302da>] tty_release+0xf/0x18
> Aug 21 18:19:12 f7 kernel: [<c04765eb>] __fput+0xb4/0x16a
> Aug 21 18:19:12 f7 kernel: [<c04740f9>] filp_close+0x51/0x58
> Aug 21 18:19:12 f7 kernel: [<c0428683>] put_files_struct+0x5f/0xa7
> Aug 21 18:19:12 f7 kernel: [<c04296be>] do_exit+0x21f/0x6d3
> Aug 21 18:19:12 f7 kernel: [<c0429bdf>] sys_exit_group+0x0/0xd
> Aug 21 18:19:12 f7 kernel: [<c0404f70>] syscall_call+0x7/0xb
> Aug 21 18:19:12 f7 kernel: [<c0600000>] __sched_text_start+0x6e8/0x89e
> Aug 21 18:19:12 f7 kernel: =======================
> Aug 21 18:19:12 f7 kernel: Code: 8b 40 24 8b 40 24 c3 8b 40 14 8b 00
> c3 8b 40 14 8b 00 c3 55 57 56 53 83 ec 0c 85 c0 89 44 24 04 89 14 24
> 0f 84 ed 00 00 00 89 c2 <8b> 40 0c 85 c0 0f 84 e0 00 00 00 8b 52 54
> 83 c0 74 89 54 24 08
> Aug 21 18:19:12 f7 kernel: EIP: [<c04ab620>] sysfs_hash_and_remove
> +0x18/0x110 SS:ESP 0068:f7f98e04
> Aug 21 18:19:12 f7 kernel: Fixing recursive fault but reboot is needed!

That should have shown up as a denial on sysfs_t unless it was dontaudit'd.
sysfs code had a bug where it wasn't checking for failure on a lookup,
triggerable upon SELinux permission denial. Already fixed in the mainline
kernel as of 2.6.23-rc1 and later I believe.

> potentially relevant rpm versions
>
> kernel-2.6.21-1.3194.fc7
> audit-1.5.3-1.fc7
> util-linux-2.13-0.52.fc7
> checkpolicy-2.0.3-1.fc7
> policycoreutils-2.0.16-11.fc7
> policycoreutils-gui-2.0.16-11.fc7
> policycoreutils-newrole-2.0.16-11.fc7
> seedit-policy-2.1.1-2.fc7.2
> selinux-policy-2.6.4-33.fc7
> selinux-policy-devel-2.6.4-33.fc7
> selinux-policy-mls-2.6.4-33.fc7
> selinux-policy-targeted-2.6.4-33.fc7
>
> joe
>
> --
> fedora-selinux-list mailing list
> fedora-selinux-list@xxxxxxxxxx
> https://www.redhat.com/mailman/listinfo/fedora-selinux-list

--
Stephen Smalley
National Security Agency
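As an added illustration of the point made in the reply (this is not code from either poster), here is how the quick f7fix module would look rewritten to use refpolicy interfaces instead of raw allow rules. The interface names are assumptions to be checked against the installed policy headers: logging_set_audit_parameters() from logging.if is assumed to cover the audit_control capability, and init_dbus_chat_script() from init.if is assumed to cover the dbus send_msg toward initrc_t. Using interfaces keeps the module aligned with whatever the base policy later decides those permissions should include (for example the netlink audit socket access that login also needs), rather than hard-coding one permission at a time.

```selinux
policy_module(f7fix, 1.0.1)

########################################
#
# Added example: local_login_t fixes expressed through refpolicy
# interfaces rather than raw allow rules. Interface names are
# assumptions; confirm each one exists in the installed headers, e.g.
#   grep -n "interface(\`logging_set_audit_parameters" \
#       /usr/share/selinux/devel/include/system/logging.if
#   grep -n "interface(\`init_dbus_chat_script" \
#       /usr/share/selinux/devel/include/system/init.if
#

gen_require(`
	type local_login_t;
')

# Replaces:  allow local_login_t self:capability audit_control;
# Assumed interface from logging.if. Besides the audit_control
# capability it is expected to grant the netlink_audit_socket access
# that login uses to emit its own login/logout audit records, which a
# bare capability rule would leave as a separate denial.
logging_set_audit_parameters(local_login_t)

# Replaces:  allow local_login_t initrc_t:dbus send_msg;
# Assumed interface from init.if. Keeping the dbus rule behind an
# interface means the class/permission requirements (gen_require on
# the dbus class) are declared by the policy that owns initrc_t.
init_dbus_chat_script(local_login_t)
```

Build and load it the same way as the original module, with `make -f /usr/share/selinux/devel/Makefile f7fix.pp` followed by `semodule -i f7fix.pp`. If either grep above finds nothing, the headers do not define that interface on this policy version, and the missing one should be replaced by the raw rule from the original module (or a different interface found by grepping for the permission name) rather than guessed at, since an undefined interface name fails at build time with an m4 error.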