Re: Unexpected behavior in permissive mode


 



On 04/09/2015 02:55 AM, Joseph L. Casale wrote:
>> What happens if you switch the SELinux mode (which resets AVC cache)
>>
>> # setenforce 1; setenforce 0
>>
>> and then re-test it?
>>
>> Could you also post full raw AVC?
> 
> Hi Miroslav,
> Thanks for the pointer about resetting the cache, that helped.
> 
> After running the backup in permissive mode, I get the following:
> 
> type=AVC msg=audit(1428538766.224:2373): avc:  denied  { execute } for  pid=32056 comm="bacula-fd" name="su" dev="dm-0" ino=18110620 scontext=system_u:system_r:bacula_t:s0 tcontext=system_u:object_r:su_exec_t:s0 tclass=file
> type=AVC msg=audit(1428538766.224:2373): avc:  denied  { execute_no_trans } for  pid=32056 comm="bacula-fd" path="/usr/bin/su" dev="dm-0" ino=18110620 scontext=system_u:system_r:bacula_t:s0 tcontext=system_u:object_r:su_exec_t:s0 tclass=file
> type=AVC msg=audit(1428538766.343:2374): avc:  denied  { create } for  pid=32056 comm="su" scontext=system_u:system_r:bacula_t:s0 tcontext=system_u:system_r:bacula_t:s0 tclass=netlink_selinux_socket
> type=AVC msg=audit(1428538766.343:2375): avc:  denied  { bind } for  pid=32056 comm="su" scontext=system_u:system_r:bacula_t:s0 tcontext=system_u:system_r:bacula_t:s0 tclass=netlink_selinux_socket
> type=AVC msg=audit(1428538766.343:2376): avc:  denied  { compute_av } for  pid=32056 comm="su" scontext=system_u:system_r:bacula_t:s0 tcontext=system_u:object_r:security_t:s0 tclass=security
> type=AVC msg=audit(1428538766.344:2377): avc:  denied  { create } for  pid=32056 comm="su" scontext=system_u:system_r:bacula_t:s0 tcontext=system_u:system_r:bacula_t:s0 tclass=netlink_audit_socket
> type=AVC msg=audit(1428538766.344:2378): avc:  denied  { nlmsg_relay } for  pid=32056 comm="su" scontext=system_u:system_r:bacula_t:s0 tcontext=system_u:system_r:bacula_t:s0 tclass=netlink_audit_socket
> type=AVC msg=audit(1428538766.344:2378): avc:  denied  { audit_write } for  pid=32056 comm="su" capability=29  scontext=system_u:system_r:bacula_t:s0 tcontext=system_u:system_r:bacula_t:s0 tclass=capability
> type=USER_AVC msg=audit(1428538766.344:2379): pid=32056 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:bacula_t:s0 msg='avc:  denied  { passwd } for  scontext=system_u:system_r:bacula_t:s0 tcontext=system_u:system_r:bacula_t:s0 tclass=passwd  exe="/usr/bin/su" sauid=0 hostname=? addr=? terminal=?'
> type=AVC msg=audit(1428538766.345:2383): avc:  denied  { setsched } for  pid=32056 comm="su" scontext=system_u:system_r:bacula_t:s0 tcontext=system_u:system_r:bacula_t:s0 tclass=process
> type=AVC msg=audit(1428538766.345:2384): avc:  denied  { write } for  pid=32056 comm="su" name="system_bus_socket" dev="tmpfs" ino=14052 scontext=system_u:system_r:bacula_t:s0 tcontext=system_u:object_r:system_dbusd_var_run_t:s0 tclass=sock_file
> type=AVC msg=audit(1428538766.345:2384): avc:  denied  { connectto } for  pid=32056 comm="su" path="/run/dbus/system_bus_socket" scontext=system_u:system_r:bacula_t:s0 tcontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tclass=unix_stream_socket
> type=USER_AVC msg=audit(1428538766.370:2385): pid=694 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  denied  { send_msg } for msgtype=method_call interface=org.freedesktop.DBus member=Hello dest=org.freedesktop.DBus spid=32056 scontext=system_u:system_r:bacula_t:s0 tcontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tclass=dbus  exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'
> type=USER_AVC msg=audit(1428538766.374:2386): pid=694 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  denied  { send_msg } for msgtype=method_call interface=org.freedesktop.login1.Manager member=CreateSession dest=org.freedesktop.login1 spid=32056 tpid=693 scontext=system_u:system_r:bacula_t:s0 tcontext=system_u:system_r:systemd_logind_t:s0 tclass=dbus  exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'
> type=USER_AVC msg=audit(1428538766.393:2391): pid=694 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  denied  { send_msg } for msgtype=method_return dest=:1.1688 spid=693 tpid=32056 scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u:system_r:bacula_t:s0 tclass=dbus  exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'
> type=AVC msg=audit(1428538766.393:2392): avc:  denied  { write } for  pid=32056 comm="su" name="lastlog" dev="dm-0" ino=8572341 scontext=system_u:system_r:bacula_t:s0 tcontext=system_u:object_r:lastlog_t:s0 tclass=file
> type=AVC msg=audit(1428538766.424:2394): avc:  denied  { execute } for  pid=32063 comm="bash" name="hostname" dev="dm-0" ino=16887470 scontext=system_u:system_r:bacula_t:s0 tcontext=system_u:object_r:hostname_exec_t:s0 tclass=file
> type=AVC msg=audit(1428538766.424:2394): avc:  denied  { execute_no_trans } for  pid=32063 comm="bash" path="/usr/bin/hostname" dev="dm-0" ino=16887470 scontext=system_u:system_r:bacula_t:s0 tcontext=system_u:object_r:hostname_exec_t:s0 tclass=file
> type=AVC msg=audit(1428538773.500:2395): avc:  denied  { write } for  pid=32056 comm="su" name="system_bus_socket" dev="tmpfs" ino=14052 scontext=system_u:system_r:bacula_t:s0 tcontext=system_u:object_r:system_dbusd_var_run_t:s0 tclass=sock_file
> 
> which generates the following policy:
> 
> require {
>         type su_exec_t;
>         type system_dbusd_var_run_t;
>         type security_t;
>         type system_dbusd_t;
>         type systemd_logind_t;
>         type lastlog_t;
>         type hostname_exec_t;
>         type bacula_t;
>         class process setsched;
>         class unix_stream_socket connectto;
>         class dbus send_msg;
>         class capability audit_write;
>         class passwd passwd;
>         class netlink_selinux_socket { bind create };
>         class file { write execute execute_no_trans };
>         class netlink_audit_socket { nlmsg_relay create };
>         class sock_file write;
>         class security compute_av;
> }
> 
> #============= bacula_t ==============
> allow bacula_t hostname_exec_t:file { execute execute_no_trans };
> allow bacula_t lastlog_t:file write;
> allow bacula_t security_t:security compute_av;
> allow bacula_t self:capability audit_write;
> allow bacula_t self:netlink_audit_socket { nlmsg_relay create };
> allow bacula_t self:netlink_selinux_socket { bind create };
> allow bacula_t self:passwd passwd;
> allow bacula_t self:process setsched;
> allow bacula_t su_exec_t:file { execute execute_no_trans };
> allow bacula_t system_dbusd_t:dbus send_msg;
> allow bacula_t system_dbusd_t:unix_stream_socket connectto;
> allow bacula_t system_dbusd_var_run_t:sock_file write;
> allow bacula_t systemd_logind_t:dbus send_msg;
> 
> #============= systemd_logind_t ==============
> allow systemd_logind_t bacula_t:dbus send_msg;
> 
> And after loading this I get the following which was not present initially:
> 
> type=AVC msg=audit(1428539366.385:377): avc:  denied  { execute } for  pid=2809 comm="su" name="unix_chkpwd" dev="dm-0" ino=25441120 scontext=system_u:system_r:bacula_t:s0 tcontext=system_u:object_r:chkpwd_exec_t:s0 tclass=file
> type=AVC msg=audit(1428539366.386:378): avc:  denied  { write } for  pid=2808 comm="su" name="btmp" dev="dm-0" ino=9085718 scontext=system_u:system_r:bacula_t:s0 tcontext=system_u:object_r:faillog_t:s0 tclass=file
> 
> So rebuilding from the new output yields:
> 
> require {
>         type system_dbusd_var_run_t;
>         type security_t;
>         type faillog_t;
>         type chkpwd_exec_t;
>         type systemd_logind_t;
>         type hostname_exec_t;
>         type bacula_t;
>         type su_exec_t;
>         type lastlog_t;
>         type system_dbusd_t;
>         class process setsched;
>         class unix_stream_socket connectto;
>         class dbus send_msg;
>         class capability audit_write;
>         class passwd passwd;
>         class netlink_selinux_socket { bind create };
>         class file { write execute execute_no_trans };
>         class netlink_audit_socket { nlmsg_relay create };
>         class sock_file write;
>         class security compute_av;
> }
> 
> #============= bacula_t ==============
> allow bacula_t chkpwd_exec_t:file execute;
> allow bacula_t faillog_t:file write;
> allow bacula_t hostname_exec_t:file { execute execute_no_trans };
> allow bacula_t lastlog_t:file write;
> allow bacula_t security_t:security compute_av;
> allow bacula_t self:capability audit_write;
> allow bacula_t self:netlink_audit_socket { nlmsg_relay create };
> allow bacula_t self:netlink_selinux_socket { bind create };
> allow bacula_t self:passwd passwd;
> allow bacula_t self:process setsched;
> allow bacula_t su_exec_t:file { execute execute_no_trans };
> allow bacula_t system_dbusd_t:dbus send_msg;
> allow bacula_t system_dbusd_t:unix_stream_socket connectto;
> allow bacula_t system_dbusd_var_run_t:sock_file write;
> allow bacula_t systemd_logind_t:dbus send_msg;
> 
> #============= systemd_logind_t ==============
> allow systemd_logind_t bacula_t:dbus send_msg;
> 

Are there any scripts which you have defined? Or did you get it by
default? It looks like bacula is an administrative tool which is going to be
an unconfined domain.

> 
> Which adds:
> allow bacula_t chkpwd_exec_t:file execute;
> allow bacula_t faillog_t:file write;
> 
> However, after removing the old and loading this new policy I get another denial:
> 
> type=AVC msg=audit(1428540219.458:501): avc:  denied  { execute_no_trans } for  pid=4309 comm="su" path="/usr/sbin/unix_chkpwd" dev="dm-0" ino=25441120 scontext=system_u:system_r:bacula_t:s0 tcontext=system_u:object_r:chkpwd_exec_t:s0 tclass=file
> 
> Rerunning the backup yields this same AVC, and audit2allow would suggest it's permitted.
> 
> Thanks so much for assistance.
> jlc
> 


-- 
Miroslav Grepl
Software Engineering, SELinux Solutions
Red Hat, Inc.
--
selinux mailing list
selinux@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/selinux
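The round-by-round loop in the message above (run the backup permissive, feed the new AVCs to audit2allow, load the module, hit the next denial) can be reproduced offline on the records quoted in it. What follows is an added example, not code from the thread, from audit2allow or from Bacula: it parses both the `type=AVC` and the `type=USER_AVC` record forms, merges permissions per (source type, target type, class) the way audit2allow's output groups them, folds a target type equal to the source into `self`, and reports which permissions in a fresh batch of denials the rules already collected do not yet grant. The sample records are copied from the post (a subset of each round); the function names are this example's own.

```python
"""Aggregate raw SELinux AVC denials into audit2allow-style allow rules.

Added example, not code from the thread or from audit2allow. The audit
records below are copied from the messages above (a subset of each round);
the helper names are this example's own.
"""
import re
from collections import defaultdict

# One pattern serves both record forms seen in the thread: `type=AVC ... avc:  denied
# { perms } for ... scontext=... tcontext=... tclass=...` and `type=USER_AVC`, where
# the same text is embedded inside msg='...'.
_AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+.*?"
    r"scontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\S+)"
)

# Round 1: first permissive run (subset of the records quoted in the post).
ROUND1 = """
type=AVC msg=audit(1428538766.224:2373): avc:  denied  { execute } for  pid=32056 comm="bacula-fd" name="su" dev="dm-0" ino=18110620 scontext=system_u:system_r:bacula_t:s0 tcontext=system_u:object_r:su_exec_t:s0 tclass=file
type=AVC msg=audit(1428538766.224:2373): avc:  denied  { execute_no_trans } for  pid=32056 comm="bacula-fd" path="/usr/bin/su" dev="dm-0" ino=18110620 scontext=system_u:system_r:bacula_t:s0 tcontext=system_u:object_r:su_exec_t:s0 tclass=file
type=USER_AVC msg=audit(1428538766.344:2379): pid=32056 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:bacula_t:s0 msg='avc:  denied  { passwd } for  scontext=system_u:system_r:bacula_t:s0 tcontext=system_u:system_r:bacula_t:s0 tclass=passwd  exe="/usr/bin/su" sauid=0 hostname=? addr=? terminal=?'
type=AVC msg=audit(1428538766.345:2384): avc:  denied  { write } for  pid=32056 comm="su" name="system_bus_socket" dev="tmpfs" ino=14052 scontext=system_u:system_r:bacula_t:s0 tcontext=system_u:object_r:system_dbusd_var_run_t:s0 tclass=sock_file
type=USER_AVC msg=audit(1428538766.370:2385): pid=694 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  denied  { send_msg } for msgtype=method_call interface=org.freedesktop.DBus member=Hello dest=org.freedesktop.DBus spid=32056 scontext=system_u:system_r:bacula_t:s0 tcontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tclass=dbus  exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'
type=USER_AVC msg=audit(1428538766.393:2391): pid=694 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  denied  { send_msg } for msgtype=method_return dest=:1.1688 spid=693 tpid=32056 scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u:system_r:bacula_t:s0 tclass=dbus  exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'
type=AVC msg=audit(1428538773.500:2395): avc:  denied  { write } for  pid=32056 comm="su" name="system_bus_socket" dev="tmpfs" ino=14052 scontext=system_u:system_r:bacula_t:s0 tcontext=system_u:object_r:system_dbusd_var_run_t:s0 tclass=sock_file
""".strip().splitlines()

# Round 2: what appeared after the first module was loaded.
ROUND2 = """
type=AVC msg=audit(1428539366.385:377): avc:  denied  { execute } for  pid=2809 comm="su" name="unix_chkpwd" dev="dm-0" ino=25441120 scontext=system_u:system_r:bacula_t:s0 tcontext=system_u:object_r:chkpwd_exec_t:s0 tclass=file
type=AVC msg=audit(1428539366.386:378): avc:  denied  { write } for  pid=2808 comm="su" name="btmp" dev="dm-0" ino=9085718 scontext=system_u:system_r:bacula_t:s0 tcontext=system_u:object_r:faillog_t:s0 tclass=file
""".strip().splitlines()

# Round 3: the denial that survived the second module.
ROUND3 = """
type=AVC msg=audit(1428540219.458:501): avc:  denied  { execute_no_trans } for  pid=4309 comm="su" path="/usr/sbin/unix_chkpwd" dev="dm-0" ino=25441120 scontext=system_u:system_r:bacula_t:s0 tcontext=system_u:object_r:chkpwd_exec_t:s0 tclass=file
""".strip().splitlines()


def context_type(ctx):
    """Return the type field of a user:role:type[:range] security context."""
    return ctx.split(":")[2]


def parse_avc(line):
    """Parse one audit record; return (src_type, tgt_type, tclass, {perms}) or None."""
    m = _AVC_RE.search(line)
    if not m:
        return None
    src = context_type(m.group("scon"))
    tgt = context_type(m.group("tcon"))
    return src, tgt, m.group("tclass"), set(m.group("perms").split())


def rules_from_avcs(lines):
    """Merge denials into {(src, tgt, tclass): perms}; a target equal to the source becomes 'self'."""
    rules = defaultdict(set)
    for line in lines:
        parsed = parse_avc(line)
        if parsed is None:
            continue
        src, tgt, tclass, perms = parsed
        rules[(src, "self" if tgt == src else tgt, tclass)] |= perms
    return dict(rules)


def merge(rules, extra):
    """Return a new rule set granting everything in `rules` plus everything in `extra`."""
    merged = {key: set(perms) for key, perms in rules.items()}
    for key, perms in extra.items():
        merged.setdefault(key, set()).update(perms)
    return merged


def uncovered(rules, lines):
    """Permissions requested in `lines` that `rules` do not yet grant: the next round's additions."""
    missing = {}
    for key, perms in rules_from_avcs(lines).items():
        extra = perms - rules.get(key, set())
        if extra:
            missing[key] = extra
    return missing


def render(rules):
    """Render rules as allow statements, one per (source, target, class), sorted."""
    out = []
    for (src, tgt, tclass), perms in sorted(rules.items()):
        text = " ".join(sorted(perms))
        if len(perms) > 1:
            text = "{ " + text + " }"
        out.append(f"allow {src} {tgt}:{tclass} {text};")
    return out


if __name__ == "__main__":
    loaded = rules_from_avcs(ROUND1)
    print("\n".join(render(loaded)))
    for n, batch in ((2, ROUND2), (3, ROUND3)):
        new = uncovered(loaded, batch)
        print(f"# round {n} adds:")
        print("\n".join(render(new)))
        loaded = merge(loaded, new)
```

Run as a script it prints the five merged rules from the first round, then the two additions from the second round and the lone `execute_no_trans` on `chkpwd_exec_t` from the third, the same sequence the thread walks through. The point of `uncovered()` is the check a practitioner wants in that loop: diff each new batch of denials against the rules already loaded, so a permission that extends an existing rule (here `execute_no_trans` joining `execute` on `chkpwd_exec_t:file`) is recognised as an addition rather than dismissed as a repeat.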




