Re: Subgit SELinux issue

On 09/28/2015 05:48 PM, Matthew Saltzman wrote:
> On Wed, 2015-09-23 at 09:13 +0200, Miroslav Grepl wrote:
>> On 09/22/2015 08:37 PM, Matthew Saltzman wrote:
>>> On Tue, 2015-09-22 at 19:21 +0100, Trevor Hemsley wrote:
>>>> On 22/09/15 18:50, Matthew Saltzman wrote:
>>>>>     for pid file '/var/www/svn/FlopC++/subgit/daemon.pid
>>>>
>>>> Probably not the best location for a pid file. I'd suspect that
>>>> write access to anything under /var/www is disallowed. Can you not
>>>> move it to /var/run?
>>>
>>> *I* can't. It's hard-coded in a compiled executable. I could make
>>> that recommendation to the Subgit folks. I suspect they may do that
>>> because they know for sure where the directory they are executing
>>> from is, but they may not feel they have a guarantee that /var/run
>>> is available in every *nix distribution.
>>
>> We can label /var/www/svn/FlopC++/subgit for example if it is owned
>> by a
>> package.
>>
>> The main goal is that we need to get the AVCs. Try to re-test it and run
>>
>> #ausearch -m avc,user_avc -ts recent
>>
>>>
>>> On the other hand, the Subversion repositories themselves are in
>>> /var/www/svn and interacting with them works fine (including
>>> writes),
>>> modulo this issue.
>>
>>
>>>
>>>>
>>>> Trevor
>>
>>
> 
> OK, here's a list of AVCs. I tried to cull the ones that seemed
> obviously not related (because they referred to an unrelated file or
> command) but there may be some extraneous ones left. These are from two
> commits. Interestingly, even though SELinux is in permissive mode, the
> commits failed with the same timeout message.
> 
> Also, how do I turn the don't-audit rules back on?
> 
> # ausearch -m avc,user_avc -ts recent
> ----
> time->Mon Sep 28 11:20:25 2015
> type=SYSCALL msg=audit(1443453625.601:66129): arch=c000003e syscall=42
> success=no exit=-115 a0=31 a1=7ffe641dece0 a2=10 a3=bf items=0
> ppid=1622 pid=9033 auid=4294967295 uid=48 gid=48 euid=48 suid=48
> fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295
> comm="/usr/sbin/httpd" exe="/usr/sbin/httpd"
> subj=system_u:system_r:httpd_t:s0 key=(null)
> type=AVC msg=audit(1443453625.601:66129): avc:  denied  { name_connect
> } for  pid=9033 comm="/usr/sbin/httpd" dest=9999
> scontext=system_u:system_r:httpd_t:s0
> tcontext=system_u:object_r:jboss_management_port_t:s0 tclass=tcp_socket
> ----
> time->Mon Sep 28 11:22:55 2015
> type=SYSCALL msg=audit(1443453775.469:66135): arch=c000003e syscall=59
> success=yes exit=0 a0=7fe700a14de8 a1=7fe700a14e30 a2=7ffe641e0bd0
> a3=7ffe641e0930 items=0 ppid=9185 pid=9631 auid=4294967295 uid=48
> gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none)
> ses=4294967295 comm="pre-commit" exe="/usr/bin/bash"
> subj=system_u:system_r:httpd_sys_script_t:s0 key=(null)
> type=AVC msg=audit(1443453775.469:66135): avc:  denied  { noatsecure }
> for  pid=9631 comm="pre-commit" scontext=system_u:system_r:httpd_t:s0
> tcontext=system_u:system_r:httpd_sys_script_t:s0 tclass=process
> type=AVC msg=audit(1443453775.469:66135): avc:  denied  { siginh } for 
>  pid=9631 comm="pre-commit" scontext=system_u:system_r:httpd_t:s0
> tcontext=system_u:system_r:httpd_sys_script_t:s0 tclass=process
> type=AVC msg=audit(1443453775.469:66135): avc:  denied  { rlimitinh }
> for  pid=9631 comm="pre-commit" scontext=system_u:system_r:httpd_t:s0
> tcontext=system_u:system_r:httpd_sys_script_t:s0 tclass=process
> ----
> time->Mon Sep 28 11:22:57 2015
> type=SYSCALL msg=audit(1443453777.094:66136): arch=c000003e syscall=9
> success=yes exit=140281970163712 a0=7f95f1000000 a1=270000 a2=7 a3=32
> items=0 ppid=1 pid=9661 auid=4294967295 uid=48 gid=48 euid=48 suid=48
> fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="java"
> exe="/usr/lib/jvm/java-1.7.0-openjdk-1.7.0.85-2.6.1.2.el7_1.x86_64/jre
> -abrt/bin/java" subj=system_u:system_r:httpd_sys_script_t:s0 key=(null)
> type=AVC msg=audit(1443453777.094:66136): avc:  denied  { execmem } for
>   pid=9661 comm="java" scontext=system_u:system_r:httpd_sys_script_t:s0
> tcontext=system_u:system_r:httpd_sys_script_t:s0 tclass=process
> ----
> time->Mon Sep 28 11:23:15 2015
> type=SYSCALL msg=audit(1443453795.817:66138): arch=c000003e syscall=2
> success=yes exit=13 a0=7f95ce143344 a1=0 a2=1b6 a3=0 items=0 ppid=1
> pid=9661 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48
> sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="java"
> exe="/usr/lib/jvm/java-1.7.0-openjdk-1.7.0.85-2.6.1.2.el7_1.x86_64/jre
> -abrt/bin/java" subj=system_u:system_r:httpd_sys_script_t:s0 key=(null)
> type=AVC msg=audit(1443453795.817:66138): avc:  denied  { open } for 
>  pid=9661 comm="java" path="/proc/9658/net/if_inet6" dev="proc"
> ino=4026532220 scontext=system_u:system_r:httpd_sys_script_t:s0
> tcontext=system_u:object_r:proc_net_t:s0 tclass=file
> type=AVC msg=audit(1443453795.817:66138): avc:  denied  { read } for 
>  pid=9661 comm="java" name="if_inet6" dev="proc" ino=4026532220
> scontext=system_u:system_r:httpd_sys_script_t:s0
> tcontext=system_u:object_r:proc_net_t:s0 tclass=file
> ----
> time->Mon Sep 28 11:23:15 2015
> type=SYSCALL msg=audit(1443453795.817:66139): arch=c000003e syscall=5
> success=yes exit=0 a0=d a1=7f95fd98bc50 a2=7f95fd98bc50 a3=0 items=0
> ppid=1 pid=9661 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48
> egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="java"
> exe="/usr/lib/jvm/java-1.7.0-openjdk-1.7.0.85-2.6.1.2.el7_1.x86_64/jre
> -abrt/bin/java" subj=system_u:system_r:httpd_sys_script_t:s0 key=(null)
> type=AVC msg=audit(1443453795.817:66139): avc:  denied  { getattr } for
>   pid=9661 comm="java" path="/proc/9658/net/if_inet6" dev="proc"
> ino=4026532220 scontext=system_u:system_r:httpd_sys_script_t:s0
> tcontext=system_u:object_r:proc_net_t:s0 tclass=file
> ----
> time->Mon Sep 28 11:23:19 2015
> type=SYSCALL msg=audit(1443453799.038:66141): arch=c000003e syscall=50
> success=yes exit=0 a0=f a1=32 a2=7ffffffe a3=7f95fd98e230 items=0
> ppid=1 pid=9661 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48
> egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="java"
> exe="/usr/lib/jvm/java-1.7.0-openjdk-1.7.0.85-2.6.1.2.el7_1.x86_64/jre
> -abrt/bin/java" subj=system_u:system_r:httpd_sys_script_t:s0 key=(null)
> type=AVC msg=audit(1443453799.038:66141): avc:  denied  { listen } for 
>  pid=9661 comm="java" laddr=::ffff:127.0.0.1 lport=43865
> scontext=system_u:system_r:httpd_sys_script_t:s0
> tcontext=system_u:system_r:httpd_sys_script_t:s0 tclass=tcp_socket
> ----
> time->Mon Sep 28 11:25:17 2015
> type=SYSCALL msg=audit(1443453917.466:66160): arch=c000003e syscall=2
> success=yes exit=13 a0=7fbff9c58344 a1=0 a2=1b6 a3=0 items=0 ppid=1
> pid=10084 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48
> egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="java"
> exe="/usr/lib/jvm/java-1.7.0-openjdk-1.7.0.85-2.6.1.2.el7_1.x86_64/jre
> -abrt/bin/java" subj=system_u:system_r:httpd_sys_script_t:s0 key=(null)
> type=AVC msg=audit(1443453917.466:66160): avc:  denied  { open } for 
>  pid=10084 comm="java" path="/proc/10083/net/if_inet6" dev="proc"
> ino=4026532220 scontext=system_u:system_r:httpd_sys_script_t:s0
> tcontext=system_u:object_r:proc_net_t:s0 tclass=file
> type=AVC msg=audit(1443453917.466:66160): avc:  denied  { read } for 
>  pid=10084 comm="java" name="if_inet6" dev="proc" ino=4026532220
> scontext=system_u:system_r:httpd_sys_script_t:s0
> tcontext=system_u:object_r:proc_net_t:s0 tclass=file
> ----
> time->Mon Sep 28 11:25:17 2015
> type=SYSCALL msg=audit(1443453917.466:66161): arch=c000003e syscall=5
> success=yes exit=0 a0=d a1=7fc025453c50 a2=7fc025453c50 a3=0 items=0
> ppid=1 pid=10084 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48
> egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="java"
> exe="/usr/lib/jvm/java-1.7.0-openjdk-1.7.0.85-2.6.1.2.el7_1.x86_64/jre
> -abrt/bin/java" subj=system_u:system_r:httpd_sys_script_t:s0 key=(null)
> type=AVC msg=audit(1443453917.466:66161): avc:  denied  { getattr } for
>   pid=10084 comm="java" path="/proc/10083/net/if_inet6" dev="proc"
> ino=4026532220 scontext=system_u:system_r:httpd_sys_script_t:s0
> tcontext=system_u:object_r:proc_net_t:s0 tclass=file
> ----
> time->Mon Sep 28 11:25:19 2015
> type=SYSCALL msg=audit(1443453919.191:66162): arch=c000003e syscall=50
> success=yes exit=0 a0=f a1=32 a2=7ffffffe a3=7fc025456230 items=0
> ppid=1 pid=10084 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48
> egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="java"
> exe="/usr/lib/jvm/java-1.7.0-openjdk-1.7.0.85-2.6.1.2.el7_1.x86_64/jre
> -abrt/bin/java" subj=system_u:system_r:httpd_sys_script_t:s0 key=(null)
> type=AVC msg=audit(1443453919.191:66162): avc:  denied  { listen } for 
>  pid=10084 comm="java" laddr=::ffff:127.0.0.1 lport=46017
> scontext=system_u:system_r:httpd_sys_script_t:s0
> tcontext=system_u:system_r:httpd_sys_script_t:s0 tclass=tcp_socket
> ----
> time->Mon Sep 28 11:25:44 2015
> type=SYSCALL msg=audit(1443453944.123:66165): arch=c000003e syscall=42
> success=no exit=-115 a0=3c a1=7ffe641dece0 a2=10 a3=bf items=0
> ppid=1622 pid=9990 auid=4294967295 uid=48 gid=48 euid=48 suid=48
> fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295
> comm="/usr/sbin/httpd" exe="/usr/sbin/httpd"
> subj=system_u:system_r:httpd_t:s0 key=(null)
> type=AVC msg=audit(1443453944.123:66165): avc:  denied  { name_connect
> } for  pid=9990 comm="/usr/sbin/httpd" dest=9999
> scontext=system_u:system_r:httpd_t:s0
> tcontext=system_u:object_r:jboss_management_port_t:s0 tclass=tcp_socket
> 
OK, some of these AVCs can be allowed by booleans:

httpd_use_execmem and httpd_can_network_connect.

You can check it using audit2allow on these AVCs.

For

> time->Mon Sep 28 11:25:17 2015
> type=SYSCALL msg=audit(1443453917.466:66161): arch=c000003e syscall=5
> success=yes exit=0 a0=d a1=7fc025453c50 a2=7fc025453c50 a3=0 items=0
> ppid=1 pid=10084 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48
> egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="java"
> exe="/usr/lib/jvm/java-1.7.0-openjdk-1.7.0.85-2.6.1.2.el7_1.x86_64/jre
> -abrt/bin/java" subj=system_u:system_r:httpd_sys_script_t:s0 key=(null)
> type=AVC msg=audit(1443453917.466:66161): avc:  denied  { getattr } for
>   pid=10084 comm="java" path="/proc/10083/net/if_inet6" dev="proc"
> ino=4026532220 scontext=system_u:system_r:httpd_sys_script_t:s0
> tcontext=system_u:object_r:proc_net_t:s0 tclass=file
> ----
> time->Mon Sep 28 11:25:19 2015
> type=SYSCALL msg=audit(1443453919.191:66162): arch=c000003e syscall=50
> success=yes exit=0 a0=f a1=32 a2=7ffffffe a3=7fc025456230 items=0
> ppid=1 pid=10084 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48
> egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="java"
> exe="/usr/lib/jvm/java-1.7.0-openjdk-1.7.0.85-2.6.1.2.el7_1.x86_64/jre
> -abrt/bin/java" subj=system_u:system_r:httpd_sys_script_t:s0 key=(null)
> type=AVC msg=audit(1443453919.191:66162): avc:  denied  { listen } for
>  pid=10084 comm="java" laddr=::ffff:127.0.0.1 lport=46017
> scontext=system_u:system_r:httpd_sys_script_t:s0
> tcontext=system_u:system_r:httpd_sys_script_t:s0 tclass=tcp_socket

I would open a new bug against the selinux-policy component. It looks like
something that we could allow by a boolean.

-- 
Miroslav Grepl
Senior Software Engineer, SELinux Solutions
Red Hat, Inc.
--
selinux mailing list
selinux@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/selinux
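The reply above suggests feeding the pasted AVCs to audit2allow and checking which ones a boolean already covers. As an added example (not code from the thread, the Fedora SELinux list, or the selinux-policy project), the script below does that triage offline on AVC lines condensed from the records quoted above: it parses each `avc: denied` record, drops the `noatsecure`/`siginh`/`rlimitinh` records that the reference policy normally dontaudits and that only show up after `semodule -DB`, maps the remaining denials either to a boolean or to an audit2allow-style `allow` rule for a local module, and prints the `setsebool` / `audit2allow` / `semodule` commands a practitioner would run next. The boolean table is an assumption: it uses the two names given in the reply, and boolean names differ between policy versions, so verify them with `getsebool -a | grep httpd` on the target host before enabling anything.

```python
"""Offline triage of SELinux AVC denials (added example, not from the thread).

Parses `ausearch -m avc` style records, separates denials that a boolean is
expected to cover from ones that would need a local policy module (or a
selinux-policy bug report), and prints the commands to apply each fix.
"""
import re
from collections import defaultdict

# Constructed sample: one-line AVC records condensed from the thread above.
SAMPLE_AVCS = """\
type=AVC msg=audit(1443453625.601:66129): avc:  denied  { name_connect } for  pid=9033 comm="/usr/sbin/httpd" dest=9999 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:jboss_management_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1443453775.469:66135): avc:  denied  { noatsecure } for  pid=9631 comm="pre-commit" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:httpd_sys_script_t:s0 tclass=process
type=AVC msg=audit(1443453775.469:66135): avc:  denied  { siginh } for  pid=9631 comm="pre-commit" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:httpd_sys_script_t:s0 tclass=process
type=AVC msg=audit(1443453777.094:66136): avc:  denied  { execmem } for  pid=9661 comm="java" scontext=system_u:system_r:httpd_sys_script_t:s0 tcontext=system_u:system_r:httpd_sys_script_t:s0 tclass=process
type=AVC msg=audit(1443453795.817:66138): avc:  denied  { open } for  pid=9661 comm="java" path="/proc/9658/net/if_inet6" dev="proc" ino=4026532220 scontext=system_u:system_r:httpd_sys_script_t:s0 tcontext=system_u:object_r:proc_net_t:s0 tclass=file
type=AVC msg=audit(1443453795.817:66138): avc:  denied  { read } for  pid=9661 comm="java" name="if_inet6" dev="proc" ino=4026532220 scontext=system_u:system_r:httpd_sys_script_t:s0 tcontext=system_u:object_r:proc_net_t:s0 tclass=file
type=AVC msg=audit(1443453795.817:66139): avc:  denied  { getattr } for  pid=9661 comm="java" path="/proc/9658/net/if_inet6" dev="proc" ino=4026532220 scontext=system_u:system_r:httpd_sys_script_t:s0 tcontext=system_u:object_r:proc_net_t:s0 tclass=file
type=AVC msg=audit(1443453799.038:66141): avc:  denied  { listen } for  pid=9661 comm="java" laddr=::ffff:127.0.0.1 lport=43865 scontext=system_u:system_r:httpd_sys_script_t:s0 tcontext=system_u:system_r:httpd_sys_script_t:s0 tclass=tcp_socket
"""

AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*)$')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# (source type, object class, permission) -> boolean expected to allow it.
# ASSUMPTION: names taken from the reply; confirm with `getsebool -a | grep httpd`.
BOOLEAN_HINTS = {
    ("httpd_t", "tcp_socket", "name_connect"): "httpd_can_network_connect",
    ("httpd_sys_script_t", "process", "execmem"): "httpd_use_execmem",
}

# Domain-transition permissions the reference policy dontaudits by default;
# they are logged only while dontaudit rules are disabled and need no rule.
DONTAUDIT_NOISE = {("process", "noatsecure"), ("process", "siginh"), ("process", "rlimitinh")}


def type_of(context):
    """'system_u:system_r:httpd_t:s0' -> 'httpd_t'."""
    return context.split(":")[2]


def parse_avc(line):
    """Return the permissions, source/target types, class and comm of one AVC line."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
    if "scontext" not in fields or "tcontext" not in fields or "tclass" not in fields:
        return None
    return {
        "perms": m.group("perms").split(),
        "stype": type_of(fields["scontext"]),
        "ttype": type_of(fields["tcontext"]),
        "tclass": fields["tclass"],
        "comm": fields.get("comm", "?"),
    }


def triage(text):
    """Split denials into (booleans to enable, leftover rules, dontaudit noise)."""
    booleans, noise = set(), set()
    rules = defaultdict(set)  # (source type, target type or 'self', class) -> perms
    for line in text.splitlines():
        rec = parse_avc(line)
        if rec is None:
            continue
        for perm in rec["perms"]:
            if (rec["tclass"], perm) in DONTAUDIT_NOISE:
                noise.add(perm)
            elif (rec["stype"], rec["tclass"], perm) in BOOLEAN_HINTS:
                booleans.add(BOOLEAN_HINTS[(rec["stype"], rec["tclass"], perm)])
            else:
                target = "self" if rec["ttype"] == rec["stype"] else rec["ttype"]
                rules[(rec["stype"], target, rec["tclass"])].add(perm)
    return sorted(booleans), dict(rules), sorted(noise)


def render_rules(rules):
    """Format leftover denials the way audit2allow prints allow rules."""
    out = []
    for (stype, ttype, tclass), perms in sorted(rules.items()):
        p = sorted(perms)
        perm_str = p[0] if len(p) == 1 else "{ " + " ".join(p) + " }"
        out.append(f"allow {stype} {ttype}:{tclass} {perm_str};")
    return out


def suggest_commands(text):
    """Commands to run on the real host for each category of denial."""
    booleans, rules, noise = triage(text)
    cmds = [f"setsebool -P {b} on" for b in booleans]
    if rules:
        cmds.append("# remaining denials (candidate for a selinux-policy bug, or a local module):")
        cmds.extend("#   " + r for r in render_rules(rules))
        cmds.append("ausearch -m avc,user_avc -ts recent | audit2allow -M subgit_local && semodule -i subgit_local.pp")
    if noise:
        cmds.append("semodule -B   # re-enable dontaudit rules (semodule -DB disabled them)")
    return cmds


if __name__ == "__main__":
    print("\n".join(suggest_commands(SAMPLE_AVCS)))
```

Two caveats worth keeping in mind when acting on the output. `httpd_can_network_connect` lets `httpd_t` connect to any TCP port, so if the only target is the daemon on port 9999 (labelled `jboss_management_port_t` in the records above), a local module containing just `allow httpd_t jboss_management_port_t:tcp_socket name_connect;` is the narrower fix. And since the reporter saw the same timeout with SELinux in permissive mode, these denials may not be the root cause of the failed commits; clearing them is still useful so they do not mask whatever is.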