execmem denial after going from RHEL7.1 -> 7.2

Hi,

We are seeing a problem in CentOS 7.2 that was not present in CentOS 7.1. We have a program, suexec, that is pretty much a sudo replacement, and it's run in a confined domain. It can be configured to authenticate via SecurID, and does so by executing a separate binary, "securid". In 7.2 we get the following AVC when in enforcing mode:

type=AVC msg=audit(1452293979.299:489): avc:  denied  { execmem } for  pid=24801 comm="securid" scontext=unconfined_u:unconfined_r:boks_suexec_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:boks_suexec_t:s0-s0:c0.c1023 tclass=process
type=SYSCALL msg=audit(1452293979.299:489): arch=c000003e syscall=59 per=400000 success=no exit=-13 a0=11db130 a1=7ffd15db7000 a2=11da350 a3=7ffd15db8df0 items=0 ppid=24800 pid=24801 auid=0 uid=0 gid=1000 euid=0 suid=0 fsuid=0 egid=1000 sgid=1000 fsgid=1000 tty=pts0 ses=23 comm="securid" exe="/opt/boksm/lib/securid" subj=unconfined_u:unconfined_r:boks_suexec_t:s0-s0:c0.c1023 key=(null)

This does not happen in 7.1 (or 7.0). There everything works just fine with exactly the same binaries (built on RHEL 7.0), and there are no AVCs.

In permissive mode we get more AVCs:

type=AVC msg=audit(1452294353.555:498): avc:  denied  { execmem } for  pid=24891 comm="securid" scontext=unconfined_u:unconfined_r:boks_suexec_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:boks_suexec_t:s0-s0:c0.c1023 tclass=process
type=SYSCALL msg=audit(1452294353.555:498): arch=c000003e syscall=59 per=400000 success=yes exit=0 a0=1114130 a1=7ffe8913bbe0 a2=1113350 a3=7ffe8913d9d0 items=0 ppid=24890 pid=24891 auid=0 uid=0 gid=1000 euid=0 suid=0 fsuid=0 egid=1000 sgid=1000 fsgid=1000 tty=pts0 ses=23 comm="securid" exe="/opt/boksm/lib/securid" subj=unconfined_u:unconfined_r:boks_suexec_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1452294353.555:499): avc:  denied  { execute } for  pid=24891 comm="securid" path="/etc/ld.so.cache" dev="dm-0" ino=17727429 scontext=unconfined_u:unconfined_r:boks_suexec_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:ld_so_cache_t:s0 tclass=file
type=SYSCALL msg=audit(1452294353.555:499): arch=c000003e syscall=9 per=400000 success=yes exit=140205884448768 a0=0 a1=50ed a2=1 a3=2 items=0 ppid=24890 pid=24891 auid=0 uid=0 gid=1000 euid=0 suid=0 fsuid=0 egid=1000 sgid=1000 fsgid=1000 tty=pts0 ses=23 comm="securid" exe="/opt/boksm/lib/securid" subj=unconfined_u:unconfined_r:boks_suexec_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1452294353.576:500): avc:  denied  { execute } for  pid=24891 comm="securid" path=2F535953563030303030303030202864656C6574656429 dev="tmpfs" ino=5570563 scontext=unconfined_u:unconfined_r:boks_suexec_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:tmpfs_t:s0 tclass=file
type=SYSCALL msg=audit(1452294353.576:500): arch=c000003e syscall=30 per=400000 success=yes exit=140205884469248 a0=550003 a1=0 a2=0 a3=7ffff48f38f0 items=0 ppid=24890 pid=24891 auid=0 uid=0 gid=1000 euid=0 suid=0 fsuid=0 egid=1000 sgid=1000 fsgid=1000 tty=pts0 ses=23 comm="securid" exe="/opt/boksm/lib/securid" subj=unconfined_u:unconfined_r:boks_suexec_t:s0-s0:c0.c1023 key=(null)

What is happening here? I do not know what to make of this. Investigating this further reveals that not a single line from the securid binary is run. It seems the AVC occurs during dynamic linking. Why is it trying to execute ld.so.cache? Right now this strikes me as a regression going from RHEL 7.1 -> RHEL 7.2, but I fail to pinpoint the problem. This is all very strange to me, and I haven't seen similar AVCs before.

Any thoughts?

Thanks,
Magnus

--
Magnus Johansson
Awesome Programmer

Connect with me on Linkedin
--
selinux mailing list
selinux@xxxxxxxxxxxxxxxxxxxxxxx
http://lists.fedoraproject.org/admin/lists/selinux@xxxxxxxxxxxxxxxxxxxxxxx
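
For readers triaging records like the ones in this post, the following is an added example (not part of the original message) that joins each AVC with its SYSCALL record and decodes the hex-encoded path=, the syscall number and the per= personality value. The sample lines are abbreviated copies of the permissive-mode records above; the syscall and flag tables are the standard x86_64 and <linux/personality.h> values, and the function names are illustrative.

```python
import re

# x86_64 syscall numbers that appear in the records (arch=c000003e).
SYSCALLS = {9: "mmap", 30: "shmat", 59: "execve"}
# Personality flags from <linux/personality.h>; audit prints per= in hex.
# With READ_IMPLIES_EXEC set, the kernel adds PROT_EXEC to readable mappings.
PER_FLAGS = {0x0040000: "ADDR_NO_RANDOMIZE", 0x0400000: "READ_IMPLIES_EXEC"}

# Abbreviated copies of the records in the post (contexts and ids trimmed).
SAMPLE = """\
type=AVC msg=audit(1452294353.555:498): avc:  denied  { execmem } for  pid=24891 comm="securid" tclass=process
type=SYSCALL msg=audit(1452294353.555:498): arch=c000003e syscall=59 per=400000 success=yes exit=0
type=AVC msg=audit(1452294353.555:499): avc:  denied  { execute } for  pid=24891 comm="securid" path="/etc/ld.so.cache" tclass=file
type=SYSCALL msg=audit(1452294353.555:499): arch=c000003e syscall=9 per=400000 success=yes a0=0 a1=50ed a2=1 a3=2
type=AVC msg=audit(1452294353.576:500): avc:  denied  { execute } for  pid=24891 comm="securid" path=2F535953563030303030303030202864656C6574656429 tclass=file
type=SYSCALL msg=audit(1452294353.576:500): arch=c000003e syscall=30 per=400000 success=yes a0=550003 a1=0 a2=0
"""

def decode_path(value):
    """Audit hex-encodes strings that contain spaces or special bytes."""
    if value.startswith('"'):
        return value.strip('"')
    return bytes.fromhex(value).decode("utf-8", "replace")

def correlate(log):
    """Join AVC and SYSCALL records that share an audit event id."""
    events = {}
    for line in log.splitlines():
        m = re.search(r"msg=audit\(([\d.]+:\d+)\)", line)
        if not m:
            continue
        ev = events.setdefault(m.group(1), {})
        if line.startswith("type=AVC"):
            ev["perm"] = re.search(r"\{ (\w+) \}", line).group(1)
            p = re.search(r'path=("[^"]*"|\S+)', line)
            ev["path"] = decode_path(p.group(1)) if p else None
        elif line.startswith("type=SYSCALL"):
            f = dict(kv.split("=", 1) for kv in line.split()[2:])
            ev["syscall"] = SYSCALLS.get(int(f["syscall"]), f["syscall"])
            per = int(f["per"], 16)
            ev["personality"] = [n for bit, n in PER_FLAGS.items() if per & bit]
            # For mmap, a2 is the requested prot (hex): 1 = PROT_READ only.
            ev["prot"] = int(f["a2"], 16) if ev["syscall"] == "mmap" else None
    return events

if __name__ == "__main__":
    for event_id, ev in correlate(SAMPLE).items():
        print(event_id, ev)
```
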