Re: How do I find the process triggering the SELinux alert?

Marius Ghita <ghita.v.marius@xxxxxxxxx> writes:

> I have the following audit message
>
> Raw Audit Messages
> type=AVC msg=audit(1687022594.74:347): avc:  denied  { mmap_zero } for
>  pid=3953 comm="check" scontext=system_u:system_r:spc_t:s0
> tcontext=system_u:system_r:spc_t:s0 tclass=memprotect permissive=0
>

spc_t is used for privileged root mode containers

> This warning gets triggered from time to time around system startup, and I
> cannot find the process involved. The name check is too generic to use the
> locate command and the process is no longer running by the time I would
> have the chance to peek at the PID.
>

auditd is configured to suppress audit event generation by default:

    # auditctl -l
    -a never,task

This means that you see only AVC-type records in the audit log, e.g.:

    # ausearch -m avc -ts recent
    ----
    time->Tue Jun 20 05:44:14 2023
    type=AVC msg=audit(1687254254.954:409): avc:  denied  { entrypoint } for  pid=1307 comm="runcon" path="/usr/bin/ls" dev="vda2" ino=151456 scontext=system_u:system_r:httpd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:bin_t:s0 tclass=file permissive=0


In order to get more information related to the AVC you need to drop the
"never,task" rule:

    # auditctl -D

After that, new audit events will contain more information:

    # ausearch -m avc -ts 05:48:02
    ----
    type=PROCTITLE msg=audit(06/20/2023 05:48:04.898:416) : proctitle=runcon -u system_u -r system_r -t httpd_t -- /bin/ls 
    type=SYSCALL msg=audit(06/20/2023 05:48:04.898:416) : arch=x86_64 syscall=execve success=no exit=EACCES(Permission denied) a0=0x7ffcc618b5df a1=0x7ffcc6189488 a2=0x7ffcc6189498 a3=0x60 items=0 ppid=1207 pid=1323 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts0 ses=3 comm=runcon exe=/usr/bin/runcon subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null) 
    type=AVC msg=audit(06/20/2023 05:48:04.898:416) : avc:  denied  { entrypoint } for  pid=1323 comm=runcon path=/usr/bin/ls dev="vda2" ino=151456 scontext=system_u:system_r:httpd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:bin_t:s0 tclass=file permissive=0

You can also enable full auditing and get even more information:

    # auditctl -w /etc/shadow -p w

    ...

    # ausearch -m avc -i -ts 05:52:02
    ----
    type=PROCTITLE msg=audit(06/20/2023 05:52:31.059:419) : proctitle=runcon -u system_u -r system_r -t httpd_t -- /bin/ls 
    type=PATH msg=audit(06/20/2023 05:52:31.059:419) : item=0 name=/bin/ls inode=151456 dev=fc:02 mode=file,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:bin_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 
    type=CWD msg=audit(06/20/2023 05:52:31.059:419) : cwd=/root 
    type=SYSCALL msg=audit(06/20/2023 05:52:31.059:419) : arch=x86_64 syscall=execve success=no exit=EACCES(Permission denied) a0=0x7ffc5b8945df a1=0x7ffc5b893708 a2=0x7ffc5b893718 a3=0x60 items=1 ppid=1207 pid=1335 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts0 ses=3 comm=runcon exe=/usr/bin/runcon subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null) 
    type=AVC msg=audit(06/20/2023 05:52:31.059:419) : avc:  denied  { entrypoint } for  pid=1335 comm=runcon path=/usr/bin/ls dev="vda2" ino=151456 scontext=system_u:system_r:httpd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:bin_t:s0 tclass=file permissive=0 

If you need these changes to be persistent, you need to edit
/etc/audit/rules.d/audit.rules.
_______________________________________________
selinux mailing list -- selinux@xxxxxxxxxxxxxxxxxxxxxxx
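The correlation the reply relies on (the SYSCALL record that shares an AVC record's audit serial names the parent and the executable, so the process can be identified after it has exited), as an added example that is not part of the thread and not audit's own tooling. It assumes ausearch-style records as input; SAMPLE is constructed from the records quoted above, and the rule check assumes the rule text as `auditctl -l` or audit.rules would show it.

```shell
#!/bin/sh
# Added example (not from the list post): correlate each AVC record with the
# SYSCALL record sharing its audit serial, which names the parent and the
# executable even after the denied process has exited. SAMPLE is constructed
# ausearch output modelled on the records quoted in the thread.
SAMPLE='----
type=SYSCALL msg=audit(06/20/2023 05:48:04.898:416) : arch=x86_64 syscall=execve success=no exit=EACCES(Permission denied) ppid=1207 pid=1323 auid=root uid=root comm=runcon exe=/usr/bin/runcon subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(06/20/2023 05:48:04.898:416) : avc:  denied  { entrypoint } for  pid=1323 comm=runcon path=/usr/bin/ls dev="vda2" ino=151456 scontext=system_u:system_r:httpd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:bin_t:s0 tclass=file permissive=0
----
type=AVC msg=audit(1687022594.74:347): avc:  denied  { mmap_zero } for  pid=3953 comm="check" scontext=system_u:system_r:spc_t:s0 tcontext=system_u:system_r:spc_t:s0 tclass=memprotect permissive=0'

# task_suppressed RULES: true if the rule text has the "-a never,task" rule
# (auditctl accepts either keyword order) that hides SYSCALL records.
task_suppressed() {
    printf '%s\n' "$1" | grep -Eq '^-a[[:space:]]+(never,task|task,never)([[:space:]]|$)'
}

# avc_report TEXT: prints "serial perm pid comm scontext ppid exe" per AVC
# record; ppid/exe are "-" when no SYSCALL record shares the serial
# (the never,task case from the reply).
avc_report() {
    printf '%s\n' "$1" | awk '
    function field(key,   i, n, v) {   # value of key=... in this record
        for (i = 1; i <= NF; i++) {
            n = index($i, "="); v = substr($i, n + 1); gsub(/"/, "", v)
            if (n && substr($i, 1, n - 1) == key) return v
        }
        return "-"
    }
    function serial(   s) {   # number after the last ":" in msg=audit(...)
        s = $0; sub(/\).*/, "", s); sub(/.*:/, "", s); return s
    }
    /^type=SYSCALL / { s = serial(); ppid[s] = field("ppid"); exe[s] = field("exe") }
    /^type=AVC / {
        s = serial(); perm = $0
        sub(/.*[{] */, "", perm); sub(/ *[}].*/, "", perm)   # "{ entrypoint }"
        order[++cnt] = s
        line[s] = s " " perm " " field("pid") " " field("comm") " " field("scontext")
    }
    END {
        for (i = 1; i <= cnt; i++) {
            s = order[i]; p = (s in ppid) ? ppid[s] : "-"; e = (s in exe) ? exe[s] : "-"
            print line[s], p, e
        }
    }'
}

avc_report "$SAMPLE"
```

Feed it `ausearch -m avc -i -ts recent` output on a real host; a row ending in `- -` is exactly the symptom the reply describes, and `task_suppressed "$(auditctl -l)"` tells you whether the never,task rule is the reason.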