While trying out a custom SELinux policy for systemd, some denials during system boot seem odd to me. systemd pid 1 runs as systemd_t and has no execute_no_trans permissions. The system runs in enforcing mode, but systemd_t is currently a permissive domain. For debugging purposes `auditallow systemd_t domain:process2 { nnp_transition nosuid_transition };` is active. <<<<<<<< log snippets /var/log/messages Nov 5 19:45:44 debian-test kernel: [ 8.224135] audit: type=1400 audit(1572979544.695:7): avc: denied { create } for pid=446 comm="(imesyncd)" name="timesync" scontext=system_u:system_r:systemd_t:s0 tcontext=system_u:object_r:systemd_timesyncd_runtime_t:s0 tclass=dir permissive=1 Nov 5 19:45:44 debian-test kernel: [ 8.225640] audit: type=1400 audit(1572979544.695:8): avc: denied { setattr } for pid=446 comm="(imesyncd)" name="timesync" dev="tmpfs" ino=13506 scontext=system_u:system_r:systemd_t:s0 tcontext=system_u:object_r:systemd_timesyncd_runtime_t:s0 tclass=dir permissive=1 Nov 5 19:45:44 debian-test kernel: [ 8.227405] audit: type=1400 audit(1572979544.695:9): avc: denied { read } for pid=446 comm="(imesyncd)" name="timesync" dev="tmpfs" ino=13506 scontext=system_u:system_r:systemd_t:s0 tcontext=system_u:object_r:systemd_timesyncd_runtime_t:s0 tclass=dir permissive=1 Nov 5 19:45:44 debian-test kernel: [ 8.229030] audit: type=1400 audit(1572979544.695:10): avc: denied { open } for pid=446 comm="(imesyncd)" path="/run/systemd/timesync" dev="tmpfs" ino=13506 scontext=system_u:system_r:systemd_t:s0 tcontext=system_u:object_r:systemd_timesyncd_runtime_t:s0 tclass=dir permissive=1 Nov 5 19:45:44 debian-test kernel: [ 8.229032] audit: type=1400 audit(1572979544.695:11): avc: denied { getattr } for pid=446 comm="(imesyncd)" path="/run/systemd/timesync" dev="tmpfs" ino=13506 scontext=system_u:system_r:systemd_t:s0 tcontext=system_u:object_r:systemd_timesyncd_runtime_t:s0 tclass=dir permissive=1 Nov 5 19:45:44 debian-test kernel: [ 8.235688] audit: type=1400 
audit(1572979544.707:12): avc: denied { mounton } for pid=446 comm="(imesyncd)" path="/run/systemd/unit-root/run/systemd/timesync" dev="tmpfs" ino=13506 scontext=system_u:system_r:systemd_t:s0 tcontext=system_u:object_r:systemd_timesyncd_runtime_t:s0 tclass=dir permissive=1 ausearch -m avc,user_avc,selinux_err -i ---- type=AVC msg=audit(11/05/19 19:45:44.887:22) : avc: granted { nnp_transition } for pid=446 comm=(imesyncd) scontext=system_u:system_r:systemd_t:s0 tcontext=system_u:system_r:systemd_timesyncd_t:s0 tclass=process2 ---- type=PROCTITLE msg=audit(11/05/19 19:45:44.907:25) : proctitle=(crub_all) type=SYSCALL msg=audit(11/05/19 19:45:44.907:25) : arch=x86_64 syscall=sched_setscheduler success=yes exit=0 a0=0x0 a1=SCHED_IDLE a2=0x7ffd35f38f50 a3=0x7ffd35f38f38 items=0 ppid=1 pid=475 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=(crub_all) exe=/usr/lib/systemd/systemd subj=system_u:system_r:systemd_t:s0 key=(null) type=AVC msg=audit(11/05/19 19:45:44.907:25) : avc: denied { setsched } for pid=475 comm=(crub_all) scontext=system_u:system_r:systemd_t:s0 tcontext=system_u:system_r:systemd_t:s0 tclass=process permissive=1 ---- type=PROCTITLE msg=audit(11/05/19 19:45:44.907:26) : proctitle=(crub_all) type=SYSCALL msg=audit(11/05/19 19:45:44.907:26) : arch=x86_64 syscall=fcntl success=yes exit=0 a0=0x34 a1=F_SETLKW a2=0x7ffd35f38df0 a3=0x0 items=0 ppid=1 pid=475 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=(crub_all) exe=/usr/lib/systemd/systemd subj=system_u:system_r:systemd_t:s0 key=(null) type=AVC msg=audit(11/05/19 19:45:44.907:26) : avc: denied { lock } for pid=475 comm=(crub_all) path=socket:[13561] dev="sockfs" ino=13561 scontext=system_u:system_r:systemd_t:s0 tcontext=system_u:system_r:systemd_t:s0 tclass=unix_dgram_socket permissive=1 ---- type=PROCTITLE msg=audit(11/05/19 19:45:44.911:27) : proctitle=(crub_all) 
type=PATH msg=audit(11/05/19 19:45:44.911:27) : item=0 name=/proc/self/ns/net inode=4026532232 dev=00:04 mode=file,444 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:nsfs_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 type=CWD msg=audit(11/05/19 19:45:44.911:27) : cwd=/ type=SYSCALL msg=audit(11/05/19 19:45:44.911:27) : arch=x86_64 syscall=openat success=yes exit=3 a0=0xffffff9c a1=0x55e784768331 a2=O_RDONLY|O_NOCTTY|O_CLOEXEC a3=0x0 items=1 ppid=1 pid=475 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=(crub_all) exe=/usr/lib/systemd/systemd subj=system_u:system_r:systemd_t:s0 key=(null) type=AVC msg=audit(11/05/19 19:45:44.911:27) : avc: denied { open } for pid=475 comm=(crub_all) path=net:[4026532232] dev="nsfs" ino=4026532232 scontext=system_u:system_r:systemd_t:s0 tcontext=system_u:object_r:nsfs_t:s0 tclass=file permissive=1 type=AVC msg=audit(11/05/19 19:45:44.911:27) : avc: denied { read } for pid=475 comm=(crub_all) dev="nsfs" ino=4026532232 scontext=system_u:system_r:systemd_t:s0 tcontext=system_u:object_r:nsfs_t:s0 tclass=file permissive=1 ---- type=PROCTITLE msg=audit(11/05/19 19:45:44.915:29) : proctitle=(crub_all) type=PATH msg=audit(11/05/19 19:45:44.915:29) : item=2 name=/lib64/ld-linux-x86-64.so.2 inode=263996 dev=08:01 mode=file,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:ld_so_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 type=PATH msg=audit(11/05/19 19:45:44.915:29) : item=1 name=/bin/bash inode=263600 dev=08:01 mode=file,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:shell_exec_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 type=PATH msg=audit(11/05/19 19:45:44.915:29) : item=0 name=/sbin/e2scrub_all inode=263379 dev=08:01 mode=file,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:fsadm_exec_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 
cap_fver=0 cap_frootid=0 type=CWD msg=audit(11/05/19 19:45:44.915:29) : cwd=/ type=EXECVE msg=audit(11/05/19 19:45:44.915:29) : argc=4 a0=/bin/bash a1=/sbin/e2scrub_all a2=-A a3=-r type=SYSCALL msg=audit(11/05/19 19:45:44.915:29) : arch=x86_64 syscall=execve success=yes exit=0 a0=0x55e784f70b40 a1=0x55e78504dde0 a2=0x55e78502a200 a3=0x55e784f71240 items=3 ppid=1 pid=475 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=e2scrub_all exe=/usr/bin/bash subj=system_u:system_r:fsadm_t:s0 key=(null) type=AVC msg=audit(11/05/19 19:45:44.915:29) : avc: granted { nnp_transition } for pid=475 comm=(crub_all) scontext=system_u:system_r:systemd_t:s0 tcontext=system_u:system_r:fsadm_t:s0 tclass=process2 ---- type=PROCTITLE msg=audit(11/05/19 19:45:44.935:31) : proctitle=(d-logind) type=PATH msg=audit(11/05/19 19:45:44.935:31) : item=1 name=/run/systemd/inhibit inode=14807 dev=00:15 mode=dir,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:systemd_logind_inhibit_runtime_t:s0 nametype=CREATE cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 type=PATH msg=audit(11/05/19 19:45:44.935:31) : item=0 name=/run/systemd/ inode=11588 dev=00:15 mode=dir,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:systemd_runtime_t:s0 nametype=PARENT cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 type=CWD msg=audit(11/05/19 19:45:44.935:31) : cwd=/ type=SYSCALL msg=audit(11/05/19 19:45:44.935:31) : arch=x86_64 syscall=mkdir success=yes exit=0 a0=0x55e784f6aeb0 a1=0755 a2=0x0 a3=0x7 items=2 ppid=1 pid=481 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=(d-logind) exe=/usr/lib/systemd/systemd subj=system_u:system_r:systemd_t:s0 key=(null) type=AVC msg=audit(11/05/19 19:45:44.935:31) : avc: denied { create } for pid=481 comm=(d-logind) name=inhibit scontext=system_u:system_r:systemd_t:s0 
tcontext=system_u:object_r:systemd_logind_inhibit_runtime_t:s0 tclass=dir permissive=1 ---- type=PROCTITLE msg=audit(11/05/19 19:45:44.959:35) : proctitle=/usr/sbin/vnstatd -n type=PATH msg=audit(11/05/19 19:45:44.959:35) : item=1 name=/lib64/ld-linux-x86-64.so.2 inode=263996 dev=08:01 mode=file,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:ld_so_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 type=PATH msg=audit(11/05/19 19:45:44.959:35) : item=0 name=/usr/sbin/vnstatd inode=262216 dev=08:01 mode=file,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:vnstatd_exec_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 type=CWD msg=audit(11/05/19 19:45:44.959:35) : cwd=/ type=EXECVE msg=audit(11/05/19 19:45:44.959:35) : argc=2 a0=/usr/sbin/vnstatd a1=-n type=SYSCALL msg=audit(11/05/19 19:45:44.959:35) : arch=x86_64 syscall=execve success=yes exit=0 a0=0x55e784fe5500 a1=0x55e78500df40 a2=0x55e78501ae70 a3=0x55e784fe5580 items=2 ppid=1 pid=476 auid=unset uid=vnstat gid=vnstat euid=vnstat suid=vnstat fsuid=vnstat egid=vnstat sgid=vnstat fsgid=vnstat tty=(none) ses=unset comm=vnstatd exe=/usr/sbin/vnstatd subj=system_u:system_r:vnstatd_t:s0 key=(null) type=AVC msg=audit(11/05/19 19:45:44.959:35) : avc: granted { nnp_transition } for pid=476 comm=(vnstatd) scontext=system_u:system_r:systemd_t:s0 tcontext=system_u:system_r:vnstatd_t:s0 tclass=process2 ---- type=PROCTITLE msg=audit(11/05/19 19:45:45.099:37) : proctitle=(d-logind) type=PATH msg=audit(11/05/19 19:45:45.099:37) : item=1 name=/lib64/ld-linux-x86-64.so.2 inode=263996 dev=08:01 mode=file,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:ld_so_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 type=PATH msg=audit(11/05/19 19:45:45.099:37) : item=0 name=/lib/systemd/systemd-logind inode=268205 dev=08:01 mode=file,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:systemd_logind_exec_t:s0 
nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 type=CWD msg=audit(11/05/19 19:45:45.099:37) : cwd=/ type=EXECVE msg=audit(11/05/19 19:45:45.099:37) : argc=1 a0=/lib/systemd/systemd-logind type=BPRM_FCAPS msg=audit(11/05/19 19:45:45.099:37) : fver=0 fp=none fi=none fe=0 old_pp=chown,dac_override,dac_read_search,fowner,fsetid,kill,setgid,setuid,setpcap,linux_immutable,net_bind_service,net_broadcast,net_admin,net_raw,ipc_lock,ipc_owner,sys_module,sys_rawio,sys_chroot,sys_ptrace,sys_pacct,sys_admin,sys_boot,sys_nice,sys_resource,sys_time,sys_tty_config,mknod,lease,audit_write,audit_control,setfcap,mac_override,mac_admin,syslog,wake_alarm,block_suspend,audit_read old_pi=none old_pe=chown,dac_override,dac_read_search,fowner,fsetid,kill,setgid,setuid,setpcap,linux_immutable,net_bind_service,net_broadcast,net_admin,net_raw,ipc_lock,ipc_owner,sys_module,sys_rawio,sys_chroot,sys_ptrace,sys_pacct,sys_admin,sys_boot,sys_nice,sys_resource,sys_time,sys_tty_config,mknod,lease,audit_write,audit_control,setfcap,mac_override,mac_admin,syslog,wake_alarm,block_suspend,audit_read old_pa=none pp=chown,dac_override,dac_read_search,fowner,linux_immutable,sys_admin,sys_tty_config,audit_control,mac_admin pi=none pe=chown,dac_override,dac_read_search,fowner,linux_immutable,sys_admin,sys_tty_config,audit_control,mac_admin pa=none frootid=0 type=SYSCALL msg=audit(11/05/19 19:45:45.099:37) : arch=x86_64 syscall=execve success=yes exit=0 a0=0x55e784fb9a40 a1=0x55e785050a20 a2=0x55e78502e650 a3=0x55e784fb9840 items=2 ppid=1 pid=481 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=systemd-logind exe=/usr/lib/systemd/systemd-logind subj=system_u:system_r:systemd_logind_t:s0 key=(null) type=AVC msg=audit(11/05/19 19:45:45.099:37) : avc: granted { nnp_transition } for pid=481 comm=(d-logind) scontext=system_u:system_r:systemd_t:s0 tcontext=system_u:system_r:systemd_logind_t:s0 tclass=process2 >>>>>>>> log 
snippets Somehow the source context is systemd_t even though the pid is not 1 (the SYSCALL records for pids 475 and 481 show ppid=1 and exe=/usr/lib/systemd/systemd, and the proctitle is not systemd). Is the context transition perhaps delayed in the `nnp_transition` case?