* RHEL5, selinux-policy-2.4.6.30-el5, and pidof AVC issue
@ 2011-08-17 14:18 rarob
From: rarob @ 2011-08-17 14:18 UTC (permalink / raw)
To: selinux
I've been banging my head against this since yesterday. I have a confined
root process that is trying to run /sbin/pidof and getting AVC
denials (raw AVC messages lower down). The output from 'audit2allow -a -l'
suggests adding the following:
allow myDomain_t crond_t:process ptrace;
allow myDomain_t cupsd_t:process ptrace;
allow myDomain_t setrans_t:process ptrace;
allow myDomain_t src_t:dir { getattr search };
allow myDomain_t udev_t:process ptrace;
allow myDomain_t unconfined_t:process ptrace;
allow myDomain_t xdm_t:process ptrace;
I've explicitly verified that these are present, both by adding them to my
policy and using sesearch to show that they are in fact present.
Audit2why indicates the problem may be a constraint, but if so I'm having
a hard time understanding how to track down what attribute I need to add
to satisfy the constraint. I have pulled the source for the policy down
and have tried diving through it. I did load the enableaudit.pp to see if
that gave me any additional info, and I did not see any, so I've reloaded
base.pp.
At this point upgrading to a more recent policy is not an option. Our
customer base isn't always able to upgrade.
Below I've focused on the AVCs related to cupsd_t just for brevity. Any
help would be greatly appreciated.
Output from setroubleshoot below:
Summary
SELinux is preventing /sbin/killall5 (myDomain_t) "ptrace" to <Unknown> (cupsd_t).
Detailed Description
SELinux denied access requested by /sbin/killall5. It is not expected that
this access is required by /sbin/killall5 and this access may signal an
intrusion attempt. It is also possible that the specific version or
configuration of the application is causing it to require additional
access.
Allowing Access
You can generate a local policy module to allow this access - see
http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385 Or you can disable
SELinux protection altogether. Disabling SELinux protection is not
recommended. Please file a http://bugzilla.redhat.com/bugzilla/enter_bug.cgi
against this package.
Additional Information
Source Context user_u:system_r:myDomain_t
Target Context system_u:system_r:cupsd_t:SystemLow-SystemHigh
Target Objects None [ process ]
Affected RPM Packages SysVinit-2.86-14 [application]
Policy RPM selinux-policy-2.4.6-30.el5
Selinux Enabled True
Policy Type targeted
MLS Enabled True
Enforcing Mode Permissive
Plugin Name plugins.catchall
Host Name rh50-32-selinux
Platform Linux rh50-32-selinux 2.6.18-8.el5 #1 SMP Fri Jan 26 14:15:21 EST 2007 i686 i686
Alert Count 12
Line Numbers
Raw Audit Messages
avc: denied { ptrace } for comm="pidof" egid=0 euid=0 exe="/sbin/killall5"
exit=15 fsgid=0 fsuid=0 gid=0 items=0 pid=21880
scontext=user_u:system_r:myDomain_t:s0 sgid=0
subj=user_u:system_r:myDomain_t:s0 suid=0 tclass=process
tcontext=system_u:system_r:cupsd_t:s0-s0:c0.c1023 tty=pts0 uid=0
audit2allow -a -l |grep myDomain_t :
allow myDomain_t cupsd_t:process ptrace;
sesearch -A -s myDomain_t -t cupsd_t
Found 1 av rules:
allow myDomain_t cupsd_t : process ptrace ;
audit2why (filtered for the cupsd_t denial):
type=AVC msg=audit(1313588704.514:732): avc: denied { ptrace } for
pid=23237 comm="pidof" scontext=user_u:system_r:securityblanket_cfg_t:s0
tcontext=system_u:system_r:cupsd_t:s0-s0:c0.c1023 tclass=process
Was caused by:
Constraint violation.
Check policy/constraints.
Typically, you just need to add a type attribute to the
domain to satisfy the constraint.
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
* Re: RHEL5, selinux-policy-2.4.6.30-el5, and pidof AVC issue
From: Stephen Smalley @ 2011-08-17 14:45 UTC (permalink / raw)
To: rarob; +Cc: selinux
On Wed, 2011-08-17 at 10:18 -0400, rarob@travelinglightfarm.net wrote:
> I've been banging my head against this since yesterday. I have a confined
> root process that is trying to run /sbin/pidof and getting AVC
> denials (raw AVC messages lower down). The output from 'audit2allow -a -l'
> suggests adding the following:
>
> allow myDomain_t crond_t:process ptrace;
> allow myDomain_t cupsd_t:process ptrace;
> allow myDomain_t setrans_t:process ptrace;
> allow myDomain_t src_t:dir { getattr search };
> allow myDomain_t udev_t:process ptrace;
> allow myDomain_t unconfined_t:process ptrace;
> allow myDomain_t xdm_t:process ptrace;
>
> I've explicitly verified that these are present, both by adding them to my
> policy and using sesearch to show that they are in fact present.
> Audit2why indicates the problem may be a constraint, but if so I'm having
> a hard time understanding how to track down what attribute I need to add
> to satisfy the constraint.
What exactly do you want myDomain_t to be able to do, and to what target
processes? I doubt you want to allow this for all of these domains.
Which target processes do you want myDomain_t to be able to look up /
kill?
The relevant constraint here would be in policy/mcs, as your process is
running with an MCS level of s0 aka SystemLow but the target is running
s0-s0:c0.c1023 aka SystemHigh. Type attribute is mcsptraceall,
refpolicy interface is mcs_ptrace_all(). Alternatively you could run
your process fully ranged to SystemHigh and avoid the need to add this
attribute.
--
Stephen Smalley
National Security Agency
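To make the constraint Stephen describes concrete, here is an added Python diagnostic (not from the thread, the reference policy, or any SELinux tool) that parses the raw AVC from the original post, compares the subject's and target's high MCS levels, and reports whether the policy/mcs ptrace constraint, rather than a missing allow rule, is what denies. It assumes the refpolicy constraint form `mlsconstrain process { ptrace } (h1 dom h2 or t1 == mcsptraceall)`; the attribute lookup on the subject type is simulated by the `subject_attrs` parameter.

```python
import re

# The MCS constraint Stephen points at (refpolicy policy/mcs, RHEL5 targeted):
#   mlsconstrain process { ptrace } ( h1 dom h2 or t1 == mcsptraceall );
# The subject's HIGH level must dominate the target's HIGH level unless the
# subject type carries the mcsptraceall attribute. An allow rule cannot
# override a failed constraint, which is why sesearch shows the rule yet
# the AVC is still denied.

# Constructed sample: the raw AVC message from the original post, on one line.
SAMPLE_AVC = ('avc: denied { ptrace } for comm="pidof" exe="/sbin/killall5" '
              'scontext=user_u:system_r:myDomain_t:s0 '
              'tcontext=system_u:system_r:cupsd_t:s0-s0:c0.c1023 tclass=process')


def parse_level(level):
    """'s0', 's0:c0.c1023' or 's0:c1,c5.c7' -> (sensitivity, set of categories)."""
    sens, _, cats = level.partition(':')
    catset = set()
    for part in filter(None, cats.split(',')):
        lo, _, hi = part.partition('.')          # 'c0.c1023' is a category range
        catset.update(range(int(lo[1:]), int((hi or lo)[1:]) + 1))
    return int(sens[1:]), catset


def parse_context(ctx):
    """user:role:type[:range] -> (type, low_level, high_level)."""
    parts = ctx.split(':', 3)
    rng = parts[3] if len(parts) > 3 else 's0'   # no range shown => SystemLow
    low, _, high = rng.partition('-')
    return parts[2], parse_level(low), parse_level(high or low)


def dominates(a, b):
    """MLS dominance: higher-or-equal sensitivity and a superset of categories."""
    return a[0] >= b[0] and a[1] >= b[1]


def diagnose_ptrace_avc(avc, subject_attrs=()):
    """Explain a ptrace AVC in terms of the MCS constraint."""
    perms = set(re.search(r'denied\s*\{([^}]*)\}', avc).group(1).split())
    tclass = re.search(r'tclass=(\S+)', avc).group(1)
    if tclass != 'process' or 'ptrace' not in perms:
        return {'verdict': 'not-a-ptrace-denial'}
    styp, _, shigh = parse_context(re.search(r'scontext=(\S+)', avc).group(1))
    ttyp, _, thigh = parse_context(re.search(r'tcontext=(\S+)', avc).group(1))
    ok = dominates(shigh, thigh) or 'mcsptraceall' in subject_attrs
    return {'verdict': 'constraint-allows' if ok else 'constraint-denies',
            'subject': styp, 'target': ttyp,
            'hint': None if ok else ('give %s mcs_ptrace_all() or run it ranged '
                                     'to SystemHigh (s0-s0:c0.c1023)' % styp)}
```

Running `diagnose_ptrace_avc(SAMPLE_AVC)` on the posted AVC returns `constraint-denies` with the two remedies from the reply; the same AVC with the subject ranged to s0-s0:c0.c1023, or with `subject_attrs={'mcsptraceall'}`, returns `constraint-allows`.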
* Re: RHEL5, selinux-policy-2.4.6.30-el5, and pidof AVC issue
From: rarob @ 2011-08-17 15:27 UTC (permalink / raw)
To: selinux
> What exactly do you want myDomain_t to be able to do, and to what target
> processes? I doubt you want to allow this for all of these domains.
> Which target processes do you want myDomain_t to be able to look up /
> kill?
>
> The relevant constraint here would be in policy/mcs, as your process is
> running with a MCS level of s0 aka SystemLow but the target is running
> s0-s0:c0.c1023 aka SystemHigh. Type attribute is mcsptraceall,
> refpolicy interface is mcs_ptrace_all(). Alternatively you could run
> your process fully ranged to SystemHigh and avoid the need to add this
> attribute.
>
> --
> Stephen Smalley
> National Security Agency
Stephen,
Basically I need to be able to run the equivalent of '/sbin/service *
status' for any service, and eventually start/stop as well. I *think* I
may have cracked a good chunk of it (the status portion) by adding
'domain_dontaudit_ptrace_all_domains()' and 'allow myDomain_t pidfile:
{read getattr ioctl}'.
I guess my understanding of SELinux is missing how the levels apply to a
basic targeted policy. I had thought they didn't apply. Eventually we
do want our policy to support MLS/MCS and ultimately the LSPP. If we're
not running MCS/MLS, do the SystemLow/SystemHigh ranges actually apply?
* Re: RHEL5, selinux-policy-2.4.6.30-el5, and pidof AVC issue
From: Stephen Smalley @ 2011-08-17 15:40 UTC (permalink / raw)
To: rarob; +Cc: selinux
On Wed, 2011-08-17 at 11:27 -0400, rarob@travelinglightfarm.net wrote:
> Stephen,
> Basically I need to be able to run the equivalent of '/sbin/service *
> status' for any service, and eventually start/stop as well. I *think* I
> may have cracked a good chunk of it (the status portion) by adding
> 'domain_dontaudit_ptrace_all_domains()' and 'allow myDomain_t pidfile:
> {read getattr ioctl}'.
> I guess my understanding of SELinux is missing how the levels apply to a
> basic targeted policy. I had thought they didn't apply. Eventually we
> do want our policy to support MLS/MCS and ultimately the LSPP. If we're
> not running MCS/MLS, do the SystemLow/SystemHigh ranges actually apply?
As of RHEL5 and later, the targeted policy includes MCS.
--
Stephen Smalley
National Security Agency