* Re: Cron /null fd:use use denials
From: Stephen Smalley @ 2005-03-31 18:58 UTC (permalink / raw)
  To: Ivan Gyurdiev; +Cc: selinux

On Thu, 2005-03-31 at 14:00 -0500, Ivan Gyurdiev wrote:
> What's causing those?
> 
> audit(1112259892.387:9374931): avc:  denied  { use } for  pid=10993
> exe=/usr/sbin/sendmail.sendmail path=/null dev=selinuxfs ino=245
> scontext=system_u:system_r:system_mail_t
> tcontext=system_u:system_r:init_t tclass=fd
> 
> audit(1112259892.551:9376543): avc:  denied  { use } for  pid=10996
> exe=/usr/sbin/tmpwatch path=/null dev=selinuxfs ino=245
> scontext=system_u:system_r:tmpreaper_t tcontext=system_u:system_r:init_t
> tclass=fd
> 
> audit(1112259892.620:9377236): avc:  denied  { use } for  pid=10999
> exe=/usr/sbin/logrotate path=/null dev=selinuxfs ino=245
> scontext=system_u:system_r:logrotate_t tcontext=system_u:system_r:init_t
> tclass=fd

Looks like /sbin/init is leaking a descriptor to something, and then
SELinux is closing it and re-opening it to the null device node in
selinuxfs upon the domain transition to crond (which is then passed on
to its children).

-- 
Stephen Smalley <sds@tycho.nsa.gov>
National Security Agency


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.


* Cron /null fd:use use denials
From: Ivan Gyurdiev @ 2005-03-31 19:00 UTC (permalink / raw)
  To: selinux

What's causing those?

audit(1112259892.387:9374931): avc:  denied  { use } for  pid=10993
exe=/usr/sbin/sendmail.sendmail path=/null dev=selinuxfs ino=245
scontext=system_u:system_r:system_mail_t
tcontext=system_u:system_r:init_t tclass=fd

audit(1112259892.551:9376543): avc:  denied  { use } for  pid=10996
exe=/usr/sbin/tmpwatch path=/null dev=selinuxfs ino=245
scontext=system_u:system_r:tmpreaper_t tcontext=system_u:system_r:init_t
tclass=fd

audit(1112259892.620:9377236): avc:  denied  { use } for  pid=10999
exe=/usr/sbin/logrotate path=/null dev=selinuxfs ino=245
scontext=system_u:system_r:logrotate_t tcontext=system_u:system_r:init_t
tclass=fd

-- 
Ivan Gyurdiev <ivg2@cornell.edu>
Cornell University



* Re: Cron /null fd:use use denials
From: Daniel J Walsh @ 2005-04-01 20:19 UTC (permalink / raw)
  To: ivg2; +Cc: selinux

Ivan Gyurdiev wrote:

>What's causing those?
>
>audit(1112259892.387:9374931): avc:  denied  { use } for  pid=10993
>exe=/usr/sbin/sendmail.sendmail path=/null dev=selinuxfs ino=245
>scontext=system_u:system_r:system_mail_t
>tcontext=system_u:system_r:init_t tclass=fd
>
>audit(1112259892.551:9376543): avc:  denied  { use } for  pid=10996
>exe=/usr/sbin/tmpwatch path=/null dev=selinuxfs ino=245
>scontext=system_u:system_r:tmpreaper_t tcontext=system_u:system_r:init_t
>tclass=fd
>
>audit(1112259892.620:9377236): avc:  denied  { use } for  pid=10999
>exe=/usr/sbin/logrotate path=/null dev=selinuxfs ino=245
>scontext=system_u:system_r:logrotate_t tcontext=system_u:system_r:init_t
>tclass=fd
>
I think we have found and fixed this problem. Happens in the initrd. Basically sh script was opening /init and leaving the file descriptor open, which would then get picked up by init when init was execed. Init would then load policy and hand the open file descriptor down ...

This should be fixed in the current rawhide.

Dan

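As an added example (not code from the thread), a small Python parser that re-joins the mail-wrapped AVC records quoted above and picks out exactly the signature Stephen describes: fd:use denials whose target is the selinuxfs null node, reported as (domain that owned the descriptor, domain that inherited it, exe). The sample text is constructed in the thread's record format, with one ordinary file denial added for contrast.

```python
import re

# Constructed sample in the thread's mail-wrapped AVC format: one of the
# quoted fd:use records plus an ordinary file denial for contrast.
SAMPLE_AUDIT = """\
audit(1112259892.387:9374931): avc:  denied  { use } for  pid=10993
exe=/usr/sbin/sendmail.sendmail path=/null dev=selinuxfs ino=245
scontext=system_u:system_r:system_mail_t
tcontext=system_u:system_r:init_t tclass=fd
audit(1112259892.700:9377300): avc:  denied  { read } for  pid=11002
exe=/usr/sbin/logrotate path=/var/log/messages dev=hda2 ino=99
scontext=system_u:system_r:logrotate_t tcontext=system_u:object_r:var_log_t
tclass=file
"""
AVC_RE = re.compile(
    r"audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): avc:\s+(?P<result>denied|granted)"
    r"\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)")


def parse_avc(text):
    """Parse AVC records, re-joining ones the mail client wrapped across lines
    (a record starts at 'audit(' and runs until the next one)."""
    records, buf = [], []
    for line in text.splitlines():
        if line.startswith("audit("):
            if buf:
                records.append(" ".join(buf))
            buf = [line.strip()]
        elif line.strip() and buf:
            buf.append(line.strip())
    if buf:
        records.append(" ".join(buf))
    parsed = []
    for m in filter(None, map(AVC_RE.match, records)):
        d = {"ts": m["ts"], "serial": m["serial"], "result": m["result"],
             "perms": set(m["perms"].split())}
        # Values are unquoted key=value tokens, as in these 2005-era records.
        d.update(kv.split("=", 1) for kv in m["rest"].split() if "=" in kv)
        parsed.append(d)
    return parsed


def leaked_fd_denials(records):
    """fd:use denials on the selinuxfs null node, i.e. descriptors SELinux had
    already closed and re-pointed at /null across a domain transition.
    Returns (domain that owned the fd, domain that inherited it, exe)."""
    return [(r["tcontext"].split(":")[2], r["scontext"].split(":")[2], r["exe"])
            for r in records if r["result"] == "denied"
            and r.get("tclass") == "fd" and "use" in r["perms"]
            and r.get("dev") == "selinuxfs" and r.get("path") == "/null"]
```

The owning domain in the tuple (init_t here) is where to look for the leak; the inheriting domain only shows which cron child happened to touch the descriptor.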
