* Cron /null fd:use use denials
@ 2005-03-31 19:00 Ivan Gyurdiev
2005-03-31 18:58 ` Stephen Smalley
2005-04-01 20:19 ` Daniel J Walsh
0 siblings, 2 replies; 3+ messages in thread
From: Ivan Gyurdiev @ 2005-03-31 19:00 UTC (permalink / raw)
To: selinux
What's causing those?
audit(1112259892.387:9374931): avc: denied { use } for pid=10993
exe=/usr/sbin/sendmail.sendmail path=/null dev=selinuxfs ino=245
scontext=system_u:system_r:system_mail_t
tcontext=system_u:system_r:init_t tclass=fd
audit(1112259892.551:9376543): avc: denied { use } for pid=10996
exe=/usr/sbin/tmpwatch path=/null dev=selinuxfs ino=245
scontext=system_u:system_r:tmpreaper_t tcontext=system_u:system_r:init_t
tclass=fd
audit(1112259892.620:9377236): avc: denied { use } for pid=10999
exe=/usr/sbin/logrotate path=/null dev=selinuxfs ino=245
scontext=system_u:system_r:logrotate_t tcontext=system_u:system_r:init_t
tclass=fd
--
Ivan Gyurdiev <ivg2@cornell.edu>
Cornell University
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
* Re: Cron /null fd:use use denials
From: Stephen Smalley @ 2005-03-31 18:58 UTC (permalink / raw)
To: Ivan Gyurdiev; +Cc: selinux
On Thu, 2005-03-31 at 14:00 -0500, Ivan Gyurdiev wrote:
> What's causing those?
>
> audit(1112259892.387:9374931): avc: denied { use } for pid=10993
> exe=/usr/sbin/sendmail.sendmail path=/null dev=selinuxfs ino=245
> scontext=system_u:system_r:system_mail_t
> tcontext=system_u:system_r:init_t tclass=fd
>
> audit(1112259892.551:9376543): avc: denied { use } for pid=10996
> exe=/usr/sbin/tmpwatch path=/null dev=selinuxfs ino=245
> scontext=system_u:system_r:tmpreaper_t tcontext=system_u:system_r:init_t
> tclass=fd
>
> audit(1112259892.620:9377236): avc: denied { use } for pid=10999
> exe=/usr/sbin/logrotate path=/null dev=selinuxfs ino=245
> scontext=system_u:system_r:logrotate_t tcontext=system_u:system_r:init_t
> tclass=fd
Looks like /sbin/init is leaking a descriptor to something, and then
SELinux is closing it and re-opening it to the null device node in
selinuxfs upon the domain transition to crond (which is then passed on
to its children).
--
Stephen Smalley <sds@tycho.nsa.gov>
National Security Agency
* Re: Cron /null fd:use use denials
From: Daniel J Walsh @ 2005-04-01 20:19 UTC (permalink / raw)
To: ivg2; +Cc: selinux
Ivan Gyurdiev wrote:
>What's causing those?
>
>audit(1112259892.387:9374931): avc: denied { use } for pid=10993
>exe=/usr/sbin/sendmail.sendmail path=/null dev=selinuxfs ino=245
>scontext=system_u:system_r:system_mail_t
>tcontext=system_u:system_r:init_t tclass=fd
>
>audit(1112259892.551:9376543): avc: denied { use } for pid=10996
>exe=/usr/sbin/tmpwatch path=/null dev=selinuxfs ino=245
>scontext=system_u:system_r:tmpreaper_t tcontext=system_u:system_r:init_t
>tclass=fd
>
>audit(1112259892.620:9377236): avc: denied { use } for pid=10999
>exe=/usr/sbin/logrotate path=/null dev=selinuxfs ino=245
>scontext=system_u:system_r:logrotate_t tcontext=system_u:system_r:init_t
>tclass=fd
I think we have found and fixed this problem. Happens in the initrd.
Basically, a sh script was opening /init and leaving the file descriptor
open, which would then get picked up by init when init was execed. Init
would then load policy and hand the open file descriptor down ...
This should be fixed in the current rawhide.
Dan
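
An added example, not part of the thread and not written by any of its participants: a small Python triage script that re-joins hard-wrapped audit records like the ones quoted above and groups fd { use } denials on the selinuxfs /null node by the type in tcontext, which is how the three denials all point back to init_t. The function names are hypothetical, and the fourth sample record is constructed as a negative case.

```python
import re
from collections import defaultdict

# The three denials quoted in the thread (hard-wrapped as in the mail), plus one
# constructed, unrelated denial (example_t is a made-up domain) as a negative case.
SAMPLE = """\
audit(1112259892.387:9374931): avc: denied { use } for pid=10993
exe=/usr/sbin/sendmail.sendmail path=/null dev=selinuxfs ino=245
scontext=system_u:system_r:system_mail_t
tcontext=system_u:system_r:init_t tclass=fd
audit(1112259892.551:9376543): avc: denied { use } for pid=10996
exe=/usr/sbin/tmpwatch path=/null dev=selinuxfs ino=245
scontext=system_u:system_r:tmpreaper_t tcontext=system_u:system_r:init_t
tclass=fd
audit(1112259892.620:9377236): avc: denied { use } for pid=10999
exe=/usr/sbin/logrotate path=/null dev=selinuxfs ino=245
scontext=system_u:system_r:logrotate_t tcontext=system_u:system_r:init_t
tclass=fd
audit(1112259900.000:1): avc: denied { read } for pid=11000 exe=/usr/bin/example
dev=hda2 ino=100 scontext=system_u:system_r:example_t tcontext=system_u:object_r:etc_t tclass=file
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{([^}]*)\}\s+for\s+(.*)")

def join_records(text):
    """Re-join wrapped lines: a new record starts at each line beginning 'audit('."""
    return [" ".join(r.split()) for r in re.split(r"\n(?=audit\()", text.strip())]

def parse_avc(record):
    """Return the denial's key=value fields plus 'perms', or None if not an AVC denial."""
    m = AVC_RE.search(record)
    if not m:
        return None
    fields = dict(re.findall(r"(\w+)=(\S+)", m.group(2)))
    fields["perms"] = m.group(1).split()
    return fields

def sel_type(context):
    return context.split(":")[2]  # user:role:type[:level]

def inherited_fd_report(text):
    """Map tcontext type -> sorted (scontext type, exe) pairs for fd:use denials on selinuxfs /null."""
    report = defaultdict(set)
    for rec in filter(None, map(parse_avc, join_records(text))):
        if (rec.get("tclass") == "fd" and "use" in rec["perms"]
                and rec.get("dev") == "selinuxfs" and rec.get("path") == "/null"):
            report[sel_type(rec["tcontext"])].add((sel_type(rec["scontext"]), rec["exe"]))
    return {owner: sorted(users) for owner, users in report.items()}
```

A single tcontext type shared by denials from several unrelated domains, as here, is the pattern worth chasing upstream rather than allowing per domain.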