* What is /selinux/null?
@ 2011-07-19 21:46 Martin Orr
2011-07-20 1:31 ` Eric Paris
0 siblings, 1 reply; 4+ messages in thread
From: Martin Orr @ 2011-07-19 21:46 UTC (permalink / raw)
To: selinux
Can anyone explain the following AVC denial? What is the purpose of
/selinux/null and why would ifconfig open it instead of /dev/null?
type=1400 audit(1311107387.404:18): avc: denied { use } for
pid=2211 comm="wpa_supplicant" path="/null" dev=selinuxfs ino=22
scontext=system_u:system_r:NetworkManager_t:s0
tcontext=system_u:system_r:ifconfig_t:s0 tclass=fd
--
Martin Orr
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

* Re: What is /selinux/null?
2011-07-19 21:46 What is /selinux/null? Martin Orr
@ 2011-07-20 1:31 ` Eric Paris
2011-07-20 12:58 ` Daniel J Walsh
2011-08-20 16:55 ` Martin Orr
0 siblings, 2 replies; 4+ messages in thread
From: Eric Paris @ 2011-07-20 1:31 UTC (permalink / raw)
To: Martin Orr; +Cc: selinux
On Tue, Jul 19, 2011 at 5:46 PM, Martin Orr <martin@martinorr.name> wrote:
> Can anyone explain the following AVC denial? What is the purpose of
> /selinux/null and why would ifconfig open it instead of /dev/null?
>
> type=1400 audit(1311107387.404:18): avc: denied { use } for pid=2211
> comm="wpa_supplicant" path="/null" dev=selinuxfs ino=22
> scontext=system_u:system_r:NetworkManager_t:s0
> tcontext=system_u:system_r:ifconfig_t:s0 tclass=fd
That is neat! So /selinux/null is the same thing as /dev/null. When
a task execs a new task and the child does not have permission to an
open fd, the kernel will close the fd and open /selinux/null in its
place. In this case it's not the label on the actual inode that is a
problem but instead the label on the fd. At some point
ifconfig_t was passed an fd it couldn't use and the kernel replaced it
with /selinux/null. ifconfig then leaked that fd onto wpa_supplicant.
My guess is that the real bug is whatever tried to pass ifconfig an fd
which it was not allowed to use. Then we work from there.....
-Eric
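The record Eric is reading is regular audit output, so the first thing a practitioner wants is to pull it apart mechanically and classify it the way he does: which domain created the fd (tcontext), which domain inherited it (scontext), and whether the kernel has already swapped the original file for the selinuxfs null device. The following parser and triage helper are an added example written for this page, not code from the thread or from any SELinux project; it assumes the field layout of the sample line above (the sample is the original report's own AVC record, reused here unchanged) and treats `dev=selinuxfs path="/null"` as the signature of a kernel-substituted fd, exactly as the thread identifies it.

```python
import re
from dataclasses import dataclass

# Sample input: the AVC record from the original report, reused verbatim.
SAMPLE_AVC = ('type=1400 audit(1311107387.404:18): avc: denied { use } for pid=2211 '
              'comm="wpa_supplicant" path="/null" dev=selinuxfs ino=22 '
              'scontext=system_u:system_r:NetworkManager_t:s0 '
              'tcontext=system_u:system_r:ifconfig_t:s0 tclass=fd')

_AVC_RE = re.compile(r'avc:\s+(denied|granted)\s+\{\s*([^}]*?)\s*\}\s+for\s+(.*)$')
_KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')       # key=value, value possibly quoted
_AUDIT_RE = re.compile(r'audit\((\d+\.\d+):(\d+)\)')  # timestamp:serial


@dataclass
class AvcRecord:
    result: str        # denied / granted
    perms: list        # permissions listed inside { }
    fields: dict       # pid, comm, path, dev, ino, scontext, tcontext, tclass, ...
    timestamp: str = ''
    serial: str = ''


def parse_avc(line):
    """Parse one kernel AVC line into an AvcRecord; raises ValueError otherwise."""
    m = _AVC_RE.search(line)
    if m is None:
        raise ValueError('not an AVC record: %r' % line)
    result, perms, rest = m.groups()
    fields = {k: v.strip('"') for k, v in _KV_RE.findall(rest)}
    a = _AUDIT_RE.search(line)
    ts, serial = a.groups() if a else ('', '')
    return AvcRecord(result, perms.split(), fields, ts, serial)


def domain_of(context):
    """system_u:system_r:NetworkManager_t:s0 -> NetworkManager_t (the type is field 3)."""
    parts = context.split(':')
    return parts[2] if len(parts) >= 3 else context


def triage_fd_denial(rec):
    """Explain an fd:use denial: the fd was created by tcontext's domain and
    inherited by scontext's domain. If the denied object is the selinuxfs null
    device, the kernel already replaced the real fd during an earlier exec, so
    the leak happened before this domain ever saw it. Returns None for other records."""
    f = rec.fields
    if rec.result != 'denied' or f.get('tclass') != 'fd' or 'use' not in rec.perms:
        return None
    receiving = domain_of(f.get('scontext', ''))
    creator = domain_of(f.get('tcontext', ''))
    substituted = f.get('dev') == 'selinuxfs' and f.get('path') == '/null'
    if substituted:
        advice = ('the fd was already replaced by the kernel in an earlier exec; '
                  'find the program that leaked the original fd across exec '
                  '(mark it FD_CLOEXEC) instead of allowing %s %s:fd use'
                  % (receiving, creator))
    else:
        advice = ('%s inherited an fd created by %s and the policy has no '
                  '"allow %s %s:fd use;"' % (receiving, creator, receiving, creator))
    return {'receiving_domain': receiving, 'creator_domain': creator,
            'substituted': substituted, 'comm': f.get('comm'), 'advice': advice}


if __name__ == '__main__':
    rec = parse_avc(SAMPLE_AVC)
    print(rec)
    print(triage_fd_denial(rec))
```

Feeding the sample through `triage_fd_denial` reports NetworkManager_t as the receiving domain, ifconfig_t as the creator and `substituted=True`, which is the point of Eric's reply: an allow rule for NetworkManager_t on ifconfig_t fds would only hide the symptom, because the fd being denied is already the null device.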

* Re: What is /selinux/null?
2011-07-20 1:31 ` Eric Paris
@ 2011-07-20 12:58 ` Daniel J Walsh
2011-08-20 16:55 ` Martin Orr
1 sibling, 0 replies; 4+ messages in thread
From: Daniel J Walsh @ 2011-07-20 12:58 UTC (permalink / raw)
To: Eric Paris; +Cc: Martin Orr, selinux
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
On 07/19/2011 09:31 PM, Eric Paris wrote:
> On Tue, Jul 19, 2011 at 5:46 PM, Martin Orr <martin@martinorr.name>
> wrote:
>> Can anyone explain the following AVC denial? What is the purpose
>> of /selinux/null and why would ifconfig open it instead of
>> /dev/null?
>>
>> type=1400 audit(1311107387.404:18): avc: denied { use } for
>> pid=2211 comm="wpa_supplicant" path="/null" dev=selinuxfs ino=22
>> scontext=system_u:system_r:NetworkManager_t:s0
>> tcontext=system_u:system_r:ifconfig_t:s0 tclass=fd
>
> That is neat! so /selinux/null is the same thing as /dev/null.
> When a task exec's a new task and the child does not have permission
> to an open fd the kernel will close the fd and open /selinux/null in
> it's place. In this case it's not the label on the actual inode that
> is a problem but it is instead the label on the fd. at some point
> ifconfig_t was passed an fd it couldn't use and the kernel replaced
> it with /selinux/null. ifconfig then leaked that fd onto
> wpa_supplicant.
>
> My guess is that the real bug is whatever tried to pass ifconfig an
> fd which it was not allowed to use. Then we work from there.....
>
> -Eric
These are the ones to me that look backwards.
I have a hard time seeing how ifconfig_t could leak a descriptor to
NetworkManager_t.
Searching through transition rules, I guess the following is possible.
ifconfig_t -> insmod_t -> initrc_t -> NetworkManager_t?
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/
iEYEARECAAYFAk4m0OgACgkQrlYvE4MpobODPQCgzRGr88y8uyHATsLrpyUxxZx9
0H4An1oylKILkp/2qcnlqQObYFYgDVQW
=mYL2
-----END PGP SIGNATURE-----

* Re: What is /selinux/null?
2011-07-20 1:31 ` Eric Paris
2011-07-20 12:58 ` Daniel J Walsh
@ 2011-08-20 16:55 ` Martin Orr
1 sibling, 0 replies; 4+ messages in thread
From: Martin Orr @ 2011-08-20 16:55 UTC (permalink / raw)
To: Eric Paris; +Cc: selinux
On Wed 20 Jul 02:31:29 2011, Eric Paris wrote:
> On Tue, Jul 19, 2011 at 5:46 PM, Martin Orr <martin@martinorr.name> wrote:
>> Can anyone explain the following AVC denial? What is the purpose of
>> /selinux/null and why would ifconfig open it instead of /dev/null?
>>
>> type=1400 audit(1311107387.404:18): avc: denied { use } for pid=2211
>> comm="wpa_supplicant" path="/null" dev=selinuxfs ino=22
>> scontext=system_u:system_r:NetworkManager_t:s0
>> tcontext=system_u:system_r:ifconfig_t:s0 tclass=fd
>
> That is neat! so /selinux/null is the same thing as /dev/null. When
> a task exec's a new task and the child does not have permission to an
> open fd the kernel will close the fd and open /selinux/null in it's
> place. In this case it's not the label on the actual inode that is a
> problem but it is instead the label on the fd. at some point
> ifconfig_t was passed an fd it couldn't use and the kernel replaced it
> with /selinux/null. ifconfig then leaked that fd onto wpa_supplicant.
I decided to track this down, and it is a little more complex than that:
When the kernel reopens an fd as /selinux/null, this happens before
the context change, so the fd gets the label of the old task.
So in this instance, the fd was leaked from ifconfig to a script
running as wpa_cli_t. The fd turned out to be /dev/console, coming
from init; wpa_cli_t has init_use_fds but only
term_dontaudit_use_console, so the fd was silently changed to
/selinux/null at this point.
(As Dan pointed out, the transitions ifconfig_t -> wpa_cli_t ->
NetworkManager_t are not in refpolicy but they are in my policy.)
Best wishes,
Martin
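Martin's finding (the substitution happens before the credentials change, so the replacement fd carries the old task's label) and Eric's description of the mechanism combine into one chain of events that is easier to follow when simulated. The model below is an added example written for this page, not kernel code and not from the thread: it plays through the exec chain Martin names (init_t -> ifconfig_t -> wpa_cli_t -> NetworkManager_t) carrying an fd on /dev/console opened by init. The policy rules are constructed to mirror his description (wpa_cli_t may use init_t fds but has only a dontaudit on the console; NetworkManager_t has no rule for ifconfig_t fds), and the checks are deliberately simplified: the real hook in security/selinux/hooks.c derives the inode permission from the file's open mode and covers more object classes than the read/write pair used here. The `cloexec` flag shows the fix Eric was pointing at: if the leaking program marks the fd close-on-exec, no substitution ever happens and the denial disappears.

```python
from dataclasses import dataclass, field


@dataclass(frozen=True)
class OpenFile:
    path: str          # what readlink(/proc/<pid>/fd/N) would show
    dev: str           # filesystem the inode lives on
    inode_label: str   # type of the inode, e.g. console_device_t
    inode_class: str   # chr_file, fifo_file, ...
    fd_label: str      # domain of the task that created this open file description
    cloexec: bool = False


@dataclass
class Policy:
    allow: set = field(default_factory=set)      # (source domain, target type, class, perm)
    dontaudit: set = field(default_factory=set)  # denials that are not logged

    def check(self, sdom, ttype, cls, perm):
        """'allow', 'deny' (audited) or 'deny-silent' (covered by dontaudit)."""
        key = (sdom, ttype, cls, perm)
        if key in self.allow:
            return 'allow'
        return 'deny-silent' if key in self.dontaudit else 'deny'


def exec_transition(old_dom, new_dom, fds, policy, audit):
    """Simplified model of what the kernel does to inherited fds when old_dom
    execs into new_dom. Returns new_dom's fd table; audited denials are appended
    to `audit` as dicts shaped like the fields of an AVC record."""
    new_fds = {}
    for n, f in fds.items():
        if f.cloexec:
            continue  # never inherited, so nothing to check or replace
        # Checked in new_dom's context: first, may it use an fd that another
        # domain created? Then, may it access the underlying inode at all?
        checks = []
        if f.fd_label != new_dom:
            checks.append((f.fd_label, 'fd', 'use'))
        checks += [(f.inode_label, f.inode_class, p) for p in ('read', 'write')]
        verdict = 'allow'
        for ttype, cls, perm in checks:
            verdict = policy.check(new_dom, ttype, cls, perm)
            if verdict != 'allow':
                if verdict == 'deny':
                    audit.append({'scontext': new_dom, 'tcontext': ttype, 'tclass': cls,
                                  'perm': perm, 'path': f.path, 'dev': f.dev})
                break
        if verdict == 'allow':
            new_fds[n] = f
        else:
            # The kernel closes the fd and opens the selinuxfs null device in its
            # place. Per Martin's finding this happens before the credentials
            # change, so the replacement is labelled with the OLD task's domain.
            new_fds[n] = OpenFile('/null', 'selinuxfs', 'null_device_t', 'chr_file',
                                  fd_label=old_dom)
    return new_fds


def format_avc(rec):
    return ('avc: denied {{ {perm} }} for path="{path}" dev={dev} '
            'scontext={scontext} tcontext={tcontext} tclass={tclass}').format(**rec)


def run_thread_scenario(cloexec=False):
    """init_t -> ifconfig_t -> wpa_cli_t -> NetworkManager_t, carrying fd 0 (/dev/console).
    Policy rules are constructed for this example, not taken from any real policy."""
    policy = Policy(
        allow={
            ('ifconfig_t', 'init_t', 'fd', 'use'),               # ifconfig keeps the console
            ('ifconfig_t', 'console_device_t', 'chr_file', 'read'),
            ('ifconfig_t', 'console_device_t', 'chr_file', 'write'),
            ('wpa_cli_t', 'init_t', 'fd', 'use'),                # init_use_fds ...
            ('NetworkManager_t', 'init_t', 'fd', 'use'),
            ('NetworkManager_t', 'null_device_t', 'chr_file', 'read'),   # the inode is
            ('NetworkManager_t', 'null_device_t', 'chr_file', 'write'),  # not the problem
        },
        dontaudit={
            ('wpa_cli_t', 'console_device_t', 'chr_file', 'read'),   # ... but only
            ('wpa_cli_t', 'console_device_t', 'chr_file', 'write'),  # term_dontaudit_use_console
        },
    )
    audit = []
    fds = {0: OpenFile('/dev/console', 'devtmpfs', 'console_device_t', 'chr_file',
                       fd_label='init_t', cloexec=cloexec)}
    for old, new in (('init_t', 'ifconfig_t'), ('ifconfig_t', 'wpa_cli_t'),
                     ('wpa_cli_t', 'NetworkManager_t')):
        fds = exec_transition(old, new, fds, policy, audit)
    return fds, audit


if __name__ == '__main__':
    fds, audit = run_thread_scenario()
    print(fds[0])
    for rec in audit:
        print(format_avc(rec))
    print(run_thread_scenario(cloexec=True))
```

Run as-is, the model produces exactly one audited denial, with scontext NetworkManager_t, tcontext ifconfig_t, tclass fd and path "/null" on selinuxfs: the silent swap at the wpa_cli_t step is what turns a console fd created by init into an fd that looks, to NetworkManager_t, like it came from ifconfig_t. With `cloexec=True` the fd table is empty after the first exec and nothing is logged.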