From: Daniel J Walsh <dwalsh@redhat.com>
To: SELinux <selinux@tycho.nsa.gov>
Subject: Monitoring the Openshift Logs each day for AVCs I am struct by how often we get AVC's for stuff that is blocked by DAC.
Date: Wed, 13 Feb 2013 08:42:07 -0500 [thread overview]
Message-ID: <511B982F.3050502@redhat.com> (raw)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
This causes SELinux to have a bad name, and we really need to cleanup the
kernel to make sure MAC Checks happen after DAC Checks.
Here is an example, of a UID running a program that attempts to create a file
in a directory which would be denied by dac.
type=PATH msg=audit(02/12/13 05:53:32.462:691259) : item=0
name=/var/run/netreport/3243 inode=258591 dev=ca:42 mode=dir,775 ouid=root
ogid=root rdev=00:00 obj=system_u:object_r:var_run_t:s0
type=CWD msg=audit(02/12/13 05:53:32.462:691259) :
cwd=/var/lib/openshift/c323ad7c3b48426eaa8bb13f4234a5e1/diy-0.1/logs
type=SYSCALL msg=audit(02/12/13 05:53:32.462:691259) : arch=x86_64
syscall=open success=no exit=-13(Permission denied) a0=7fff294849b0 a1=202c1
a2=0 a3=d items=1 ppid=3243 pid=12586 auid=c323ad7c3b48426eaa8bb13f4234a5e1
uid=c323ad7c3b48426eaa8bb13f4234a5e1 gid=c323ad7c3b48426eaa8bb13f4234a5e1
euid=c323ad7c3b48426eaa8bb13f4234a5e1 suid=c323ad7c3b48426eaa8bb13f4234a5e1
fsuid=c323ad7c3b48426eaa8bb13f4234a5e1 egid=root sgid=root fsgid=root tty=pts4
ses=37928 comm=netreport exe=/sbin/netreport
subj=unconfined_u:system_r:openshift_t:s0:c5,c283 key=(null)
type=AVC msg=audit(02/12/13 05:53:32.462:691259) : avc: denied { write } for
pid=12586 comm=netreport name=netreport dev=xvde2 ino=258591
scontext=unconfined_u:system_r:openshift_t:s0:c5,c283
tcontext=system_u:object_r:var_run_t:s0 tclass=dir
As a policy writer I either have to add a bogus dontaudit on this or have
customers,
I have seen regularly seen Capability checks, rawip_sockets, mmap_zero etc
that would be blocked by DAC, and yet we generate an ugly MAC AVC.
I realize in some cases we might want to know if users are trying to do evil
things, but almost all cases the user just is executing applications that
generate an AVC for something that without SELinux turned on would have been
blocked and the user would not be aggravated.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.13 (GNU/Linux)
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/
iEYEARECAAYFAlEbmCwACgkQrlYvE4MpobMWlQCfaF7D0FFKGjdOF1etM/sm4iSm
4gsAoJaxASgOxmdwnevzOzj5yUzTAhv4
=Geca
-----END PGP SIGNATURE-----
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
next reply other threads:[~2013-02-13 13:42 UTC|newest]
Thread overview: 2+ messages / expand[flat|nested] mbox.gz Atom feed top
2013-02-13 13:42 Daniel J Walsh [this message]
2013-02-13 15:55 ` Monitoring the Openshift Logs each day for AVCs I am struct by how often we get AVC's for stuff that is blocked by DAC Stephen Smalley
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=511B982F.3050502@redhat.com \
--to=dwalsh@redhat.com \
--cc=selinux@tycho.nsa.gov \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.