[refpolicy] [PATCH 2/5] Fix avc_context_to_raw assertion (avc_running) failure upon running groupadd or useradd

All of lore.kernel.org
 help / color / mirror / Atom feed

From: cpebenito@tresys.com (Christopher J. PeBenito)
To: refpolicy@oss.tresys.com
Subject: [refpolicy] [PATCH 2/5] Fix avc_context_to_raw assertion (avc_running) failure upon running groupadd or useradd
Date: Fri, 11 Apr 2014 08:57:59 -0400	[thread overview]
Message-ID: <5347E6D7.3040805@tresys.com> (raw)
In-Reply-To: <20140409165238.GA24282@siphos.be>

On 04/09/2014 12:52 PM, Sven Vermeulen wrote:
> On Fri, Apr 04, 2014 at 04:07:25PM -0400, Christopher J. PeBenito wrote:
>> On 03/25/2014 04:30 PM, Sven Vermeulen wrote:
>>> When trying to create a group, the following error occurs:
>>>
>>> ~# groupadd test
>>> groupadd: avc.c:74: avc_context_to_sid_raw: Assertion `avc_running'
>>> failed.
>>> zsh: abort      groupadd test
>>>
>>> In the denial logs, the following AVC denial is shown:
>>>
>>> Jan 23 13:57:17 maelstrom kernel: [11395.396588] type=1400
>>> audit(1390481837.876:989): avc:  denied  { create } for  pid=14296
>>> comm="groupadd" scontext=staff_u:sysadm_r:groupadd_t
>>> tcontext=staff_u:sysadm_r:groupadd_t tclass=netlink_selinux_socket
>>>
>>> In permissive mode, we notice that it both creates and binds to the
>>> netlink_selinux_socket.
>>>
>>> Same with useradd.
>>>
>>> Allowing the create/bind fixes the problem.
>>
>> I think we should start a new seutil interface which provides the necessary access for domains that have a userspace AVC.  However, since this seems to only initialize a userspace AVC to do context_to_sid_raw, I wonder if it makes sense to keep this explicit netlink_selinux_socket access.
> [...]
>>> +allow groupadd_t self:netlink_selinux_socket { bind create };
> 
> Hi Chris & refpolicy folks
> 
> I'm afraid I don't follow.
> 
> I understand that netlink_selinux_socket class is related to userspace
> SELinux support (netlink interface for interaction between userspace and
> kernel towards the SELinux subsystem) but you lost me at "to only initialize
> a userspace AVC to do context_to_sid_raw".

Well as far as I know, there aren't any reasons for groupadd to run a userspace AVC (it's not an object manager).  However, to do context_to_sid_raw, it needs to have one running (hence the assertion that failed above).  I'd like to start putting together an interface that domains that have a userspace AVC can use, which provides all the necessary access for the AVC to work.
 
> Do you mean that the permissions (bind + create) do not really mean that
> there is any communication otherwise (as there is no send_msg/recv_msg)? If

Yes, but due to no read/write perms.

> so, does this then mean that the application shouldn't be calling
> avc_context_to_sid_raw at all?

I'm not suggesting that, as I haven't looked at the code.

-- 
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com

next prev parent reply	other threads:[~2014-04-11 12:57 UTC|newest]

Thread overview: 12+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2014-03-25 20:30 [refpolicy] [PATCH 0/5] Upstreaming Gentoo policy updates Sven Vermeulen
2014-03-25 20:30 ` [refpolicy] [PATCH 1/5] Hide getattr denials upon sudo invocation Sven Vermeulen
2014-04-04 20:09   ` Christopher J. PeBenito
2014-03-25 20:30 ` [refpolicy] [PATCH 2/5] Fix avc_context_to_raw assertion (avc_running) failure upon running groupadd or useradd Sven Vermeulen
2014-04-04 20:07   ` Christopher J. PeBenito
2014-04-09 16:52     ` Sven Vermeulen
2014-04-11 12:57       ` Christopher J. PeBenito [this message]
2014-03-25 20:30 ` [refpolicy] [PATCH 3/5] Support /sys/devices/system/cpu/online Sven Vermeulen
2014-04-04 20:09   ` Christopher J. PeBenito
2014-03-25 20:30 ` [refpolicy] [PATCH 4/5] The security_t file system can be at /sys/fs/selinux Sven Vermeulen
2014-04-04 20:00   ` Christopher J. PeBenito
2014-03-25 20:30 ` [refpolicy] [PATCH 5/5] Dontaudit access on security_t file system " Sven Vermeulen

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=5347E6D7.3040805@tresys.com \
    --to=cpebenito@tresys.com \
    --cc=refpolicy@oss.tresys.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.