* Kernel error: SELinux: Invalid class 0
@ 2015-06-12 17:48 Tim Shearer
From: Tim Shearer @ 2015-06-12 17:48 UTC (permalink / raw)
To: selinux@tycho.nsa.gov
Hi all,
Environment: CentOS 7, with either stock 3.10 kernel, or custom 3.19 kernel.
I'm getting an AVC denial message in the audit logs that corresponds to the opening of a TIPC socket (AF_TIPC). The denial seems valid, and is triggered by a custom C++ application that hasn't yet been assigned an appropriate security context. The problem I'm having is that the AVC message is garbled (non-ASCII data in the denied and tclass fields), which makes it difficult to assemble a new policy:
----
type=AVC msg=audit(1434126658.487:34500): avc: denied { garbage_characters } for pid=292 comm="kworker/u16:5" scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=garbage_characters permissive=0
----
This corresponds to a kernel error that shows up in the debuglog:
SELinux: Invalid class 0
setroubleshootd also has, er, trouble:
----
/var/lib/setroubleshoot/setroubleshoot_database.xml:51: parser error : PCDATA invalid Char value 15
<tclass>D</tclass>
^
/var/lib/setroubleshoot/setroubleshoot_database.xml:51: parser error : PCDATA invalid Char value 31
<tclass>D</tclass>
etc.
----
I'm new to SELinux, and this seems a little more obscure than your typical newbie problem. Any guidance would be appreciated!
Many thanks in advance,
Tim
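An added detection helper, not code from the thread, that scans audit lines for AVC records whose class or permission names are not valid identifiers, which is exactly the unusable record described above; such records cannot be fed to audit2allow and point at a sock whose security class was never initialized. The sample lines are constructed: control bytes 0x0f and 0x1f stand in for the garbage characters, matching the Char values 15 and 31 that setroubleshoot rejected.

```python
import re

# Constructed sample audit lines (not copied from the thread). The first mimics
# the garbled record reported above, with control bytes 0x0f and 0x1f in the
# permission and tclass fields; the second is a well-formed denial for comparison.
SAMPLE_AUDIT_LINES = [
    'type=AVC msg=audit(1434126658.487:34500): avc: denied { \x0f\x1f } for pid=292 '
    'comm="kworker/u16:5" scontext=system_u:system_r:kernel_t:s0 '
    'tcontext=system_u:object_r:unlabeled_t:s0 tclass=\x0f\x1f permissive=0',
    'type=AVC msg=audit(1434126700.100:34501): avc: denied { create } for pid=1234 '
    'comm="myapp" scontext=system_u:system_r:unconfined_t:s0 '
    'tcontext=system_u:system_r:unconfined_t:s0 tclass=socket permissive=0',
]

AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)$')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
# SELinux class and permission names are plain C-style identifiers.
IDENT_RE = re.compile(r'^[A-Za-z_][A-Za-z0-9_]*$')


def parse_avc(line):
    """Return a dict of the denial's fields, or None if the line is not an AVC denial."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group('rest'))}
    fields['perms'] = m.group('perms').split()
    return fields


def is_garbled(avc):
    """True when tclass or any permission is not a valid identifier."""
    names = [avc.get('tclass', '')] + avc['perms']
    return any(not IDENT_RE.match(n) for n in names)


def find_garbled_denials(lines):
    """Return (audit serial, comm, scontext) for each denial whose class/perms are unusable."""
    hits = []
    for line in lines:
        avc = parse_avc(line)
        if avc is not None and is_garbled(avc):
            serial = re.search(r'audit\(([^)]*)\)', line).group(1)
            hits.append((serial, avc.get('comm'), avc.get('scontext')))
    return hits


if __name__ == '__main__':
    for serial, comm, sctx in find_garbled_denials(SAMPLE_AUDIT_LINES):
        print(f'unusable AVC record {serial}: comm={comm} scontext={sctx} '
              f'(class/permission names are not identifiers)')
```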
* Re: Kernel error: SELinux: Invalid class 0
@ 2015-06-15 16:41 ` Stephen Smalley
From: Stephen Smalley @ 2015-06-15 16:41 UTC (permalink / raw)
To: Tim Shearer, selinux@tycho.nsa.gov, Paul Moore
On 06/12/2015 01:48 PM, Tim Shearer wrote:
> Hi all,
>
> Environment: CentOS 7, with either stock 3.10 kernel, or custom 3.19 kernel.
>
> I’m getting an AVC denial message in the audit logs that corresponds to
> the opening of a TIPC socket (AF_TIPC). The denial seems valid, and
> is triggered by a custom C++ application that hasn’t yet been assigned
> an appropriate security context. The problem I’m having is that the AVC
> message is garbled (non-ASCII data in the denied and tclass fields),
> which makes it difficult to assemble a new policy:
>
> ----
>
> type=AVC msg=audit(1434126658.487:34500): avc: denied {
> *garbage_characters* } for pid=292 comm="kworker/u16:5"
> scontext=system_u:system_r:kernel_t:s0
> tcontext=system_u:object_r:unlabeled_t:s0 tclass=*garbage_characters*
> permissive=0
>
> ----
>
> This corresponds to a kernel error that shows up in the debuglog:
>
> SELinux: Invalid class 0
This suggests that the tipc kernel module is creating a socket in some
manner without initializing its security state.
Can you provide a reproducer program that triggers the error?
* Re: Kernel error: SELinux: Invalid class 0
@ 2015-06-15 17:20 ` Stephen Smalley
From: Stephen Smalley @ 2015-06-15 17:20 UTC (permalink / raw)
To: Tim Shearer, selinux@tycho.nsa.gov, Paul Moore
On 06/15/2015 12:41 PM, Stephen Smalley wrote:
> On 06/12/2015 01:48 PM, Tim Shearer wrote:
>> Hi all,
>>
>> Environment: CentOS 7, with either stock 3.10 kernel, or custom 3.19 kernel.
>>
>> I’m getting an AVC denial message in the audit logs that corresponds to
>> the opening of a TIPC socket (AF_TIPC). The denial seems valid, and
>> is triggered by a custom C++ application that hasn’t yet been assigned
>> an appropriate security context. The problem I’m having is that the AVC
>> message is garbled (non-ASCII data in the denied and tclass fields),
>> which makes it difficult to assemble a new policy:
>>
>> ----
>>
>> type=AVC msg=audit(1434126658.487:34500): avc: denied {
>> *garbage_characters* } for pid=292 comm="kworker/u16:5"
>> scontext=system_u:system_r:kernel_t:s0
>> tcontext=system_u:object_r:unlabeled_t:s0 tclass=*garbage_characters*
>> permissive=0
>>
>> ----
>>
>> This corresponds to a kernel error that shows up in the debuglog:
>>
>> SELinux: Invalid class 0
>
> This suggests that the tipc kernel module is creating a socket in some
> manner without initializing its security state.
>
> Can you provide a reproducer program that triggers the error?
Looks to me as if tipc_accept() never calls sock_graft() or
security_sk_clone() so it will never initialize the security state of
the new sock. Kernel bug.