public inbox for linux-kernel@vger.kernel.org
* Selinux going crazy in 2.6.34-rc0
@ 2010-03-06 10:29 Dmitry Torokhov
  2010-03-06 10:49 ` Al Viro
  0 siblings, 1 reply; 5+ messages in thread
From: Dmitry Torokhov @ 2010-03-06 10:29 UTC (permalink / raw)
  To: LKML; +Cc: James Morris

Hi,

Selinux generates insane amounts of denial messages like the following
over and over again:

type=SYSCALL msg=audit(1267870752.587:23084): arch=c000003e syscall=0 success=no exit=-13 a0=5 a1=2049af0 a2=400 a3=0 items=0 ppid=1 pid=1807 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="polkitd" exe="/usr/libexec/polkit-1/polkitd" subj=system_u:system_r:policykit_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1267870752.587:23085): avc:  denied  { ioctl } for pid=1807 comm="polkitd" path="anon_inode:inotify" dev=anon_inodefs ino=839 scontext=system_u:system_r:policykit_t:s0-s0:c0.c1023 tcontext=system_u:object_r:anon_inodefs_t:s0 tclass=file
type=SYSCALL msg=audit(1267870752.587:23085): arch=c000003e syscall=16 success=no exit=-13 a0=5 a1=541b a2=7fff7b494bec a3=0 items=0 ppid=1 pid=1807 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="polkitd" exe="/usr/libexec/polkit-1/polkitd" subj=system_u:system_r:policykit_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1267870752.587:23086): avc:  denied  { read } for pid=1807 comm="polkitd" path="anon_inode:inotify" dev=anon_inodefs ino=839 scontext=system_u:system_r:policykit_t:s0-s0:c0.c1023 tcontext=system_u:object_r:anon_inodefs_t:s0 tclass=file
type=SYSCALL msg=audit(1267870752.587:23086): arch=c000003e syscall=0 success=no exit=-13 a0=5 a1=2049af0 a2=400 a3=0 items=0 ppid=1 pid=1807 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="polkitd" exe="/usr/libexec/polkit-1/polkitd" subj=system_u:system_r:policykit_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1267870752.587:23087): avc:  denied  { ioctl } for pid=1807 comm="polkitd" path="anon_inode:inotify" dev=anon_inodefs ino=839 scontext=system_u:system_r:policykit_t:s0-s0:c0.c1023 tcontext=system_u:object_r:anon_inodefs_t:s0 tclass=file
type=SYSCALL msg=audit(1267870752.587:23087): arch=c000003e syscall=16 success=no exit=-13 a0=5 a1=541b a2=7fff7b494bec a3=0 items=0 ppid=1 pid=1807 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="polkitd" exe="/usr/libexec/polkit-1/polkitd" subj=system_u:system_r:policykit_t:s0-s0:c0.c1023 key=(null)

This is on updated Fedora 12, commit 64096c17417380d8a472d096645f4cbc9406c987.
2.6.33-rc8-ish works fine.

-- 
Dmitry


* Re: Selinux going crazy in 2.6.34-rc0
  2010-03-06 10:29 Selinux going crazy in 2.6.34-rc0 Dmitry Torokhov
@ 2010-03-06 10:49 ` Al Viro
  2010-03-06 17:27   ` Dmitry Torokhov
  0 siblings, 1 reply; 5+ messages in thread
From: Al Viro @ 2010-03-06 10:49 UTC (permalink / raw)
  To: Dmitry Torokhov; +Cc: LKML, James Morris

On Sat, Mar 06, 2010 at 02:29:19AM -0800, Dmitry Torokhov wrote:
> Hi,
> 
> Selinux generates insane amounts of denial messages like the following
> over and over again:
 
> type=SYSCALL msg=audit(1267870752.587:23084): arch=c000003e syscall=0 success=no exit=-13 a0=5 a1=2049af0 a2=400 a3=0 items=0 ppid=1 pid=1807 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="polkitd" exe="/usr/libexec/polkit-1/polkitd" subj=system_u:system_r:policykit_t:s0-s0:c0.c1023 key=(null)
> type=AVC msg=audit(1267870752.587:23085): avc:  denied  { ioctl } for pid=1807 comm="polkitd" path="anon_inode:inotify" dev=anon_inodefs ino=839 scontext=system_u:system_r:policykit_t:s0-s0:c0.c1023 tcontext=system_u:object_r:anon_inodefs_t:s0 tclass=file
> type=SYSCALL msg=audit(1267870752.587:23085): arch=c000003e syscall=16 success=no exit=-13 a0=5 a1=541b a2=7fff7b494bec a3=0 items=0 ppid=1 pid=1807 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="polkitd" exe="/usr/libexec/polkit-1/polkitd" subj=system_u:system_r:policykit_t:s0-s0:c0.c1023 key=(null)
> type=AVC msg=audit(1267870752.587:23086): avc:  denied  { read } for pid=1807 comm="polkitd" path="anon_inode:inotify" dev=anon_inodefs ino=839 scontext=system_u:system_r:policykit_t:s0-s0:c0.c1023 tcontext=system_u:object_r:anon_inodefs_t:s0 tclass=file
> type=SYSCALL msg=audit(1267870752.587:23086): arch=c000003e syscall=0 success=no exit=-13 a0=5 a1=2049af0 a2=400 a3=0 items=0 ppid=1 pid=1807 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="polkitd" exe="/usr/libexec/polkit-1/polkitd" subj=system_u:system_r:policykit_t:s0-s0:c0.c1023 key=(null)
> type=AVC msg=audit(1267870752.587:23087): avc:  denied  { ioctl } for pid=1807 comm="polkitd" path="anon_inode:inotify" dev=anon_inodefs ino=839 scontext=system_u:system_r:policykit_t:s0-s0:c0.c1023 tcontext=system_u:object_r:anon_inodefs_t:s0 tclass=file
> type=SYSCALL msg=audit(1267870752.587:23087): arch=c000003e syscall=16 success=no exit=-13 a0=5 a1=541b a2=7fff7b494bec a3=0 items=0 ppid=1 pid=1807 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="polkitd" exe="/usr/libexec/polkit-1/polkitd" subj=system_u:system_r:policykit_t:s0-s0:c0.c1023 key=(null)
 
Interesting...  That smells like a selinux policy that needed recognition
of inotify file descriptors and got b0rken by
commit c44dcc56d2b5c79ba3063d20f76e5347e2e418f6
that switched inotify to use of anon_inodes.  Could you check if that's the
trigger?


* Re: Selinux going crazy in 2.6.34-rc0
  2010-03-06 10:49 ` Al Viro
@ 2010-03-06 17:27   ` Dmitry Torokhov
  2010-03-06 17:41     ` Al Viro
  0 siblings, 1 reply; 5+ messages in thread
From: Dmitry Torokhov @ 2010-03-06 17:27 UTC (permalink / raw)
  To: Al Viro; +Cc: LKML, James Morris

On Sat, Mar 06, 2010 at 10:49:46AM +0000, Al Viro wrote:
> On Sat, Mar 06, 2010 at 02:29:19AM -0800, Dmitry Torokhov wrote:
> > Hi,
> > 
> > Selinux generates insane amounts of denial messages like the following
> > over and over again:
>  
> > type=SYSCALL msg=audit(1267870752.587:23084): arch=c000003e syscall=0 success=no exit=-13 a0=5 a1=2049af0 a2=400 a3=0 items=0 ppid=1 pid=1807 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="polkitd" exe="/usr/libexec/polkit-1/polkitd" subj=system_u:system_r:policykit_t:s0-s0:c0.c1023 key=(null)
> > type=AVC msg=audit(1267870752.587:23085): avc:  denied  { ioctl } for pid=1807 comm="polkitd" path="anon_inode:inotify" dev=anon_inodefs ino=839 scontext=system_u:system_r:policykit_t:s0-s0:c0.c1023 tcontext=system_u:object_r:anon_inodefs_t:s0 tclass=file
> > type=SYSCALL msg=audit(1267870752.587:23085): arch=c000003e syscall=16 success=no exit=-13 a0=5 a1=541b a2=7fff7b494bec a3=0 items=0 ppid=1 pid=1807 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="polkitd" exe="/usr/libexec/polkit-1/polkitd" subj=system_u:system_r:policykit_t:s0-s0:c0.c1023 key=(null)
> > type=AVC msg=audit(1267870752.587:23086): avc:  denied  { read } for pid=1807 comm="polkitd" path="anon_inode:inotify" dev=anon_inodefs ino=839 scontext=system_u:system_r:policykit_t:s0-s0:c0.c1023 tcontext=system_u:object_r:anon_inodefs_t:s0 tclass=file
> > type=SYSCALL msg=audit(1267870752.587:23086): arch=c000003e syscall=0 success=no exit=-13 a0=5 a1=2049af0 a2=400 a3=0 items=0 ppid=1 pid=1807 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="polkitd" exe="/usr/libexec/polkit-1/polkitd" subj=system_u:system_r:policykit_t:s0-s0:c0.c1023 key=(null)
> > type=AVC msg=audit(1267870752.587:23087): avc:  denied  { ioctl } for pid=1807 comm="polkitd" path="anon_inode:inotify" dev=anon_inodefs ino=839 scontext=system_u:system_r:policykit_t:s0-s0:c0.c1023 tcontext=system_u:object_r:anon_inodefs_t:s0 tclass=file
> > type=SYSCALL msg=audit(1267870752.587:23087): arch=c000003e syscall=16 success=no exit=-13 a0=5 a1=541b a2=7fff7b494bec a3=0 items=0 ppid=1 pid=1807 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="polkitd" exe="/usr/libexec/polkit-1/polkitd" subj=system_u:system_r:policykit_t:s0-s0:c0.c1023 key=(null)
>  
> Interesting...  That smells like a selinux policy that needed recognition
> of inotify file descriptors and got b0rken by
> commit c44dcc56d2b5c79ba3063d20f76e5347e2e418f6
> that switched inotify to use of anon_inodes.  Could you check if that's the
> trigger?

Yep, that was it. With this commit reverted selinux stays quiet.
Well, almost, it is never completely quiet ;).

Thank you Al.

-- 
Dmitry


* Re: Selinux going crazy in 2.6.34-rc0
  2010-03-06 17:27   ` Dmitry Torokhov
@ 2010-03-06 17:41     ` Al Viro
  2010-03-08  1:25       ` Eric Paris
  0 siblings, 1 reply; 5+ messages in thread
From: Al Viro @ 2010-03-06 17:41 UTC (permalink / raw)
  To: Dmitry Torokhov; +Cc: LKML, James Morris

On Sat, Mar 06, 2010 at 09:27:27AM -0800, Dmitry Torokhov wrote:

> > Interesting...  That smells like a selinux policy that needed recognition
> > of inotify file descriptors and got b0rken by
> > commit c44dcc56d2b5c79ba3063d20f76e5347e2e418f6
> > that switched inotify to use of anon_inodes.  Could you check if that's the
> > trigger?
> 
> Yep, that was it. With this commit reverted selinux stays quiet.
> Well, almost, it is never completely quiet ;).
> 
> Thank you Al.

Hrm...  Folks, does anybody have suggestions on what to do about that one?
I can revert that thing, of course, but I wonder what's really going on
in the policy that triggers that spew...


* Re: Selinux going crazy in 2.6.34-rc0
  2010-03-06 17:41     ` Al Viro
@ 2010-03-08  1:25       ` Eric Paris
  0 siblings, 0 replies; 5+ messages in thread
From: Eric Paris @ 2010-03-08  1:25 UTC (permalink / raw)
  To: Al Viro; +Cc: Dmitry Torokhov, LKML, James Morris, sds, davidel

On Sat, Mar 6, 2010 at 12:41 PM, Al Viro <viro@zeniv.linux.org.uk> wrote:
> On Sat, Mar 06, 2010 at 09:27:27AM -0800, Dmitry Torokhov wrote:
>
>> > Interesting...  That smells like a selinux policy that needed recognition
>> > of inotify file descriptors and got b0rken by
>> > commit c44dcc56d2b5c79ba3063d20f76e5347e2e418f6
>> > that switched inotify to use of anon_inodes.  Could you check if that's the
>> > trigger?
>>
>> Yep, that was it. With this commit reverted selinux stays quiet.
>> Well, almost, it is never completely quiet ;).
>>
>> Thank you Al.
>
> Hrm...  Folks, does anybody have suggestions on what to do about that one?
> I can revert that thing, of course, but I wonder what's really going on
> in the policy that triggers that spew...

That is certainly an interesting little thing I never thought about,
and I'm both an SELinux and inotify maintainer, so no surprise no one
else thought about it either!  SELinux defines rules which label
different filesystem types with different default labels, such as an
nfs filesystem would be nfs_t and a tmpfs would be tmpfs_t.  Inotify
was using its own filesystem, and applications which used inotify got
rules like so:

   allow policykit_t inotifyfs_t : dir { ioctl read getattr lock search open } ;

Now that we switch inotify to use generic anon inode code rather than
duplicate creating its own filesystem type for a single inode, we
screwed up those rule types.  I'm trying to think of a good solution
and only two things come to mind:

a) revert the change and any others that switch things to anon
inodes from their own private fs (were there others?)
b) allow multiple anonymous inodes with differing security contexts;
possibly one inode per anon inodefs "class" would be sufficient to
allow for fine grained security controls over anon inode subsystems?
I haven't looked closely, but that seems like a reasonable trade off
between fine grained security and memory usage....

-Eric

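As an added example (not code from the thread or from any of its participants): the script below does, over the denials posted at the top of the thread, what a policy author would otherwise do by hand. It parses the `type=AVC` records, groups them by source type, target type and object class, counts how often each group fires, and prints the `allow` rule that would cover each group. The sample log is constructed from the thread's own lines plus one made-up tmpfs denial (`example_t` is this example's own, as are the regexes); the rule output mimics what audit2allow produces but is not audit2allow.

```python
"""Summarise SELinux AVC denials and derive the policy rule each group would need.

Added example, not part of the LKML thread. The regexes, the sample log and
the rule generation are this example's own (audit2allow-style, not audit2allow).
"""
import re

# Constructed sample: the three AVC records posted at the top of the thread
# (two ioctl denials and one read denial for polkitd on anon_inode:inotify),
# one shortened SYSCALL record to show that non-AVC lines are skipped, and
# one made-up tmpfs denial (example_t is hypothetical) for a second group.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1267870752.587:23085): avc:  denied  { ioctl } for pid=1807 comm="polkitd" path="anon_inode:inotify" dev=anon_inodefs ino=839 scontext=system_u:system_r:policykit_t:s0-s0:c0.c1023 tcontext=system_u:object_r:anon_inodefs_t:s0 tclass=file
type=SYSCALL msg=audit(1267870752.587:23085): arch=c000003e syscall=16 success=no exit=-13 comm="polkitd"
type=AVC msg=audit(1267870752.587:23086): avc:  denied  { read } for pid=1807 comm="polkitd" path="anon_inode:inotify" dev=anon_inodefs ino=839 scontext=system_u:system_r:policykit_t:s0-s0:c0.c1023 tcontext=system_u:object_r:anon_inodefs_t:s0 tclass=file
type=AVC msg=audit(1267870752.587:23087): avc:  denied  { ioctl } for pid=1807 comm="polkitd" path="anon_inode:inotify" dev=anon_inodefs ino=839 scontext=system_u:system_r:policykit_t:s0-s0:c0.c1023 tcontext=system_u:object_r:anon_inodefs_t:s0 tclass=file
type=AVC msg=audit(1267870760.000:23099): avc:  denied  { write } for pid=2222 comm="example" path="/tmp/x" dev=tmpfs ino=12 scontext=system_u:system_r:example_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=file
"""

# Matches the fixed prefix of an AVC record; everything after "for" is key=value pairs.
AVC_RE = re.compile(
    r'type=AVC msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): '
    r'avc:\s+(?P<verdict>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\} for (?P<rest>.*)$'
)
# key=value pairs; values are either double-quoted (comm, path, exe) or bare tokens.
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def context_type(context):
    """Return the type field of user:role:type[:range], or '?' if malformed."""
    parts = context.split(':')
    return parts[2] if len(parts) >= 3 else '?'


def parse_avc(line):
    """Parse one audit line into a dict, or return None for non-AVC records."""
    m = AVC_RE.match(line.strip())
    if not m:
        return None  # SYSCALL, PATH, CWD and other record types are not AVC decisions
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group('rest'))}
    return {
        'serial': int(m.group('serial')),
        'verdict': m.group('verdict'),
        'perms': frozenset(m.group('perms').split()),
        'comm': fields.get('comm', '?'),
        'dev': fields.get('dev', '?'),
        'stype': context_type(fields.get('scontext', '')),
        'ttype': context_type(fields.get('tcontext', '')),
        'tclass': fields.get('tclass', '?'),
    }


def summarise_denials(log_text):
    """Group denied AVC records by (source type, target type, class).

    Each group accumulates the union of denied permissions, a hit count (the
    "spew" rate the thread complains about) and the set of comm names seen.
    """
    summary = {}
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec is None or rec['verdict'] != 'denied':
            continue
        key = (rec['stype'], rec['ttype'], rec['tclass'])
        entry = summary.setdefault(key, {'perms': set(), 'count': 0, 'comms': set()})
        entry['perms'] |= rec['perms']
        entry['count'] += 1
        entry['comms'].add(rec['comm'])
    return summary


def to_allow_rules(summary):
    """Render each group as the TE allow rule that would cover it, sorted for stable output."""
    rules = []
    for (stype, ttype, tclass), entry in sorted(summary.items()):
        perms = ' '.join(sorted(entry['perms']))
        rules.append(f'allow {stype} {ttype}:{tclass} {{ {perms} }};')
    return rules


if __name__ == '__main__':
    summary = summarise_denials(SAMPLE_AUDIT_LOG)
    for (stype, ttype, tclass), entry in sorted(summary.items()):
        print(f'{entry["count"]:4d} denials  {stype} -> {ttype}:{tclass}  '
              f'comm={",".join(sorted(entry["comms"]))}')
    print()
    for rule in to_allow_rules(summary):
        print(rule)
```

Run against the thread's own lines, the polkitd group comes out as `allow policykit_t anon_inodefs_t:file { ioctl read };`, while the legacy rule Eric quotes targets `inotifyfs_t:dir`; that mismatch in both target type and object class is the whole thread. Note the design consequence before copying such a rule into policy: with inotify on anon_inodes, every anon inode user shares the `anon_inodefs_t` label, so the rule would grant polkitd those permissions on all of them, not only on inotify descriptors. That loss of granularity is exactly what Eric's option (b) tries to recover.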
