Bug 1146987
| Field | Value | Field | Value |
|---|---|---|---|
| Summary: | /bin/su returns segmentation fault for sysadm_r in SELinux policy MLS | | |
| Product: | Red Hat Enterprise Linux 7 | Reporter: | Matus Marhefka <mmarhefk> |
| Component: | selinux-policy | Assignee: | Lukas Vrabec <lvrabec> |
| Status: | CLOSED ERRATA | QA Contact: | Milos Malik <mmalik> |
| Severity: | high | Docs Contact: | |
| Priority: | high | | |
| Version: | 7.0 | CC: | degts, dustin, jjaburek, jreznik, lvrabec, mgrepl, mmalik, mvadkert, plautrba, pvrabec, ssekidde, vmojzis |
| Target Milestone: | beta | | |
| Target Release: | --- | | |
| Hardware: | x86_64 | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Fixed In Version: | libselinux-2.5-3.el7 | Doc Type: | If docs needed, set a value |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2017-08-01 15:10:10 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
| Bug Depends On: | | | |
| Bug Blocks: | 1218420, 1296594, 1313485, 1377248 | | |
Description
Matus Marhefka
2014-09-26 13:57:51 UTC
Could you please provide AVCs in permissive mode? libselinux aborts itself as it's not able to create a netlink socket, or a similar problem with the libselinux initialization.

(In reply to Petr Lautrbach from comment #5)
> Could you please provide AVCs in permissive mode? libselinux aborts itself
> as it's not able to create a netlink socket or similar problem with the
> libselinux initialization.

Yes, it looks like a policy issue. Probably two issues: one in policy, and the other one in libselinux/su, which should abort instead of segfault.

I see these events in the audit log when doing '/bin/su -':

```
----
time->Tue Sep 27 15:36:08 2016
type=USER_AVC msg=audit(1474983368.352:2307): pid=10103 uid=0 auid=1000 ses=24 subj=staff_u:sysadm_r:sysadm_su_t:s0-s15:c0.c1023 msg='avc: can't open netlink socket: 13 (Permission denied) exe="/usr/bin/su" sauid=0 hostname=? addr=? terminal=?'
----
time->Tue Sep 27 15:36:08 2016
type=SYSCALL msg=audit(1474983368.351:2306): arch=c000003e syscall=41 success=no exit=-13 a0=10 a1=80003 a2=7 a3=1 items=0 ppid=9996 pid=10103 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts3 ses=24 comm="su" exe="/usr/bin/su" subj=staff_u:sysadm_r:sysadm_su_t:s0-s15:c0.c1023 key=(null)
type=AVC msg=audit(1474983368.351:2306): avc: denied { create } for pid=10103 comm="su" scontext=staff_u:sysadm_r:sysadm_su_t:s0-s15:c0.c1023 tcontext=staff_u:sysadm_r:sysadm_su_t:s0-s15:c0.c1023 tclass=netlink_selinux_socket
----
time->Tue Sep 27 15:36:08 2016
type=ANOM_ABEND msg=audit(1474983368.352:2308): auid=1000 uid=0 gid=0 ses=24 subj=staff_u:sysadm_r:sysadm_su_t:s0-s15:c0.c1023 pid=10103 comm="su" reason="memory violation" sig=6
```
The following rule is needed in both the targeted and MLS policies:

```
allow sysadm_su_t self:netlink_selinux_socket { bind create };
```

If the rule is not present, the scenario fails and triggers the following SELinux denials:

```
----
type=PROCTITLE msg=audit(05/02/2017 03:49:40.696:313) : proctitle=su -c id
type=SYSCALL msg=audit(05/02/2017 03:49:40.696:313) : arch=x86_64 syscall=socket success=no exit=EACCES(Permission denied) a0=netlink a1=SOCK_RAW a2=cbt a3=0x1 items=0 ppid=1515 pid=1521 auid=unknown(1000) uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts5 ses=4 comm=su exe=/usr/bin/su subj=staff_u:sysadm_r:sysadm_su_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(05/02/2017 03:49:40.696:313) : avc: denied { create } for pid=1521 comm=su scontext=staff_u:sysadm_r:sysadm_su_t:s0-s0:c0.c1023 tcontext=staff_u:sysadm_r:sysadm_su_t:s0-s0:c0.c1023 tclass=netlink_selinux_socket
----
type=PROCTITLE msg=audit(05/02/2017 03:55:37.090:374) : proctitle=su -c id
type=SYSCALL msg=audit(05/02/2017 03:55:37.090:374) : arch=x86_64 syscall=bind success=no exit=EACCES(Permission denied) a0=0x3 a1=0x7ffd8b77ed70 a2=0xc a3=0x1 items=0 ppid=1830 pid=1836 auid=unknown(1000) uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts5 ses=5 comm=su exe=/usr/bin/su subj=staff_u:sysadm_r:sysadm_su_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(05/02/2017 03:55:37.090:374) : avc: denied { bind } for pid=1836 comm=su scontext=staff_u:sysadm_r:sysadm_su_t:s0-s0:c0.c1023 tcontext=staff_u:sysadm_r:sysadm_su_t:s0-s0:c0.c1023 tclass=netlink_selinux_socket
----
```
The automated TC passes after loading the following local policy module:

```
# cat mypolicy.cil
( allow sysadm_su_t sysadm_su_t ( netlink_selinux_socket ( create bind )))
#
# rpm -qa selinux-policy\*
selinux-policy-3.13.1-144.el7.noarch
selinux-policy-targeted-3.13.1-144.el7.noarch
selinux-policy-mls-3.13.1-144.el7.noarch
#
```
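As an added example (not code from the bug report or the selinux-policy project), the following Python reproduces the audit2allow-style step that turns the AVC records quoted in this report into the allow rule: it parses both the raw audit.log format and the interpreted `ausearch -i` format, drops the MLS range so the s0-s15 and s0-s0 denials merge into one rule, skips the USER_AVC message libselinux itself emits, and prints both the .te and the CIL form. The sample records are constructed from the denials quoted above; `to_te`, `to_cil` and `collect_denials` are names chosen here.

```python
"""audit2allow-style: derive the allow rule that the AVC denial records call for.
Added example, not code from the bug report or the selinux-policy project. Parses both
the raw audit.log format and the interpreted `ausearch -i` format and drops the MLS
range, so the s0-s15 and s0-s0 denials quoted in the report merge into one rule."""
import re
from collections import defaultdict

SAMPLE_RECORDS = [  # constructed from the denials quoted in the bug report
    # raw format, MLS policy: sysadm_su_t may not create the socket
    'type=AVC msg=audit(1474983368.351:2306): avc: denied { create } for pid=10103 comm="su" '
    'scontext=staff_u:sysadm_r:sysadm_su_t:s0-s15:c0.c1023 '
    'tcontext=staff_u:sysadm_r:sysadm_su_t:s0-s15:c0.c1023 tclass=netlink_selinux_socket',
    # interpreted format, targeted policy: the later bind() denial
    'type=AVC msg=audit(05/02/2017 03:55:37.090:374) : avc: denied { bind } for pid=1836 comm=su '
    'scontext=staff_u:sysadm_r:sysadm_su_t:s0-s0:c0.c1023 '
    'tcontext=staff_u:sysadm_r:sysadm_su_t:s0-s0:c0.c1023 tclass=netlink_selinux_socket',
    # USER_AVC emitted by libselinux itself: not a denial record, must be skipped
    "type=USER_AVC msg=audit(1474983368.352:2307): pid=10103 uid=0 "
    "msg='avc: can't open netlink socket: 13 (Permission denied) exe=\"/usr/bin/su\"'",
]

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)

def type_of(context):
    return context.split(":")[2]  # user:role:type[:range]; the MLS range is irrelevant here

def collect_denials(records):
    """Map (source type, target type, object class) -> set of denied permissions."""
    denials = defaultdict(set)
    for line in records:
        m = AVC_RE.search(line)
        if m is None:
            continue  # USER_AVC, SYSCALL, PROCTITLE etc. carry no denial to translate
        key = (type_of(m["scontext"]), type_of(m["tcontext"]), m["tclass"])
        denials[key].update(m["perms"].split())
    return denials

def to_te(denials):
    """Policy-source (.te) form, using 'self' when source and target types match."""
    return [f"allow {s} {'self' if t == s else t}:{c} {{ {' '.join(sorted(p))} }};"
            for (s, t, c), p in sorted(denials.items())]

def to_cil(denials):
    """CIL form, matching the mypolicy.cil module loaded in the report."""
    return [f"(allow {s} {t} ({c} ({' '.join(sorted(p))})))"
            for (s, t, c), p in sorted(denials.items())]
```

Running `to_te(collect_denials(SAMPLE_RECORDS))` yields exactly the rule the comment above asks for; `to_cil` yields the equivalent of the mypolicy.cil module.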
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2017:1861