Bug 1146987
Summary: | /bin/su returns segmentation fault for sysadm_r in SELinux policy MLS | ||
---|---|---|---|
Product: | Red Hat Enterprise Linux 7 | Reporter: | Matus Marhefka <mmarhefk> |
Component: | selinux-policy | Assignee: | Lukas Vrabec <lvrabec> |
Status: | CLOSED ERRATA | QA Contact: | Milos Malik <mmalik> |
Severity: | high | Docs Contact: | |
Priority: | high | ||
Version: | 7.0 | CC: | degts, jjaburek, jreznik, lvrabec, mgrepl, mmalik, mvadkert, plautrba, pvrabec, rhbz, ssekidde, vmojzis |
Target Milestone: | beta | ||
Target Release: | --- | ||
Hardware: | x86_64 | ||
OS: | Linux | ||
Whiteboard: | |||
Fixed In Version: | libselinux-2.5-3.el7 | Doc Type: | If docs needed, set a value |
Doc Text: | Story Points: | --- | |
Clone Of: | Environment: | ||
Last Closed: | 2017-08-01 15:10:10 UTC | Type: | Bug |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | Category: | --- | |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: | |||
Bug Depends On: | |||
Bug Blocks: | 1218420, 1296594, 1313485, 1377248 |
Description
Matus Marhefka
2014-09-26 13:57:51 UTC
Could you please provide AVCs in permissive mode? libselinux aborts itself as it's not able to create a netlink socket or similar problem with the libselinux initialization.

(In reply to Petr Lautrbach from comment #5)
> Could you please provide AVCs in permissive mode? libselinux aborts itself
> as it's not able to create a netlink socket or similar problem with the
> libselinux initialization.

Yes, it looks like a policy issue. Probably two issues, one in policy, and the other one in libselinux/su which should abort instead of segfault.

I see these events in the audit log when doing '/bin/su -':

----
time->Tue Sep 27 15:36:08 2016
type=USER_AVC msg=audit(1474983368.352:2307): pid=10103 uid=0 auid=1000 ses=24 subj=staff_u:sysadm_r:sysadm_su_t:s0-s15:c0.c1023 msg='avc: can't open netlink socket: 13 (Permission denied) exe="/usr/bin/su" sauid=0 hostname=? addr=? terminal=?'
----
time->Tue Sep 27 15:36:08 2016
type=SYSCALL msg=audit(1474983368.351:2306): arch=c000003e syscall=41 success=no exit=-13 a0=10 a1=80003 a2=7 a3=1 items=0 ppid=9996 pid=10103 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts3 ses=24 comm="su" exe="/usr/bin/su" subj=staff_u:sysadm_r:sysadm_su_t:s0-s15:c0.c1023 key=(null)
type=AVC msg=audit(1474983368.351:2306): avc: denied { create } for pid=10103 comm="su" scontext=staff_u:sysadm_r:sysadm_su_t:s0-s15:c0.c1023 tcontext=staff_u:sysadm_r:sysadm_su_t:s0-s15:c0.c1023 tclass=netlink_selinux_socket
----
time->Tue Sep 27 15:36:08 2016
type=ANOM_ABEND msg=audit(1474983368.352:2308): auid=1000 uid=0 gid=0 ses=24 subj=staff_u:sysadm_r:sysadm_su_t:s0-s15:c0.c1023 pid=10103 comm="su" reason="memory violation" sig=6

The following rule is needed in both targeted and MLS policies:

allow sysadm_su_t self:netlink_selinux_socket { bind create };

If the rule is not present, the scenario fails and triggers the following SELinux denials:

----
type=PROCTITLE msg=audit(05/02/2017 03:49:40.696:313) : proctitle=su -c id
type=SYSCALL msg=audit(05/02/2017 03:49:40.696:313) : arch=x86_64 syscall=socket success=no exit=EACCES(Permission denied) a0=netlink a1=SOCK_RAW a2=cbt a3=0x1 items=0 ppid=1515 pid=1521 auid=unknown(1000) uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts5 ses=4 comm=su exe=/usr/bin/su subj=staff_u:sysadm_r:sysadm_su_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(05/02/2017 03:49:40.696:313) : avc: denied { create } for pid=1521 comm=su scontext=staff_u:sysadm_r:sysadm_su_t:s0-s0:c0.c1023 tcontext=staff_u:sysadm_r:sysadm_su_t:s0-s0:c0.c1023 tclass=netlink_selinux_socket
----
type=PROCTITLE msg=audit(05/02/2017 03:55:37.090:374) : proctitle=su -c id
type=SYSCALL msg=audit(05/02/2017 03:55:37.090:374) : arch=x86_64 syscall=bind success=no exit=EACCES(Permission denied) a0=0x3 a1=0x7ffd8b77ed70 a2=0xc a3=0x1 items=0 ppid=1830 pid=1836 auid=unknown(1000) uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts5 ses=5 comm=su exe=/usr/bin/su subj=staff_u:sysadm_r:sysadm_su_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(05/02/2017 03:55:37.090:374) : avc: denied { bind } for pid=1836 comm=su scontext=staff_u:sysadm_r:sysadm_su_t:s0-s0:c0.c1023 tcontext=staff_u:sysadm_r:sysadm_su_t:s0-s0:c0.c1023 tclass=netlink_selinux_socket
----

The automated TC passes after loading the following local policy module:

# cat mypolicy.cil
( allow sysadm_su_t sysadm_su_t ( netlink_selinux_socket ( create bind )))
#
# rpm -qa selinux-policy\*
selinux-policy-3.13.1-144.el7.noarch
selinux-policy-targeted-3.13.1-144.el7.noarch
selinux-policy-mls-3.13.1-144.el7.noarch
#

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2017:1861
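The comments above derive the missing allow rule by reading the AVC records by hand. The following Python script is an added example (not part of this bug report or of the selinux-policy or libselinux projects) that does the same derivation mechanically, in the spirit of audit2allow: it scans audit lines for `avc: denied` records in both the raw auditd format and the `ausearch -i` enriched format, groups the denied permissions by (source type, target type, object class), and renders the result both as a `.te` allow statement (with `self` when source and target types coincide, as in the rule quoted above) and as a CIL statement matching the shape of `mypolicy.cil`. The sample input is constructed from the records quoted in this bug; non-denial records (USER_AVC, SYSCALL, ANOM_ABEND) are included to show they are ignored.

```python
import re
from collections import defaultdict

# Constructed sample input: records quoted in the bug above, one raw auditd
# record and one enriched `ausearch -i` record, plus records with no denial.
SAMPLE_AUDIT_LOG = """\
type=USER_AVC msg=audit(1474983368.352:2307): pid=10103 uid=0 auid=1000 ses=24 subj=staff_u:sysadm_r:sysadm_su_t:s0-s15:c0.c1023 msg='avc: can't open netlink socket: 13 (Permission denied) exe="/usr/bin/su" sauid=0 hostname=? addr=? terminal=?'
type=SYSCALL msg=audit(1474983368.351:2306): arch=c000003e syscall=41 success=no exit=-13 a0=10 a1=80003 a2=7 a3=1 items=0 ppid=9996 pid=10103 comm="su" exe="/usr/bin/su" subj=staff_u:sysadm_r:sysadm_su_t:s0-s15:c0.c1023 key=(null)
type=AVC msg=audit(1474983368.351:2306): avc: denied { create } for pid=10103 comm="su" scontext=staff_u:sysadm_r:sysadm_su_t:s0-s15:c0.c1023 tcontext=staff_u:sysadm_r:sysadm_su_t:s0-s15:c0.c1023 tclass=netlink_selinux_socket
type=ANOM_ABEND msg=audit(1474983368.352:2308): auid=1000 uid=0 gid=0 ses=24 subj=staff_u:sysadm_r:sysadm_su_t:s0-s15:c0.c1023 pid=10103 comm="su" reason="memory violation" sig=6
type=AVC msg=audit(05/02/2017 03:55:37.090:374) : avc: denied { bind } for pid=1836 comm=su scontext=staff_u:sysadm_r:sysadm_su_t:s0-s0:c0.c1023 tcontext=staff_u:sysadm_r:sysadm_su_t:s0-s0:c0.c1023 tclass=netlink_selinux_socket
"""

# Matches the denial triple; works for both raw and `ausearch -i` output
# because the scontext/tcontext/tclass fields are formatted the same way.
AVC_DENIED = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)


def type_of(context):
    """Return the type field of a user:role:type[:range] security context."""
    parts = context.split(":")
    if len(parts) < 3:
        raise ValueError(f"malformed security context: {context!r}")
    return parts[2]


def parse_avc_denials(lines):
    """Group denied permissions by (source type, target type, object class)."""
    rules = defaultdict(set)
    for line in lines:
        m = AVC_DENIED.search(line)
        if m is None:
            continue  # USER_AVC, SYSCALL, ANOM_ABEND etc. carry no denial triple
        key = (type_of(m["scontext"]), type_of(m["tcontext"]), m["tclass"])
        rules[key].update(m["perms"].split())
    return {k: frozenset(v) for k, v in rules.items()}


def to_te(rules):
    """Render rules as .te allow statements; `self` when src and tgt coincide."""
    out = []
    for (src, tgt, cls), perms in sorted(rules.items()):
        target = "self" if src == tgt else tgt
        out.append(f"allow {src} {target}:{cls} {{ {' '.join(sorted(perms))} }};")
    return out


def to_cil(rules):
    """Render the same rules in CIL, the format of the mypolicy.cil module above."""
    out = []
    for (src, tgt, cls), perms in sorted(rules.items()):
        out.append(f"(allow {src} {tgt} ({cls} ({' '.join(sorted(perms))})))")
    return out


if __name__ == "__main__":
    rules = parse_avc_denials(SAMPLE_AUDIT_LOG.splitlines())
    print("\n".join(to_te(rules)))   # allow sysadm_su_t self:netlink_selinux_socket { bind create };
    print("\n".join(to_cil(rules)))  # (allow sysadm_su_t sysadm_su_t (netlink_selinux_socket (bind create)))
```

On a real system the equivalent steps are `ausearch -m AVC | audit2allow` to derive the rule and `semodule -i mypolicy.cil` to load a CIL module such as the one in the comment above; the point of the script is to make visible which fields of the AVC record the rule is built from. Any rule generated this way grants exactly the denied access and nothing more, so it should still be reviewed against what the confined domain (here sysadm_su_t) legitimately needs before being installed.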