Bug 172496 - (selinux) AVCs with targeted policy on clean system (some pam_abl related)

| Field | Value |
|---|---|
| Product | Fedora |
| Component | selinux-policy-targeted |
| Version | rawhide |
| Hardware | All |
| OS | Linux |
| Status | CLOSED RAWHIDE |
| Severity | medium |
| Priority | medium |
| Reporter | Nicolas Mailhot <nicolas.mailhot> |
| Assignee | Daniel Walsh <dwalsh> |
| QA Contact | Fedora Extras Quality Assurance <extras-qa> |
| CC | alex, dwalsh, extras-qa, redhat-bugzilla, sdsmall, sundaram, tmraz, wtogami |
| Doc Type | Bug Fix |
| Bug Blocks | 150222 |
| Last Closed | 2005-12-13 15:06:53 UTC |
Description

Nicolas Mailhot, 2005-11-05 09:15:25 UTC

Created attachment 120753: selinux logs

selinux logs with pam_abl related messages

Can /var/lib/abl/ access be added to the pam auth security context? (if such a thing exists) I had to add the following rules (I know, my way is a very dirty hack) to make it work for login/su, saslauthd and ftpd.

allow sysadm_su_t var_lib_t:file { getattr read write };
dontaudit sysadm_su_t etc_runtime_t:file { getattr read };
allow saslauthd_t var_lib_t:file { getattr read write };
dontaudit saslauthd_t etc_runtime_t:file { getattr read };
allow saslauthd_t usr_t:lnk_file read;
dontaudit saslauthd_t tmp_t:dir getattr;
allow ftpd_t var_lib_t:file { getattr read write };
dontaudit ftpd_t etc_runtime_t:file { getattr read };
allow ftpd_t var_lib_t:dir search;

I guess a cleaner solution would be a pam auth security context (if existing) or an own label/file context for /var/lib/abl(/.*)?. Maybe somebody from the SELinux team knows even a better solution?!

Whatever the solution is, it needs to be packaged somewhat (either in the general policy or in pam_abl). Right now installing on Fedora with default settings results in pam_abl being silently disabled. So the package is very much crippleware at this stage (not really your fault, I know). Let's try to fix this before FC5.

Fixed in selinux-policy-targeted-1.27.2-16. Add new type for this directory, var_auth_t, and allow authentication programs rw access to files in the directory.

Seems ok now but I'll test it a little bit more before closing.

Switching from non-root user to root using "su -", I get "Permission denied (13) while opening or creating database" anyway. This looks like the problem I had before.

I ran a few minutes in non-enforcing mode, perhaps it created the db at this time. Should probably nuke pam_abl files and check it can recreate them.

After more thorough testing it looks like you're right, the problem is not fixed at all. After a fresh reboot /var/log/secure starts with

Nov 13 11:20:54 rousalka pam_abl[8271]: Permission denied (13) while opening or creating database
Nov 13 11:20:54 rousalka pam_abl[8271]: Permission denied (13) while opening or creating database

And dovecot for example can not access the db.

Created attachment 120999: More audit logs that show the problem
Seems to be a bigger problem which needs more time to get solved. Personally, my server system is only running proftpd, saslauthd, "su" and imapd (uw-imap), where pam_abl problems are affected. The problems I have occur with a vanilla version of selinux-targeted-policy-1.27.2-19. For each program or daemon where I get "Permission denied (13) while opening or creating database", the audit log is written below, and my hack how it works for me.

ProFTPD:

> type=AVC msg=audit(1131736005.028:1735): avc: denied { search } for pid=7858 comm="proftpd" name="lib" dev=cciss/c0d0p2 ino=212993 scontext=root:system_r:ftpd_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=dir
> type=SYSCALL msg=audit(1131736005.028:1735): arch=40000003 syscall=195 success=no exit=-13 a0=8313700 a1=bfe12cdc a2=335ff4 a3=64 items=1 pid=7858 auid=4294967295 uid=0 gid=99 euid=0 suid=0 fsuid=0 egid=0 sgid=99 fsgid=0 comm="proftpd" exe="/usr/sbin/proftpd"
> type=CWD msg=audit(1131736005.028:1735): cwd="/"
> type=PATH msg=audit(1131736005.028:1735): item=0 name="/var/lib/abl/hosts.db" flags=1 inode=212993 dev=68:02 mode=040755 ouid=0 ogid=0 rdev=00:00

-> allow ftpd_t var_lib_t:dir search;
   dontaudit ftpd_t etc_runtime_t:file { getattr read };

Saslauthd:

> type=AVC msg=audit(1131735915.090:1731): avc: denied { read } for pid=23189 comm="saslauthd" name="mtab" dev=cciss/c0d0p2 ino=262767 scontext=root:system_r:saslauthd_t:s0 tcontext=system_u:object_r:etc_runtime_t:s0 tclass=file
> type=SYSCALL msg=audit(1131735915.090:1731): arch=40000003 syscall=5 success=no exit=-13 a0=fde117 a1=0 a2=1b6 a3=851be68 items=1 pid=23189 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="saslauthd" exe="/usr/sbin/saslauthd"
> type=CWD msg=audit(1131735915.090:1731): cwd="/var/run/saslauthd"
> type=PATH msg=audit(1131735915.090:1731): item=0 name="/etc/mtab" flags=101 inode=262767 dev=68:02 mode=0100644 ouid=0 ogid=0 rdev=00:00
> type=AVC msg=audit(1131735915.098:1732): avc: denied { getattr } for pid=23189 comm="saslauthd" name="tmp" dev=cciss/c0d0p2 ino=344065 scontext=root:system_r:saslauthd_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=dir
> type=SYSCALL msg=audit(1131735915.098:1732): arch=40000003 syscall=195 success=no exit=-13 a0=8c007b a1=bfb3b61c a2=fe9ff4 a3=64 items=1 pid=23189 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="saslauthd" exe="/usr/sbin/saslauthd"
> type=AVC_PATH msg=audit(1131735915.098:1732): path="/var/tmp"
> type=CWD msg=audit(1131735915.098:1732): cwd="/var/run/saslauthd"
> type=PATH msg=audit(1131735915.098:1732): item=0 name="/var/tmp" flags=1 inode=344065 dev=68:02 mode=041777 ouid=0 ogid=0 rdev=00:00
> type=AVC msg=audit(1131735915.102:1733): avc: denied { read } for pid=23189 comm="saslauthd" name="tmp" dev=cciss/c0d0p2 ino=361329 scontext=root:system_r:saslauthd_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=lnk_file
> type=SYSCALL msg=audit(1131735915.102:1733): arch=40000003 syscall=195 success=no exit=-13 a0=8c0084 a1=bfb3b61c a2=fe9ff4 a3=64 items=1 pid=23189 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="saslauthd" exe="/usr/sbin/saslauthd"
> type=CWD msg=audit(1131735915.102:1733): cwd="/var/run/saslauthd"
> type=PATH msg=audit(1131735915.102:1733): item=0 name="/usr/tmp" flags=1 inode=360449 dev=68:02 mode=040755 ouid=0 ogid=0 rdev=00:00
> type=AVC msg=audit(1131735915.102:1734): avc: denied { getattr } for pid=23189 comm="saslauthd" name="tmp" dev=cciss/c0d0p2 ino=245761 scontext=root:system_r:saslauthd_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=dir
> type=SYSCALL msg=audit(1131735915.102:1734): arch=40000003 syscall=195 success=no exit=-13 a0=8c0097 a1=bfb3b61c a2=fe9ff4 a3=64 items=1 pid=23189 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="saslauthd" exe="/usr/sbin/saslauthd"
> type=AVC_PATH msg=audit(1131735915.102:1734): path="/tmp"
> type=CWD msg=audit(1131735915.102:1734): cwd="/var/run/saslauthd"
> type=PATH msg=audit(1131735915.102:1734): item=0 name="/tmp" flags=1 inode=245761 dev=68:02 mode=041777 ouid=0 ogid=0 rdev=00:00

-> allow saslauthd_t usr_t:lnk_file read;
   dontaudit saslauthd_t etc_runtime_t:file { getattr read };
   dontaudit saslauthd_t tmp_t:dir getattr;

"su":

> type=AVC msg=audit(1131736370.062:1736): avc: denied { read } for pid=8459 comm="su" name="mtab" dev=cciss/c0d0p2 ino=262767 scontext=user_u:system_r:sysadm_su_t:s0-s0:c0.c255 tcontext=system_u:object_r:etc_runtime_t:s0 tclass=file
> type=SYSCALL msg=audit(1131736370.062:1736): arch=40000003 syscall=5 success=no exit=-13 a0=b03117 a1=0 a2=1b6 a3=9e945f0 items=1 pid=8459 auid=500 uid=500 gid=100 euid=0 suid=0 fsuid=0 egid=100 sgid=100 fsgid=100 comm="su" exe="/bin/su"
> type=CWD msg=audit(1131736370.062:1736): cwd="/home/robert"
> type=PATH msg=audit(1131736370.062:1736): item=0 name="/etc/mtab" flags=101 inode=262767 dev=68:02 mode=0100644 ouid=0 ogid=0 rdev=00:00
> type=AVC msg=audit(1131736370.062:1737): avc: denied { search } for pid=8459 comm="su" name="abl" dev=cciss/c0d0p2 ino=262697 scontext=user_u:system_r:sysadm_su_t:s0-s0:c0.c255 tcontext=system_u:object_r:var_auth_t:s0 tclass=dir
> type=SYSCALL msg=audit(1131736370.062:1737): arch=40000003 syscall=195 success=no exit=-13 a0=9e946a8 a1=bf97176c a2=b0eff4 a3=64 items=1 pid=8459 auid=500 uid=500 gid=100 euid=0 suid=0 fsuid=0 egid=100 sgid=100 fsgid=100 comm="su" exe="/bin/su"
> type=CWD msg=audit(1131736370.062:1737): cwd="/home/robert"
> type=PATH msg=audit(1131736370.062:1737): item=0 name="/var/lib/abl/users.db" flags=1 inode=262697 dev=68:02 mode=040755 ouid=0 ogid=0 rdev=00:00

-> allow sysadm_su_t var_auth_t:file { getattr read write };
   allow sysadm_su_t var_auth_t:dir search;
   dontaudit sysadm_su_t etc_runtime_t:file { getattr read };

Oh and my imapd (uw-imap) just works here with pam_abl without any problem, maybe it was a good reason for me to dislike dovecot ;-) I'll update the package as soon as possible to the latest upstream version, which should cover some dovecot issues, as the news file in the tarball states: "2005/10/12 0.2.3 Integrated patches from Gilles Detillieux (fixed NULL pointer dereference) and Steve Hsieh (dovecot support)."

Problem still there on a clean system that uses selinux-policy-targeted-2.0.1-2 (ie the very latest one)

pam_abl[3173]: Permission denied (13) while opening or creating database

# audit2allow < /var/log/audit/audit.log
allow dovecot_auth_t var_lib_t:dir search;
allow system_chkpwd_t devpts_t:chr_file { read write };
allow spamd_t sbin_t:dir getattr;
allow system_chkpwd_t shell_exec_t:file entrypoint;
allow initrc_su_t bin_t:file execute;
allow updfstab_t hald_t:unix_stream_socket connectto;
allow dovecot_auth_t etc_runtime_t:file read;
allow spamd_t port_t:udp_socket name_bind;

with /var/log/audit/audit.log removed before reboot

Ok I am adding some fixes for this to 2.0.3-1. But I could use the audit.log to see what is causing some of these avc messages. Also which app is using su? Could it use runuser instead?

The su bit comes from this line in rc.local:

/bin/su nim -c /usr/bin/fetchmail

The rest is system stuff. Also selinux-policy-targeted-2.0.1-2 has some problems with rpm scriptlets (kernel upgrade for example). Just point me to the policy version I should test, and I'm more than ready to dump a full audit log in your inbox :)

Change

/bin/su nim -c /usr/bin/fetchmail

to

/bin/runuser nim -c /usr/bin/fetchmail

runuser == su except it does not use the pam libraries. I hope to update policy later today.

(In reply to comment #14)
> Ok I am adding some fixes for this to 2.0.3-1 But I could use the audit.log to
> see what is causing some of these avc messages.

Attaching full audit.log for ~5 min of system activity after a reboot on selinux-policy-targeted-2.0.3-1 (just fully relabeled). Some highlights (audit2allow):

1. the infamous 'spamassassin can not resolve' bug is back (you know what I'm talking about, don't want to reopen it)
   allow spamd_t port_t:udp_socket name_bind;
2. so is "spamc can not talk to spamd in procmail context" (bu#172088)
   allow procmail_t spamd_port_t:tcp_socket name_connect;
3. some new hald stuff:
   allow updfstab_t hald_t:unix_stream_socket connectto;
4. and the rest is dovecot + pam_abl problems (this boog)
   allow dovecot_auth_t etc_runtime_t:file read;
   allow dovecot_auth_t var_lib_t:dir search;

Created attachment 121369: audit.log for selinux-policy-targeted-2.0.3-1

Created attachment 121370: Relevant parts from audit.log
Okay here are another two cents for -targeted-2.0.3-1 (I didn't change any booleans/tunables).

Fixes are in selinux-policy-targeted-2.0.6-2

Ok, here is my report for selinux-policy-targeted-2.0.6-1. Will report again when selinux-policy-targeted-2.0.6-2 hits rawhide:

# audit2allow < /var/log/audit/audit.log | sort
allow dovecot_auth_t etc_runtime_t:file read;
allow dovecot_auth_t var_lib_t:dir search;
allow procmail_t spamd_port_t:tcp_socket name_connect;
allow saslauthd_t etc_runtime_t:file read;
allow saslauthd_t self:capability setuid;
allow saslauthd_t var_auth_t:dir search;
allow spamd_t port_t:udp_socket name_bind;
allow system_chkpwd_t devpts_t:chr_file { read write };
allow updfstab_t tmpfs_t:dir getattr;

With selinux-policy-targeted-2.0.6-2

# audit2allow < /var/log/audit/audit.log | sort
allow dovecot_auth_t var_auth_t:dir write;
(on-the-fly pam_abl database creation failure, strangely works fine from ssh)
allow saslauthd_t self:capability setuid;
(should saslauthd be allowed setuid?)
allow saslauthd_t var_auth_t:dir search;
(more pam_abl stuff)
allow spamd_t port_t:udp_socket name_bind;
Probably related to one of those:

Nov 29 22:08:11 rousalka spamd[2382]: Error creating a DNS resolver socket: Permission non accordée at /usr/lib/perl5/vendor_perl/5.8.7/Mail/SpamAssassin/DnsResolver.pm line 202, <GEN5> line 120.
Nov 29 22:08:11 rousalka spamd[2382]: spamd: Error creating a DNS resolver socket: Permission non accordée at /usr/lib/perl5/vendor_perl/5.8.7/Mail/SpamAssassin/DnsResolver.pm line 202, <GEN5> line 120.
Nov 29 22:09:38 rousalka spamd[2382]: spamd: connection from localhost.localdomain [127.0.0.1] at port 50657
Nov 29 22:09:38 rousalka spamd[2382]: spamd: setuid to nim succeeded
Nov 29 22:09:38 rousalka spamd[2382]: spamd: creating default_prefs: /home/nim/.spamassassin/user_prefs
Nov 29 22:09:38 rousalka spamd[2382]: mkdir /home/nim: Le fichier existe. at /usr/lib/perl5/vendor_perl/5.8.7/Mail/SpamAssassin.pm line 1467
Nov 29 22:09:38 rousalka spamd[2382]: config: cannot write to /home/nim/.spamassassin/user_prefs: Permission non accordée
Nov 29 22:09:38 rousalka spamd[2382]: spamd: failed to create readable default_prefs: /home/nim/.spamassassin/user_prefs
Nov 29 22:09:38 rousalka spamd[2382]: mkdir /home/nim: Le fichier existe. at /usr/lib/perl5/vendor_perl/5.8.7/Mail/SpamAssassin.pm line 1467
Nov 29 22:09:38 rousalka spamd[2382]: spamd: checking message <1133298570.3426.4.camel.org> for nim:500
Nov 29 22:09:38 rousalka spamd[2382]: internal error
Nov 29 22:09:38 rousalka spamd[2382]: pyzor: check failed: internal error
Nov 29 22:09:38 rousalka spamd[2382]: mkdir /home/nim: Le fichier existe. at /usr/lib/perl5/vendor_perl/5.8.7/Mail/SpamAssassin.pm line 1467
Nov 29 22:09:38 rousalka spamd[2382]: locker: safe_lock: cannot create tmp lockfile /home/nim/.spamassassin/auto-whitelist.lock.rousalka.dyndns.org.2382 for /home/nim/.spamassassin/auto-whitelist.lock: Permission non accordée
Nov 29 22:09:38 rousalka spamd[2382]: auto-whitelist: open of auto-whitelist file failed: locker: safe_lock: cannot create tmp lockfile /home/nim/.spamassassin/auto-whitelist.lock.rousalka.dyndns.org.2382 for /home/nim/.spamassassin/auto-whitelist.lock: Permission non accordée
Nov 29 22:09:38 rousalka spamd[2382]: Can't call method "finish" on an undefined value at /usr/lib/perl5/vendor_perl/5.8.7/Mail/SpamAssassin/Plugin/AWL.pm line 397.
Nov 29 22:09:38 rousalka spamd[2382]: bayes: locker: safe_lock: cannot create tmp lockfile /home/nim/.spamassassin/bayes.lock.rousalka.dyndns.org.2382 for /home/nim/.spamassassin/bayes.lock: Permission non accordée

allow system_chkpwd_t devpts_t:chr_file { read write };
(this one is pam-related - may be serious)
allow updfstab_t tmpfs_t:dir getattr;
(fstab-sync is blocked)

(you'll see in the audit logs httpd was also blocked once - it seems one of the policy upgrades killed my /srv/dav custom chcon. You can ignore it)

Created attachment 121612: audit.log for selinux-policy-targeted-2.0.6-2

Using selinux-policy-targeted-2.0.6-1, I added the following lines - they make it work correctly for me, independent of whether my solution is sane or not! At least my changes are very similar to those from comment #3 and a way to solve my comments #11 and #19.

# su
files_dontaudit_getattr_tmp_dir(sysadm_su_t)
files_dontaudit_read_etc_runtime_files(sysadm_su_t)
# saslauthd
files_dontaudit_read_etc_runtime_files(saslauthd_t)
files_dontaudit_getattr_tmp_dir(saslauthd_t)
auth_use_nsswitch(saslauthd_t)
# proftpd
files_search_var_lib_dir(ftpd_t)
auth_use_nsswitch(ftpd_t)

auth_use_nsswitch() contains mostly the var_auth stuff, so I simply used it like in other policy files. If my use was incorrect, the pam_abl part maybe should be split off.

pam_abl + selinux almost works now, but pam_abl should be updated to get the dovecot fix

Ok, I'm still seeing pam_abl avcs but pam_abl seems to sort of work (using pam_abl 0.2.3). Since this boog sort of evolved into a generic selinux issue, changing its title and component. Most of the problems left are on the selinux side, not the pam_abl one.

Created attachment 121815: Clean audit.log for selinux-policy-targeted-2.0.8-1
# audit2allow < /var/log/audit/audit.log | sort
allow cupsd_config_t cupsd_log_t:file { read write };
allow dovecot_auth_t dovecot_var_run_t:dir search;
allow dovecot_auth_t tmp_t:dir getattr;
allow dovecot_auth_t usr_t:lnk_file read;
allow dovecot_t etc_runtime_t:file read;
allow saslauthd_t self:capability setuid;
allow saslauthd_t tmp_t:dir getattr;
allow saslauthd_t usr_t:lnk_file read;
allow spamd_t port_t:udp_socket name_bind;
allow sysadm_su_t etc_runtime_t:file read;
allow sysadm_su_t tmp_t:dir getattr;
allow sysadm_su_t usr_t:lnk_file read;
allow system_chkpwd_t devpts_t:chr_file { read write };
allow system_dbusd_t self:process setcap;
allow updfstab_t tmpfs_t:dir getattr;
The dovecot & saslauthd AVCs are probably pam_abl's leftovers to fix
The spamd avc is the infamous can't create resolver socket problem
The rest are generic policy boogs
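Most of the back-and-forth in this bug is about reading AVC records: each AVC shares an audit event id with a PATH record that names the file being opened, and the question behind each denial is whether a pam_abl object still carries the generic var_lib_t label (a relabel problem once var_auth_t exists) or whether the domain really lacks a permission on a correctly labelled object (a policy problem). The Python script below is an added example, not part of this bug, of pam_abl or of audit2allow: it joins AVC and PATH records by event id, resolves which path component the AVC's `name` refers to, merges denials into audit2allow-style rules and tags each one. The sample records are constructed from the ones quoted above; the last pair is made up to show the relabel case.

```python
import os
import re
from collections import defaultdict
# Constructed sample modelled on the AVC/PATH pairs quoted in this bug; the last pair is
# made up to show a pam_abl database file still carrying the old var_lib_t label.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1131736005.028:1735): avc:  denied  { search } for  pid=7858 comm="proftpd" name="lib" dev=cciss/c0d0p2 ino=212993 scontext=root:system_r:ftpd_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=dir
type=PATH msg=audit(1131736005.028:1735): item=0 name="/var/lib/abl/hosts.db" flags=1 inode=212993 dev=68:02 mode=040755 ouid=0 ogid=0 rdev=00:00
type=AVC msg=audit(1131736370.062:1737): avc:  denied  { search } for  pid=8459 comm="su" name="abl" dev=cciss/c0d0p2 ino=262697 scontext=user_u:system_r:sysadm_su_t:s0-s0:c0.c255 tcontext=system_u:object_r:var_auth_t:s0 tclass=dir
type=PATH msg=audit(1131736370.062:1737): item=0 name="/var/lib/abl/users.db" flags=1 inode=262697 dev=68:02 mode=040755 ouid=0 ogid=0 rdev=00:00
type=AVC msg=audit(1131735915.090:1731): avc:  denied  { read } for  pid=23189 comm="saslauthd" name="mtab" dev=cciss/c0d0p2 ino=262767 scontext=root:system_r:saslauthd_t:s0 tcontext=system_u:object_r:etc_runtime_t:s0 tclass=file
type=PATH msg=audit(1131735915.090:1731): item=0 name="/etc/mtab" flags=101 inode=262767 dev=68:02 mode=0100644 ouid=0 ogid=0 rdev=00:00
type=AVC msg=audit(1131736005.040:1738): avc:  denied  { read write } for  pid=7858 comm="proftpd" name="hosts.db" dev=cciss/c0d0p2 ino=212999 scontext=root:system_r:ftpd_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file
type=PATH msg=audit(1131736005.040:1738): item=0 name="/var/lib/abl/hosts.db" flags=1 inode=212999 dev=68:02 mode=0100600 ouid=0 ogid=0 rdev=00:00
"""
ABL_DIR = '/var/lib/abl'   # pam_abl database directory named in the bug
ABL_TYPE = 'var_auth_t'    # type the fixed policy assigns to that directory
AVC_RE = re.compile(r'type=AVC msg=audit\((?P<id>[^)]+)\): avc: +denied +\{ (?P<perms>[^}]*)\}'
                    r'.*?name="(?P<name>[^"]*)".*?scontext=(?P<sctx>\S+) tcontext=(?P<tctx>\S+)'
                    r' tclass=(?P<tclass>\S+)')
PATH_RE = re.compile(r'type=PATH msg=audit\((?P<id>[^)]+)\):.*? name="(?P<path>[^"]*)"')

def parse_audit(text):
    """Join each AVC record with the PATH record carrying the same audit event id."""
    paths, avcs = {}, []
    for line in text.splitlines():
        if m := PATH_RE.match(line):
            paths[m['id']] = m['path']
        elif m := AVC_RE.match(line):  # type is the third field of user:role:type[:range]
            avcs.append({'id': m['id'], 'perms': m['perms'].split(), 'name': m['name'],
                         'sdom': m['sctx'].split(':')[2], 'ttype': m['tctx'].split(':')[2],
                         'tclass': m['tclass']})
    for a in avcs:
        a['path'] = paths.get(a['id'])
    return avcs

def denied_object(avc):
    """AVC 'name' is the basename of the object checked, possibly an ancestor of the PATH."""
    p = avc['path'] or ''
    while p and p != '/':   # e.g. searching /var/lib on the way to /var/lib/abl/hosts.db
        if os.path.basename(p) == avc['name']:
            return p
        p = os.path.dirname(p)

def classify(avc):
    """'relabel': object under /var/lib/abl has a type other than var_auth_t (restorecon
    fixes it); 'policy': the label is right and the domain really lacks the permission."""
    obj = (denied_object(avc) or '') + '/'   # trailing slash so /var/lib/ablx does not match
    return 'relabel' if obj.startswith(ABL_DIR + '/') and avc['ttype'] != ABL_TYPE else 'policy'

def triage(text):
    """audit2allow-style merged rules, one per (domain, type, class), each tagged
    'relabel' if any contributing AVC was a labelling problem."""
    merged = defaultdict(lambda: (set(), set()))
    for a in parse_audit(text):
        perms, cats = merged[(a['sdom'], a['ttype'], a['tclass'])]
        perms.update(a['perms'])
        cats.add(classify(a))
    rows = []
    for (sdom, ttype, tclass), (perms, cats) in sorted(merged.items()):
        p = ' '.join(sorted(perms))
        rule = 'allow %s %s:%s %s;' % (sdom, ttype, tclass, p if len(perms) == 1 else '{ ' + p + ' }')
        rows.append((rule, 'relabel' if 'relabel' in cats else 'policy'))
    return rows
```

Run `triage(SAMPLE_AUDIT)` to get the four merged rules; only the constructed `var_lib_t:file` denial on /var/lib/abl/hosts.db is tagged relabel, the su denial on the already var_auth_t directory is a genuine policy gap.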
Using selinux-policy-targeted-2.1.2-1 the pam_abl related things seem to work for me - woho, thanks :)

Yep - pam_abl is mostly done

Ok closing, more fixes should have shown up in 2.1.4-1

Using 2.1.4-1 I get these pam_abl related AVCs while doing "su -"... like in comment #24:

type=AVC msg=audit(1134557541.928:21447): avc: denied { read } for pid=12231 comm="su" name="mtab" dev=cciss/c0d0p2 ino=262191 scontext=user_u:system_r:sysadm_su_t:s0-s0:c0.c255 tcontext=system_u:object_r:etc_runtime_t:s0 tclass=file
type=SYSCALL msg=audit(1134557541.928:21447): arch=40000003 syscall=5 success=yes exit=3 a0=2d2741 a1=0 a2=1b6 a3=9a415b0 items=1 pid=12231 auid=500 uid=500 gid=100 euid=0 suid=0 fsuid=0 egid=100 sgid=100 fsgid=100 comm="su" exe="/bin/su"
type=CWD msg=audit(1134557541.928:21447): cwd="/home/robert"
type=PATH msg=audit(1134557541.928:21447): item=0 name="/etc/mtab" flags=101 inode=262191 dev=68:02 mode=0100644 ouid=0 ogid=0 rdev=00:00
type=AVC msg=audit(1134557541.928:21448): avc: denied { getattr } for pid=12231 comm="su" name="mtab" dev=cciss/c0d0p2 ino=262191 scontext=user_u:system_r:sysadm_su_t:s0-s0:c0.c255 tcontext=system_u:object_r:etc_runtime_t:s0 tclass=file
type=SYSCALL msg=audit(1134557541.928:21448): arch=40000003 syscall=197 success=yes exit=0 a0=3 a1=bfdc443c a2=2deff4 a3=3 items=0 pid=12231 auid=500 uid=500 gid=100 euid=0 suid=0 fsuid=0 egid=100 sgid=100 fsgid=100 comm="su" exe="/bin/su"
type=AVC_PATH msg=audit(1134557541.928:21448): path="/etc/mtab"
type=AVC msg=audit(1134557541.928:21449): avc: denied { getattr } for pid=12231 comm="su" name="tmp" dev=cciss/c0d0p2 ino=344065 scontext=user_u:system_r:sysadm_su_t:s0-s0:c0.c255 tcontext=system_u:object_r:tmp_t:s0 tclass=dir
type=SYSCALL msg=audit(1134557541.928:21449): arch=40000003 syscall=195 success=yes exit=0 a0=45917d a1=bfdc685c a2=2deff4 a3=64 items=1 pid=12231 auid=500 uid=500 gid=100 euid=0 suid=0 fsuid=0 egid=100 sgid=100 fsgid=100 comm="su" exe="/bin/su"
type=AVC_PATH msg=audit(1134557541.928:21449): path="/var/tmp"
type=CWD msg=audit(1134557541.928:21449): cwd="/home/robert"
type=PATH msg=audit(1134557541.928:21449): item=0 name="/var/tmp" flags=1 inode=344065 dev=68:02 mode=041777 ouid=0 ogid=0 rdev=00:00