Bug 602159
| Field | Value |
|---|---|
| Summary: | SELinux is preventing audisp-remote to halt system for network_failure_action |
| Product: | Red Hat Enterprise Linux 6 |
| Reporter: | Eduard Benes <ebenes> |
| Component: | selinux-policy |
| Assignee: | Miroslav Grepl <mgrepl> |
| Status: | CLOSED CURRENTRELEASE |
| QA Contact: | Eduard Benes <ebenes> |
| Severity: | medium |
| Priority: | medium |
| Version: | 6.0 |
| CC: | dwalsh, mgrepl, mmalik, sgrubb, syeghiay |
| Target Milestone: | rc |
| Target Release: | --- |
| Hardware: | All |
| OS: | Linux |
| Fixed In Version: | selinux-policy-3.7.19-25.el6 |
| Doc Type: | Bug Fix |
| Story Points: | --- |
| Clones: | 646801 (view as bug list) |
| Last Closed: | 2010-11-10 21:34:36 UTC |
| Type: | --- |
| Regression: | --- |
| Mount Type: | --- |
| Documentation: | --- |
| Category: | --- |
| oVirt Team: | --- |
| Cloudforms Team: | --- |
| Bug Blocks: | 602164, 646801 |
| Attachments: | 423816 (Logged AVCs in permissive mode), 423865 (Logged AVCs) |

We need the raw audit log for this. Miroslav, I think init_telinit(audisp_remote_t) will make this work. Not sure what these are
allow audisp_remote_t initrc_var_run_t:file read;
allow audisp_remote_t self:capability setuid;
allow audisp_remote_t bin_t:file { read execute open execute_no_trans };

(In reply to comment #2)
> Not sure what these are
>
> allow audisp_remote_t initrc_var_run_t:file read;

Dan, I would imagine it needs to read utmp. Miroslav, work with Eduard on this one, since this is critical to accreditation.

@Miroslav: Tested with selinux-policy-3.7.19-24.el6 and some rules are still missing.

Summary:

SELinux is preventing init "execute" access on /sbin/telinit.

Detailed Description:

SELinux denied access requested by init. It is not expected that this access is required by init and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ (http://docs.fedoraproject.org/selinux-faq-fc5/#id2961385) Please file a bug report.

Additional Information:

Source Context                unconfined_u:system_r:audisp_remote_t:s0
Target Context                system_u:object_r:bin_t:s0
Target Objects                /sbin/telinit [ file ]
Source                        init
Source Path                   init
Port                          <Unknown>
Host                          hp-dl360-06.rhts.englab.brq.redhat.com
Source RPM Packages
Target RPM Packages           upstart-0.6.5-5.el6
Policy RPM                    selinux-policy-3.7.19-24.el6
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Plugin Name                   catchall
Host Name                     hp-dl360-06.rhts.englab.brq.redhat.com
Platform                      Linux hp-dl360-06.rhts.englab.brq.redhat.com 2.6.32-25.el6.i686 #1 SMP Mon May 10 17:25:50 EDT 2010 i686 i686
Alert Count                   662
First Seen                    Mon Jun 14 06:47:02 2010
Last Seen                     Mon Jun 14 07:57:21 2010
Local ID                      8205b16c-9398-43d2-9bdd-2394797c6fd2
Line Numbers

Raw Audit Messages

node=hp-dl360-06.rhts.englab.brq.redhat.com type=AVC msg=audit(1276516641.113:6531): avc: denied { execute } for pid=18784 comm="init" name="telinit" dev=dm-0 ino=524712 scontext=unconfined_u:system_r:audisp_remote_t:s0 tcontext=system_u:object_r:bin_t:s0 tclass=file

Eduard, thanks for testing. Could you test it in permissive?

I guess we will need these rules:

corecmd_exec_bin(audisp_remote_t)
init_rw_utmp(audisp_remote_t)

and we will see about

allow audisp_remote_t self:capability setuid;

Created attachment 423816 [details]
Logged AVCs in permissive mode
Log file from permissive mode using selinux-policy-3.7.19-24.el6.noarch.

Created attachment 423865 [details]
Logged AVCs

SELinux mode is permissive, using a custom policy module, with an audit write watch on /etc/shadow:
[root@hp-dl360-06 ~]# cat myaudisp.te
policy_module(myaudisp, 1.0.0)
require{
type audisp_remote_t;
}
allow audisp_remote_t self:capability setuid;
corecmd_exec_bin(audisp_remote_t)
init_rw_utmp(audisp_remote_t)
[root@hp-dl360-06 ~]# cat /etc/audit/audit.rules
-D
-b 320
-w /etc/shadow -p w
[root@hp-dl360-06 ~]# ausearch -m avc -ts 10:20 | audit2allow
#============= audisp_remote_t ==============
allow audisp_remote_t self:capability setpcap;
allow audisp_remote_t self:netlink_audit_socket { nlmsg_relay write create read };
allow audisp_remote_t var_log_t:dir search;
#!!!! The source type 'audisp_remote_t' can write to a 'file' of the following types:
# initrc_tmp_t, initrc_var_run_t, mnt_t, tmp_t
allow audisp_remote_t wtmp_t:file { write lock open };

allow audisp_remote_t self:capability { setuid setpcap };
allow audisp_remote_t var_log_t:dir search_dir_perms;
corecmd_exec_bin(audisp_remote_t)
init_read_utmp(audisp_remote_t)
init_dontaudit_write_utmp(audisp_remote_t)
logging_send_audit_msgs(audisp_remote_t)

corecmd_exec_bin($1) should be added to init_telinit.

Using the following custom module we are almost there. The system successfully halts in enforcing mode. One more rule and we should be good to go:
# cat finalmyaudisp.te
policy_module(finalmyaudisp, 1.0)
require{
type audisp_remote_t;
type var_log_t;
}
allow audisp_remote_t self:capability { setuid setpcap };
allow audisp_remote_t var_log_t:dir search_dir_perms;
corecmd_exec_bin(audisp_remote_t)
init_read_utmp(audisp_remote_t)
init_dontaudit_write_utmp(audisp_remote_t)
logging_send_audit_msgs(audisp_remote_t)
# ausearch -m avc -ts 07:18
----
time->Tue Jun 15 07:18:55 2010
type=PATH msg=audit(1276600735.269:920): item=0 name="/var/log/wtmp" inode=315712 dev=fd:00 mode=0100664 ouid=0 ogid=22 rdev=00:00 obj=system_u:object_r:wtmp_t:s0
type=CWD msg=audit(1276600735.269:920): cwd="/"
type=SYSCALL msg=audit(1276600735.269:920): arch=40000003 syscall=5 success=no exit=-13 a0=80517be a1=8001 a2=38 a3=80517be items=1 ppid=3536 pid=3545 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4 comm="telinit" exe="/sbin/telinit" subj=unconfined_u:system_r:audisp_remote_t:s0 key=(null)
type=AVC msg=audit(1276600735.269:920): avc: denied { write } for pid=3545 comm="telinit" name="wtmp" dev=dm-0 ino=315712 scontext=unconfined_u:system_r:audisp_remote_t:s0 tcontext=system_u:object_r:wtmp_t:s0 tclass=file
[root@hp-dl360-06 ~]# ausearch -m avc -ts 07:18 | audit2allow
#============= audisp_remote_t ==============
allow audisp_remote_t wtmp_t:file write;
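The permissive-mode run above and the Additional info in the description both rely on audit2allow to turn raw AVC records into allow rules. The Python script below is an added example, not code from this report or from the audit or selinux-policy projects: it re-implements only the grouping step of audit2allow (source type, target type, object class, merged permission set) over AVC lines copied from this report plus one constructed capability denial in the same format, so the mapping from the denials on this page to the rules discussed in the comments can be followed by hand. The regular expression and the `self` shorthand handling are the example's own assumptions; it does not replace audit2allow, which also consults the loaded policy, its interfaces and dontaudit rules.

```python
"""Group raw SELinux AVC denials into audit2allow-style allow rules.

Added example for illustration, not code from the bug report or from the
audit/selinux-policy projects.  It only re-implements the grouping step of
audit2allow: collect denied permissions per (source type, target type,
object class) and emit one allow rule per group.
"""
import re
from collections import defaultdict

# Records 1, 3 and 4 are copied from this report's raw audit messages, record 2
# is a non-AVC SYSCALL record copied from the report (it must be ignored), and
# the last record is CONSTRUCTED to show a self:capability denial.
SAMPLE_RECORDS = [
    'node=hp-dl360-06.rhts.englab.brq.redhat.com type=AVC msg=audit(1276516641.113:6531): '
    'avc: denied { execute } for pid=18784 comm="init" name="telinit" dev=dm-0 ino=524712 '
    'scontext=unconfined_u:system_r:audisp_remote_t:s0 tcontext=system_u:object_r:bin_t:s0 tclass=file',
    'type=SYSCALL msg=audit(1276600735.269:920): arch=40000003 syscall=5 success=no exit=-13 '
    'comm="telinit" exe="/sbin/telinit" subj=unconfined_u:system_r:audisp_remote_t:s0 key=(null)',
    'type=AVC msg=audit(1276600735.269:920): avc: denied { write } for pid=3545 comm="telinit" '
    'name="wtmp" dev=dm-0 ino=315712 scontext=unconfined_u:system_r:audisp_remote_t:s0 '
    'tcontext=system_u:object_r:wtmp_t:s0 tclass=file',
    'node=hp-dl360-06.rhts.englab.brq.redhat.com type=AVC msg=audit(1276072786.456:41786): '
    'avc: denied { execute } for pid=16610 comm="audisp-remote" name="init" dev=dm-0 ino=524968 '
    'scontext=unconfined_u:system_r:audisp_remote_t:s0 tcontext=system_u:object_r:init_exec_t:s0 tclass=file',
    # constructed record (not from the report), matching the self:capability
    # setuid rule the comments discuss
    'type=AVC msg=audit(1276600735.270:921): avc: denied { setuid } for pid=3545 comm="telinit" '
    'capability=7 scontext=unconfined_u:system_r:audisp_remote_t:s0 '
    'tcontext=unconfined_u:system_r:audisp_remote_t:s0 tclass=capability',
]

# Matches the fields this example needs from an AVC denial; tolerant of the
# variable whitespace auditd puts around "denied".
AVC_RE = re.compile(
    r'type=AVC\b.*?avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}.*?'
    r'scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)'
)


def type_of(context):
    """Return the type field of a user:role:type[:range] security context."""
    return context.split(':')[2]


def parse_avc(line):
    """Parse one audit record; return None for anything that is not an AVC denial."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    return {
        'perms': set(m.group('perms').split()),
        'stype': type_of(m.group('scontext')),
        'ttype': type_of(m.group('tcontext')),
        'tclass': m.group('tclass'),
    }


def aggregate(lines):
    """Merge denied permissions per (source type, target type, object class)."""
    rules = defaultdict(set)
    for line in lines:
        rec = parse_avc(line)
        if rec is not None:
            rules[(rec['stype'], rec['ttype'], rec['tclass'])] |= rec['perms']
    return dict(rules)


def format_rules(rules):
    """Render the groups as allow rules, writing 'self' when source and target types match."""
    out = []
    for (stype, ttype, tclass), perms in sorted(rules.items()):
        plist = sorted(perms)
        perm_str = plist[0] if len(plist) == 1 else '{ ' + ' '.join(plist) + ' }'
        target = 'self' if ttype == stype else ttype
        out.append(f'allow {stype} {target}:{tclass} {perm_str};')
    return out


def rules_from_records(lines):
    """Convenience wrapper: raw audit lines in, allow rules out."""
    return format_rules(aggregate(lines))


if __name__ == '__main__':
    for rule in rules_from_records(SAMPLE_RECORDS):
        print(rule)
```

The grouped output is the list to read before deciding, rule by rule, whether an access belongs in the policy or should be silenced with a dontaudit (as the comments do for the wtmp write via auth_dontaudit_write_login_records), which is the question Dan's "Not sure what these are" raises.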

Thanks Eduard.

auth_dontaudit_write_login_records(audisp_remote_t)

Fixed in selinux-policy-3.7.19-25.el6.noarch

Red Hat Enterprise Linux 6.0 is now available and should resolve the problem described in this bug report. This report is therefore being closed with a resolution of CURRENTRELEASE. You may reopen this bug report if the solution does not work for you.

Description:

SELinux prevents the system halt when audit is configured for remote logging and audisp-remote is set to halt the system on network failure. The first AVC denial follows. Trying to allow all consequent denials with a local policy module resulted in the set of allow rules listed at the bottom, in the Additional info section.

Summary:

SELinux is preventing audisp-remote "execute" access on /sbin/init.

...

Additional Information:

Source Context                unconfined_u:system_r:audisp_remote_t:s0
Target Context                system_u:object_r:init_exec_t:s0
Target Objects                /sbin/init [ file ]
Source                        audisp-remote
Source Path                   audisp-remote
Port                          <Unknown>
Host                          hp-dl360-06.rhts.englab.brq.redhat.com
Source RPM Packages
Target RPM Packages           upstart-0.6.5-5.el6
Policy RPM                    selinux-policy-3.7.19-15.el6
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Plugin Name                   catchall
Host Name                     hp-dl360-06.rhts.englab.brq.redhat.com
Platform                      Linux hp-dl360-06.rhts.englab.brq.redhat.com 2.6.32-25.el6.i686 #1 SMP Mon May 10 17:25:50 EDT 2010 i686 i686
Alert Count                   19
First Seen                    Wed Jun 9 04:37:58 2010
Last Seen                     Wed Jun 9 04:39:46 2010
Local ID                      b28807d4-416b-4bf7-95da-e2f68a77f85e
Line Numbers

Raw Audit Messages

node=hp-dl360-06.rhts.englab.brq.redhat.com type=AVC msg=audit(1276072786.456:41786): avc: denied { execute } for pid=16610 comm="audisp-remote" name="init" dev=dm-0 ino=524968 scontext=unconfined_u:system_r:audisp_remote_t:s0 tcontext=system_u:object_r:init_exec_t:s0 tclass=file

How reproducible:
always

Steps to Reproduce:
1. Configure audisp-remote to halt on network failure using "network_failure_action = halt" in /etc/audisp/audisp-remote.conf (see BZ #514090 for configuration instructions)
2. Simulate network failure or simply unplug the network.
3. Observe log files.

Actual results:
The system does not halt; the log files are spammed by SELinux-related messages as audisp-remote continuously tries to halt the system.

<var-log-messages>
Jun 9 04:39:52 hp-dl360-06 audisp-remote: remote logging halting system due to network failure
Jun 9 04:39:52 hp-dl360-06 audisp-remote: audisp-remote failed to exec /sbin/init
Jun 9 04:39:52 hp-dl360-06 setroubleshoot: SELinux is preventing audisp-remote "execute" access on /sbin/init. For complete SELinux messages. run sealert -l b28807d4-416b-4bf7-95da-e2f68a77f85e
</var-log-messages>

Expected results:
System halts.

Additional info:

# cat audispremote.te
module audispremote 1.0;

require {
	type init_exec_t;
	type bin_t;
	type audisp_remote_t;
	type initrc_var_run_t;
	type init_t;
	class capability setuid;
	class unix_stream_socket connectto;
	class file { execute read execute_no_trans open };
}

#============= audisp_remote_t ==============
allow audisp_remote_t bin_t:file { read execute open execute_no_trans };
allow audisp_remote_t init_exec_t:file { read execute open execute_no_trans };
allow audisp_remote_t init_t:unix_stream_socket connectto;
allow audisp_remote_t initrc_var_run_t:file read;
allow audisp_remote_t self:capability setuid;