Bug 602159
Summary: | SELinux is preventing audisp-remote from halting the system for network_failure_action
---|---
Product: | Red Hat Enterprise Linux 6
Component: | selinux-policy
Version: | 6.0
Hardware: | All
OS: | Linux
Status: | CLOSED CURRENTRELEASE
Severity: | medium
Priority: | medium
Target Milestone: | rc
Reporter: | Eduard Benes <ebenes>
Assignee: | Miroslav Grepl <mgrepl>
QA Contact: | Eduard Benes <ebenes>
CC: | dwalsh, mgrepl, mmalik, sgrubb, syeghiay
Fixed In Version: | selinux-policy-3.7.19-25.el6
Doc Type: | Bug Fix
Cloned to: | 646801
Bug Blocks: | 602164, 646801
Last Closed: | 2010-11-10 21:34:36 UTC
Description
Eduard Benes
2010-06-09 09:39:23 UTC
We need the raw audit log for this.

Miroslav, I think init_telinit(audisp_remote_t) will make this work.

Not sure what these are:

```
allow audisp_remote_t initrc_var_run_t:file read;
allow audisp_remote_t self:capability setuid;
allow audisp_remote_t bin_t:file { read execute open execute_no_trans };
```

(In reply to comment #2)
> Not sure what these are
>
> allow audisp_remote_t initrc_var_run_t:file read;

Dan, I would imagine it needs to read utmp.

Miroslav, work with Eduard on this one, since this is critical to accreditation.

@Miroslav: Tested with selinux-policy-3.7.19-24.el6 and some rules are still missing.

```
Summary:

SELinux is preventing init "execute" access on /sbin/telinit.

Detailed Description:

SELinux denied access requested by init. It is not expected that this access is
required by init and this access may signal an intrusion attempt. It is also
possible that the specific version or configuration of the application is
causing it to require additional access.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ
(http://docs.fedoraproject.org/selinux-faq-fc5/#id2961385)
Please file a bug report.

Additional Information:

Source Context                unconfined_u:system_r:audisp_remote_t:s0
Target Context                system_u:object_r:bin_t:s0
Target Objects                /sbin/telinit [ file ]
Source                        init
Source Path                   init
Port                          <Unknown>
Host                          hp-dl360-06.rhts.englab.brq.redhat.com
Source RPM Packages
Target RPM Packages           upstart-0.6.5-5.el6
Policy RPM                    selinux-policy-3.7.19-24.el6
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Plugin Name                   catchall
Host Name                     hp-dl360-06.rhts.englab.brq.redhat.com
Platform                      Linux hp-dl360-06.rhts.englab.brq.redhat.com
                              2.6.32-25.el6.i686 #1 SMP Mon May 10 17:25:50
                              EDT 2010 i686 i686
Alert Count                   662
First Seen                    Mon Jun 14 06:47:02 2010
Last Seen                     Mon Jun 14 07:57:21 2010
Local ID                      8205b16c-9398-43d2-9bdd-2394797c6fd2
Line Numbers

Raw Audit Messages

node=hp-dl360-06.rhts.englab.brq.redhat.com type=AVC msg=audit(1276516641.113:6531): avc: denied { execute } for pid=18784 comm="init" name="telinit" dev=dm-0 ino=524712 scontext=unconfined_u:system_r:audisp_remote_t:s0 tcontext=system_u:object_r:bin_t:s0 tclass=file
```

Eduard, thanks for testing. Could you test it in permissive? I guess we will need these rules:

```
corecmd_exec_bin(audisp_remote_t)
init_rw_utmp(audisp_remote_t)
```

and we will see about

```
allow audisp_remote_t self:capability setuid;
```

Created attachment 423816
Logged AVCs in permissive mode

Log file from permissive mode using selinux-policy-3.7.19-24.el6.noarch.
Created attachment 423865
Logged AVCs

SELinux mode is permissive, using a custom policy module, with an audit write watch on /etc/shadow:
```
[root@hp-dl360-06 ~]# cat myaudisp.te
policy_module(myaudisp, 1.0.0)

require {
	type audisp_remote_t;
}

allow audisp_remote_t self:capability setuid;
corecmd_exec_bin(audisp_remote_t)
init_rw_utmp(audisp_remote_t)

[root@hp-dl360-06 ~]# cat /etc/audit/audit.rules
-D
-b 320
-w /etc/shadow -p w

[root@hp-dl360-06 ~]# ausearch -m avc -ts 10:20 | audit2allow

#============= audisp_remote_t ==============
allow audisp_remote_t self:capability setpcap;
allow audisp_remote_t self:netlink_audit_socket { nlmsg_relay write create read };
allow audisp_remote_t var_log_t:dir search;
#!!!! The source type 'audisp_remote_t' can write to a 'file' of the following types:
# initrc_tmp_t, initrc_var_run_t, mnt_t, tmp_t
allow audisp_remote_t wtmp_t:file { write lock open };
```
```
allow audisp_remote_t self:capability { setuid setpcap };
allow audisp_remote_t var_log_t:dir search_dir_perms;
corecmd_exec_bin(audisp_remote_t)
init_read_utmp(audisp_remote_t)
init_dontaudit_write_utmp(audisp_remote_t)
logging_send_audit_msgs(audisp_remote_t)
```

corecmd_exec_bin($1) should be added to init_telinit.

Using the following custom module we are almost there. System successfully halts in enforcing mode. One more rule and we should be good to go:

```
# cat finalmyaudisp.te
policy_module(finalmyaudisp, 1.0)

require {
	type audisp_remote_t;
	type var_log_t;
}

allow audisp_remote_t self:capability { setuid setpcap };
allow audisp_remote_t var_log_t:dir search_dir_perms;
corecmd_exec_bin(audisp_remote_t)
init_read_utmp(audisp_remote_t)
init_dontaudit_write_utmp(audisp_remote_t)
logging_send_audit_msgs(audisp_remote_t)

# ausearch -m avc -ts 07:18
----
time->Tue Jun 15 07:18:55 2010
type=PATH msg=audit(1276600735.269:920): item=0 name="/var/log/wtmp" inode=315712 dev=fd:00 mode=0100664 ouid=0 ogid=22 rdev=00:00 obj=system_u:object_r:wtmp_t:s0
type=CWD msg=audit(1276600735.269:920):  cwd="/"
type=SYSCALL msg=audit(1276600735.269:920): arch=40000003 syscall=5 success=no exit=-13 a0=80517be a1=8001 a2=38 a3=80517be items=1 ppid=3536 pid=3545 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4 comm="telinit" exe="/sbin/telinit" subj=unconfined_u:system_r:audisp_remote_t:s0 key=(null)
type=AVC msg=audit(1276600735.269:920): avc: denied { write } for pid=3545 comm="telinit" name="wtmp" dev=dm-0 ino=315712 scontext=unconfined_u:system_r:audisp_remote_t:s0 tcontext=system_u:object_r:wtmp_t:s0 tclass=file

[root@hp-dl360-06 ~]# ausearch -m avc -ts 07:18 | audit2allow

#============= audisp_remote_t ==============
allow audisp_remote_t wtmp_t:file write;
```

Thanks Eduard.

```
auth_dontaudit_write_login_records(audisp_remote_t)
```

Fixed in selinux-policy-3.7.19-25.el6.noarch

Red Hat Enterprise Linux 6.0 is now available and should resolve the problem described in this bug report. This report is therefore being closed with a resolution of CURRENTRELEASE. You may reopen this bug report if the solution does not work for you.
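Added example (not from the bug report or from the selinux-policy project): a small Python equivalent of the `ausearch -m avc | audit2allow` step used in the comments above, run over the two AVC denials quoted in this bug plus one constructed line, with a `dontaudit_targets` option that mirrors the maintainer's final decision to silence the wtmp_t write instead of granting it. The regex, grouping and dontaudit handling are this example's own logic, not audit2allow's code.

```python
# Added example (not from the bug report or selinux-policy): turn raw AVC
# denials into candidate rules the way audit2allow does for this bug's logs.
import re
from collections import defaultdict

# First two lines are the denials quoted in the bug; the third is constructed
# to show how several permissions on one object are merged into one rule.
AVC_LINES = [
    'node=hp-dl360-06.rhts.englab.brq.redhat.com type=AVC msg=audit(1276516641.113:6531): avc: denied { execute } for pid=18784 comm="init" name="telinit" dev=dm-0 ino=524712 scontext=unconfined_u:system_r:audisp_remote_t:s0 tcontext=system_u:object_r:bin_t:s0 tclass=file',
    'type=AVC msg=audit(1276600735.269:920): avc: denied { write } for pid=3545 comm="telinit" name="wtmp" dev=dm-0 ino=315712 scontext=unconfined_u:system_r:audisp_remote_t:s0 tcontext=system_u:object_r:wtmp_t:s0 tclass=file',
    'type=AVC msg=audit(1276600735.270:921): avc: denied { lock open } for pid=3545 comm="telinit" name="wtmp" dev=dm-0 ino=315712 scontext=unconfined_u:system_r:audisp_remote_t:s0 tcontext=system_u:object_r:wtmp_t:s0 tclass=file',  # constructed
]

AVC_RE = re.compile(
    r'avc:\s+denied\s+\{ (?P<perms>[^}]+) \}.*?'
    r'scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)')

def parse_avc(line):
    """Return (source_type, target_type, tclass, perms) or None for non-AVC lines."""
    m = AVC_RE.search(line)
    if not m:
        return None
    # A context is user:role:type:level; the policy rule needs only the type.
    stype = m.group('scontext').split(':')[2]
    ttype = m.group('tcontext').split(':')[2]
    return stype, ttype, m.group('tclass'), set(m.group('perms').split())

def build_rules(lines, dontaudit_targets=frozenset()):
    """Merge denials per (source, target, class) and emit one rule each.
    Target types in dontaudit_targets get a dontaudit rule instead of allow,
    mirroring the final fix here, which silenced the wtmp_t write rather than
    granting it: a logged denial is not automatically an access the domain needs.
    """
    grouped = defaultdict(set)
    for line in lines:
        parsed = parse_avc(line)
        if parsed:
            stype, ttype, tclass, perms = parsed
            grouped[(stype, ttype, tclass)] |= perms
    rules = []
    for (stype, ttype, tclass), perms in sorted(grouped.items()):
        verb = 'dontaudit' if ttype in dontaudit_targets else 'allow'
        p = sorted(perms)
        perm_str = p[0] if len(p) == 1 else '{ ' + ' '.join(p) + ' }'
        rules.append(f'{verb} {stype} {ttype}:{tclass} {perm_str};')
    return rules

if __name__ == '__main__':
    print('\n'.join(build_rules(AVC_LINES, dontaudit_targets={'wtmp_t'})))
```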