| Summary: | SELinux is preventing /bin/systemd-tty-ask-password-agent from 'open' accesses on the chr_file tty8. | | |
|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | Thomas Meyer <thomas.mey> |
| Component: | selinux-policy | Assignee: | Miroslav Grepl <mgrepl> |
| Status: | CLOSED CURRENTRELEASE | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
| Severity: | medium | Docs Contact: | |
| Priority: | unspecified | | |
| Version: | 15 | CC: | bugzilla, dwalsh, kparal, Lcstyle, mgrepl |
| Target Milestone: | --- | | |
| Target Release: | --- | | |
| Hardware: | i386 | | |
| OS: | Linux | | |
| Whiteboard: | setroubleshoot_trace_hash:37492ff5e8bedc29a73b16d2c5e603d8db56e662beb0f65f780bf40686c04a40 | | |
| Fixed In Version: | | Doc Type: | Bug Fix |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2011-10-07 13:47:59 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |

Thomas, so you are seeing these issues

allow systemd_passwd_agent_t tty_device_t:chr_file open;
allow systemd_passwd_agent_t user_tty_device_t:chr_file open;
allow systemd_passwd_agent_t self:capability dac_override;
allow systemd_passwd_agent_t self:capability sys_tty_config;

Could you try to do these steps

# yum reinstall selinux-policy
# echo "-w /etc/shadow -p w" >> /etc/audit/audit.rules
# service auditd restart
# restorecon -R -v /dev/log
# reboot

and see if you still get these issues? Also, do you have an encrypted partition?

I tried your steps, and after reboot I get 17 new SELinux entries in SeAlert:
- Two entries because of wrong labeld /dev/log file
- One entry because of operation "search" on /dev/input/event5 from hal-setup-keymap
- 14 entries because of "write" on socket file "(null)".
Just check again. Now I'm up to 20 alerts in SeAlert. The three new ones are:
- systemd-tmpfiles wants to write on socket file (null)
- systemd-tmpfiles wants to read /proc/net/unix
- systemd-tmpfiles wants to getattr on /proc/<pid>/unix
Yes, I have two encrypted disks:
- /home -> /dev/mapper/luksHome
- swapfs /dev/mapper/luksSwap
Currently I'm running in permissive mode to get a login screen (gdm).
Do I need to run in enforcing mode to let auditd catch the access on /etc/shadow?
I guess that because of the mislabeled /dev/log, SeAlert fails to catch these alerts from dmesg?!
$ dmesg | grep avc | xclip
[ 16.280789] type=1400 audit(1299518723.213:3): avc: denied { read write } for pid=404 comm="loadkeys" name="tty" dev=tmpfs ino=5955 scontext=system_u:system_r:loadkeys_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=chr_file
[ 16.280807] type=1400 audit(1299518723.213:4): avc: denied { open } for pid=404 comm="loadkeys" name="tty" dev=tmpfs ino=5955 scontext=system_u:system_r:loadkeys_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=chr_file
[ 16.280837] type=1400 audit(1299518723.213:5): avc: denied { ioctl } for pid=404 comm="loadkeys" path="/dev/tty0" dev=tmpfs ino=5958 scontext=system_u:system_r:loadkeys_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=chr_file
[ 16.639022] type=1400 audit(1299518723.569:6): avc: denied { add_name } for pid=392 comm="mount" name=".mount" scontext=system_u:system_r:mount_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=dir
[ 16.639048] type=1400 audit(1299518723.569:7): avc: denied { create } for pid=392 comm="mount" name=".mount" scontext=system_u:system_r:mount_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=dir
[ 16.639174] type=1400 audit(1299518723.569:8): avc: denied { create } for pid=392 comm="mount" name="utab" scontext=system_u:system_r:mount_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=file
[ 18.650856] type=1400 audit(1299515125.581:9): avc: denied { mmap_zero } for pid=441 comm="vbetool" scontext=system_u:system_r:vbetool_t:s0-s0:c0.c1023 tcontext=system_u:system_r:vbetool_t:s0-s0:c0.c1023 tclass=memprotect
[ 21.133780] type=1400 audit(1299515128.064:10): avc: denied { write } for pid=688 comm="systemd-tty-ask" name="sck.9851750355031607354" dev=tmpfs ino=11194 scontext=system_u:system_r:systemd_passwd_agent_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=sock_file
[ 21.135111] type=1400 audit(1299515128.064:11): avc: denied { connectto } for pid=688 comm="systemd-tty-ask" path=002F6F72672F667265656465736B746F702F706C796D6F75746864 scontext=system_u:system_r:systemd_passwd_agent_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=unix_stream_socket
[ 22.583092] type=1400 audit(1299515129.511:15): avc: denied { write } for pid=730 comm="systemd-tmpfile" name="log" dev=tmpfs ino=7683 scontext=system_u:system_r:systemd_tmpfiles_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=sock_file
[ 23.094973] type=1400 audit(1299515130.024:16): avc: denied { read } for pid=730 comm="systemd-tmpfile" name="rpm" dev=sda2 ino=175 scontext=system_u:system_r:systemd_tmpfiles_t:s0 tcontext=system_u:object_r:rpm_var_lib_t:s0 tclass=dir
[ 23.108239] type=1400 audit(1299515130.041:17): avc: denied { write } for pid=730 comm="systemd-tmpfile" name="rpm" dev=sda2 ino=175 scontext=system_u:system_r:systemd_tmpfiles_t:s0 tcontext=system_u:object_r:rpm_var_lib_t:s0 tclass=dir
[ 23.108256] type=1400 audit(1299515130.041:18): avc: denied { remove_name } for pid=730 comm="systemd-tmpfile" name="__db.004" dev=sda2 ino=2344 scontext=system_u:system_r:systemd_tmpfiles_t:s0 tcontext=system_u:object_r:rpm_var_lib_t:s0 tclass=dir
[ 23.108300] type=1400 audit(1299515130.041:19): avc: denied { unlink } for pid=730 comm="systemd-tmpfile" name="__db.004" dev=sda2 ino=2344 scontext=system_u:system_r:systemd_tmpfiles_t:s0 tcontext=system_u:object_r:rpm_var_lib_t:s0 tclass=file
[ 23.411663] type=1400 audit(1299515130.341:20): avc: denied { write } for pid=754 comm="rtkit-daemon" name="log" dev=tmpfs ino=7683 scontext=system_u:system_r:rtkit_daemon_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=sock_file
[ 24.819773] type=1400 audit(1299515131.748:21): avc: denied { setrlimit } for pid=777 comm="dbus-daemon" scontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tclass=process
[ 25.024744] type=1400 audit(1299515131.954:22): avc: denied { write } for pid=824 comm="auditd" name="log" dev=tmpfs ino=7683 scontext=system_u:system_r:auditd_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=sock_file
[ 25.703484] nscd[900]: Can't send to audit system: USER_AVC avc: netlink poll: error 4
[ 25.703559] nscd[900]: Can't send to audit system: USER_AVC avc: netlink recvfrom: error 1
[ 25.703634] nscd[900]: Can't send to audit system: USER_AVC avc: netlink thread: errors encountered, terminating
Full message from "systemd-tmpfiles wants to write on socket file (null)"
SELinux is preventing /bin/systemd-tmpfiles from write access on the sock_file (null).
***** Plugin catchall (100. confidence) suggests ***************************
If you believe that systemd-tmpfiles should be allowed write access on the (null) sock_file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep systemd-tmpfile /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp
Additional Information:
Source Context system_u:system_r:systemd_tmpfiles_t:s0
Target Context system_u:object_r:tmpfs_t:s0
Target Objects (null) [ sock_file ]
Source systemd-tmpfile
Source Path /bin/systemd-tmpfiles
Port <Unknown>
Host localhost.localdomain
Source RPM Packages systemd-units-19-1.fc15
Target RPM Packages
Policy RPM selinux-policy-3.9.15-2.fc15
Selinux Enabled True
Policy Type targeted
Enforcing Mode Permissive
Host Name localhost.localdomain
Platform Linux localhost.localdomain 2.6.38-rc7-00142-g212e349 #268 Sun Mar 6 14:17:47 CET 2011 i686 i686
Alert Count 1
First Seen Mon 07 Mar 2011 17:40:06 CET
Last Seen Mon 07 Mar 2011 17:40:06 CET
Local ID 4f11e08a-8344-49a5-9712-c8775c90653e
Raw Audit Messages
type=AVC msg=audit(1299516006.943:118): avc: denied { write } for pid=2038 comm="systemd-tmpfile" name="log" dev=tmpfs ino=14510 scontext=system_u:system_r:systemd_tmpfiles_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=sock_file
type=SYSCALL msg=audit(1299516006.943:118): arch=i386 syscall=socketcall success=yes exit=0 a0=3 a1=bfa6c010 a2=80535b0 a3=bfa6c03e items=1 ppid=1 pid=2038 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=systemd-tmpfile exe=/bin/systemd-tmpfiles subj=system_u:system_r:systemd_tmpfiles_t:s0 key=(null)
type=PATH msg=audit(1299516006.943:118): item=0 name=(null) inode=14510 dev=00:10 mode=0140666 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:tmpfs_t:s0
Hash: systemd-tmpfile,systemd_tmpfiles_t,tmpfs_t,sock_file,write
audit2allow
#============= systemd_tmpfiles_t ==============
allow systemd_tmpfiles_t tmpfs_t:sock_file write;
audit2allow -R
#============= systemd_tmpfiles_t ==============
allow systemd_tmpfiles_t tmpfs_t:sock_file write;
Thomas, please could you install the latest F15 policy which will remove some issues:

http://koji.fedoraproject.org/koji/buildinfo?buildID=231533

The following command

echo "-w /etc/shadow -p w" >> /etc/audit/audit.rules

gives us the full path in an error message.

I just installed the new version and rebooted.
Do I need to rebuild my initramfs? I didn't do that.
After reboot I found 16 alerts in my SeAlert.
/dev/ and /dev/log are still mislabeled:
Example 1 - Mislabeled /dev/
-----------------------------
SELinux is preventing /sbin/rsyslogd from write access on the directory /dev/.
***** Plugin restorecon (99.5 confidence) suggests *************************
If you want to fix the label.
/dev/ default label should be device_t.
Then you can run restorecon.
Do
# /sbin/restorecon -v /dev/
***** Plugin catchall (1.49 confidence) suggests ***************************
If you believe that rsyslogd should be allowed write access on the directory by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep rsyslogd /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp
Additional Information:
Source Context system_u:system_r:syslogd_t:s0
Target Context system_u:object_r:tmpfs_t:s0
Target Objects /dev/ [ dir ]
Source rsyslogd
Source Path /sbin/rsyslogd
Port <Unknown>
Host localhost.localdomain
Source RPM Packages rsyslog-5.6.2-2.fc15
Target RPM Packages
Policy RPM selinux-policy-3.9.15-6.fc15
Selinux Enabled True
Policy Type targeted
Enforcing Mode Permissive
Host Name localhost.localdomain
Platform Linux localhost.localdomain 2.6.38-rc7-00142-g212e349 #268 Sun Mar 6 14:17:47 CET 2011 i686 i686
Alert Count 1
First Seen Mon 07 Mar 2011 23:13:07 CET
Last Seen Mon 07 Mar 2011 23:13:07 CET
Local ID 486e4bb8-241c-4e11-9d42-effa12c6fc62
Raw Audit Messages
type=AVC msg=audit(1299535987.389:29): avc: denied { write } for pid=886 comm="rsyslogd" name="/" dev=tmpfs ino=5796 scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=dir
type=AVC msg=audit(1299535987.389:29): avc: denied { remove_name } for pid=886 comm="rsyslogd" name="log" dev=tmpfs ino=7677 scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=dir
type=AVC msg=audit(1299535987.389:29): avc: denied { unlink } for pid=886 comm="rsyslogd" name="log" dev=tmpfs ino=7677 scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=sock_file
type=SYSCALL msg=audit(1299535987.389:29): arch=i386 syscall=unlink success=yes exit=0 a0=b76a3e6d a1=b9653278 a2=b76a5f74 a3=0 items=2 ppid=863 pid=886 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=rsyslogd exe=/sbin/rsyslogd subj=system_u:system_r:syslogd_t:s0 key=(null)
type=CWD msg=audit(1299535987.389:29): cwd=/
type=PATH msg=audit(1299535987.389:29): item=0 name=/dev/ inode=5796 dev=00:10 mode=040755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:tmpfs_t:s0
type=PATH msg=audit(1299535987.389:29): item=1 name=/dev/log inode=7677 dev=00:10 mode=0140666 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:tmpfs_t:s0
Hash: rsyslogd,syslogd_t,tmpfs_t,dir,write
audit2allow
#============= syslogd_t ==============
#!!!! The source type 'syslogd_t' can write to a 'dir' of the following types:
# plymouthd_var_log_t, var_run_t, var_log_t, syslogd_tmp_t, tmp_t, syslogd_var_lib_t, syslogd_var_run_t, innd_log_t, device_t, root_t
allow syslogd_t tmpfs_t:dir { write remove_name };
allow syslogd_t tmpfs_t:sock_file unlink;
audit2allow -R
#============= syslogd_t ==============
#!!!! The source type 'syslogd_t' can write to a 'dir' of the following types:
# plymouthd_var_log_t, var_run_t, var_log_t, syslogd_tmp_t, tmp_t, syslogd_var_lib_t, syslogd_var_run_t, innd_log_t, device_t, root_t
allow syslogd_t tmpfs_t:dir { write remove_name };
allow syslogd_t tmpfs_t:sock_file unlink;
Example 2 - Mislabeled /dev/log
-------------------------------
SELinux is preventing /sbin/rsyslogd from setattr access on the sock_file /dev/log.
***** Plugin catchall (100. confidence) suggests ***************************
If you believe that rsyslogd should be allowed setattr access on the log sock_file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep rsyslogd /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp
Additional Information:
Source Context system_u:system_r:syslogd_t:s0
Target Context system_u:object_r:tmpfs_t:s0
Target Objects /dev/log [ sock_file ]
Source rsyslogd
Source Path /sbin/rsyslogd
Port <Unknown>
Host localhost.localdomain
Source RPM Packages rsyslog-5.6.2-2.fc15
Target RPM Packages
Policy RPM selinux-policy-3.9.15-6.fc15
Selinux Enabled True
Policy Type targeted
Enforcing Mode Permissive
Host Name localhost.localdomain
Platform Linux localhost.localdomain 2.6.38-rc7-00142-g212e349 #268 Sun Mar 6 14:17:47 CET 2011 i686 i686
Alert Count 1
First Seen Mon 07 Mar 2011 23:13:07 CET
Last Seen Mon 07 Mar 2011 23:13:07 CET
Local ID b82f2fa5-f96c-4b10-93d1-c7e6bba72399
Raw Audit Messages
type=AVC msg=audit(1299535987.392:31): avc: denied { setattr } for pid=886 comm="rsyslogd" name="log" dev=tmpfs ino=14281 scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=sock_file
type=SYSCALL msg=audit(1299535987.392:31): arch=i386 syscall=chmod success=yes exit=0 a0=b76a3e6d a1=1b6 a2=b76a5f74 a3=0 items=1 ppid=863 pid=886 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=rsyslogd exe=/sbin/rsyslogd subj=system_u:system_r:syslogd_t:s0 key=(null)
type=CWD msg=audit(1299535987.392:31): cwd=/
type=PATH msg=audit(1299535987.392:31): item=0 name=/dev/log inode=14281 dev=00:10 mode=0140700 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:tmpfs_t:s0
Hash: rsyslogd,syslogd_t,tmpfs_t,sock_file,setattr
audit2allow
#============= syslogd_t ==============
allow syslogd_t tmpfs_t:sock_file setattr;
audit2allow -R
#============= syslogd_t ==============
allow syslogd_t tmpfs_t:sock_file setattr;
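The triage this thread works through by hand, as an added example (this is not code from Fedora, setroubleshoot or audit2allow): the script below parses the AVC lines from the dmesg dump earlier in the bug and from the raw audit messages above, decodes audit's hex-encoded string fields (the connectto denial carries an abstract unix socket name that auditd hex-encodes because it starts with a NUL byte), groups denials by source type, target type and object class the way audit2allow does, and prefixes each resulting rule with a verdict. The verdict rule is this example's own heuristic, not setroubleshoot's plugin logic: a target typed tmpfs_t (or unlabeled_t/file_t) on /dev or /run is an object that never got its proper label and is fixed with restorecon, device_t needs a `matchpathcon` check because it is also the legitimate label of /dev itself, and anything else is a genuine policy gap. The sample lines are copied from this bug report.

```python
"""Triage SELinux AVC denials from dmesg or /var/log/audit/audit.log.

Added example for this bug thread, not Fedora/setroubleshoot/audit2allow code.
Sample lines are copied from the bug report itself.
"""
import re
import sys

# "... avc: denied { read write } for pid=404 comm="loadkeys" name="tty" ..."
AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)")
# key="quoted value"  or  key=bare_value
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

# auditd hex-encodes these string fields when the value contains a NUL, a quote
# or whitespace; the blob then appears unquoted, e.g. path=002F6F72672F...
HEX_FIELDS = {"name", "path", "comm", "exe", "cwd"}

# Heuristic (this example's, not setroubleshoot's): tmpfs_t is the filesystem
# default that leaks onto /dev and /run when the early-boot tmpfs is never
# relabeled; unlabeled_t and file_t are the "no label at all" fallbacks.
MISLABEL_TYPES = {"tmpfs_t", "unlabeled_t", "file_t"}
# device_t is the correct label of /dev itself and of generic device nodes, so
# a denial against it can be either case: compare `matchpathcon <path>` with `ls -Z`.
VERIFY_TYPES = {"device_t"}

SAMPLE_LINES = [
    '[ 16.280789] type=1400 audit(1299518723.213:3): avc: denied { read write } for pid=404 comm="loadkeys" name="tty" dev=tmpfs ino=5955 scontext=system_u:system_r:loadkeys_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=chr_file',
    '[ 16.280807] type=1400 audit(1299518723.213:4): avc: denied { open } for pid=404 comm="loadkeys" name="tty" dev=tmpfs ino=5955 scontext=system_u:system_r:loadkeys_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=chr_file',
    '[ 21.135111] type=1400 audit(1299515128.064:11): avc: denied { connectto } for pid=688 comm="systemd-tty-ask" path=002F6F72672F667265656465736B746F702F706C796D6F75746864 scontext=system_u:system_r:systemd_passwd_agent_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=unix_stream_socket',
    '[ 22.583092] type=1400 audit(1299515129.511:15): avc: denied { write } for pid=730 comm="systemd-tmpfile" name="log" dev=tmpfs ino=7683 scontext=system_u:system_r:systemd_tmpfiles_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=sock_file',
    '[ 25.024744] type=1400 audit(1299515131.954:22): avc: denied { write } for pid=824 comm="auditd" name="log" dev=tmpfs ino=7683 scontext=system_u:system_r:auditd_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=sock_file',
    "[ 25.703484] nscd[900]: Can't send to audit system: USER_AVC avc: netlink poll: error 4",
    'type=AVC msg=audit(1299535987.389:29): avc: denied { write } for pid=886 comm="rsyslogd" name="/" dev=tmpfs ino=5796 scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=dir',
    'type=AVC msg=audit(1299535987.389:29): avc: denied { unlink } for pid=886 comm="rsyslogd" name="log" dev=tmpfs ino=7677 scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=sock_file',
]


def decode_audit_field(key, value, quoted):
    """Return the field's real string, hex-decoding unquoted string fields."""
    if quoted or key not in HEX_FIELDS:
        return value
    if len(value) % 2 == 0 and re.fullmatch(r"[0-9A-Fa-f]+", value):
        return bytes.fromhex(value).decode("utf-8", "replace")
    return value


def context_type(context):
    """user:role:type[:range] -> type; also handles MLS ranges like s0-s0:c0.c1023."""
    parts = context.split(":")
    return parts[2] if len(parts) > 2 else context


def parse_avc(line):
    """Parse one line; return a dict for an AVC denial, None for anything else."""
    match = AVC_RE.search(line)
    if match is None:
        return None
    rec = {"perms": match.group("perms").split()}
    for key, quoted, bare in FIELD_RE.findall(match.group("fields")):
        is_quoted = not bare
        rec[key] = decode_audit_field(key, quoted if is_quoted else bare, is_quoted)
    rec["stype"] = context_type(rec.get("scontext", ""))
    rec["ttype"] = context_type(rec.get("tcontext", ""))
    return rec


def triage(ttype):
    """mislabel -> restorecon; verify -> check the label first; policy -> real gap."""
    if ttype in MISLABEL_TYPES:
        return "mislabel"
    if ttype in VERIFY_TYPES:
        return "verify"
    return "policy"


def summarize(lines):
    """Group denials by (source type, target type, class), merging permissions."""
    groups = {}
    for rec in filter(None, map(parse_avc, lines)):
        key = (rec["stype"], rec["ttype"], rec.get("tclass", "?"))
        group = groups.setdefault(key, {
            "stype": key[0], "ttype": key[1], "tclass": key[2],
            "perms": set(), "objects": set(), "count": 0, "triage": triage(key[1]),
        })
        group["perms"].update(rec["perms"])
        group["objects"].add(rec.get("path") or rec.get("name") or "?")
        group["count"] += 1
    return sorted(groups.values(), key=lambda g: (g["triage"], g["stype"], g["ttype"]))


NOTES = {
    "mislabel": "# DO NOT ALLOW: target is mislabeled, fix with restorecon on ",
    "verify": "# CHECK LABEL FIRST: generic device_t target, compare matchpathcon with ls -Z on ",
    "policy": "# policy gap: report it, or allow it via a local module; object(s): ",
}


def report(lines):
    """One audit2allow-shaped rule per group, each prefixed with its triage verdict."""
    out = []
    for g in summarize(lines):
        out.append(NOTES[g["triage"]] + ", ".join(repr(o) for o in sorted(g["objects"])))
        out.append("allow %s %s:%s { %s };"
                   % (g["stype"], g["ttype"], g["tclass"], " ".join(sorted(g["perms"]))))
    return "\n".join(out)


if __name__ == "__main__":
    # Stand-alone: use the embedded samples, or pass a file produced by `dmesg | grep avc`.
    source = open(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_LINES
    print(report(source))
```

The point of the verdict line is the difference between the two fixes offered in this thread: `allow syslogd_t tmpfs_t:sock_file unlink;` from audit2allow would make the denial go away, but it lets syslogd_t act on every tmpfs_t object on the system, whereas `restorecon -R -v /dev` removes the cause and leaves the policy untouched. The decoded connectto target, `'\x00/org/freedesktop/plymouthd'`, is an abstract unix socket; audit2allow shows it as the raw hex blob, which is why the path field is worth decoding before deciding what a denial is about.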
*** Bug 681661 has been marked as a duplicate of this bug. ***

Looks like udev is broken in the latest release, or systemd? Still the socket file /dev/log is mislabeled. Look what happens in this command sequence:

$ ll -Z /dev/log
srw-rw-rw-. root root system_u:object_r:tmpfs_t:s0 /dev/log
$ sudo restorecon -v /dev/log
restorecon reset /dev/log context system_u:object_r:tmpfs_t:s0->system_u:object_r:devlog_t:s0
$ ll -Z /dev/log
srw-rw-rw-. root root system_u:object_r:devlog_t:s0 /dev/log
$ sudo service rsyslog restart
Restarting rsyslog (via systemctl): [ OK ]
$ ll -Z /dev/log
srw-rw-rw-. root root system_u:object_r:tmpfs_t:s0 /dev/log

How can that be?

The /dev is mislabeled. Try

restorecon -R -v /dev

Then your service rsyslog restart should work.

Okay, thanks. My system seems to be somewhat special, because the /dev filesystem is mislabeled after every reboot! But I don't know why. I seem to be the only person to hit that error?!

Is udev running?

Yes, it is:

$ pidof udevd
1650 1428 364
$ dmesg | grep udev
[ 2.430496] udev[111]: starting version 166
[ 37.213748] systemd[1]: Walked on cycle path to udev-retry.service/start
[ 37.213770] systemd[1]: Breaking ordering cycle by deleting job udev-retry.service/start
[ 38.643163] udevd[364]: specified group 'pcscd' unknown
[ 38.941342] udev[364]: starting version 166

Maybe some timing issue?

I still run into this problem. Currently I boot into the systemd emergency target and relabel the tmpfs /dev and /run (I can attach the output of these runs here if you like). After that I can boot into the system with "systemctl default". Can we please change the title of this bug to "SELinux: tmpfs /dev is mislabeled for systemd" or something like that?
Current versions:

dracut.noarch 009-5.fc15
udev.i686 167-2.fc15
systemd.i686 21-2.fc15
selinux-policy.noarch 3.9.16-10.fc15
selinux-policy-targeted.noarch 3.9.16-10.fc15

There is supposed to be a version of systemd being released tonight that fixes the labels: 23-1.

*** Bug 692429 has been marked as a duplicate of this bug. ***

Good news, everyone! This version combination seems to fix this bug already:

dracut.noarch 009-5.fc15
systemd.i686 22-1.fc15
selinux-policy.noarch 3.9.16-11.fc15
selinux-policy-targeted.noarch 3.9.16-11.fc15
SELinux is preventing /bin/systemd-tty-ask-password-agent from 'open' accesses on the chr_file tty8.
***** Plugin catchall_boolean (89.3 confidence) suggests *******************
If you want to allow all daemons the ability to read/write terminals
Then you must tell SELinux about this by enabling the 'allow_daemons_use_tty' boolean.
Do
setsebool -P allow_daemons_use_tty 1
***** Plugin catchall (11.6 confidence) suggests ***************************
If you believe that systemd-tty-ask-password-agent should be allowed open access on the tty8 chr_file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep systemd-tty-ask /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp
Additional Information:
Source Context system_u:system_r:systemd_passwd_agent_t:s0
Target Context system_u:object_r:tty_device_t:s0
Target Objects tty8 [ chr_file ]
Source systemd-tty-ask
Source Path /bin/systemd-tty-ask-password-agent
Port <Unknown>
Host (removed)
Source RPM Packages systemd-19-1.fc15
Target RPM Packages
Policy RPM selinux-policy-3.9.15-2.fc15
Selinux Enabled True
Policy Type targeted
Enforcing Mode Permissive
Host Name (removed)
Platform Linux (removed) 2.6.38-rc7-00142-g212e349 #267 Sat Mar 5 21:22:31 CET 2011 i686 i686
Alert Count 4
First Seen Sun 06 Mar 2011 12:30:09 CET
Last Seen Sun 06 Mar 2011 13:35:02 CET
Local ID dec1b3a1-fd2f-45ec-a2ab-01de211dc0ae
Raw Audit Messages
type=AVC msg=audit(1299414902.499:560): avc: denied { open } for pid=870 comm="systemd-tty-ask" name="tty8" dev=tmpfs ino=6208 scontext=system_u:system_r:systemd_passwd_agent_t:s0 tcontext=system_u:object_r:tty_device_t:s0 tclass=chr_file
type=SYSCALL msg=audit(1299414902.499:560): arch=i386 syscall=open success=yes exit=ENOEXEC a0=8cd9338 a1=80901 a2=80518c4 a3=0 items=0 ppid=1 pid=870 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=systemd-tty-ask exe=/bin/systemd-tty-ask-password-agent subj=system_u:system_r:systemd_passwd_agent_t:s0 key=(null)
Hash: systemd-tty-ask,systemd_passwd_agent_t,tty_device_t,chr_file,open
audit2allow
#============= systemd_passwd_agent_t ==============
#!!!! This avc can be allowed using the boolean 'allow_daemons_use_tty'
allow systemd_passwd_agent_t tty_device_t:chr_file open;
audit2allow -R
#============= systemd_passwd_agent_t ==============
#!!!! This avc can be allowed using the boolean 'allow_daemons_use_tty'
allow systemd_passwd_agent_t tty_device_t:chr_file open;