Re-testing the original bug but in an MLS policy type revealed a regression caused by the current fix for bug 500395. The setroubleshoot daemon does not produce anything because of a bug. MLS in enforcing mode (something seems to be covered by don't audit rules):

<snip>
[root@dhcp-lab-232 /]# ifup ipsec1
Usage: grep [OPTION]... PATTERN [FILE]...
Try `grep --help' for more information.
Usage: grep [OPTION]... PATTERN [FILE]...
Try `grep --help' for more information.
Missing config file ifcfg-ifcfg-ipsec1.
[root@dhcp-lab-232 /]# ausearch -m avc -ts 13:30
<no matches>
</snip>

MLS in permissive mode:

<snip>
[root@dhcp-lab-232 /]# ifup ipsec1
[root@dhcp-lab-232 /]# ausearch -m avc -ts recent
----
time->Wed Aug 5 13:41:44 2009
type=SYSCALL msg=audit(1249472504.892:354617): arch=40000003 syscall=11 success=yes exit=0 a0=bf84bca9 a1=bf84bb18 a2=9af7858 a3=5 items=0 ppid=9548 pid=9553 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=23 comm="auditd" exe="/bin/bash" subj=root:sysadm_r:sysadm_t:s0-s15:c0.c1023 key=(null)
type=AVC msg=audit(1249472504.892:354617): avc: denied { execute_no_trans } for pid=9553 comm="env" path="/etc/rc.d/init.d/auditd" dev=dm-0 ino=426463 scontext=root:sysadm_r:sysadm_t:s0-s15:c0.c1023 tcontext=system_u:object_r:auditd_script_exec_t:s0 tclass=file
----
time->Wed Aug 5 13:47:21 2009
type=SYSCALL msg=audit(1249472841.638:354619): arch=40000003 syscall=11 success=yes exit=0 a0=9ddccc0 a1=9db6660 a2=9db6238 a3=0 items=0 ppid=9566 pid=9584 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=23 comm="setkey" exe="/sbin/setkey" subj=root:sysadm_r:setkey_t:s0-s15:c0.c1023 key=(null)
type=AVC msg=audit(1249472841.638:354619): avc: denied { read } for pid=9584 comm="setkey" path=2F746D702F73682D7468642D31323439343535303636202864656C6574656429 dev=dm-0 ino=229380 scontext=root:sysadm_r:setkey_t:s0-s15:c0.c1023 tcontext=root:object_r:sysadm_tmp_t:s0 tclass=file
----
time->Wed Aug 5 13:47:21 2009
type=SYSCALL msg=audit(1249472841.463:354618): arch=40000003 syscall=11 success=yes exit=0 a0=9336ce8 a1=9338d38 a2=93378f0 a3=9338d38 items=0 ppid=8872 pid=9566 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=23 comm="ifup-ipsec" exe="/bin/bash" subj=root:sysadm_r:sysadm_t:s0-s15:c0.c1023 key=(null)
type=AVC msg=audit(1249472841.463:354618): avc: denied { execute_no_trans } for pid=9566 comm="ifup" path="/etc/sysconfig/network-scripts/ifup-ipsec" dev=dm-0 ino=426629 scontext=root:sysadm_r:sysadm_t:s0-s15:c0.c1023 tcontext=system_u:object_r:initrc_exec_t:s0 tclass=file
----
time->Wed Aug 5 13:47:22 2009
type=SYSCALL msg=audit(1249472842.116:354620): arch=40000003 syscall=197 success=yes exit=0 a0=0 a1=bfe053f8 a2=c55ff4 a3=c56420 items=0 ppid=9566 pid=9584 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=23 comm="setkey" exe="/sbin/setkey" subj=root:sysadm_r:setkey_t:s0-s15:c0.c1023 key=(null)
type=AVC msg=audit(1249472842.116:354620): avc: denied { getattr } for pid=9584 comm="setkey" path=2F746D702F73682D7468642D31323439343535303636202864656C6574656429 dev=dm-0 ino=229380 scontext=root:sysadm_r:setkey_t:s0-s15:c0.c1023 tcontext=root:object_r:sysadm_tmp_t:s0 tclass=file
[root@dhcp-lab-232 /]# ausearch -m avc -ts recent | audit2allow

#============= setkey_t ==============
allow setkey_t sysadm_tmp_t:file { read getattr };

#============= sysadm_t ==============
allow sysadm_t auditd_script_exec_t:file execute_no_trans;
allow sysadm_t initrc_exec_t:file execute_no_trans;
</snip>
On an MLS machine sysadm_t is not allowed to deal with auditd; you need to be auditadm_t. Also, restarting init scripts has to be done with run_init:

run_init system auditd restart

Since the code did not transition, you end up with setkey trying to read temporary data created via sysadm_t, which causes the problem.
Here are results from testing in *strict* mode, with don't audit rules turned off using 'semodule -DB'. I am going to retest the same way in MLS.

$ ssh -l root dhcp-lab-232
root@dhcp-lab-232's password:
Last login: Thu Aug 6 16:55:06 2009
-bash: /root/.bash_profile: Permission denied
-bash-3.2# newrole -r sysadm_r
Password:
[root@dhcp-lab-232 ~]# id -Z
root:sysadm_r:sysadm_t:SystemLow-SystemHigh
[root@dhcp-lab-232 ~]# semodule -B
[root@dhcp-lab-232 ~]# date
Thu Aug 6 17:07:07 CEST 2009
[root@dhcp-lab-232 ~]# ifup ipsec1
Usage: grep [OPTION]... PATTERN [FILE]...
Try `grep --help' for more information.
Usage: grep [OPTION]... PATTERN [FILE]...
Try `grep --help' for more information.
Missing config file ifcfg-ifcfg-ipsec1.
[root@dhcp-lab-232 ~]# getenforce
Enforcing
[root@dhcp-lab-232 ~]# grep TYPE /etc/selinux/config
SELINUXTYPE=strict
[root@dhcp-lab-232 ~]# ausearch -m avc -ts 17:07:07 -sv no
----
time->Thu Aug 6 17:07:14 2009
type=SYSCALL msg=audit(1249571234.496:198): arch=40000003 syscall=33 success=no exit=-13 a0=9bca8c0 a1=1 a2=c55ff4 a3=0 items=0 ppid=2786 pid=2862 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=3 comm="ifup" exe="/bin/bash" subj=root:sysadm_r:sysadm_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1249571234.496:198): avc: denied { execute } for pid=2862 comm="ifup" name="ifup-ipsec" dev=dm-0 ino=426629 scontext=root:sysadm_r:sysadm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:initrc_exec_t:s0 tclass=file
----
time->Thu Aug 6 17:07:14 2009
type=SYSCALL msg=audit(1249571234.742:208): arch=40000003 syscall=5 success=no exit=-13 a0=d09bb0 a1=8000 a2=1b6 a3=8cec008 items=0 ppid=2905 pid=2906 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=3 comm="ifconfig" exe="/sbin/ifconfig" subj=root:sysadm_r:ifconfig_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1249571234.742:208): avc: denied { search } for pid=2906 comm="ifconfig" name="selinux" dev=dm-0 ino=426428 scontext=root:sysadm_r:ifconfig_t:s0-s0:c0.c1023 tcontext=system_u:object_r:selinux_config_t:s0 tclass=dir
----
time->Thu Aug 6 17:07:14 2009
type=SYSCALL msg=audit(1249571234.744:209): arch=40000003 syscall=5 success=no exit=-13 a0=bfe54674 a1=8000 a2=0 a3=8000 items=0 ppid=2905 pid=2906 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=3 comm="ifconfig" exe="/sbin/ifconfig" subj=root:sysadm_r:ifconfig_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1249571234.744:209): avc: denied { search } for pid=2906 comm="ifconfig" name="/" dev=selinuxfs ino=336 scontext=root:sysadm_r:ifconfig_t:s0-s0:c0.c1023 tcontext=system_u:object_r:security_t:s0 tclass=dir
[root@dhcp-lab-232 ~]# ausearch -m avc -ts 17:07:07 -sv no | audit2allow

#============= ifconfig_t ==============
allow ifconfig_t security_t:dir search;
allow ifconfig_t selinux_config_t:dir search;

#============= sysadm_t ==============
allow sysadm_t initrc_exec_t:file execute
The issue is with the context of the ifup-ipsec script after the changes to fix the original bug. Here is the AVC caught with don't audit rules disabled (semodule -DB). If they are enabled, all of the following AVCs are suppressed.

#============= sysadm_t ==============
allow sysadm_t initrc_exec_t:file execute

<snip>
time->Thu Aug 6 17:07:14 2009
type=SYSCALL msg=audit(1249571234.496:198): arch=40000003 syscall=33 success=no exit=-13 a0=9bca8c0 a1=1 a2=c55ff4 a3=0 items=0 ppid=2786 pid=2862 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=3 comm="ifup" exe="/bin/bash" subj=root:sysadm_r:sysadm_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1249571234.496:198): avc: denied { execute } for pid=2862 comm="ifup" name="ifup-ipsec" dev=dm-0 ino=426629 scontext=root:sysadm_r:sysadm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:initrc_exec_t:s0 tclass=file
</snip>

If I change the context of the ifup-ipsec script back to bin_t, it works as before. Therefore it is a regression.
> How about if you execute
> run_init ifup-ipsec

No, it does not work.

> If you just add
> allow sysadm_t initrc_exec_t:file execute
> to policy via audit2allow -M mypol
> Does that solve the problem?

Adding the following custom module allows "ifup ipsec1" to run, but still prevents it from killing the already running instance. I also had to add the execute_no_trans rule to the custom policy.

time->Fri Aug 7 14:01:12 2009
type=SYSCALL msg=audit(1249646472.553:5737): arch=40000003 syscall=195 success=no exit=-13 a0=9062080 a1=bfed1c54 a2=c55ff4 a3=bfed0fcc items=0 ppid=3503 pid=3553 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=2 comm="killall" exe="/usr/bin/killall" subj=root:sysadm_r:sysadm_t:s0-s15:c0.c1023 key=(null)
type=AVC msg=audit(1249646472.553:5737): avc: denied { ptrace } for pid=3553 comm="killall" scontext=root:sysadm_r:sysadm_t:s0-s15:c0.c1023 tcontext=root:sysadm_r:racoon_t:s0-s15:c0.c1023 tclass=process

# cat mypol.te
policy_module(mypol,1.0.0)

require{
	type sysadm_t;
	type initrc_exec_t;
}

allow sysadm_t initrc_exec_t : file { execute_no_trans execute } ;
Fixed in selinux-policy-2.4.6-256.el5
The following denial still blocks the expected functionality, and is shown only after a rebuild with "semodule -DB":

#============= setkey_t ==============
allow setkey_t sysadm_tmp_t:file { read getattr };

Adding a custom policy module as follows makes it work again:

# cat my.te
policy_module(mypol,1.0.0)

require{
	type setkey_t;
	type sysadm_tmp_t;
}

allow setkey_t sysadm_tmp_t:file { read getattr };

# make -f /usr/share/selinux/devel/Makefile
Does the script create a file in /tmp which is then read by setkey?

Even in F12 we don't allow setkey to read tmp files.

Is this just a test AVC, or is it real?
Miroslav, I think adding

userdom_read_unpriv_users_tmp_files(setkey_t)

will solve this problem.
(In reply to comment #13)
> Does the script create a file in /tmp which is then read by setkey?
>
> Even in F12 we don't allow setkey to read tmp files.
>
> Is this just a test avc or is it real.

I think Tomas Mraz is probably the right person to answer the question about setkey creating a file in /tmp.

This is an AVC denial recorded in permissive MLS with don't audit rules disabled. And it seems to prevent 'ifup ipsec1' from running correctly. The setup is really simple and follows the instructions in the Deployment Guide, as described in comment #0.
Seems plausible; it probably has something to do with redirection in the shell:

setkey << __EOF
blah blah
__EOF

could cause it.
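The AVC records in comment 1 carry the denied path hex-encoded (auditd encodes string fields that contain spaces or quotes), which hides what setkey was actually reading. The parser below, an added example rather than code from this report, decodes those fields and folds the denials into audit2allow-style allow rules; the sample records are constructed from the values in comment 1, and the decoded path shows the "(deleted)" temporary file a bash here-document creates, which supports the redirection explanation above.

```python
import re

# Constructed sample in the shape ausearch prints on this bug; field values
# are copied from the permissive-MLS run in comment 1.
SAMPLE_AVCS = [
    'type=AVC msg=audit(1249472841.638:354619): avc: denied { read } for pid=9584 comm="setkey" '
    'path=2F746D702F73682D7468642D31323439343535303636202864656C6574656429 dev=dm-0 ino=229380 '
    'scontext=root:sysadm_r:setkey_t:s0-s15:c0.c1023 tcontext=root:object_r:sysadm_tmp_t:s0 tclass=file',
    'type=AVC msg=audit(1249472842.116:354620): avc: denied { getattr } for pid=9584 comm="setkey" '
    'path=2F746D702F73682D7468642D31323439343535303636202864656C6574656429 dev=dm-0 ino=229380 '
    'scontext=root:sysadm_r:setkey_t:s0-s15:c0.c1023 tcontext=root:object_r:sysadm_tmp_t:s0 tclass=file',
]

AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
HEX_FIELDS = {'path', 'name', 'comm', 'exe'}   # string fields auditd may hex-encode

def decode_field(key, value):
    """A quoted value is literal; an unquoted even-length hex run in a string
    field is auditd's encoding of a value holding spaces or quotes (here the
    '(deleted)' suffix). Numeric fields such as ino are left untouched."""
    if value.startswith('"') and value.endswith('"'):
        return value[1:-1]
    if key in HEX_FIELDS and len(value) % 2 == 0 and re.fullmatch(r'[0-9A-Fa-f]+', value):
        return bytes.fromhex(value).decode('utf-8', 'replace')
    return value

def parse_avc(line):
    """Return (permissions, fields) for one AVC denial record, else None."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: decode_field(k, v) for k, v in FIELD_RE.findall(m.group('rest'))}
    return m.group('perms').split(), fields

def context_type(ctx):
    return ctx.split(':')[2]          # user:role:type[:range] -> type

def allow_rules(lines):
    """Merge denials into audit2allow-style rules, one per (source type,
    target type, class); permissions keep first-seen order."""
    groups = {}
    for line in lines:
        parsed = parse_avc(line)
        if parsed:
            perms, f = parsed
            key = (context_type(f['scontext']), context_type(f['tcontext']), f['tclass'])
            groups.setdefault(key, {}).update(dict.fromkeys(perms))
    out = []
    for (s, t, cls), perms in sorted(groups.items()):
        p = ' '.join(perms)
        out.append(f'allow {s} {t}:{cls} {{ {p} }};' if len(perms) > 1 else f'allow {s} {t}:{cls} {p};')
    return out
```

Feeding it the raw `ausearch -m avc` output line by line reproduces the setkey_t rule from comment 1 while also showing the decoded /tmp/sh-thd-* path that audit2allow does not display.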
(In reply to comment #14)
> Miroslav, I think adding
>
> userdom_read_unpriv_users_tmp_files(setkey_t)
>
> Will solve this problem.

Unfortunately this does not work either if I put it in a local policy package. The same AVC denial as in comment #12 is present.
Everything seems to work if I use this:

# cat my.if my.te -n
     1	interface(`userdom_read_sysadm_tmp_files',`
     2		gen_require(`
     3			type sysadm_tmp_t;
     4		')
     5		allow $1 sysadm_tmp_t:file { read getattr };
     6	')
     7
     8	policy_module(mysetkey,1.0.0)
     9
    10	gen_require(`
    11		type setkey_t;
    12	')
    13
    14	userdom_read_sysadm_tmp_files(setkey_t);
Fixed in selinux-policy-2.4.6-267.el5.noarch
(In reply to comment #6)
> Adding following custom module allows the "ifup ipsec1" to run, but
> still prevents it from killing already running instance. Also had to add
> execute_no_trans rule to the custom policy.

The problem has been filed as a separate bug ( https://bugzilla.redhat.com/show_bug.cgi?id=567295 ), because it has more to do with killall and /proc than with ipsec.
An advisory has been issued which should help the problem described in this bug report. This report is therefore being closed with a resolution of ERRATA. For more information on the solution and/or where to find the updated files, please follow the link below. You may reopen this bug report if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2010-0182.html