Bug 602159 - SELinux is preventing audisp-remote to halt system for network_failure_action
Summary: SELinux is preventing audisp-remote to halt system for network_failure_action
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: selinux-policy
Version: 6.0
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: rc
Assignee: Miroslav Grepl
QA Contact: Eduard Benes
URL:
Whiteboard:
Keywords:
Depends On:
Blocks: 602164 646801
 
Reported: 2010-06-09 09:39 UTC by Eduard Benes
Modified: 2010-11-10 21:34 UTC (History)
Clone Of:
Clones: 646801
Last Closed: 2010-11-10 21:34:36 UTC


Attachments
Logged AVCs in permissive mode (8.90 KB, text/plain), 2010-06-14 12:41 UTC, Eduard Benes, flag: ebenes: review? (mgrepl)
Logged AVCs (8.02 KB, application/octet-stream), 2010-06-14 15:13 UTC, Eduard Benes

Description Eduard Benes 2010-06-09 09:39:23 UTC
SELinux prevents the system halt when audit is configured for remote logging and audisp-remote is configured to halt the system on network failure. The first AVC denial follows. Trying to allow all consequent denials with a local policy module resulted in the set of allow rules listed at the bottom, in the "Additional info" section.

Summary:

SELinux is preventing audisp-remote "execute" access on /sbin/init.
 ...
Additional Information:

Source Context                unconfined_u:system_r:audisp_remote_t:s0
Target Context                system_u:object_r:init_exec_t:s0
Target Objects                /sbin/init [ file ]
Source                        audisp-remote
Source Path                   audisp-remote
Port                          <Unknown>
Host                          hp-dl360-06.rhts.englab.brq.redhat.com
Source RPM Packages           
Target RPM Packages           upstart-0.6.5-5.el6
Policy RPM                    selinux-policy-3.7.19-15.el6
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Plugin Name                   catchall
Host Name                     hp-dl360-06.rhts.englab.brq.redhat.com
Platform                      Linux hp-dl360-06.rhts.englab.brq.redhat.com
                              2.6.32-25.el6.i686 #1 SMP Mon May 10 17:25:50 EDT
                              2010 i686 i686
Alert Count                   19
First Seen                    Wed Jun  9 04:37:58 2010
Last Seen                     Wed Jun  9 04:39:46 2010
Local ID                      b28807d4-416b-4bf7-95da-e2f68a77f85e
Line Numbers                  

Raw Audit Messages            

node=hp-dl360-06.rhts.englab.brq.redhat.com type=AVC msg=audit(1276072786.456:41786): avc:  denied  { execute } for  pid=16610 comm="audisp-remote" name="init" dev=dm-0 ino=524968 scontext=unconfined_u:system_r:audisp_remote_t:s0 tcontext=system_u:object_r:init_exec_t:s0 tclass=file


How reproducible:
always

Steps to Reproduce:
1. Configure audisp-remote to halt on network failure using
"network_failure_action = halt" in /etc/audisp/audisp-remote.conf
(see BZ #514090 for configuration instructions)
2. Simulate network failure or simply unplug network.
3. Observe log files.

Actual results:
The system does not halt; the log files are spammed with SELinux-related messages as audisp-remote continuously tries to halt the system.
<var-log-messages>
Jun  9 04:39:52 hp-dl360-06 audisp-remote: remote logging halting system due to network failure
Jun  9 04:39:52 hp-dl360-06 audisp-remote: audisp-remote failed to exec /sbin/init
Jun  9 04:39:52 hp-dl360-06 setroubleshoot: SELinux is preventing audisp-remote "execute" access on /sbin/init. For complete SELinux messages. run sealert -l b28807d4-416b-4bf7-95da-e2f68a77f85e
</var-log-messages>

Expected results:
System halts.

Additional info:
# cat audispremote.te 

module audispremote 1.0;

require {
	type init_exec_t;
	type bin_t;
	type audisp_remote_t;
	type initrc_var_run_t;
	type init_t;
	class capability setuid;
	class unix_stream_socket connectto;
	class file { execute read execute_no_trans open };
}

#============= audisp_remote_t ==============
allow audisp_remote_t bin_t:file { read execute open execute_no_trans };
allow audisp_remote_t init_exec_t:file { read execute open execute_no_trans };
allow audisp_remote_t init_t:unix_stream_socket connectto;
allow audisp_remote_t initrc_var_run_t:file read;
allow audisp_remote_t self:capability setuid;

Comment 1 Daniel Walsh 2010-06-09 20:32:34 UTC
We need the raw audit log for this.

Miroslav,

I think init_telinit(audisp_remote_t) will make this work.

Comment 2 Daniel Walsh 2010-06-09 20:34:16 UTC
Not sure what these are

allow audisp_remote_t initrc_var_run_t:file read;
allow audisp_remote_t self:capability setuid;  

allow audisp_remote_t bin_t:file { read execute open execute_no_trans };

Comment 3 Miroslav Grepl 2010-06-09 20:52:46 UTC
(In reply to comment #2)
> Not sure what these are
> 
> allow audisp_remote_t initrc_var_run_t:file read;

Dan,
I would imagine it needs to read utmp.

Comment 4 Daniel Walsh 2010-06-10 13:14:32 UTC
Miroslav, work with Eduard on this one, since this is critical to accreditation.

Comment 5 Eduard Benes 2010-06-14 12:00:36 UTC
@Miroslav: Tested with selinux-policy-3.7.19-24.el6 and some rules are still missing.

Summary:

SELinux is preventing init "execute" access on /sbin/telinit.

Detailed Description:

SELinux denied access requested by init. It is not expected that this access is
required by init and this access may signal an intrusion attempt. It is also
possible that the specific version or configuration of the application is
causing it to require additional access.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ
(http://docs.fedoraproject.org/selinux-faq-fc5/#id2961385) Please file a bug
report.

Additional Information:

Source Context                unconfined_u:system_r:audisp_remote_t:s0
Target Context                system_u:object_r:bin_t:s0
Target Objects                /sbin/telinit [ file ]
Source                        init
Source Path                   init
Port                          <Unknown>
Host                          hp-dl360-06.rhts.englab.brq.redhat.com
Source RPM Packages           
Target RPM Packages           upstart-0.6.5-5.el6
Policy RPM                    selinux-policy-3.7.19-24.el6
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Plugin Name                   catchall
Host Name                     hp-dl360-06.rhts.englab.brq.redhat.com
Platform                      Linux hp-dl360-06.rhts.englab.brq.redhat.com
                              2.6.32-25.el6.i686 #1 SMP Mon May 10 17:25:50 EDT
                              2010 i686 i686
Alert Count                   662
First Seen                    Mon Jun 14 06:47:02 2010
Last Seen                     Mon Jun 14 07:57:21 2010
Local ID                      8205b16c-9398-43d2-9bdd-2394797c6fd2
Line Numbers                  

Raw Audit Messages            

node=hp-dl360-06.rhts.englab.brq.redhat.com type=AVC msg=audit(1276516641.113:6531): avc:  denied  { execute } for  pid=18784 comm="init" name="telinit" dev=dm-0 ino=524712 scontext=unconfined_u:system_r:audisp_remote_t:s0 tcontext=system_u:object_r:bin_t:s0 tclass=file

Comment 6 Miroslav Grepl 2010-06-14 12:22:01 UTC
Eduard, 
thanks for testing. Could you test it in permissive? I guess we will need these rules

corecmd_exec_bin(audisp_remote_t)
init_rw_utmp(audisp_remote_t)

and we will see how about

allow audisp_remote_t self:capability setuid;

Comment 7 Eduard Benes 2010-06-14 12:41:40 UTC
Created attachment 423816 [details]
Logged AVCs in permissive mode

Log file from permissive mode using selinux-policy-3.7.19-24.el6.noarch.

Comment 8 Eduard Benes 2010-06-14 15:13:06 UTC
Created attachment 423865 [details]
Logged AVCs

SELinux mode is permissive, using a custom policy module, and with an audit write watch on /etc/shadow:

[root@hp-dl360-06 ~]# cat myaudisp.te 
policy_module(myaudisp, 1.0.0)

require{
 type audisp_remote_t;
}

allow audisp_remote_t self:capability setuid;
corecmd_exec_bin(audisp_remote_t)
init_rw_utmp(audisp_remote_t)

[root@hp-dl360-06 ~]# cat /etc/audit/audit.rules 
-D
-b 320
-w /etc/shadow -p w


[root@hp-dl360-06 ~]# ausearch -m avc -ts 10:20 | audit2allow


#============= audisp_remote_t ==============
allow audisp_remote_t self:capability setpcap;
allow audisp_remote_t self:netlink_audit_socket { nlmsg_relay write create read };
allow audisp_remote_t var_log_t:dir search;
#!!!! The source type 'audisp_remote_t' can write to a 'file' of the following types:
# initrc_tmp_t, initrc_var_run_t, mnt_t, tmp_t

allow audisp_remote_t wtmp_t:file { write lock open };

Comment 9 Daniel Walsh 2010-06-14 22:37:29 UTC
allow audisp_remote_t self:capability { setuid  setpcap };

allow audisp_remote_t var_log_t:dir search_dir_perms;


corecmd_exec_bin(audisp_remote_t)

init_read_utmp(audisp_remote_t)
init_dontaudit_write_utmp(audisp_remote_t)

logging_send_audit_msgs(audisp_remote_t)

Comment 10 Daniel Walsh 2010-06-14 22:40:48 UTC
corecmd_exec_bin($1)

Should be added to init_telinit

Comment 11 Eduard Benes 2010-06-15 11:49:36 UTC
Using the following custom module we are almost there. The system successfully halts in enforcing mode. One more rule and we should be good to go:

# cat finalmyaudisp.te 
policy_module(finalmyaudisp, 1.0)

require{
 type audisp_remote_t;
 type var_log_t;
 }

allow audisp_remote_t self:capability { setuid setpcap };
allow audisp_remote_t var_log_t:dir search_dir_perms;

corecmd_exec_bin(audisp_remote_t)

init_read_utmp(audisp_remote_t)
init_dontaudit_write_utmp(audisp_remote_t)
logging_send_audit_msgs(audisp_remote_t)

# ausearch -m avc -ts 07:18
----
time->Tue Jun 15 07:18:55 2010
type=PATH msg=audit(1276600735.269:920): item=0 name="/var/log/wtmp" inode=315712 dev=fd:00 mode=0100664 ouid=0 ogid=22 rdev=00:00 obj=system_u:object_r:wtmp_t:s0
type=CWD msg=audit(1276600735.269:920):  cwd="/"
type=SYSCALL msg=audit(1276600735.269:920): arch=40000003 syscall=5 success=no exit=-13 a0=80517be a1=8001 a2=38 a3=80517be items=1 ppid=3536 pid=3545 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4 comm="telinit" exe="/sbin/telinit" subj=unconfined_u:system_r:audisp_remote_t:s0 key=(null)
type=AVC msg=audit(1276600735.269:920): avc:  denied  { write } for  pid=3545 comm="telinit" name="wtmp" dev=dm-0 ino=315712 scontext=unconfined_u:system_r:audisp_remote_t:s0 tcontext=system_u:object_r:wtmp_t:s0 tclass=file
[root@hp-dl360-06 ~]# ausearch -m avc -ts 07:18 | audit2allow


#============= audisp_remote_t ==============
allow audisp_remote_t wtmp_t:file write;

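The comments above iterate on the same workflow: collect AVC denials with ausearch, pipe them through audit2allow, and turn the resulting raw allow rules into a local module (or, as in comment 12, decide that a denial should be silenced with a dontaudit rather than granted). The script below is an added example, not code from this bug report, from audit2allow or from the selinux-policy project. It reproduces the aggregation audit2allow performs on raw AVC records: one rule per source type, target type and object class with the permissions merged, `self` substituted when source and target types match, and a require block listing the types and classes the rules need. The input is a constructed log built from the AVC lines quoted in this bug plus two constructed records (a read/open on /sbin/init and a setuid capability check) so that the merge and `self` cases are exercised; the module name and the `dontaudit` parameter are this example's own.

```python
"""Mini audit2allow for the AVC records quoted in this bug.

Added example for this page; not code from the bug report, from
audit2allow, or from selinux-policy.  It collapses raw AVC denials
into TE rules the way audit2allow does and optionally renders chosen
rules as dontaudit, which is what the final fix did for the wtmp write
(auth_dontaudit_write_login_records) instead of granting it.
"""
import re
from collections import defaultdict

# Constructed sample log: the AVCs quoted in the bug plus two constructed
# records (read/open on /sbin/init, setuid capability) for the merge and
# 'self' cases.
SAMPLE_AVCS = """\
node=hp-dl360-06.rhts.englab.brq.redhat.com type=AVC msg=audit(1276072786.456:41786): avc:  denied  { execute } for  pid=16610 comm="audisp-remote" name="init" dev=dm-0 ino=524968 scontext=unconfined_u:system_r:audisp_remote_t:s0 tcontext=system_u:object_r:init_exec_t:s0 tclass=file
type=AVC msg=audit(1276072786.457:41787): avc:  denied  { read open } for  pid=16610 comm="audisp-remote" name="init" dev=dm-0 ino=524968 scontext=unconfined_u:system_r:audisp_remote_t:s0 tcontext=system_u:object_r:init_exec_t:s0 tclass=file
node=hp-dl360-06.rhts.englab.brq.redhat.com type=AVC msg=audit(1276516641.113:6531): avc:  denied  { execute } for  pid=18784 comm="init" name="telinit" dev=dm-0 ino=524712 scontext=unconfined_u:system_r:audisp_remote_t:s0 tcontext=system_u:object_r:bin_t:s0 tclass=file
type=AVC msg=audit(1276516641.200:6540): avc:  denied  { setuid } for  pid=18784 comm="audisp-remote" capability=7 scontext=unconfined_u:system_r:audisp_remote_t:s0 tcontext=unconfined_u:system_r:audisp_remote_t:s0 tclass=capability
type=AVC msg=audit(1276600735.269:920): avc:  denied  { write } for  pid=3545 comm="telinit" name="wtmp" dev=dm-0 ino=315712 scontext=unconfined_u:system_r:audisp_remote_t:s0 tcontext=system_u:object_r:wtmp_t:s0 tclass=file
"""

AVC_RE = re.compile(
    r"avc:\s+(?P<verdict>denied|granted)\s+\{\s*(?P<perms>[^}]+?)\s*\}"
    r".*?scontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\S+)"
)


def type_of(context):
    """Return the type field of a user:role:type[:range] security context."""
    return context.split(":")[2]


def parse_avcs(text):
    """Yield (source_type, target_type, tclass, {perms}) for each denied AVC."""
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if m is None or m.group("verdict") != "denied":
            continue
        yield (type_of(m.group("scon")), type_of(m.group("tcon")),
               m.group("tclass"), set(m.group("perms").split()))


def aggregate(text):
    """Merge denials into {(src, tgt, tclass): set(perms)}, as audit2allow does."""
    rules = defaultdict(set)
    for src, tgt, tclass, perms in parse_avcs(text):
        rules[(src, tgt, tclass)] |= perms
    return dict(rules)


def format_rule(src, tgt, tclass, perms, keyword="allow"):
    """Render one TE rule; a single permission is written without braces."""
    target = "self" if src == tgt else tgt
    perm = sorted(perms)[0] if len(perms) == 1 else "{ " + " ".join(sorted(perms)) + " }"
    return f"{keyword} {src} {target}:{tclass} {perm};"


def to_te(rules, dontaudit=frozenset()):
    """Render all rules; keys listed in dontaudit become dontaudit rules."""
    return "\n".join(
        format_rule(src, tgt, tclass, perms,
                    "dontaudit" if (src, tgt, tclass) in dontaudit else "allow")
        for (src, tgt, tclass), perms in sorted(rules.items())
    )


def te_module(name, rules, dontaudit=frozenset()):
    """Build a complete .te source: module header, require block, rules."""
    types = sorted({src for src, _, _ in rules} | {tgt for _, tgt, _ in rules})
    classes = defaultdict(set)
    for (_, _, tclass), perms in rules.items():
        classes[tclass] |= perms
    require = ["require {"]
    require += [f"\ttype {t};" for t in types]
    require += [f"\tclass {c} {{ {' '.join(sorted(p))} }};" for c, p in sorted(classes.items())]
    require.append("}")
    return f"module {name} 1.0;\n\n" + "\n".join(require) + "\n\n" + to_te(rules, dontaudit) + "\n"


if __name__ == "__main__":
    # Mirror comment 12: silence the wtmp write rather than grant it.
    silenced = {("audisp_remote_t", "wtmp_t", "file")}
    print(te_module("audispremote", aggregate(SAMPLE_AVCS), silenced))
```

Feed it real data with `ausearch -m avc -ts <time> | python3 thisfile.py` after swapping `SAMPLE_AVCS` for `sys.stdin.read()`; the point of the `dontaudit` parameter is that the raw output of audit2allow is a starting point, not a policy: each rule it proposes still has to be judged (here, whether telinit writing wtmp from the audisp-remote domain should be granted, silenced, or folded into an existing interface such as init_telinit).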
Comment 12 Miroslav Grepl 2010-06-15 12:09:01 UTC
Thanks Eduard. 


auth_dontaudit_write_login_records(audisp_remote_t)

Comment 13 Miroslav Grepl 2010-06-16 11:25:26 UTC
Fixed in selinux-policy-3.7.19-25.el6.noarch

Comment 17 releng-rhel@redhat.com 2010-11-10 21:34:36 UTC
Red Hat Enterprise Linux 6.0 is now available and should resolve
the problem described in this bug report. This report is therefore being closed
with a resolution of CURRENTRELEASE. You may reopen this bug report if the
solution does not work for you.

