Bug 602159 - SELinux is preventing audisp-remote to halt system for network_failure_action
Status: CLOSED CURRENTRELEASE
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: selinux-policy
Version: 6.0
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: rc
Assigned To: Miroslav Grepl
QA Contact: Eduard Benes
Blocks: 602164 646801

Reported: 2010-06-09 05:39 EDT by Eduard Benes
Modified: 2010-11-10 16:34 EST

Fixed In Version: selinux-policy-3.7.19-25.el6
Doc Type: Bug Fix
Clones: 646801
Last Closed: 2010-11-10 16:34:36 EST

Attachments
Logged AVCs in permissive mode (8.90 KB, text/plain)
2010-06-14 08:41 EDT, Eduard Benes
ebenes: review? (mgrepl)
Logged AVCs (8.02 KB, application/octet-stream)
2010-06-14 11:13 EDT, Eduard Benes

Description Eduard Benes 2010-06-09 05:39:23 EDT
SELinux prevents the system from halting when audit is configured for remote logging and audisp-remote is configured to halt the system on network failure. The first AVC denial follows. Trying to allow all consequent denials with a local policy module resulted in the set of allow rules listed at the bottom, in the section Additional info.

Summary:

SELinux is preventing audisp-remote "execute" access on /sbin/init.
 ...
Additional Information:

Source Context                unconfined_u:system_r:audisp_remote_t:s0
Target Context                system_u:object_r:init_exec_t:s0
Target Objects                /sbin/init [ file ]
Source                        audisp-remote
Source Path                   audisp-remote
Port                          <Unknown>
Host                          hp-dl360-06.rhts.englab.brq.redhat.com
Source RPM Packages           
Target RPM Packages           upstart-0.6.5-5.el6
Policy RPM                    selinux-policy-3.7.19-15.el6
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Plugin Name                   catchall
Host Name                     hp-dl360-06.rhts.englab.brq.redhat.com
Platform                      Linux hp-dl360-06.rhts.englab.brq.redhat.com
                              2.6.32-25.el6.i686 #1 SMP Mon May 10 17:25:50 EDT
                              2010 i686 i686
Alert Count                   19
First Seen                    Wed Jun  9 04:37:58 2010
Last Seen                     Wed Jun  9 04:39:46 2010
Local ID                      b28807d4-416b-4bf7-95da-e2f68a77f85e
Line Numbers                  

Raw Audit Messages            

node=hp-dl360-06.rhts.englab.brq.redhat.com type=AVC msg=audit(1276072786.456:41786): avc:  denied  { execute } for  pid=16610 comm="audisp-remote" name="init" dev=dm-0 ino=524968 scontext=unconfined_u:system_r:audisp_remote_t:s0 tcontext=system_u:object_r:init_exec_t:s0 tclass=file


How reproducible:
always

Steps to Reproduce:
1. Configure audisp-remote to halt on network failure using
"network_failure_action = halt" in /etc/audisp/audisp-remote.conf
(see BZ #514090 for configuration instructions)
2. Simulate network failure or simply unplug network.
3. Observe log files.

Actual results:
The system does not halt; log files are spammed by SELinux-related messages as audisp-remote continuously tries to halt the system.
<var-log-messages>
Jun  9 04:39:52 hp-dl360-06 audisp-remote: remote logging halting system due to network failure
Jun  9 04:39:52 hp-dl360-06 audisp-remote: audisp-remote failed to exec /sbin/init
Jun  9 04:39:52 hp-dl360-06 setroubleshoot: SELinux is preventing audisp-remote "execute" access on /sbin/init. For complete SELinux messages. run sealert -l b28807d4-416b-4bf7-95da-e2f68a77f85e
</var-log-messages>

Expected results:
System halts.

Additional info:
# cat audispremote.te 

module audispremote 1.0;

require {
	type init_exec_t;
	type bin_t;
	type audisp_remote_t;
	type initrc_var_run_t;
	type init_t;
	class capability setuid;
	class unix_stream_socket connectto;
	class file { execute read execute_no_trans open };
}

#============= audisp_remote_t ==============
allow audisp_remote_t bin_t:file { read execute open execute_no_trans };
allow audisp_remote_t init_exec_t:file { read execute open execute_no_trans };
allow audisp_remote_t init_t:unix_stream_socket connectto;
allow audisp_remote_t initrc_var_run_t:file read;
allow audisp_remote_t self:capability setuid;
Comment 1 Daniel Walsh 2010-06-09 16:32:34 EDT
We need the raw audit log for this.

Miroslav,

I think init_telinit(audisp_remote_t) will make this work.
Comment 2 Daniel Walsh 2010-06-09 16:34:16 EDT
Not sure what these are

allow audisp_remote_t initrc_var_run_t:file read;
allow audisp_remote_t self:capability setuid;  

allow audisp_remote_t bin_t:file { read execute open execute_no_trans };
Comment 3 Miroslav Grepl 2010-06-09 16:52:46 EDT
(In reply to comment #2)
> Not sure what these are
> 
> allow audisp_remote_t initrc_var_run_t:file read;

Dan,
I would imagine it needs to read utmp.
Comment 4 Daniel Walsh 2010-06-10 09:14:32 EDT
Miroslav, work with Eduard on this one, since this is critical to accreditation.
Comment 5 Eduard Benes 2010-06-14 08:00:36 EDT
@Miroslav: Tested with selinux-policy-3.7.19-24.el6 and some rules are still missing.

Summary:

SELinux is preventing init "execute" access on /sbin/telinit.

Detailed Description:

SELinux denied access requested by init. It is not expected that this access is
required by init and this access may signal an intrusion attempt. It is also
possible that the specific version or configuration of the application is
causing it to require additional access.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ
(http://docs.fedoraproject.org/selinux-faq-fc5/#id2961385) Please file a bug
report.

Additional Information:

Source Context                unconfined_u:system_r:audisp_remote_t:s0
Target Context                system_u:object_r:bin_t:s0
Target Objects                /sbin/telinit [ file ]
Source                        init
Source Path                   init
Port                          <Unknown>
Host                          hp-dl360-06.rhts.englab.brq.redhat.com
Source RPM Packages           
Target RPM Packages           upstart-0.6.5-5.el6
Policy RPM                    selinux-policy-3.7.19-24.el6
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Plugin Name                   catchall
Host Name                     hp-dl360-06.rhts.englab.brq.redhat.com
Platform                      Linux hp-dl360-06.rhts.englab.brq.redhat.com
                              2.6.32-25.el6.i686 #1 SMP Mon May 10 17:25:50 EDT
                              2010 i686 i686
Alert Count                   662
First Seen                    Mon Jun 14 06:47:02 2010
Last Seen                     Mon Jun 14 07:57:21 2010
Local ID                      8205b16c-9398-43d2-9bdd-2394797c6fd2
Line Numbers                  

Raw Audit Messages            

node=hp-dl360-06.rhts.englab.brq.redhat.com type=AVC msg=audit(1276516641.113:6531): avc:  denied  { execute } for  pid=18784 comm="init" name="telinit" dev=dm-0 ino=524712 scontext=unconfined_u:system_r:audisp_remote_t:s0 tcontext=system_u:object_r:bin_t:s0 tclass=file
Comment 6 Miroslav Grepl 2010-06-14 08:22:01 EDT
Eduard,
thanks for testing. Could you test it in permissive? I guess we will need these rules

corecmd_exec_bin(audisp_remote_t)
init_rw_utmp(audisp_remote_t)

and we will see how about

allow audisp_remote_t self:capability setuid;
Comment 7 Eduard Benes 2010-06-14 08:41:40 EDT
Created attachment 423816 [details]
Logged AVCs in permissive mode

Log file from permissive mode using selinux-policy-3.7.19-24.el6.noarch.
Comment 8 Eduard Benes 2010-06-14 11:13:06 EDT
Created attachment 423865 [details]
Logged AVCs

SELinux mode is permissive, using a custom policy module and with an audit write watch on /etc/shadow:

[root@hp-dl360-06 ~]# cat myaudisp.te 
policy_module(myaudisp, 1.0.0)

require{
 type audisp_remote_t;
}

allow audisp_remote_t self:capability setuid;
corecmd_exec_bin(audisp_remote_t)
init_rw_utmp(audisp_remote_t)

[root@hp-dl360-06 ~]# cat /etc/audit/audit.rules 
-D
-b 320
-w /etc/shadow -p w


[root@hp-dl360-06 ~]# ausearch -m avc -ts 10:20 | audit2allow


#============= audisp_remote_t ==============
allow audisp_remote_t self:capability setpcap;
allow audisp_remote_t self:netlink_audit_socket { nlmsg_relay write create read };
allow audisp_remote_t var_log_t:dir search;
#!!!! The source type 'audisp_remote_t' can write to a 'file' of the following types:
# initrc_tmp_t, initrc_var_run_t, mnt_t, tmp_t

allow audisp_remote_t wtmp_t:file { write lock open };
Comment 9 Daniel Walsh 2010-06-14 18:37:29 EDT
allow audisp_remote_t self:capability { setuid  setpcap };

allow audisp_remote_t var_log_t:dir search_dir_perms;


corecmd_exec_bin(audisp_remote_t)

init_read_utmp(audisp_remote_t)
init_dontaudit_write_utmp(audisp_remote_t)

logging_send_audit_msgs(audisp_remote_t)
Comment 10 Daniel Walsh 2010-06-14 18:40:48 EDT
corecmd_exec_bin($1)

Should be added to init_telinit
Comment 11 Eduard Benes 2010-06-15 07:49:36 EDT
Using the following custom module we are almost there. The system successfully halts in enforcing mode. One more rule and we should be good to go:

# cat finalmyaudisp.te 
policy_module(finalmyaudisp, 1.0)

require{
 type audisp_remote_t;
 type var_log_t;
 }

allow audisp_remote_t self:capability { setuid setpcap };
allow audisp_remote_t var_log_t:dir search_dir_perms;

corecmd_exec_bin(audisp_remote_t)

init_read_utmp(audisp_remote_t)
init_dontaudit_write_utmp(audisp_remote_t)
logging_send_audit_msgs(audisp_remote_t)

# ausearch -m avc -ts 07:18
----
time->Tue Jun 15 07:18:55 2010
type=PATH msg=audit(1276600735.269:920): item=0 name="/var/log/wtmp" inode=315712 dev=fd:00 mode=0100664 ouid=0 ogid=22 rdev=00:00 obj=system_u:object_r:wtmp_t:s0
type=CWD msg=audit(1276600735.269:920):  cwd="/"
type=SYSCALL msg=audit(1276600735.269:920): arch=40000003 syscall=5 success=no exit=-13 a0=80517be a1=8001 a2=38 a3=80517be items=1 ppid=3536 pid=3545 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4 comm="telinit" exe="/sbin/telinit" subj=unconfined_u:system_r:audisp_remote_t:s0 key=(null)
type=AVC msg=audit(1276600735.269:920): avc:  denied  { write } for  pid=3545 comm="telinit" name="wtmp" dev=dm-0 ino=315712 scontext=unconfined_u:system_r:audisp_remote_t:s0 tcontext=system_u:object_r:wtmp_t:s0 tclass=file
[root@hp-dl360-06 ~]# ausearch -m avc -ts 07:18 | audit2allow


#============= audisp_remote_t ==============
allow audisp_remote_t wtmp_t:file write;
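As an added illustration (not part of this bug report, of audit2allow or of the selinux-policy package), the following Python shows what the `ausearch -m avc | audit2allow` step used in the comments above does: it parses raw AVC records, merges the denied permissions per source type, target type and object class, and renders them as allow rules. The sample input is constructed from the three AVC messages quoted in the description, comment 5 and comment 11; the review list of types is an assumption drawn from the interfaces the thread chose (init_telinit, corecmd_exec_bin, init_read_utmp, auth_dontaudit_write_login_records) instead of raw allow rules.

```python
import re
from collections import defaultdict

# Constructed sample input: the three raw AVC records quoted in this bug
# (description, comment 5, comment 11), trimmed to the type=AVC record.
SAMPLE_AVCS = """\
type=AVC msg=audit(1276072786.456:41786): avc:  denied  { execute } for  pid=16610 comm="audisp-remote" name="init" dev=dm-0 ino=524968 scontext=unconfined_u:system_r:audisp_remote_t:s0 tcontext=system_u:object_r:init_exec_t:s0 tclass=file
type=AVC msg=audit(1276516641.113:6531): avc:  denied  { execute } for  pid=18784 comm="init" name="telinit" dev=dm-0 ino=524712 scontext=unconfined_u:system_r:audisp_remote_t:s0 tcontext=system_u:object_r:bin_t:s0 tclass=file
type=AVC msg=audit(1276600735.269:920): avc:  denied  { write } for  pid=3545 comm="telinit" name="wtmp" dev=dm-0 ino=315712 scontext=unconfined_u:system_r:audisp_remote_t:s0 tcontext=system_u:object_r:wtmp_t:s0 tclass=file
"""

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)

# Assumption for this example: types the thread reached through policy interfaces
# (init_telinit, corecmd_exec_bin, init_read_utmp, ...) rather than raw allow rules.
REVIEW_TRIGGERS = ("init_exec_t", "bin_t", "wtmp_t", ":capability")


def parse_avcs(text):
    """Yield (source_type, target_type, tclass, perms) for each AVC denial line."""
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if m:
            # A context is user:role:type[:range]; the type is field 2.
            yield (m["scontext"].split(":")[2], m["tcontext"].split(":")[2],
                   m["tclass"], set(m["perms"].split()))


def aggregate(text):
    """Merge denied permissions per (source, target, class), as audit2allow does."""
    rules = defaultdict(set)
    for stype, ttype, tclass, perms in parse_avcs(text):
        rules[(stype, ttype, tclass)] |= perms
    return dict(rules)


def to_allow_rules(text):
    """Render aggregated denials as allow rules (permissions sorted for stability)."""
    out = []
    for (stype, ttype, tclass), perms in sorted(aggregate(text).items()):
        p = " ".join(sorted(perms))
        out.append("allow %s %s:%s %s;" % (stype, ttype, tclass, p if len(perms) == 1 else "{ %s }" % p))
    return out


def needs_review(rule):
    """True when a generated rule should be expressed as an interface call instead."""
    return any(t in rule for t in REVIEW_TRIGGERS)
```

On the sample, every generated rule is flagged, which mirrors the thread: none of the three denials ended up as a raw allow in the shipped policy.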
Comment 12 Miroslav Grepl 2010-06-15 08:09:01 EDT
Thanks Eduard. 


auth_dontaudit_write_login_records(audisp_remote_t)
Comment 13 Miroslav Grepl 2010-06-16 07:25:26 EDT
Fixed in selinux-policy-3.7.19-25.el6.noarch
Comment 17 releng-rhel@redhat.com 2010-11-10 16:34:36 EST
Red Hat Enterprise Linux 6.0 is now available and should resolve
the problem described in this bug report. This report is therefore being closed
with a resolution of CURRENTRELEASE. You may reopen this bug report if the
solution does not work for you.
