Bug 625114 - systemd enables automounting for /sys/kernel/debug and /sys/kernel/security. Is that right?
systemd enables automounting for /sys/kernel/debug and /sys/kernel/security. ...
Status: CLOSED ERRATA
Product: Fedora
Classification: Fedora
Component: selinux-policy (Show other bugs)
rawhide
All Linux
low Severity medium
: ---
: ---
Assigned To: Daniel Walsh
Fedora Extras Quality Assurance
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2010-08-18 12:00 EDT by Tom London
Modified: 2010-09-01 02:02 EDT (History)
8 users (show)

See Also:
Fixed In Version: selinux-policy-3.8.8-20.fc14
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2010-09-01 02:02:50 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)
AVC/sealert log for 'automounting /sys/kernel/debug' (3.42 KB, text/plain)
2010-08-18 12:00 EDT, Tom London
no flags Details
AVC/sealert log for 'automounting /sys/kernel/security' (2.30 KB, text/plain)
2010-08-18 12:00 EDT, Tom London
no flags Details

  None (edit)
Description Tom London 2010-08-18 12:00:17 EDT
Created attachment 439428 [details]
AVC/sealert log for 'automounting /sys/kernel/debug'

Description of problem:
My system is running systemd-7-3.fc14.x86_64.

It appears that by default, automount points are enabled for /sys/kernel/debug and /sys/kernel/security.

This causes unexpected behavior (and SELinux AVCs).  

Not sure if this was the default for upstart, and not sure its a bug, but it is certainly unexpected....

Running "cd /sys; find . -name \*mount\* -print" appears to trigger automounting of both /sys/kernel/debug and /sys/kernel/security, along with AVCs warning about rejected attempts to write by /bin/mount in both directories.

The attempted write to /sys/kernel/security triggers a "your system may be compromised" message from setroubleshootd.

I attach both sealert messages below....

Version-Release number of selected component (if applicable):
systemd-7-3.fc14.x86_64

How reproducible:
Every time

Steps to Reproduce:
1. cd /sys; find . -name \*mount\* -print
2.
3.
  
Actual results:


Expected results:


Additional info:
Comment 1 Tom London 2010-08-18 12:00:49 EDT
Created attachment 439429 [details]
AVC/sealert log for 'automounting /sys/kernel/security'
Comment 2 Lennart Poettering 2010-08-18 15:14:27 EDT
systemd creates a couple of autofs mounts of optional API kernel virtual file systems. This allows us to support stuff like the  binfmt_misc fs without having to load the module: on first access the backing module would be automatically loaded and for the programs accessing the dir this would be invisible. 

This has a number of advantages: clients don't have to explicitly mount or modprobe things anymore, and can just rely that the mount point is there. On the other hand we don't have to load all modules backing these dirs right-away, thus doing less work on boot.
Comment 3 Tom London 2010-08-18 17:08:46 EDT
Well, this appears to allow quite common commands to generate the mounts and the AVCs.

For example,

[root@tlondon ~]# find / -inum 9310 -print
find: `/home/tbl/.gvfs': Permission denied
/sys/dev/char/4:40
[root@tlondon ~]# 

causes the same behavior as above: I get 2 AVCs complaining about attempted write access to /sys/kernel/debug and /sys/kernel/security, I get the "your systems has probably been compromised" message, and mount reports I have 2 new pseudo file systems mounted:

[root@tlondon ~]# mount
/dev/mapper/vg_tlondon-lv_root on / type ext4 (rw)
proc on /proc type proc (rw)
sysfs on /sys type sysfs (rw)
devpts on /dev/pts type devpts (rw,gid=5,mode=620)
tmpfs on /dev/shm type tmpfs (rw,rootcontext="system_u:object_r:tmpfs_t:s0")
/dev/sda1 on /boot type ext4 (rw)
none on /proc/sys/fs/binfmt_misc type binfmt_misc (rw)
sunrpc on /var/lib/nfs/rpc_pipefs type rpc_pipefs (rw)
fusectl on /sys/fs/fuse/connections type fusectl (rw)
gvfs-fuse-daemon on /home/tbl/.gvfs type fuse.gvfs-fuse-daemon (rw,nosuid,nodev,user=tbl)
/dev/sdb1 on /media/FlashCard type vfat (rw,nosuid,nodev,uhelper=udisks,uid=500,gid=500,shortname=mixed,dmask=0077,utf8=1,flush)
debugfs on /sys/kernel/debug type debugfs (rw)
securityfs on /sys/kernel/security type securityfs (rw)
[root@tlondon ~]# 

Ignoring the SELinux/AVC question for the moment, should a "find /" command cause these two mounts?  

I have no issue with automounting in general, but should these two mount points be enabled "all the time"?  Would it make sense to disable them by default?
Comment 4 Daniel Walsh 2010-08-23 13:30:20 EDT
The change to systemd is causing strange AVC's.  Why does the mount command need to write to the debugfs?
Comment 5 Eric Paris 2010-08-23 14:46:12 EDT
I'm not sure this is systemd related.  This is actually a call to access(2) from /sbin/mount. On F13 I see something like so when I mount:

27413 mount("/sys/kerne/debug", "/sys/kernel/debug/", "debugfs", MS_MGC_VAL, NULL) = 0
27413 readlink("/sys", 0x7fff78396cc0, 4096) = -1 EINVAL (Invalid argument)
27413 readlink("/sys/kerne", 0x7fff78396cc0, 4096) = -1 ENOENT (No such file or directory)
27413 readlink("/sys", 0x7fff78396cc0, 4096) = -1 EINVAL (Invalid argument)
27413 readlink("/sys/kernel", 0x7fff78396cc0, 4096) = -1 EINVAL (Invalid argument)
27413 readlink("/sys/kernel/debug", 0x7fff78396cc0, 4096) = -1 EINVAL (Invalid argument)

But on F14 I see this:

1470  mount("/sys/kernel/debug", "/sys/kernel/debug/", "debugfs", MS_MGC_VAL, NULL) = 0
1470  getuid()                          = 0
1470  geteuid()                         = 0
1470  access("/sys/kernel/debug/", W_OK) = 0
1470  readlink("/sys", 0x7fff2159cd60, 4096) = -1 EINVAL (Invalid argument)
1470  readlink("/sys/kernel", 0x7fff2159cd60, 4096) = -1 EINVAL (Invalid argument)
1470  readlink("/sys/kernel/debug", 0x7fff2159cd60, 4096) = -1 EINVAL (Invalid argument)
1470  readlink("/sys", 0x7fff2159cd60, 4096) = -1 EINVAL (Invalid argument)
1470  readlink("/sys/kernel", 0x7fff2159cd60, 4096) = -1 EINVAL (Invalid argument)
1470  readlink("/sys/kernel/debug", 0x7fff2159cd60, 4096) = -1 EINVAL (Invalid argument)

So between the actual mount syscall and the readlink() checks mount added a call to getuid, geuid, and access().

No idea why.
Comment 6 Daniel Walsh 2010-08-23 16:01:07 EDT
Which looks like the mount will cause the debufs file system to be automounted then?

mount must be doing access(DEBUGFS, W_OK)

Ordinarily it is not mounted so we don't see this AVC. but now that systemd is automounting we are getting the AVC.
Comment 7 Daniel Walsh 2010-08-23 16:03:53 EDT
Fixed in selinux-policy-3.8.8-18.fc14
Comment 8 Tom London 2010-08-23 18:28:08 EDT
Confirmed.  Fixed with selinux-policy-3.8.8-18.fc15.noarch

[tbl@tlondon ~]$ cd /sys
[tbl@tlondon sys]$ find . -name \*mount\* -print
./kernel/debug/tracing/events/syscalls/sys_enter_umount
./kernel/debug/tracing/events/syscalls/sys_exit_umount
./kernel/debug/tracing/events/syscalls/sys_enter_oldumount
./kernel/debug/tracing/events/syscalls/sys_exit_oldumount
./kernel/debug/tracing/events/syscalls/sys_enter_mount
./kernel/debug/tracing/events/syscalls/sys_exit_mount
[tbl@tlondon sys]$ 

and no AVCs.

Thanks!
Comment 9 Fedora Update System 2010-08-24 23:11:04 EDT
selinux-policy-3.8.8-20.fc14 has been submitted as an update for Fedora 14.
http://admin.fedoraproject.org/updates/selinux-policy-3.8.8-20.fc14
Comment 10 Fedora Update System 2010-08-25 09:30:49 EDT
selinux-policy-3.8.8-20.fc14 has been pushed to the Fedora 14 testing repository.  If problems still persist, please make note of it in this bug report.
 If you want to test the update, you can install it with 
 su -c 'yum --enablerepo=updates-testing update selinux-policy'.  You can provide feedback for this update here: http://admin.fedoraproject.org/updates/selinux-policy-3.8.8-20.fc14
Comment 11 Fedora Update System 2010-08-26 14:37:09 EDT
selinux-policy-3.8.8-20.fc14 has been pushed to the Fedora 14 testing repository.  If problems still persist, please make note of it in this bug report.
 If you want to test the update, you can install it with 
 su -c 'yum --enablerepo=updates-testing update selinux-policy'.  You can provide feedback for this update here: http://admin.fedoraproject.org/updates/selinux-policy-3.8.8-20.fc14
Comment 12 Fedora Update System 2010-09-01 02:01:20 EDT
selinux-policy-3.8.8-20.fc14 has been pushed to the Fedora 14 stable repository.  If problems still persist, please make note of it in this bug report.

Note You need to log in before you can comment on or make changes to this bug.