With the policy updates that came with the CentOS 7.1 update, I am trying to update a few local policies we have, but with `setenforce 0` I do not get an AVC at all when running my app; however, enabling it and rerunning generates one, but without seeing them all that approach would be like whack-a-mole.
The avc I am getting after setenforce 1 is run is:
type=AVC msg=audit(1428109185.330:570): avc: denied { execute_no_trans } for pid=3953 comm="su" path="/usr/sbin/unix_chkpwd" dev="dm-0" ino=25468477 scontext=system_u:system_r:bacula_t:s0 tcontext=sytype=SYSCAL
Why does this not trigger a denial in permissive mode?
Thanks, jlc
On 04/04/2015 03:05 AM, Joseph L. Casale wrote:
> With the policy updates that came with the CentOS 7.1 update, I am trying to update a few local policies we have, but with `setenforce 0` I do not get an AVC at all when running my app; however, enabling it and rerunning generates one, but without seeing them all that approach would be like whack-a-mole.
> The AVC I am getting after setenforce 1 is run is:
> type=AVC msg=audit(1428109185.330:570): avc: denied { execute_no_trans } for pid=3953 comm="su" path="/usr/sbin/unix_chkpwd" dev="dm-0" ino=25468477 scontext=system_u:system_r:bacula_t:s0 tcontext=sytype=SYSCAL
> Why does this not trigger a denial in permissive mode?
> Thanks, jlc
> --
> selinux mailing list
> selinux@lists.fedoraproject.org
> https://admin.fedoraproject.org/mailman/listinfo/selinux
What happens if you switch the SELinux mode (which resets the AVC cache)
# setenforce 1; setenforce 0
and then re-test it?
Could you also post full raw AVC?
> What happens if you switch the SELinux mode (which resets the AVC cache)
> # setenforce 1; setenforce 0
> and then re-test it?
> Could you also post full raw AVC?
Hi Miroslav, Thanks for the pointer about resetting the cache, that helped.
After running the backup in permissive mode, I get the following:
type=AVC msg=audit(1428538766.224:2373): avc: denied { execute } for pid=32056 comm="bacula-fd" name="su" dev="dm-0" ino=18110620 scontext=system_u:system_r:bacula_t:s0 tcontext=system_u:object_r:su_exec_t:s0 tclass=file
type=AVC msg=audit(1428538766.224:2373): avc: denied { execute_no_trans } for pid=32056 comm="bacula-fd" path="/usr/bin/su" dev="dm-0" ino=18110620 scontext=system_u:system_r:bacula_t:s0 tcontext=system_u:object_r:su_exec_t:s0 tclass=file
type=AVC msg=audit(1428538766.343:2374): avc: denied { create } for pid=32056 comm="su" scontext=system_u:system_r:bacula_t:s0 tcontext=system_u:system_r:bacula_t:s0 tclass=netlink_selinux_socket
type=AVC msg=audit(1428538766.343:2375): avc: denied { bind } for pid=32056 comm="su" scontext=system_u:system_r:bacula_t:s0 tcontext=system_u:system_r:bacula_t:s0 tclass=netlink_selinux_socket
type=AVC msg=audit(1428538766.343:2376): avc: denied { compute_av } for pid=32056 comm="su" scontext=system_u:system_r:bacula_t:s0 tcontext=system_u:object_r:security_t:s0 tclass=security
type=AVC msg=audit(1428538766.344:2377): avc: denied { create } for pid=32056 comm="su" scontext=system_u:system_r:bacula_t:s0 tcontext=system_u:system_r:bacula_t:s0 tclass=netlink_audit_socket
type=AVC msg=audit(1428538766.344:2378): avc: denied { nlmsg_relay } for pid=32056 comm="su" scontext=system_u:system_r:bacula_t:s0 tcontext=system_u:system_r:bacula_t:s0 tclass=netlink_audit_socket
type=AVC msg=audit(1428538766.344:2378): avc: denied { audit_write } for pid=32056 comm="su" capability=29 scontext=system_u:system_r:bacula_t:s0 tcontext=system_u:system_r:bacula_t:s0 tclass=capability
type=USER_AVC msg=audit(1428538766.344:2379): pid=32056 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:bacula_t:s0 msg='avc: denied { passwd } for scontext=system_u:system_r:bacula_t:s0 tcontext=system_u:system_r:bacula_t:s0 tclass=passwd exe="/usr/bin/su" sauid=0 hostname=? addr=? terminal=?'
type=AVC msg=audit(1428538766.345:2383): avc: denied { setsched } for pid=32056 comm="su" scontext=system_u:system_r:bacula_t:s0 tcontext=system_u:system_r:bacula_t:s0 tclass=process
type=AVC msg=audit(1428538766.345:2384): avc: denied { write } for pid=32056 comm="su" name="system_bus_socket" dev="tmpfs" ino=14052 scontext=system_u:system_r:bacula_t:s0 tcontext=system_u:object_r:system_dbusd_var_run_t:s0 tclass=sock_file
type=AVC msg=audit(1428538766.345:2384): avc: denied { connectto } for pid=32056 comm="su" path="/run/dbus/system_bus_socket" scontext=system_u:system_r:bacula_t:s0 tcontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tclass=unix_stream_socket
type=USER_AVC msg=audit(1428538766.370:2385): pid=694 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: denied { send_msg } for msgtype=method_call interface=org.freedesktop.DBus member=Hello dest=org.freedesktop.DBus spid=32056 scontext=system_u:system_r:bacula_t:s0 tcontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tclass=dbus exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'
type=USER_AVC msg=audit(1428538766.374:2386): pid=694 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: denied { send_msg } for msgtype=method_call interface=org.freedesktop.login1.Manager member=CreateSession dest=org.freedesktop.login1 spid=32056 tpid=693 scontext=system_u:system_r:bacula_t:s0 tcontext=system_u:system_r:systemd_logind_t:s0 tclass=dbus exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'
type=USER_AVC msg=audit(1428538766.393:2391): pid=694 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: denied { send_msg } for msgtype=method_return dest=:1.1688 spid=693 tpid=32056 scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u:system_r:bacula_t:s0 tclass=dbus exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'
type=AVC msg=audit(1428538766.393:2392): avc: denied { write } for pid=32056 comm="su" name="lastlog" dev="dm-0" ino=8572341 scontext=system_u:system_r:bacula_t:s0 tcontext=system_u:object_r:lastlog_t:s0 tclass=file
type=AVC msg=audit(1428538766.424:2394): avc: denied { execute } for pid=32063 comm="bash" name="hostname" dev="dm-0" ino=16887470 scontext=system_u:system_r:bacula_t:s0 tcontext=system_u:object_r:hostname_exec_t:s0 tclass=file
type=AVC msg=audit(1428538766.424:2394): avc: denied { execute_no_trans } for pid=32063 comm="bash" path="/usr/bin/hostname" dev="dm-0" ino=16887470 scontext=system_u:system_r:bacula_t:s0 tcontext=system_u:object_r:hostname_exec_t:s0 tclass=file
type=AVC msg=audit(1428538773.500:2395): avc: denied { write } for pid=32056 comm="su" name="system_bus_socket" dev="tmpfs" ino=14052 scontext=system_u:system_r:bacula_t:s0 tcontext=system_u:object_r:system_dbusd_var_run_t:s0 tclass=sock_file
which generates the following policy:
require {
    type su_exec_t;
    type system_dbusd_var_run_t;
    type security_t;
    type system_dbusd_t;
    type systemd_logind_t;
    type lastlog_t;
    type hostname_exec_t;
    type bacula_t;
    class process setsched;
    class unix_stream_socket connectto;
    class dbus send_msg;
    class capability audit_write;
    class passwd passwd;
    class netlink_selinux_socket { bind create };
    class file { write execute execute_no_trans };
    class netlink_audit_socket { nlmsg_relay create };
    class sock_file write;
    class security compute_av;
}

#============= bacula_t ==============
allow bacula_t hostname_exec_t:file { execute execute_no_trans };
allow bacula_t lastlog_t:file write;
allow bacula_t security_t:security compute_av;
allow bacula_t self:capability audit_write;
allow bacula_t self:netlink_audit_socket { nlmsg_relay create };
allow bacula_t self:netlink_selinux_socket { bind create };
allow bacula_t self:passwd passwd;
allow bacula_t self:process setsched;
allow bacula_t su_exec_t:file { execute execute_no_trans };
allow bacula_t system_dbusd_t:dbus send_msg;
allow bacula_t system_dbusd_t:unix_stream_socket connectto;
allow bacula_t system_dbusd_var_run_t:sock_file write;
allow bacula_t systemd_logind_t:dbus send_msg;

#============= systemd_logind_t ==============
allow systemd_logind_t bacula_t:dbus send_msg;
And after loading this I get the following which was not present initially:
type=AVC msg=audit(1428539366.385:377): avc: denied { execute } for pid=2809 comm="su" name="unix_chkpwd" dev="dm-0" ino=25441120 scontext=system_u:system_r:bacula_t:s0 tcontext=system_u:object_r:chkpwd_exec_t:s0 tclass=file
type=AVC msg=audit(1428539366.386:378): avc: denied { write } for pid=2808 comm="su" name="btmp" dev="dm-0" ino=9085718 scontext=system_u:system_r:bacula_t:s0 tcontext=system_u:object_r:faillog_t:s0 tclass=file
So rebuilding from the new output yields:
require {
    type system_dbusd_var_run_t;
    type security_t;
    type faillog_t;
    type chkpwd_exec_t;
    type systemd_logind_t;
    type hostname_exec_t;
    type bacula_t;
    type su_exec_t;
    type lastlog_t;
    type system_dbusd_t;
    class process setsched;
    class unix_stream_socket connectto;
    class dbus send_msg;
    class capability audit_write;
    class passwd passwd;
    class netlink_selinux_socket { bind create };
    class file { write execute execute_no_trans };
    class netlink_audit_socket { nlmsg_relay create };
    class sock_file write;
    class security compute_av;
}

#============= bacula_t ==============
allow bacula_t chkpwd_exec_t:file execute;
allow bacula_t faillog_t:file write;
allow bacula_t hostname_exec_t:file { execute execute_no_trans };
allow bacula_t lastlog_t:file write;
allow bacula_t security_t:security compute_av;
allow bacula_t self:capability audit_write;
allow bacula_t self:netlink_audit_socket { nlmsg_relay create };
allow bacula_t self:netlink_selinux_socket { bind create };
allow bacula_t self:passwd passwd;
allow bacula_t self:process setsched;
allow bacula_t su_exec_t:file { execute execute_no_trans };
allow bacula_t system_dbusd_t:dbus send_msg;
allow bacula_t system_dbusd_t:unix_stream_socket connectto;
allow bacula_t system_dbusd_var_run_t:sock_file write;
allow bacula_t systemd_logind_t:dbus send_msg;

#============= systemd_logind_t ==============
allow systemd_logind_t bacula_t:dbus send_msg;

Which adds:
allow bacula_t chkpwd_exec_t:file execute;
allow bacula_t faillog_t:file write;
However, after removing the old and loading this new policy I get another denial:
type=AVC msg=audit(1428540219.458:501): avc: denied { execute_no_trans } for pid=4309 comm="su" path="/usr/sbin/unix_chkpwd" dev="dm-0" ino=25441120 scontext=system_u:system_r:bacula_t:s0 tcontext=system_u:object_r:chkpwd_exec_t:s0 tclass=file
Rerunning the backup yields this same AVC, and audit2allow would suggest it's permitted.
Thanks so much for assistance. jlc
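As an added example (my own code, not from the thread, from audit2allow or from bacula), the script below parses run-together audit output like the records pasted above into a table keyed by (source type, target type, class), prints that table as allow rules, and then checks a later denial against it to report which permission is still not granted. The sample records are copied from the thread's output; helper names such as collect_rules and missing_perms are my own. Run against the thread's own data it makes the gap explicit: the rules built from the earlier denials grant only execute on chkpwd_exec_t, while the denial that survived asks for execute_no_trans, which is a separate permission (executing a file without a domain transition).

```python
"""Parse raw AVC records, derive audit2allow-style rules and check coverage.

Added example, not from the thread or from audit2allow itself: the helper
names are my own, and the sample records are copied from the output posted
in the thread (a few of them, run together on one line the way the mail
client pasted them).
"""
import re
from collections import defaultdict

# Constructed sample: three records from the thread, run together on one line.
RAW_AVCS = (
    'type=AVC msg=audit(1428539366.385:377): avc: denied { execute } for pid=2809 '
    'comm="su" name="unix_chkpwd" dev="dm-0" ino=25441120 '
    'scontext=system_u:system_r:bacula_t:s0 tcontext=system_u:object_r:chkpwd_exec_t:s0 tclass=file '
    'type=AVC msg=audit(1428539366.386:378): avc: denied { write } for pid=2808 '
    'comm="su" name="btmp" dev="dm-0" ino=9085718 '
    'scontext=system_u:system_r:bacula_t:s0 tcontext=system_u:object_r:faillog_t:s0 tclass=file '
    "type=USER_AVC msg=audit(1428538766.344:2379): pid=32056 uid=0 auid=4294967295 "
    "ses=4294967295 subj=system_u:system_r:bacula_t:s0 msg='avc: denied { passwd } for "
    "scontext=system_u:system_r:bacula_t:s0 tcontext=system_u:system_r:bacula_t:s0 "
    "tclass=passwd exe=\"/usr/bin/su\" sauid=0 hostname=? addr=? terminal=?'"
)

# The denial that survived the rebuilt policy (also copied from the thread).
LATER_DENIAL = (
    'type=AVC msg=audit(1428540219.458:501): avc: denied { execute_no_trans } for pid=4309 '
    'comm="su" path="/usr/sbin/unix_chkpwd" dev="dm-0" ino=25441120 '
    'scontext=system_u:system_r:bacula_t:s0 tcontext=system_u:object_r:chkpwd_exec_t:s0 tclass=file'
)

# Each record starts with "type=AVC msg=audit(" or "type=USER_AVC msg=audit(";
# a zero-width lookahead split keeps that prefix with its record.
RECORD_START = re.compile(r'(?=type=(?:USER_)?AVC msg=audit\()')
DENIED = re.compile(r'avc:\s+denied\s+\{\s*([^}]+?)\s*\}')
# key=value tokens; double-quoted values may contain spaces (e.g. path="...").
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')


def split_records(text):
    """Split run-together audit output into one string per record."""
    return [r.strip() for r in RECORD_START.split(text) if r.strip()]


def context_type(ctx):
    """user:role:type[:range] -> type, e.g. system_u:object_r:faillog_t:s0 -> faillog_t."""
    return ctx.split(':')[2]


def parse_record(record):
    """Return the denied permissions plus source type, target type and class."""
    denied = DENIED.search(record)
    if not denied:
        return None
    fields = {k: v.strip('"') for k, v in FIELD.findall(record)}
    return {
        'perms': set(denied.group(1).split()),
        'stype': context_type(fields['scontext']),
        'ttype': context_type(fields['tcontext']),
        'tclass': fields['tclass'],
    }


def collect_rules(text):
    """Union denied permissions per (source type, target type, class), as audit2allow does."""
    rules = defaultdict(set)
    for record in split_records(text):
        parsed = parse_record(record)
        if parsed:
            rules[(parsed['stype'], parsed['ttype'], parsed['tclass'])] |= parsed['perms']
    return dict(rules)


def format_rules(rules):
    """Render the rule table as allow statements (target == source becomes 'self')."""
    lines = []
    for (stype, ttype, tclass), perms in sorted(rules.items()):
        target = 'self' if ttype == stype else ttype
        perm_list = sorted(perms)
        perm_text = perm_list[0] if len(perm_list) == 1 else '{ ' + ' '.join(perm_list) + ' }'
        lines.append(f'allow {stype} {target}:{tclass} {perm_text};')
    return lines


def missing_perms(rules, denial_text):
    """Permissions a new denial asks for that the rule table does not grant."""
    parsed = parse_record(denial_text)
    granted = rules.get((parsed['stype'], parsed['ttype'], parsed['tclass']), set())
    return parsed['perms'] - granted


if __name__ == '__main__':
    table = collect_rules(RAW_AVCS)
    print('\n'.join(format_rules(table)))
    # execute was granted on chkpwd_exec_t; the later denial asks for execute_no_trans
    print('still missing:', sorted(missing_perms(table, LATER_DENIAL)))
```

Run as-is it prints the three allow rules and reports execute_no_trans as still missing. On a live system the same functions can be fed the text that `ausearch -m AVC,USER_AVC` prints (the script does not call ausearch itself), which is a quick way to confirm, after each policy rebuild, whether a fresh denial is a new permission or one the module already claims to grant.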
On 04/09/2015 02:55 AM, Joseph L. Casale wrote:
Are there any scripts which you can define? Or did you get it by default? It looks like bacula is an administrative tool which is going to be an unconfined domain.
> Are there any scripts which you can define? Or did you get it by default? It looks like bacula is an administrative tool which is going to be an unconfined domain.
Hi Miroslav, The backup daemon has commands in its configuration that it invokes without a shell, for example in this case:
su -c '/usr/bin/pg_dumpall -U postgres -f /tmp/pg_dumpall_output.sql' - postgres
Do you suggest that moving this into a script that is labeled explicitly might help?
Thanks, jlc
On 04/10/2015 01:51 PM, Joseph L. Casale wrote:
>> Are there any scripts which you can define? Or did you get it by default? It looks like bacula is an administrative tool which is going to be an unconfined domain.
> Hi Miroslav, The backup daemon has commands in its configuration that it invokes without a shell, for example in this case:
> su -c '/usr/bin/pg_dumpall -U postgres -f /tmp/pg_dumpall_output.sql' - postgres
> Do you suggest that moving this into a script that is labeled explicitly might help?
> Thanks, jlc
Yes, it would be fine to have it as default in bacula. For example to have them in
/usr/libexec/bacula
You can open a new policy bug where we can discuss it and ask bacula folks.
--
Miroslav Grepl
Software Engineering, SELinux Solutions
Red Hat, Inc.
> Yes, it would be fine to have it as default in bacula. For example to have them in
> /usr/libexec/bacula
> You can open a new policy bug where we can discuss it and ask bacula folks.
Hi Miroslav, I posted a question on the Bacula list without response; I suspect most of the guys simply disable SELinux, which obviously is not an option for me. I only fear this approach detracts from server-side managed configuration into one now having client-side dependencies.
Before I go down this road, do you think there is any other approach that would facilitate allowing the daemon to invoke the calls?
Thanks, jlc