* Wrong processes in AVC denials
@ 2020-05-15 11:11 Topi Miettinen
  2020-05-15 11:50 ` Christian Göttsche
  2020-05-15 12:13 ` Stephen Smalley
  0 siblings, 2 replies; 4+ messages in thread
From: Topi Miettinen @ 2020-05-15 11:11 UTC (permalink / raw)
  To: selinux

Hi,

After sending the previous message with 'git send-email', I noticed
strange AVC denials in the logs. The first entry is correct, but the
next ones have PID 0 and 16:

time->Fri May 15 13:49:30 2020
type=PROCTITLE msg=audit(1589539770.992:1614): 
proctitle=2F7573722F62696E2F7065726C002F7573722F6C69622F6769742D636F72652F6769742D73656E642D656D61696C002D2D736D74702D6465627567002D2D616E6E6F74617465002D2D746F0073656C696E757840766765722E6B65726E656C2E6F726700642F706F6C696379636F72657574696C732E6769742F303030312D73
type=SOCKADDR msg=audit(1589539770.992:1614): 
saddr=020000197F0000010000000000000000
type=SYSCALL msg=audit(1589539770.992:1614): arch=c000003e syscall=42 
success=no exit=-115 a0=7 a1=5a00209eba80 a2=10 a3=fffffffffffffa8b 
items=0 ppid=10011 pid=10012 auid=1000 uid=1000 gid=1000 euid=1000 
suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts0 ses=1 
comm="git-send-email" exe="/usr/bin/perl" subj=user_u:user_r:user_t:s0 
key=(null)
type=AVC msg=audit(1589539770.992:1614): avc:  denied  { recv } for 
pid=10012 comm="git-send-email" saddr=127.0.0.1 src=25 daddr=127.0.0.1 
dest=45482 netif=lo scontext=user_u:user_r:user_t:s0 
tcontext=system_u:object_r:smtp_server_packet_t:s0 tclass=packet 
permissive=0
----
time->Fri May 15 13:49:32 2020
type=AVC msg=audit(1589539772.016:1615): avc:  denied  { recv } for 
pid=16 comm="ksoftirqd/1" saddr=127.0.0.1 src=25 daddr=127.0.0.1 
dest=45482 netif=lo scontext=user_u:user_r:user_t:s0 
tcontext=system_u:object_r:smtp_server_packet_t:s0 tclass=packet 
permissive=0
----
time->Fri May 15 13:49:38 2020
type=AVC msg=audit(1589539778.096:1617): avc:  denied  { recv } for 
pid=0 comm="swapper/1" saddr=127.0.0.1 src=25 daddr=127.0.0.1 dest=45482 
netif=lo scontext=user_u:user_r:user_t:s0 
tcontext=system_u:object_r:smtp_server_packet_t:s0 tclass=packet 
permissive=0
----

Could it be a bug in the kernel somewhere (AVC generated from the wrong
context), or should this be expected? The kernel version is 5.3.7, and
Netfilter NFT rules label all packets with SECMARK.

-Topi

* Re: Wrong processes in AVC denials
  2020-05-15 11:11 Wrong processes in AVC denials Topi Miettinen
@ 2020-05-15 11:50 ` Christian Göttsche
  2020-05-15 12:47   ` Topi Miettinen
  2020-05-15 12:13 ` Stephen Smalley
  1 sibling, 1 reply; 4+ messages in thread
From: Christian Göttsche @ 2020-05-15 11:50 UTC (permalink / raw)
  To: Topi Miettinen; +Cc: SElinux list

Hi,

For loopback labeling I use special rules, so that the packets going
into and coming out of the loopback device have different labels.

iif lo meta secmark set tcp dport map @secmapping_in
iif lo meta secmark set udp dport map @secmapping_in
iif lo meta secmark set tcp sport map @secmapping_out
iif lo meta secmark set udp sport map @secmapping_out

oif lo meta secmark set tcp dport map @secmapping_out
oif lo meta secmark set udp dport map @secmapping_out
oif lo meta secmark set tcp sport map @secmapping_in
oif lo meta secmark set udp sport map @secmapping_in

The pid values in these audit messages are garbage values (and so is the
derived command).

* Re: Wrong processes in AVC denials
  2020-05-15 11:11 Wrong processes in AVC denials Topi Miettinen
  2020-05-15 11:50 ` Christian Göttsche
@ 2020-05-15 12:13 ` Stephen Smalley
  1 sibling, 0 replies; 4+ messages in thread
From: Stephen Smalley @ 2020-05-15 12:13 UTC (permalink / raw)
  To: Topi Miettinen; +Cc: SElinux list

On Fri, May 15, 2020 at 7:14 AM Topi Miettinen <toiwoton@gmail.com> wrote:
>
> Hi,
>
> After sending the previous message with 'git send-email', I noticed
> strange AVC denials in the logs. The first entry is correct, but the
> next ones have PID 0 and 16:
>
> time->Fri May 15 13:49:30 2020
> type=PROCTITLE msg=audit(1589539770.992:1614):
> proctitle=2F7573722F62696E2F7065726C002F7573722F6C69622F6769742D636F72652F6769742D73656E642D656D61696C002D2D736D74702D6465627567002D2D616E6E6F74617465002D2D746F0073656C696E757840766765722E6B65726E656C2E6F726700642F706F6C696379636F72657574696C732E6769742F303030312D73
> type=SOCKADDR msg=audit(1589539770.992:1614):
> saddr=020000197F0000010000000000000000
> type=SYSCALL msg=audit(1589539770.992:1614): arch=c000003e syscall=42
> success=no exit=-115 a0=7 a1=5a00209eba80 a2=10 a3=fffffffffffffa8b
> items=0 ppid=10011 pid=10012 auid=1000 uid=1000 gid=1000 euid=1000
> suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts0 ses=1
> comm="git-send-email" exe="/usr/bin/perl" subj=user_u:user_r:user_t:s0
> key=(null)
> type=AVC msg=audit(1589539770.992:1614): avc:  denied  { recv } for
> pid=10012 comm="git-send-email" saddr=127.0.0.1 src=25 daddr=127.0.0.1
> dest=45482 netif=lo scontext=user_u:user_r:user_t:s0
> tcontext=system_u:object_r:smtp_server_packet_t:s0 tclass=packet
> permissive=0
> ----
> time->Fri May 15 13:49:32 2020
> type=AVC msg=audit(1589539772.016:1615): avc:  denied  { recv } for
> pid=16 comm="ksoftirqd/1" saddr=127.0.0.1 src=25 daddr=127.0.0.1
> dest=45482 netif=lo scontext=user_u:user_r:user_t:s0
> tcontext=system_u:object_r:smtp_server_packet_t:s0 tclass=packet
> permissive=0
> ----
> time->Fri May 15 13:49:38 2020
> type=AVC msg=audit(1589539778.096:1617): avc:  denied  { recv } for
> pid=0 comm="swapper/1" saddr=127.0.0.1 src=25 daddr=127.0.0.1 dest=45482
> netif=lo scontext=user_u:user_r:user_t:s0
> tcontext=system_u:object_r:smtp_server_packet_t:s0 tclass=packet
> permissive=0
> ----
>
> Could it be a bug in the kernel somewhere (AVC generated from the wrong
> context), or should this be expected? The kernel version is 5.3.7, and
> Netfilter NFT rules label all packets with SECMARK.

Certain permission checks (like network input processing) can occur
outside of process context, e.g. softirq or hardirq,
and therefore the pid/comm information can be seemingly random and
unrelated to the security contexts.  The security contexts however are
correct.
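An added example (not code from this thread or from the SELinux project) that parses the three audit events quoted above, decodes the PROCTITLE and SOCKADDR records that accompany the first one, and flags packet-class denials whose pid/comm cannot be trusted, as Stephen explains. The sample log is constructed from the thread's own records; treating swapper/N and ksoftirqd/N as kernel-thread attributions is this example's heuristic, and AF_INET is assumed when decoding the sockaddr.

```python
import re
# Constructed sample: the three denials quoted in the thread; PROCTITLE/SOCKADDR exist only for the first.
SAMPLE_LOG = """\
type=PROCTITLE msg=audit(1589539770.992:1614): proctitle=2F7573722F62696E2F7065726C002F7573722F6C69622F6769742D636F72652F6769742D73656E642D656D61696C002D2D736D74702D6465627567002D2D616E6E6F74617465002D2D746F0073656C696E757840766765722E6B65726E656C2E6F726700642F706F6C696379636F72657574696C732E6769742F303030312D73
type=SOCKADDR msg=audit(1589539770.992:1614): saddr=020000197F0000010000000000000000
type=AVC msg=audit(1589539770.992:1614): avc:  denied  { recv } for pid=10012 comm="git-send-email" saddr=127.0.0.1 src=25 daddr=127.0.0.1 dest=45482 netif=lo scontext=user_u:user_r:user_t:s0 tcontext=system_u:object_r:smtp_server_packet_t:s0 tclass=packet permissive=0
type=AVC msg=audit(1589539772.016:1615): avc:  denied  { recv } for pid=16 comm="ksoftirqd/1" saddr=127.0.0.1 src=25 daddr=127.0.0.1 dest=45482 netif=lo scontext=user_u:user_r:user_t:s0 tcontext=system_u:object_r:smtp_server_packet_t:s0 tclass=packet permissive=0
type=AVC msg=audit(1589539778.096:1617): avc:  denied  { recv } for pid=0 comm="swapper/1" saddr=127.0.0.1 src=25 daddr=127.0.0.1 dest=45482 netif=lo scontext=user_u:user_r:user_t:s0 tcontext=system_u:object_r:smtp_server_packet_t:s0 tclass=packet permissive=0
"""
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
SERIAL_RE = re.compile(r'msg=audit\(\d+\.\d+:(\d+)\)')
PERM_RE = re.compile(r'\{ ([^}]*) \}')

def parse_line(line):
    """One audit record -> dict of its key=value fields plus serial and permissions."""
    rec = {k: v.strip('"') for k, v in FIELD_RE.findall(line)}
    rec["serial"] = int(SERIAL_RE.search(line).group(1))
    rec["perms"] = " ".join(PERM_RE.findall(line)).split()
    return rec

def decode_proctitle(hexstr):
    """PROCTITLE is the hex-encoded argv of the process, with NUL between arguments."""
    return [a.decode() for a in bytes.fromhex(hexstr).split(b"\0")]

def decode_sockaddr(hexstr):
    """Raw struct sockaddr (AF_INET assumed): sa_family in host order (x86_64, arch=c000003e), sin_port in network order."""
    raw = bytes.fromhex(hexstr)
    return {"family": int.from_bytes(raw[:2], "little"), "port": int.from_bytes(raw[2:4], "big"),
            "ip": ".".join(str(b) for b in raw[4:8])}

def analyse(log):
    """Group records by serial; for tclass=packet the check may run in softirq/hardirq, so pid/comm are untrusted."""
    events = {}
    for line in log.splitlines():
        rec = parse_line(line)
        events.setdefault(rec["serial"], {})[rec["type"]] = rec
    out = []
    for serial, recs in sorted(events.items()):
        if "AVC" in recs:
            avc = recs["AVC"]
            out.append({
                "serial": serial, "perms": avc["perms"], "tclass": avc["tclass"],
                "scontext": avc["scontext"], "tcontext": avc["tcontext"],
                "pid_comm_reliable": avc["tclass"] != "packet",
                # idle task (swapper/N) or softirq thread (ksoftirqd/N) named as the "process"
                "kernel_thread_attribution": avc.get("comm", "").startswith(("swapper/", "ksoftirqd/")),
                "argv": decode_proctitle(recs["PROCTITLE"]["proctitle"]) if "PROCTITLE" in recs else None,
                "peer": decode_sockaddr(recs["SOCKADDR"]["saddr"]) if "SOCKADDR" in recs else None,
            })
    return out
```

Only the security contexts are common to all three events; the decoded argv and peer address of the first show the syscall-context check, while the other two carry no PROCTITLE or SOCKADDR at all.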

* Re: Wrong processes in AVC denials
  2020-05-15 11:50 ` Christian Göttsche
@ 2020-05-15 12:47   ` Topi Miettinen
  0 siblings, 0 replies; 4+ messages in thread
From: Topi Miettinen @ 2020-05-15 12:47 UTC (permalink / raw)
  To: Christian Göttsche; +Cc: SElinux list

On 15.5.2020 14.50, Christian Göttsche wrote:
> Hi,
> 
> For loopback labeling I use special rules, so that the packets going
> into and coming out of the loopback device have different labels.

I'm relying on the INPUT chain for labeling incoming packets and vice versa.
Doesn't that work for loopback?

> 
> iif lo meta secmark set tcp dport map @secmapping_in

I think there's some limit on the size of NFT maps, so I was not able
to use them for labeling all packet types known to the policy.

-Topi

> iif lo meta secmark set udp dport map @secmapping_in
> iif lo meta secmark set tcp sport map @secmapping_out
> iif lo meta secmark set udp sport map @secmapping_out
> 
> oif lo meta secmark set tcp dport map @secmapping_out
> oif lo meta secmark set udp dport map @secmapping_out
> oif lo meta secmark set tcp sport map @secmapping_in
> oif lo meta secmark set udp sport map @secmapping_in
> 
> The pid values in these audit messages are garbage values (and so is the
> derived command).
> 