* [refpolicy] dac_override question
@ 2016-12-29 11:49 cgzones
  2016-12-29 11:55 ` Dominick Grift
  0 siblings, 1 reply; 3+ messages in thread
From: cgzones @ 2016-12-29 11:49 UTC (permalink / raw)
  To: refpolicy

Hi,
I am encountering a problem regarding the dac_override capability.

I am running monit (a process monitoring tool), which needs to monitor
exim4 and read its pidfile: /run/exim4/exim.pid.
The directory /run/exim4 is owned by Debian-exim:Debian-exim with mode
0750 and due to monit running as root I granted: allow monit_t
self:capability dac_read_search;
But I am still getting dac_override denials, why?
I do not want to dontaudit dac_override, cause maybe in the future
monit might really need the capability and I would miss it.

type=PROCTITLE msg=audit(12/29/16 12:26:00.849:42386) :
proctitle=/usr/bin/monit -c /etc/monit/monitrc
type=PATH msg=audit(12/29/16 12:26:00.849:42386) : item=0
name=/run/exim4/exim.pid inode=68815 dev=00:13 mode=file,644 ouid=root
ogid=Debian-exim rdev=00:00 obj=system_u:object_r:exim_run_t:s0
nametype=NORMAL
type=CWD msg=audit(12/29/16 12:26:00.849:42386) : cwd=/
type=SYSCALL msg=audit(12/29/16 12:26:00.849:42386) : arch=armeb
syscall=stat64 per=PER_LINUX_32BIT success=yes exit=0 a0=0x207bcf8
a1=0x7ef258e0 a2=0x7ef25950 a3=0x3 items=1 ppid=1 pid=393 auid=unset
uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root
fsgid=root tty=(none) ses=unset comm=monit exe=/usr/bin/monit
subj=system_u:system_r:monit_t:s0 key=(null)
type=AVC msg=audit(12/29/16 12:26:00.849:42386) : avc:  denied  {
dac_override } for  pid=393 comm=monit capability=dac_override
scontext=system_u:system_r:monit_t:s0
tcontext=system_u:system_r:monit_t:s0 tclass=capability permissive=0

Kernel version:
Linux raspberrypi 4.9.0-v7+ #1 SMP Thu Dec 15 17:58:19 CET 2016 armv7l GNU/Linux
https://github.com/raspberrypi/linux/tree/rpi-4.9.y

Kindly Regards,
     Christian Göttsche

* [refpolicy] dac_override question
  2016-12-29 11:49 [refpolicy] dac_override question cgzones
@ 2016-12-29 11:55 ` Dominick Grift
  2016-12-29 18:15   ` cgzones
  0 siblings, 1 reply; 3+ messages in thread
From: Dominick Grift @ 2016-12-29 11:55 UTC (permalink / raw)
  To: refpolicy

On 12/29/2016 12:49 PM, cgzones via refpolicy wrote:
> Hi,
> I am encountering a problem regarding the dac_override capability.

To quote:

"
It checks CAP_DAC_OVERRIDE first.  If that passes, it returns 0
(success).  If it fails and the mask did not request MAY_WRITE (i.e.
only read/search/execute access), then it checks CAP_DAC_READ_SEARCH.
If that passes, then it returns 0 (success).
"

This means that even though the dac_read_search is enough, you will
still see the dac_override because dac_override overlaps dac_read_search
and is checked first.

In other words, the dac_override can be dontaudited on
read/search/execute, but dac_override is required on write.

hth


> 
> I am running monit (a process monitoring tool), which needs to monitor
> exim4 and read its pidfile: /run/exim4/exim.pid.
> The directory /run/exim4 is owned by Debian-exim:Debian-exim with mode
> 0750 and due to monit running as root I granted: allow monit_t
> self:capability dac_read_search;
> But I am still getting dac_override denials, why?
> I do not want to dontaudit dac_override, cause maybe in the future
> monit might really need the capability and I would miss it.
> 
> type=PROCTITLE msg=audit(12/29/16 12:26:00.849:42386) :
> proctitle=/usr/bin/monit -c /etc/monit/monitrc
> type=PATH msg=audit(12/29/16 12:26:00.849:42386) : item=0
> name=/run/exim4/exim.pid inode=68815 dev=00:13 mode=file,644 ouid=root
> ogid=Debian-exim rdev=00:00 obj=system_u:object_r:exim_run_t:s0
> nametype=NORMAL
> type=CWD msg=audit(12/29/16 12:26:00.849:42386) : cwd=/
> type=SYSCALL msg=audit(12/29/16 12:26:00.849:42386) : arch=armeb
> syscall=stat64 per=PER_LINUX_32BIT success=yes exit=0 a0=0x207bcf8
> a1=0x7ef258e0 a2=0x7ef25950 a3=0x3 items=1 ppid=1 pid=393 auid=unset
> uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root
> fsgid=root tty=(none) ses=unset comm=monit exe=/usr/bin/monit
> subj=system_u:system_r:monit_t:s0 key=(null)
> type=AVC msg=audit(12/29/16 12:26:00.849:42386) : avc:  denied  {
> dac_override } for  pid=393 comm=monit capability=dac_override
> scontext=system_u:system_r:monit_t:s0
> tcontext=system_u:system_r:monit_t:s0 tclass=capability permissive=0
> 
> Kernel version:
> Linux raspberrypi 4.9.0-v7+ #1 SMP Thu Dec 15 17:58:19 CET 2016 armv7l GNU/Linux
> https://github.com/raspberrypi/linux/tree/rpi-4.9.y
> 
> Kindly Regards,
>      Christian Göttsche
> _______________________________________________
> refpolicy mailing list
> refpolicy at oss.tresys.com
> http://oss.tresys.com/mailman/listinfo/refpolicy
> 


-- 
Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8  02D5 3B6C 5F1D 2C7B 6B02
https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B02
Dominick Grift


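The check order quoted in the reply above, as an added example that is not part of the thread and not the kernel's own source: a small C model of the DAC permission path in which the ordinary mode bits are tried first, then CAP_DAC_OVERRIDE, then (for non-write access only) CAP_DAC_READ_SEARCH. Assumptions: a process's capabilities are a bitmask, every refused capability check is counted as if it produced an audit record (the behaviour behind the AVC in the original report), the owner and group ids 107/113 standing in for Debian-exim are constructed placeholders, and the kernel's further distinctions for directories and exec bits are left out.

```c
/*
 * Added example (not kernel code): a model of the capability-override
 * order quoted in the thread, with a counter standing in for the audit
 * record that is emitted when a capability check is refused.
 */
#include <errno.h>
#include <stdio.h>

#define MAY_EXEC  0x01   /* search permission when used on a directory */
#define MAY_WRITE 0x02
#define MAY_READ  0x04

#define CAP_DAC_OVERRIDE    (1u << 0)
#define CAP_DAC_READ_SEARCH (1u << 1)

struct inode { unsigned uid, gid, mode; };
struct cred  { unsigned uid, gid, caps; };

/* Stand-in for the audit trail: how often each capability was refused. */
struct audit { int dac_override_denied; int dac_read_search_denied; };

/* Like capable(): succeed silently, or refuse and leave an audit record. */
static int capable(const struct cred *c, unsigned cap, struct audit *a)
{
	if (c->caps & cap)
		return 1;
	if (cap == CAP_DAC_OVERRIDE)
		a->dac_override_denied++;
	else
		a->dac_read_search_denied++;
	return 0;
}

/* Ordinary rwx check: select the owner, group or other triplet. */
static int mode_permission(const struct inode *i, const struct cred *c,
                           unsigned mask)
{
	unsigned bits = i->mode;
	if (c->uid == i->uid)
		bits >>= 6;
	else if (c->gid == i->gid)
		bits >>= 3;
	return ((bits & 7) & mask) == mask ? 0 : -EACCES;
}

/* The order quoted in the thread: mode bits, then CAP_DAC_OVERRIDE,
 * then CAP_DAC_READ_SEARCH, the latter only when no write was asked for. */
static int generic_permission(const struct inode *i, const struct cred *c,
                              unsigned mask, struct audit *a)
{
	if (mode_permission(i, c, mask) == 0)
		return 0;
	if (capable(c, CAP_DAC_OVERRIDE, a))
		return 0;
	if (!(mask & MAY_WRITE) && capable(c, CAP_DAC_READ_SEARCH, a))
		return 0;
	return -EACCES;
}

/* Scenario from the thread: root accesses a 0750 directory owned by
 * another account (uid 107 / gid 113 are constructed placeholders for
 * Debian-exim).  Returns the access result; *denials receives the number
 * of CAP_DAC_OVERRIDE refusals that would reach the audit log. */
int run_lookup(unsigned caps, unsigned mask, int *denials)
{
	struct inode run_exim4 = { .uid = 107, .gid = 113, .mode = 0750 };
	struct cred root = { .uid = 0, .gid = 0, .caps = caps };
	struct audit a = { 0, 0 };
	int ret = generic_permission(&run_exim4, &root, mask, &a);
	*denials = a.dac_override_denied;
	return ret;
}

int main(void)
{
	int denials, ret;

	ret = run_lookup(CAP_DAC_READ_SEARCH, MAY_EXEC, &denials);
	printf("search, dac_read_search only: ret=%d, dac_override refusals=%d\n",
	       ret, denials);
	ret = run_lookup(CAP_DAC_READ_SEARCH, MAY_WRITE, &denials);
	printf("write,  dac_read_search only: ret=%d, dac_override refusals=%d\n",
	       ret, denials);
	ret = run_lookup(CAP_DAC_OVERRIDE, MAY_WRITE, &denials);
	printf("write,  dac_override granted: ret=%d, dac_override refusals=%d\n",
	       ret, denials);
	return 0;
}
```

The first scenario reproduces the situation in the report: the lookup succeeds (the SYSCALL record says success=yes) and yet one dac_override refusal is recorded, which is the AVC the original poster saw. The second is the write case from the reply: with only dac_read_search granted the access fails, so a dac_override refusal on a write is a real denial rather than noise from the check order.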

* [refpolicy] dac_override question
  2016-12-29 11:55 ` Dominick Grift
@ 2016-12-29 18:15   ` cgzones
  0 siblings, 0 replies; 3+ messages in thread
From: cgzones @ 2016-12-29 18:15 UTC (permalink / raw)
  To: refpolicy

Seems to be a known kernel bug:
https://github.com/SELinuxProject/selinux-kernel/issues/6

2016-12-29 12:55 GMT+01:00 Dominick Grift via refpolicy
<refpolicy@oss.tresys.com>:
> On 12/29/2016 12:49 PM, cgzones via refpolicy wrote:
>> Hi,
>> I am encountering a problem regarding the dac_override capability.
>
> To quote:
>
> "
> It checks CAP_DAC_OVERRIDE first.  If that passes, it returns 0
> (success).  If it fails and the mask did not request MAY_WRITE (i.e.
> only read/search/execute access), then it checks CAP_DAC_READ_SEARCH.
> If that passes, then it returns 0 (success).
> "
>
> This means that even though the dac_read_search is enough, you will
> still see the dac_override because dac_override overlaps dac_read_search
> and is checked first.
>
> In other words, the dac_override can be dontaudited on
> read/search/execute, but dac_override is required on write.
>
> hth
>
>
>>
>> I am running monit (a process monitoring tool), which needs to monitor
>> exim4 and read its pidfile: /run/exim4/exim.pid.
>> The directory /run/exim4 is owned by Debian-exim:Debian-exim with mode
>> 0750 and due to monit running as root I granted: allow monit_t
>> self:capability dac_read_search;
>> But I am still getting dac_override denials, why?
>> I do not want to dontaudit dac_override, cause maybe in the future
>> monit might really need the capability and I would miss it.
>>
>> type=PROCTITLE msg=audit(12/29/16 12:26:00.849:42386) :
>> proctitle=/usr/bin/monit -c /etc/monit/monitrc
>> type=PATH msg=audit(12/29/16 12:26:00.849:42386) : item=0
>> name=/run/exim4/exim.pid inode=68815 dev=00:13 mode=file,644 ouid=root
>> ogid=Debian-exim rdev=00:00 obj=system_u:object_r:exim_run_t:s0
>> nametype=NORMAL
>> type=CWD msg=audit(12/29/16 12:26:00.849:42386) : cwd=/
>> type=SYSCALL msg=audit(12/29/16 12:26:00.849:42386) : arch=armeb
>> syscall=stat64 per=PER_LINUX_32BIT success=yes exit=0 a0=0x207bcf8
>> a1=0x7ef258e0 a2=0x7ef25950 a3=0x3 items=1 ppid=1 pid=393 auid=unset
>> uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root
>> fsgid=root tty=(none) ses=unset comm=monit exe=/usr/bin/monit
>> subj=system_u:system_r:monit_t:s0 key=(null)
>> type=AVC msg=audit(12/29/16 12:26:00.849:42386) : avc:  denied  {
>> dac_override } for  pid=393 comm=monit capability=dac_override
>> scontext=system_u:system_r:monit_t:s0
>> tcontext=system_u:system_r:monit_t:s0 tclass=capability permissive=0
>>
>> Kernel version:
>> Linux raspberrypi 4.9.0-v7+ #1 SMP Thu Dec 15 17:58:19 CET 2016 armv7l GNU/Linux
>> https://github.com/raspberrypi/linux/tree/rpi-4.9.y
>>
>> Kindly Regards,
>>      Christian Göttsche
>>
>
>
> --
> Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8  02D5 3B6C 5F1D 2C7B 6B02
> https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B02
> Dominick Grift
>
>
>
