* How to see SELinux denials late at shutdown
@ 2019-11-12 13:08 Christian Göttsche
2019-11-12 16:40 ` Stephen Smalley
0 siblings, 1 reply; 5+ messages in thread
From: Christian Göttsche @ 2019-11-12 13:08 UTC (permalink / raw)
To: selinux
While trying to confine systemd-shutdown, I am unable to see any
SELinux denials late at shutdown.
I tested on Debian sid with systemd 242/243 and Linux 4.19.67-2/5.3.9-1.
The command line is: `BOOT_IMAGE=/boot/vmlinuz-5.3.0-2-amd64
root=UUID=0a22bd66-a082-4b76-b96b-ca5cff3ffdf6 ro security=selinux
console=ttyS0 console=tty0 log_buf_len=1M printk.devkmsg=on`.
When running poweroff or reboot, systemd-shutdown stalls but no denial
is printed.
With a script like [1] dmesg does not print any information.
In permissive mode the system powers off/reboots, but no denials are printed.
Trying to stop auditd/systemd-journald beforehand does not help.
Does the kernel itself shut down the ring buffer, or can systemd
interfere somehow?
[1]: https://freedesktop.org/wiki/Software/systemd/Debugging/#shutdowncompleteseventually
Shutdown log from serial console:
Debian GNU/Linux bullseye/sid debian-test ttyS0
debian-test login: [ 15.644442] audit: type=1305
audit(1573562456.536:57): audit_pid=0 old=394 auid=4294967295
ses=4294967295 subj=system_u:system_r:auditd_t:s0 res=1
[ 15.649464] audit: type=1131 audit(1573562456.540:58): pid=1 uid=0
auid=4294967295 ses=4294967295 subj=system_u:system_r:systemd_t:s0
msg='unit=auditd comm="systemd" exe="/usr/lib/systemd/systemd"
hostname=? addr=? terminal=? res=success'
[ 15.656430] audit: type=1131 audit(1573562456.548:59): pid=1 uid=0
auid=4294967295 ses=4294967295 subj=system_u:system_r:systemd_t:s0
msg='unit=systemd-tmpfiles-setup comm="systemd"
exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=?
res=success'
[ 15.701848] audit: type=1131 audit(1573562456.592:60): pid=1 uid=0
auid=4294967295 ses=4294967295 subj=system_u:system_r:systemd_t:s0
msg='unit=ifup@enp0s3 comm="systemd" exe="/usr/lib/systemd/systemd"
hostname=? addr=? terminal=? res=success'
[ 15.712466] audit: type=1131 audit(1573562456.604:61): pid=1 uid=0
auid=4294967295 ses=4294967295 subj=system_u:system_r:systemd_t:s0
msg='unit=systemd-sysctl comm="systemd" exe="/usr/lib/systemd/systemd"
hostname=? addr=? terminal=? res=success'
[ 15.720237] audit: type=1131 audit(1573562456.608:62): pid=1 uid=0
auid=4294967295 ses=4294967295 subj=system_u:system_r:systemd_t:s0
msg='unit=systemd-modules-load comm="systemd"
exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=?
res=success'
[ 15.726141] audit: type=1131 audit(1573562456.616:63): pid=1 uid=0
auid=4294967295 ses=4294967295 subj=system_u:system_r:systemd_t:s0
msg='unit=systemd-tmpfiles-setup-dev comm="systemd"
exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=?
res=success'
[ 15.731848] audit: type=1131 audit(1573562456.624:64): pid=1 uid=0
auid=4294967295 ses=4294967295 subj=system_u:system_r:systemd_t:s0
msg='unit=systemd-sysusers comm="systemd"
exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=?
res=success'
[ 15.737084] audit: type=1131 audit(1573562456.628:65): pid=1 uid=0
auid=4294967295 ses=4294967295 subj=system_u:system_r:systemd_t:s0
msg='unit=systemd-remount-fs comm="systemd"
exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=?
res=success'
[ 15.745161] audit: type=1130 audit(1573562456.632:66): pid=1 uid=0
auid=4294967295 ses=4294967295 subj=system_u:system_r:systemd_t:s0
msg='unit=systemd-poweroff comm="systemd"
exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=?
res=success'
[ 15.866146] systemd-shutdown[1]: Syncing filesystems and block devices.
[ 15.948678] systemd-shutdown[1]: Sending SIGTERM to remaining processes...
[ 15.998582] systemd-journald[263]: Received SIGTERM from PID 1
(systemd-shutdow).
[ 16.103917] systemd-shutdown[1]: Sending SIGKILL to remaining processes...
[ 16.113594] systemd-shutdown[1]: Unmounting file systems.
[ 16.116468] [484]: Remounting '/' read-only in with options
'seclabel,errors=remount-ro'.
[ 16.119280] [484]: Failed to remount '/' read-only: Permission denied
[ 16.121390] systemd-shutdown[1]: Not all file systems unmounted, 1 left.
[ 16.122819] systemd-shutdown[1]: Deactivating swaps.
[ 16.124065] systemd-shutdown[1]: All swaps deactivated.
[ 16.125264] systemd-shutdown[1]: Detaching loop devices.
[ 16.126533] systemd-shutdown[1]: All loop devices detached.
[ 16.129193] systemd-shutdown[1]: Detaching DM devices.
[ 16.130386] systemd-shutdown[1]: All DM devices detached.
[ 16.131646] systemd-shutdown[1]: Unmounting file systems.
[ 16.133535] [485]: Remounting '/' read-only in with options
'seclabel,errors=remount-ro'.
[ 16.134932] [485]: Failed to remount '/' read-only: Permission denied
[ 16.136708] systemd-shutdown[1]: Not all file systems unmounted, 1 left.
[ 16.137917] systemd-shutdown[1]: Cannot finalize remaining file
systems, continuing.
[ 16.140467] systemd-shutdown[1]: Failed to finalize file systems, ignoring
[ 16.142078] systemd-shutdown[1]: Syncing filesystems and block devices.
[ 16.159309] systemd-shutdown[1]: Powering off.
[ 16.160685] systemd-shutdown[1]: Failed to invoke reboot():
Operation not permitted
[ 16.162408] systemd-shutdown[1]: Critical error while doing system
shutdown: Operation not permitted
* Re: How to see SELinux denials late at shutdown
From: Stephen Smalley @ 2019-11-12 16:40 UTC (permalink / raw)
To: Christian Göttsche, selinux
On 11/12/19 8:08 AM, Christian Göttsche wrote:
> While trying to confine systemd-shutdown, I am unable to see any
> SELinux denials late at shutdown.
> I tested on Debian sid with systemd 242/243 and Linux 4.19.67-2/5.3.9-1.
> The command line is: `BOOT_IMAGE=/boot/vmlinuz-5.3.0-2-amd64
> root=UUID=0a22bd66-a082-4b76-b96b-ca5cff3ffdf6 ro security=selinux
> console=ttyS0 console=tty0 log_buf_len=1M printk.devkmsg=on`.
> When running poweroff or reboot, systemd-shutdown stalls but no denial
> is printed.
> With a script like [1] dmesg does not print any information.
> In permissive mode the system powers off/reboots, but no denials are printed.
> Trying to stop auditd/systemd-journald beforehand does not help.
>
> Does the kernel itself shut down the ring buffer, or can systemd
> interfere somehow?
systemd could be setting the console loglevel
(SYSLOG_ACTION_CONSOLE_LEVEL) or disabling console logging altogether
(SYSLOG_ACTION_CONSOLE_OFF). Not sure why it would however.
Android had a nice facility for capturing kernel log messages after a
reboot, originally via /proc/last_kmsg and later via
/sys/fs/pstore/console-ramoops, but I don't think the Linux distros
provide any equivalent.
>
>
>
> [1]: https://freedesktop.org/wiki/Software/systemd/Debugging/#shutdowncompleteseventually
>
> Shutdown log from serial console:
>
> Debian GNU/Linux bullseye/sid debian-test ttyS0
>
> debian-test login: [ 15.644442] audit: type=1305
> audit(1573562456.536:57): audit_pid=0 old=394 auid=4294967295
> ses=4294967295 subj=system_u:system_r:auditd_t:s0 res=1
> [ 15.649464] audit: type=1131 audit(1573562456.540:58): pid=1 uid=0
> auid=4294967295 ses=4294967295 subj=system_u:system_r:systemd_t:s0
> msg='unit=auditd comm="systemd" exe="/usr/lib/systemd/systemd"
> hostname=? addr=? terminal=? res=success'
> [ 15.656430] audit: type=1131 audit(1573562456.548:59): pid=1 uid=0
> auid=4294967295 ses=4294967295 subj=system_u:system_r:systemd_t:s0
> msg='unit=systemd-tmpfiles-setup comm="systemd"
> exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=?
> res=success'
> [ 15.701848] audit: type=1131 audit(1573562456.592:60): pid=1 uid=0
> auid=4294967295 ses=4294967295 subj=system_u:system_r:systemd_t:s0
> msg='unit=ifup@enp0s3 comm="systemd" exe="/usr/lib/systemd/systemd"
> hostname=? addr=? terminal=? res=success'
> [ 15.712466] audit: type=1131 audit(1573562456.604:61): pid=1 uid=0
> auid=4294967295 ses=4294967295 subj=system_u:system_r:systemd_t:s0
> msg='unit=systemd-sysctl comm="systemd" exe="/usr/lib/systemd/systemd"
> hostname=? addr=? terminal=? res=success'
> [ 15.720237] audit: type=1131 audit(1573562456.608:62): pid=1 uid=0
> auid=4294967295 ses=4294967295 subj=system_u:system_r:systemd_t:s0
> msg='unit=systemd-modules-load comm="systemd"
> exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=?
> res=success'
> [ 15.726141] audit: type=1131 audit(1573562456.616:63): pid=1 uid=0
> auid=4294967295 ses=4294967295 subj=system_u:system_r:systemd_t:s0
> msg='unit=systemd-tmpfiles-setup-dev comm="systemd"
> exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=?
> res=success'
> [ 15.731848] audit: type=1131 audit(1573562456.624:64): pid=1 uid=0
> auid=4294967295 ses=4294967295 subj=system_u:system_r:systemd_t:s0
> msg='unit=systemd-sysusers comm="systemd"
> exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=?
> res=success'
> [ 15.737084] audit: type=1131 audit(1573562456.628:65): pid=1 uid=0
> auid=4294967295 ses=4294967295 subj=system_u:system_r:systemd_t:s0
> msg='unit=systemd-remount-fs comm="systemd"
> exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=?
> res=success'
> [ 15.745161] audit: type=1130 audit(1573562456.632:66): pid=1 uid=0
> auid=4294967295 ses=4294967295 subj=system_u:system_r:systemd_t:s0
> msg='unit=systemd-poweroff comm="systemd"
> exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=?
> res=success'
> [ 15.866146] systemd-shutdown[1]: Syncing filesystems and block devices.
> [ 15.948678] systemd-shutdown[1]: Sending SIGTERM to remaining processes...
> [ 15.998582] systemd-journald[263]: Received SIGTERM from PID 1
> (systemd-shutdow).
> [ 16.103917] systemd-shutdown[1]: Sending SIGKILL to remaining processes...
> [ 16.113594] systemd-shutdown[1]: Unmounting file systems.
> [ 16.116468] [484]: Remounting '/' read-only in with options
> 'seclabel,errors=remount-ro'.
> [ 16.119280] [484]: Failed to remount '/' read-only: Permission denied
> [ 16.121390] systemd-shutdown[1]: Not all file systems unmounted, 1 left.
> [ 16.122819] systemd-shutdown[1]: Deactivating swaps.
> [ 16.124065] systemd-shutdown[1]: All swaps deactivated.
> [ 16.125264] systemd-shutdown[1]: Detaching loop devices.
> [ 16.126533] systemd-shutdown[1]: All loop devices detached.
> [ 16.129193] systemd-shutdown[1]: Detaching DM devices.
> [ 16.130386] systemd-shutdown[1]: All DM devices detached.
> [ 16.131646] systemd-shutdown[1]: Unmounting file systems.
> [ 16.133535] [485]: Remounting '/' read-only in with options
> 'seclabel,errors=remount-ro'.
> [ 16.134932] [485]: Failed to remount '/' read-only: Permission denied
> [ 16.136708] systemd-shutdown[1]: Not all file systems unmounted, 1 left.
> [ 16.137917] systemd-shutdown[1]: Cannot finalize remaining file
> systems, continuing.
> [ 16.140467] systemd-shutdown[1]: Failed to finalize file systems, ignoring
> [ 16.142078] systemd-shutdown[1]: Syncing filesystems and block devices.
> [ 16.159309] systemd-shutdown[1]: Powering off.
> [ 16.160685] systemd-shutdown[1]: Failed to invoke reboot():
> Operation not permitted
> [ 16.162408] systemd-shutdown[1]: Critical error while doing system
> shutdown: Operation not permitted
>
* Re: How to see SELinux denials late at shutdown
From: Stephen Smalley @ 2019-11-12 16:49 UTC (permalink / raw)
To: Christian Göttsche, selinux
On 11/12/19 11:40 AM, Stephen Smalley wrote:
> On 11/12/19 8:08 AM, Christian Göttsche wrote:
>> While trying to confine systemd-shutdown, I am unable to see any
>> SELinux denials late at shutdown.
>> I tested on Debian sid with systemd 242/243 and Linux 4.19.67-2/5.3.9-1.
>> The command line is: `BOOT_IMAGE=/boot/vmlinuz-5.3.0-2-amd64
>> root=UUID=0a22bd66-a082-4b76-b96b-ca5cff3ffdf6 ro security=selinux
>> console=ttyS0 console=tty0 log_buf_len=1M printk.devkmsg=on`.
>> When running poweroff or reboot, systemd-shutdown stalls but no denial
>> is printed.
>> With a script like [1] dmesg does not print any information.
>> In permissive mode the system powers off/reboots, but no denials are
>> printed.
>> Trying to stop auditd/systemd-journald beforehand does not help.
>>
>> Does the kernel itself shut down the ring buffer, or can systemd
>> interfere somehow?
>
> systemd could be setting the console loglevel
> (SYSLOG_ACTION_CONSOLE_LEVEL) or disabling console logging altogether
> (SYSLOG_ACTION_CONSOLE_OFF). Not sure why it would however.
>
> Android had a nice facility for capturing kernel log messages after a
> reboot, originally via /proc/last_kmsg and later via
> /sys/fs/pstore/console-ramoops, but I don't think the Linux distros
> provide any equivalent.
I've seen lossage of SELinux avc denials due to the printk or audit
ratelimits in the past, FWIW, but you are supposed to then get a notice
that there were lost records...
>
>>
>>
>>
>> [1]:
>> https://freedesktop.org/wiki/Software/systemd/Debugging/#shutdowncompleteseventually
>>
>>
>> Shutdown log from serial console:
>>
>> Debian GNU/Linux bullseye/sid debian-test ttyS0
>>
>> debian-test login: [ 15.644442] audit: type=1305
>> audit(1573562456.536:57): audit_pid=0 old=394 auid=4294967295
>> ses=4294967295 subj=system_u:system_r:auditd_t:s0 res=1
>> [ 15.649464] audit: type=1131 audit(1573562456.540:58): pid=1 uid=0
>> auid=4294967295 ses=4294967295 subj=system_u:system_r:systemd_t:s0
>> msg='unit=auditd comm="systemd" exe="/usr/lib/systemd/systemd"
>> hostname=? addr=? terminal=? res=success'
>> [ 15.656430] audit: type=1131 audit(1573562456.548:59): pid=1 uid=0
>> auid=4294967295 ses=4294967295 subj=system_u:system_r:systemd_t:s0
>> msg='unit=systemd-tmpfiles-setup comm="systemd"
>> exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=?
>> res=success'
>> [ 15.701848] audit: type=1131 audit(1573562456.592:60): pid=1 uid=0
>> auid=4294967295 ses=4294967295 subj=system_u:system_r:systemd_t:s0
>> msg='unit=ifup@enp0s3 comm="systemd" exe="/usr/lib/systemd/systemd"
>> hostname=? addr=? terminal=? res=success'
>> [ 15.712466] audit: type=1131 audit(1573562456.604:61): pid=1 uid=0
>> auid=4294967295 ses=4294967295 subj=system_u:system_r:systemd_t:s0
>> msg='unit=systemd-sysctl comm="systemd" exe="/usr/lib/systemd/systemd"
>> hostname=? addr=? terminal=? res=success'
>> [ 15.720237] audit: type=1131 audit(1573562456.608:62): pid=1 uid=0
>> auid=4294967295 ses=4294967295 subj=system_u:system_r:systemd_t:s0
>> msg='unit=systemd-modules-load comm="systemd"
>> exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=?
>> res=success'
>> [ 15.726141] audit: type=1131 audit(1573562456.616:63): pid=1 uid=0
>> auid=4294967295 ses=4294967295 subj=system_u:system_r:systemd_t:s0
>> msg='unit=systemd-tmpfiles-setup-dev comm="systemd"
>> exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=?
>> res=success'
>> [ 15.731848] audit: type=1131 audit(1573562456.624:64): pid=1 uid=0
>> auid=4294967295 ses=4294967295 subj=system_u:system_r:systemd_t:s0
>> msg='unit=systemd-sysusers comm="systemd"
>> exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=?
>> res=success'
>> [ 15.737084] audit: type=1131 audit(1573562456.628:65): pid=1 uid=0
>> auid=4294967295 ses=4294967295 subj=system_u:system_r:systemd_t:s0
>> msg='unit=systemd-remount-fs comm="systemd"
>> exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=?
>> res=success'
>> [ 15.745161] audit: type=1130 audit(1573562456.632:66): pid=1 uid=0
>> auid=4294967295 ses=4294967295 subj=system_u:system_r:systemd_t:s0
>> msg='unit=systemd-poweroff comm="systemd"
>> exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=?
>> res=success'
>> [ 15.866146] systemd-shutdown[1]: Syncing filesystems and block
>> devices.
>> [ 15.948678] systemd-shutdown[1]: Sending SIGTERM to remaining
>> processes...
>> [ 15.998582] systemd-journald[263]: Received SIGTERM from PID 1
>> (systemd-shutdow).
>> [ 16.103917] systemd-shutdown[1]: Sending SIGKILL to remaining
>> processes...
>> [ 16.113594] systemd-shutdown[1]: Unmounting file systems.
>> [ 16.116468] [484]: Remounting '/' read-only in with options
>> 'seclabel,errors=remount-ro'.
>> [ 16.119280] [484]: Failed to remount '/' read-only: Permission denied
>> [ 16.121390] systemd-shutdown[1]: Not all file systems unmounted, 1
>> left.
>> [ 16.122819] systemd-shutdown[1]: Deactivating swaps.
>> [ 16.124065] systemd-shutdown[1]: All swaps deactivated.
>> [ 16.125264] systemd-shutdown[1]: Detaching loop devices.
>> [ 16.126533] systemd-shutdown[1]: All loop devices detached.
>> [ 16.129193] systemd-shutdown[1]: Detaching DM devices.
>> [ 16.130386] systemd-shutdown[1]: All DM devices detached.
>> [ 16.131646] systemd-shutdown[1]: Unmounting file systems.
>> [ 16.133535] [485]: Remounting '/' read-only in with options
>> 'seclabel,errors=remount-ro'.
>> [ 16.134932] [485]: Failed to remount '/' read-only: Permission denied
>> [ 16.136708] systemd-shutdown[1]: Not all file systems unmounted, 1
>> left.
>> [ 16.137917] systemd-shutdown[1]: Cannot finalize remaining file
>> systems, continuing.
>> [ 16.140467] systemd-shutdown[1]: Failed to finalize file systems,
>> ignoring
>> [ 16.142078] systemd-shutdown[1]: Syncing filesystems and block
>> devices.
>> [ 16.159309] systemd-shutdown[1]: Powering off.
>> [ 16.160685] systemd-shutdown[1]: Failed to invoke reboot():
>> Operation not permitted
>> [ 16.162408] systemd-shutdown[1]: Critical error while doing system
>> shutdown: Operation not permitted
>>
>
* Re: How to see SELinux denials late at shutdown
From: Paul Moore @ 2019-11-12 23:14 UTC (permalink / raw)
To: Stephen Smalley; +Cc: Christian Göttsche, selinux
On Tue, Nov 12, 2019 at 11:49 AM Stephen Smalley <sds@tycho.nsa.gov> wrote:
>
> On 11/12/19 11:40 AM, Stephen Smalley wrote:
> > On 11/12/19 8:08 AM, Christian Göttsche wrote:
> >> While trying to confine systemd-shutdown, I am unable to see any
> >> SELinux denials late at shutdown.
> >> I tested on Debian sid with systemd 242/243 and Linux 4.19.67-2/5.3.9-1.
> >> The command line is: `BOOT_IMAGE=/boot/vmlinuz-5.3.0-2-amd64
> >> root=UUID=0a22bd66-a082-4b76-b96b-ca5cff3ffdf6 ro security=selinux
> >> console=ttyS0 console=tty0 log_buf_len=1M printk.devkmsg=on`.
> >> When running poweroff or reboot, systemd-shutdown stalls but no denial
> >> is printed.
> >> With a script like [1] dmesg does not print any information.
> >> In permissive mode the system powers off/reboots, but no denials are
> >> printed.
> >> Trying to stop auditd/systemd-journald beforehand does not help.
> >>
> >> Does the kernel itself shut down the ring buffer, or can systemd
> >> interfere somehow?
> >
> > systemd could be setting the console loglevel
> > (SYSLOG_ACTION_CONSOLE_LEVEL) or disabling console logging altogether
> > (SYSLOG_ACTION_CONSOLE_OFF). Not sure why it would however.
> >
> > Android had a nice facility for capturing kernel log messages after a
> > reboot, originally via /proc/last_kmsg and later via
> > /sys/fs/pstore/console-ramoops, but I don't think the Linux distros
> > provide any equivalent.
>
> I've seen lossage of SELinux avc denials due to the printk or audit
> ratelimits in the past, FWIW, but you are supposed to then get a notice
> that there were lost records...
In this particular case I suppose it is also possible that the audit
records are stuck in the kernel audit queue and aren't fully flushed
before the system halts/reboots.
--
paul moore
www.paul-moore.com
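Stephen's console-loglevel theory and Paul's stuck-queue theory can both be checked from userspace before running the shutdown test. The script below is an added example written for this page, not code from the thread, from systemd or from the kernel. It parses the contents of /proc/sys/kernel/printk and the output of `auditctl -s` (both interfaces exist; the sample text embedded here is constructed) and reports which of the two explanations applies. The KERN_NOTICE level is the one the kernel uses when it falls back to printk for audit records because no audit daemon is attached; that fallback is also where the printk ratelimit Stephen mentions applies.

```python
"""Pre-shutdown checks: why might kernel audit/AVC messages not reach the console?

Two explanations from the thread can be tested before triggering poweroff:
  * the console loglevel filters them out (SYSLOG_ACTION_CONSOLE_LEVEL, or the
    first field of /proc/sys/kernel/printk; SYSLOG_ACTION_CONSOLE_OFF lowers it
    to minimum_console_loglevel), or
  * records are still queued in the kernel audit backlog, or were already
    dropped by a rate limit, when the system halts (visible in `auditctl -s`).

All inputs below are constructed sample text. On a real host, feed
open('/proc/sys/kernel/printk').read() and the output of `auditctl -s`.
"""

# Audit records that no audit daemon picks up are printed by the kernel via
# printk at KERN_NOTICE (numeric level 5), subject to the printk ratelimit.
KERN_NOTICE = 5


def parse_printk(text):
    """Parse the four fields of /proc/sys/kernel/printk into a dict."""
    fields = text.split()
    if len(fields) != 4:
        raise ValueError("expected 4 fields in printk sysctl, got %r" % text)
    names = ("console_loglevel", "default_message_loglevel",
             "minimum_console_loglevel", "default_console_loglevel")
    return dict(zip(names, (int(f) for f in fields)))


def reaches_console(level, printk):
    """printk emits a message to the console only when its level is strictly
    lower than console_loglevel."""
    return level < printk["console_loglevel"]


def parse_audit_status(text):
    """Parse `auditctl -s` style 'key value' lines; numeric values become ints."""
    status = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 2:
            continue
        try:
            status[parts[0]] = int(parts[1])
        except ValueError:
            status[parts[0]] = parts[1]
    return status


def diagnose(printk_text, audit_status_text):
    """Return a list of (code, explanation) findings; an empty list means
    neither the loglevel nor the audit queue obviously explains missing output."""
    printk = parse_printk(printk_text)
    status = parse_audit_status(audit_status_text)
    findings = []

    # No auditd attached (pid 0): records go to printk at KERN_NOTICE.
    if status.get("pid", 0) == 0 and not reaches_console(KERN_NOTICE, printk):
        findings.append(("console_loglevel",
            "no auditd attached, so records go to printk at KERN_NOTICE, but "
            "console_loglevel=%d hides them; raise it (write 8 to "
            "/proc/sys/kernel/printk) before testing" % printk["console_loglevel"]))
    if status.get("backlog", 0) > 0:
        findings.append(("backlog",
            "%d records still queued in the kernel audit backlog; they may never "
            "be flushed if the system halts first" % status["backlog"]))
    if status.get("lost", 0) > 0:
        findings.append(("lost",
            "%d records already dropped (rate limit or full backlog); the denial "
            "may be among them" % status["lost"]))
    if status.get("rate_limit", 0) > 0:
        findings.append(("rate_limit",
            "audit rate_limit=%d is active and can drop bursts of denials"
            % status["rate_limit"]))
    return findings


# Constructed sample inputs (not captured from the machine in the thread).
SAMPLE_PRINTK_QUIET = "4\t4\t1\t7\n"    # the console level a 'quiet' boot leaves behind
SAMPLE_PRINTK_DEFAULT = "7\t4\t1\t7\n"
SAMPLE_AUDIT_STATUS = """enabled 1
failure 1
pid 0
rate_limit 0
backlog_limit 8192
lost 0
backlog 3
"""

if __name__ == "__main__":
    for code, why in diagnose(SAMPLE_PRINTK_QUIET, SAMPLE_AUDIT_STATUS):
        print("%-16s %s" % (code, why))
```

With the constructed inputs the quiet-console case reports both the hidden loglevel and the three queued records, while the default console level leaves only the backlog finding; on a real box, running it from a late shutdown hook (the kind of script [1] describes) gives a snapshot of both conditions right before the reboot() call.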
* Re: How to see SELinux denials late at shutdown
From: Christian Göttsche @ 2020-02-25 19:20 UTC (permalink / raw)
To: selinux
> On 11/12/19 8:08 AM, Christian Göttsche wrote:
> While trying to confine systemd-shutdown, I am unable to see any
> SELinux denials late at shutdown.
> I tested on Debian sid with systemd 242/243 and Linux 4.19.67-2/5.3.9-1.
> The command line is: `BOOT_IMAGE=/boot/vmlinuz-5.3.0-2-amd64
> root=UUID=0a22bd66-a082-4b76-b96b-ca5cff3ffdf6 ro security=selinux
> console=ttyS0 console=tty0 log_buf_len=1M printk.devkmsg=on`.
> When running poweroff or reboot, systemd-shutdown stalls but no denial
> is printed.
> With a script like [1] dmesg does not print any information.
> In permissive mode the system powers off/reboots, but no denials are
> printed.
> Trying to stop auditd/systemd-journald beforehand does not help.
>
> Does the kernel itself shut down the ring buffer, or can systemd
> interfere somehow?
For the record:
With a custom kernel I was able to retrieve the denials and confine
systemd-shutdown.
---
security/selinux/avc.c | 58 ++++++++++++++++++++++++++++++++++++++++++
1 file changed, 58 insertions(+)
diff --git a/security/selinux/avc.c b/security/selinux/avc.c
index d18cb32a242a..26c440f022ce 100644
--- a/security/selinux/avc.c
+++ b/security/selinux/avc.c
@@ -751,6 +751,62 @@ static void avc_audit_post_callback(struct
audit_buffer *ab, void *a)
}
}
+static void dump_avc_to_console(const struct selinux_audit_data *sad)
+{
+ u32 av = sad->audited;
+ char perm_str[128];
+ const char **perms;
+ int i, perm;
+ char *scontext = NULL, *tcontext = NULL;
+ u32 context_len;
+
+ if (av == 0) {
+ snprintf(perm_str, sizeof(perm_str), " null");
+ } else {
+ perms = secclass_map[sad->tclass-1].perms;
+
+ snprintf(perm_str, sizeof(perm_str), " {");
+
+ i = 0;
+ perm = 1;
+
+ while (i < (sizeof(av) * 8)) {
+ if ((perm & av) && perms[i]) {
+ strncat(perm_str, " ",
+ sizeof(perm_str) - strlen(perm_str)
+ - 1);
+ strncat(perm_str, perms[i],
+ sizeof(perm_str) - strlen(perm_str)
+ - 1);
+ av &= ~perm;
+ }
+ i++;
+ perm <<= 1;
+ }
+
+ if (av)
+ strncat(perm_str, " UNKNOWN",
+ sizeof(perm_str) - strlen(perm_str) - 1);
+
+ strncat(perm_str, " }", sizeof(perm_str) - strlen(perm_str)
+ - 1);
+ }
+
+ security_sid_to_context(sad->state, sad->ssid, &scontext, &context_len);
+ security_sid_to_context(sad->state, sad->tsid, &tcontext, &context_len);
+
+ pr_warn("SELinux avc: %s %s for scontext=%s tcontext=%s tclass=%s
permissive=%d\n",
+ sad->denied ? "denied" : "granted",
+ perm_str,
+ scontext ? scontext : "KERNEL SID",
+ tcontext ? tcontext : "KERNEL SID",
+ secclass_map[sad->tclass-1].name,
+ sad->denied ? (sad->result ? 0 : 1) : -1);
+
+ kfree(scontext);
+ kfree(tcontext);
+}
+
/* This is the slow part of avc audit with big stack footprint */
noinline int slow_avc_audit(struct selinux_state *state,
u32 ssid, u32 tsid, u16 tclass,
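Review bot: the two security_sid_to_context() calls in dump_avc_to_console() ignore their return value, so a failed lookup leaves scontext/tcontext NULL and the console line then reports "KERNEL SID" for what is really an error; checking the return code and printing the numeric ssid/tsid in that case would keep the two situations apart. A smaller point in the same function: perm_str is a fixed 128-byte buffer, and while the strncat bounds rule out an overflow, a class with many audited permissions is silently truncated, so sizing the buffer for the largest permission list (or reusing the existing avc permission-dumping code rather than reimplementing the bit walk here) would be safer.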
@@ -779,6 +835,8 @@ noinline int slow_avc_audit(struct selinux_state *state,
a->selinux_audit_data = &sad;
+ dump_avc_to_console(&sad);
+
common_lsm_audit(a, avc_audit_pre_callback, avc_audit_post_callback);
return 0;
}
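Review bot: dump_avc_to_console(&sad) runs unconditionally for every audited access, granted as well as denied, and in addition to the regular common_lsm_audit() record, so with an unratelimited pr_warn a busy system would log each audited event twice. For a local debugging build that is acceptable, but anything intended for a wider audience needs a switch (a Kconfig option, a boot parameter or an selinuxfs toggle) and should probably be limited to denials, i.e. `if (sad.denied) dump_avc_to_console(&sad);`.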
--
2.25.1