* newrole: pam_systemd fails after dbus message rejection
@ 2017-04-05 13:11 cgzones
From: cgzones @ 2017-04-05 13:11 UTC (permalink / raw)
  To: selinux

Hi list,
when switching context with `newrole` I am getting the following error
message, although the session is successfully created and works fine:

Apr 05 14:59:25 debianserver dbus[357]: [system] Rejected send
message, 2 matched rules; type="method_call", sender=":1.7" (uid=1000
pid=2428 comm="newrole -r sysadm_r ")
interface="org.freedesktop.login1.Manager" member="CreateSession"
Apr 05 14:59:25 debianserver newrole[2428]:
pam_systemd(newrole:session): Failed to create session: Access denied

Is this a dbus or pam_systemd problem?

The issue is present with and without the dbus-send_policynote patch[1].

Best regards,
      Christian Göttsche


[1] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=857660


Verbose output without dontaudit rules active:

Apr 05 14:59:21 debianserver audit[2424]: AVC avc:  denied  {
rlimitinh } for  pid=2424 comm="newrole"
scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023
tcontext=staff_u:staff_r:newrole_t:s0-s0:c0.c1023 tclass=process
permissive=0
Apr 05 14:59:21 debianserver audit[2424]: AVC avc:  denied  { siginh }
for  pid=2424 comm="newrole"
scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023
tcontext=staff_u:staff_r:newrole_t:s0-s0:c0.c1023 tclass=process
permissive=0
Apr 05 14:59:21 debianserver audit[2424]: SYSCALL arch=c000003e
syscall=59 success=yes exit=0 a0=92c1a8 a1=91d108 a2=a01008 a3=59a
items=2 ppid=2415 pid=2424 auid=1000 uid=1000 gid=1000 euid=1000
suid=1000 fsuid=1000 egid=1000 sgid=1000
Apr 05 14:59:21 debianserver audit: BPRM_FCAPS fver=2
fp=000000002020010f fi=0000000000000000 fe=1 old_pp=0000000000000000
old_pi=0000000000000000 old_pe=0000000000000000
new_pp=000000002020010f new_pi=0000000000000000 new_pe=00000000202
Apr 05 14:59:21 debianserver audit: EXECVE argc=3 a0="newrole" a1="-r"
a2="sysadm_r"
Apr 05 14:59:21 debianserver audit: CWD cwd="/home/debianuser"
Apr 05 14:59:21 debianserver audit: PATH item=0
name="/usr/bin/newrole" inode=155812 dev=08:01 mode=0100755 ouid=0
ogid=0 rdev=00:00 obj=system_u:object_r:newrole_exec_t:s0
nametype=NORMAL cap_fp=000000002020010f cap_fe=1 cap_fver=2
Apr 05 14:59:21 debianserver audit: PATH item=1
name="/lib64/ld-linux-x86-64.so.2" inode=132140 dev=08:01 mode=0100755
ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:ld_so_t:s0
nametype=NORMAL
Apr 05 14:59:21 debianserver audit: PROCTITLE
proctitle=6E6577726F6C65002D720073797361646D5F72
Apr 05 14:59:21 debianserver audit[2424]: AVC avc:  denied  { read }
for  pid=2424 comm="newrole" name="shadow" dev="sda1" ino=152257
scontext=staff_u:staff_r:newrole_t:s0-s0:c0.c1023
tcontext=system_u:object_r:shadow_t:s0 tclass=file pe
Apr 05 14:59:21 debianserver audit[2424]: SYSCALL arch=c000003e
syscall=2 success=no exit=-13 a0=7f9037b667f1 a1=80000 a2=1b6 a3=80000
items=1 ppid=2415 pid=2424 auid=1000 uid=1000 gid=1000 euid=1000
suid=1000 fsuid=1000 egid=1000 sgid=1
Apr 05 14:59:21 debianserver audit: CWD cwd="/home/debianuser"
Apr 05 14:59:21 debianserver audit: PATH item=0 name="/etc/shadow"
inode=152257 dev=08:01 mode=0100640 ouid=0 ogid=42 rdev=00:00
obj=system_u:object_r:shadow_t:s0 nametype=NORMAL
Apr 05 14:59:21 debianserver audit: PROCTITLE
proctitle=6E6577726F6C65002D720073797361646D5F72
Apr 05 14:59:21 debianserver audit[2425]: AVC avc:  denied  {
rlimitinh } for  pid=2425 comm="unix_chkpwd"
scontext=staff_u:staff_r:newrole_t:s0-s0:c0.c1023
tcontext=staff_u:staff_r:chkpwd_t:s0-s0:c0.c1023 tclass=process
permissive=0
Apr 05 14:59:21 debianserver audit[2425]: AVC avc:  denied  { siginh }
for  pid=2425 comm="unix_chkpwd"
scontext=staff_u:staff_r:newrole_t:s0-s0:c0.c1023
tcontext=staff_u:staff_r:chkpwd_t:s0-s0:c0.c1023 tclass=process
permissive=0
Apr 05 14:59:21 debianserver audit[2425]: SYSCALL arch=c000003e
syscall=59 success=yes exit=0 a0=7f903731ac0d a1=7ffffabf2000
a2=7f90375223c0 a3=7f903941bfc0 items=2 ppid=2424 pid=2425 auid=1000
uid=1000 gid=1000 euid=1000 suid=1000 fsui
Apr 05 14:59:21 debianserver audit: EXECVE argc=3
a0="/sbin/unix_chkpwd" a1="debianuser" a2="nullok"
Apr 05 14:59:21 debianserver audit: CWD cwd="/home/debianuser"
Apr 05 14:59:21 debianserver audit: PATH item=0
name="/sbin/unix_chkpwd" inode=627 dev=08:01 mode=0102755 ouid=0
ogid=42 rdev=00:00 obj=system_u:object_r:chkpwd_exec_t:s0
nametype=NORMAL
Apr 05 14:59:21 debianserver audit: PATH item=1
name="/lib64/ld-linux-x86-64.so.2" inode=132140 dev=08:01 mode=0100755
ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:ld_so_t:s0
nametype=NORMAL
Apr 05 14:59:21 debianserver audit: PROCTITLE
proctitle=2F7362696E2F756E69785F63686B7077640064656269616E75736572006E756C6C6F6B
Apr 05 14:59:25 debianserver audit[2424]: AVC avc:  denied  { read }
for  pid=2424 comm="newrole" name="shadow" dev="sda1" ino=152257
scontext=staff_u:staff_r:newrole_t:s0-s0:c0.c1023
tcontext=system_u:object_r:shadow_t:s0 tclass=file pe
Apr 05 14:59:25 debianserver audit[2424]: SYSCALL arch=c000003e
syscall=2 success=no exit=-13 a0=7f9037b667f1 a1=80000 a2=1b6 a3=80000
items=1 ppid=2415 pid=2424 auid=1000 uid=1000 gid=1000 euid=1000
suid=1000 fsuid=1000 egid=1000 sgid=1
Apr 05 14:59:25 debianserver audit: CWD cwd="/home/debianuser"
Apr 05 14:59:25 debianserver audit: PATH item=0 name="/etc/shadow"
inode=152257 dev=08:01 mode=0100640 ouid=0 ogid=42 rdev=00:00
obj=system_u:object_r:shadow_t:s0 nametype=NORMAL
Apr 05 14:59:25 debianserver audit: PROCTITLE
proctitle=6E6577726F6C65002D720073797361646D5F72
Apr 05 14:59:25 debianserver audit[2426]: AVC avc:  denied  {
rlimitinh } for  pid=2426 comm="unix_chkpwd"
scontext=staff_u:staff_r:newrole_t:s0-s0:c0.c1023
tcontext=staff_u:staff_r:chkpwd_t:s0-s0:c0.c1023 tclass=process
permissive=0
Apr 05 14:59:25 debianserver audit[2426]: AVC avc:  denied  { siginh }
for  pid=2426 comm="unix_chkpwd"
scontext=staff_u:staff_r:newrole_t:s0-s0:c0.c1023
tcontext=staff_u:staff_r:chkpwd_t:s0-s0:c0.c1023 tclass=process
permissive=0
Apr 05 14:59:25 debianserver audit[2426]: SYSCALL arch=c000003e
syscall=59 success=yes exit=0 a0=7f903731ac0d a1=7ffffabf1fc0
a2=7f90375223c0 a3=7f903941bfc0 items=2 ppid=2424 pid=2426 auid=1000
uid=1000 gid=1000 euid=1000 suid=1000 fsui
Apr 05 14:59:25 debianserver audit: EXECVE argc=3
a0="/sbin/unix_chkpwd" a1="debianuser" a2="nullok"
Apr 05 14:59:25 debianserver audit: CWD cwd="/home/debianuser"
Apr 05 14:59:25 debianserver audit: PATH item=0
name="/sbin/unix_chkpwd" inode=627 dev=08:01 mode=0102755 ouid=0
ogid=42 rdev=00:00 obj=system_u:object_r:chkpwd_exec_t:s0
nametype=NORMAL
Apr 05 14:59:25 debianserver audit: PATH item=1
name="/lib64/ld-linux-x86-64.so.2" inode=132140 dev=08:01 mode=0100755
ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:ld_so_t:s0
nametype=NORMAL
Apr 05 14:59:25 debianserver audit: PROCTITLE
proctitle=2F7362696E2F756E69785F63686B7077640064656269616E75736572006E756C6C6F6B
Apr 05 14:59:25 debianserver audit[2424]: USER_AUTH pid=2424 uid=1000
auid=1000 ses=5 subj=staff_u:staff_r:newrole_t:s0-s0:c0.c1023
msg='op=PAM:authentication acct="debianuser" exe="/usr/bin/newrole"
hostname=? addr=? terminal=pts/1 res=
Apr 05 14:59:25 debianserver audit[2424]: AVC avc:  denied  { read }
for  pid=2424 comm="newrole" name="shadow" dev="sda1" ino=152257
scontext=staff_u:staff_r:newrole_t:s0-s0:c0.c1023
tcontext=system_u:object_r:shadow_t:s0 tclass=file pe
Apr 05 14:59:25 debianserver audit[2424]: SYSCALL arch=c000003e
syscall=2 success=no exit=-13 a0=7f9037b667f1 a1=80000 a2=1b6 a3=80000
items=1 ppid=2415 pid=2424 auid=1000 uid=1000 gid=1000 euid=1000
suid=1000 fsuid=1000 egid=1000 sgid=1
Apr 05 14:59:25 debianserver audit: CWD cwd="/home/debianuser"
Apr 05 14:59:25 debianserver audit: PATH item=0 name="/etc/shadow"
inode=152257 dev=08:01 mode=0100640 ouid=0 ogid=42 rdev=00:00
obj=system_u:object_r:shadow_t:s0 nametype=NORMAL
Apr 05 14:59:25 debianserver audit: PROCTITLE
proctitle=6E6577726F6C65002D720073797361646D5F72
Apr 05 14:59:25 debianserver audit[2427]: AVC avc:  denied  {
rlimitinh } for  pid=2427 comm="unix_chkpwd"
scontext=staff_u:staff_r:newrole_t:s0-s0:c0.c1023
tcontext=staff_u:staff_r:chkpwd_t:s0-s0:c0.c1023 tclass=process
permissive=0
Apr 05 14:59:25 debianserver audit[2427]: AVC avc:  denied  { siginh }
for  pid=2427 comm="unix_chkpwd"
scontext=staff_u:staff_r:newrole_t:s0-s0:c0.c1023
tcontext=staff_u:staff_r:chkpwd_t:s0-s0:c0.c1023 tclass=process
permissive=0
Apr 05 14:59:25 debianserver audit[2427]: SYSCALL arch=c000003e
syscall=59 success=yes exit=0 a0=7f903731ac0d a1=7ffffabf1f10
a2=7f903751e388 a3=7f9037f81260 items=2 ppid=2424 pid=2427 auid=1000
uid=1000 gid=1000 euid=1000 suid=1000 fsui
Apr 05 14:59:25 debianserver audit: EXECVE argc=3
a0="/sbin/unix_chkpwd" a1="debianuser" a2="chkexpiry"
Apr 05 14:59:25 debianserver audit: CWD cwd="/home/debianuser"
Apr 05 14:59:25 debianserver audit: PATH item=0
name="/sbin/unix_chkpwd" inode=627 dev=08:01 mode=0102755 ouid=0
ogid=42 rdev=00:00 obj=system_u:object_r:chkpwd_exec_t:s0
nametype=NORMAL
Apr 05 14:59:25 debianserver audit: PATH item=1
name="/lib64/ld-linux-x86-64.so.2" inode=132140 dev=08:01 mode=0100755
ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:ld_so_t:s0
nametype=NORMAL
Apr 05 14:59:25 debianserver audit: PROCTITLE
proctitle=2F7362696E2F756E69785F63686B7077640064656269616E757365720063686B657870697279
Apr 05 14:59:25 debianserver audit[2424]: USER_ACCT pid=2424 uid=1000
auid=1000 ses=5 subj=staff_u:staff_r:newrole_t:s0-s0:c0.c1023
msg='op=PAM:accounting acct="debianuser" exe="/usr/bin/newrole"
hostname=? addr=? terminal=pts/1 res=succ
Apr 05 14:59:25 debianserver newrole[2428]: pam_unix(newrole:session):
session opened for user debianuser by debianuser(uid=1000)
Apr 05 14:59:25 debianserver audit[2428]: USER_START pid=2428 uid=1000
auid=1000 ses=5 subj=staff_u:staff_r:newrole_t:s0-s0:c0.c1023
msg='op=PAM:session_open acct="debianuser" exe="/usr/bin/newrole"
hostname=? addr=? terminal=pts/1 res=s
Apr 05 14:59:25 debianserver audit[2428]: USER_ROLE_CHANGE pid=2428
uid=1000 auid=1000 ses=5 subj=staff_u:staff_r:newrole_t:s0-s0:c0.c1023
msg='newrole: old-context=staff_u:staff_r:staff_t:s0-s0:c0.c1023
new-context=staff_u:sysadm_r:sysa
Apr 05 14:59:25 debianserver dbus[357]: [system] Rejected send
message, 2 matched rules; type="method_call", sender=":1.7" (uid=1000
pid=2428 comm="newrole -r sysadm_r ")
interface="org.freedesktop.login1.Manager" member="CreateSession"
Apr 05 14:59:25 debianserver newrole[2428]:
pam_systemd(newrole:session): Failed to create session: Access denied
Apr 05 14:59:25 debianserver audit[2428]: AVC avc:  denied  {
rlimitinh } for  pid=2428 comm="bash"
scontext=staff_u:staff_r:newrole_t:s0-s0:c0.c1023
tcontext=staff_u:sysadm_r:sysadm_t:s0-s0:c0.c1023 tclass=process
permissive=0
Apr 05 14:59:25 debianserver audit[2428]: AVC avc:  denied  { siginh }
for  pid=2428 comm="bash"
scontext=staff_u:staff_r:newrole_t:s0-s0:c0.c1023
tcontext=staff_u:sysadm_r:sysadm_t:s0-s0:c0.c1023 tclass=process
permissive=0
Apr 05 14:59:25 debianserver audit[2428]: AVC avc:  denied  {
noatsecure } for  pid=2428 comm="bash"
scontext=staff_u:staff_r:newrole_t:s0-s0:c0.c1023
tcontext=staff_u:sysadm_r:sysadm_t:s0-s0:c0.c1023 tclass=process
permissive=0
Apr 05 14:59:25 debianserver audit[2428]: SYSCALL arch=c000003e
syscall=59 success=yes exit=0 a0=55aa5e4bca00 a1=7ffffabf2588
a2=55aa5e4ba300 a3=7f903847db01 items=2 ppid=2424 pid=2428 auid=1000
uid=1000 gid=1000 euid=1000 suid=1000 fsui
Apr 05 14:59:25 debianserver audit: EXECVE argc=1 a0="-/bin/bash"
Apr 05 14:59:25 debianserver audit: CWD cwd="/home/debianuser"
Apr 05 14:59:25 debianserver audit: PATH item=0 name="/bin/bash"
inode=4205 dev=08:01 mode=0100755 ouid=0 ogid=0 rdev=00:00
obj=system_u:object_r:shell_exec_t:s0 nametype=NORMAL
Apr 05 14:59:25 debianserver audit: PATH item=1
name="/lib64/ld-linux-x86-64.so.2" inode=132140 dev=08:01 mode=0100755
ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:ld_so_t:s0
nametype=NORMAL
Apr 05 14:59:25 debianserver audit: PROCTITLE proctitle="-/bin/bash"


* Re: newrole: pam_systemd fails after dbus message rejection
@ 2017-04-05 15:11 ` Stephen Smalley
From: Stephen Smalley @ 2017-04-05 15:11 UTC (permalink / raw)
  To: cgzones, selinux

On Wed, 2017-04-05 at 15:11 +0200, cgzones wrote:
> Hi list,
> when switching context with `newrole` I am getting the following error
> message, although the session is successfully created and works fine:
> 
> Apr 05 14:59:25 debianserver dbus[357]: [system] Rejected send
> message, 2 matched rules; type="method_call", sender=":1.7" (uid=1000
> pid=2428 comm="newrole -r sysadm_r ")
> interface="org.freedesktop.login1.Manager" member="CreateSession"
> Apr 05 14:59:25 debianserver newrole[2428]:
> pam_systemd(newrole:session): Failed to create session: Access denied
> 
> Is this a dbus or pam_systemd problem?
> 
> The issue is present with and without the dbus-send_policynote patch[1].

I see the same in Fedora. It isn't a SELinux denial, but rather a dbus
denial based on a file provided by systemd.
/etc/dbus-1/system.d/org.freedesktop.login1.conf only allows user=root to
send any call other than the ones whitelisted under the default context,
and CreateSession is not whitelisted there.  I assume this is because any
other program that creates a session is setuid-root, and newrole is
instead using file capabilities these days? I am not sure what the
correct fix is for this issue, although it does not seem to be fatal as
you say.  It appears that newrole only opens a session to support use
of pam_namespace, and this is not the default pam configuration for
newrole.

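The distinction Stephen draws (a dbus bus-policy rejection rather than an SELinux denial, with newrole carrying file capabilities instead of being setuid-root) can be checked mechanically against the log excerpt. The triage script below is an added example, not code from the thread or from newrole, dbus or systemd; the sample records are constructed by re-joining wrapped lines from the excerpt with their truncated tails dropped, and the set of transition permissions treated as dontaudit noise is taken from the SELinux reference policy, not from this thread.

```python
"""Triage the newrole log excerpt: dbus bus-policy rejection vs. SELinux AVC.
The CreateSession rejection is logged by dbus-daemon and decided by
/etc/dbus-1/system.d/org.freedesktop.login1.conf, so no SELinux allow rule
touches it; AVC records are SELinux decisions; BPRM_FCAPS records show the
file capabilities an exec picked up (newrole here, instead of setuid-root).
"""
import re

# key=value pairs as written by auditd and dbus-daemon; values may be quoted.
KV_RE = re.compile(r'\b(\w+)=(?:"([^"]*)"|(\S+))')
PERMS_RE = re.compile(r"\{\s*([^}]*?)\s*\}")  # the AVC "{ read write }" set
# Transition perms the reference policy dontaudits; visible only with dontaudit off.
TRANSITION_NOISE = {"rlimitinh", "siginh", "noatsecure"}
CAP_NAMES = (  # Linux capability names indexed by bit number (CAP_CHOWN = 0)
    "CAP_CHOWN", "CAP_DAC_OVERRIDE", "CAP_DAC_READ_SEARCH", "CAP_FOWNER",
    "CAP_FSETID", "CAP_KILL", "CAP_SETGID", "CAP_SETUID", "CAP_SETPCAP",
    "CAP_LINUX_IMMUTABLE", "CAP_NET_BIND_SERVICE", "CAP_NET_BROADCAST",
    "CAP_NET_ADMIN", "CAP_NET_RAW", "CAP_IPC_LOCK", "CAP_IPC_OWNER",
    "CAP_SYS_MODULE", "CAP_SYS_RAWIO", "CAP_SYS_CHROOT", "CAP_SYS_PTRACE",
    "CAP_SYS_PACCT", "CAP_SYS_ADMIN", "CAP_SYS_BOOT", "CAP_SYS_NICE",
    "CAP_SYS_RESOURCE", "CAP_SYS_TIME", "CAP_SYS_TTY_CONFIG", "CAP_MKNOD",
    "CAP_LEASE", "CAP_AUDIT_WRITE", "CAP_AUDIT_CONTROL", "CAP_SETFCAP",
    "CAP_MAC_OVERRIDE", "CAP_MAC_ADMIN", "CAP_SYSLOG", "CAP_WAKE_ALARM",
    "CAP_BLOCK_SUSPEND", "CAP_AUDIT_READ",
)


def kv_fields(line):
    """Return the key=value pairs of one record, quotes stripped."""
    return {k: q if q else b for k, q, b in KV_RE.findall(line)}


def decode_caps(hexmask):
    """Names of the capability bits set in an audit fp=/pp= hex mask."""
    mask = int(hexmask, 16)
    return [CAP_NAMES[i] if i < len(CAP_NAMES) else "CAP_%d" % i
            for i in range(mask.bit_length()) if mask >> i & 1]


def classify(line):
    """Map one log line to (kind, details), or None for record types we skip."""
    f = kv_fields(line)
    if "Rejected send message" in line and "interface" in f:
        # dbus-daemon applied its bus policy; the sender's uid, not its
        # SELinux context, is what a <policy user="root"> block keys on.
        return "dbus_policy", {"uid": int(f["uid"]), "comm": f["comm"],
                               "interface": f["interface"], "member": f["member"],
                               "decided_by": "dbus bus policy, not SELinux"}
    if "AVC avc:" in line:
        perms = PERMS_RE.search(line).group(1).split()
        return "avc", {"perms": perms, "comm": f.get("comm"),
                       "scontext": f["scontext"], "tcontext": f["tcontext"],
                       "tclass": f["tclass"],
                       "transition_noise": set(perms) <= TRANSITION_NOISE}
    if "BPRM_FCAPS" in line:
        return "fcaps", {"permitted": decode_caps(f["fp"]), "effective": f["fe"] == "1"}
    return None


def triage(log_text):
    """Bucket every recognised record of a log excerpt by kind."""
    buckets = {"dbus_policy": [], "avc": [], "fcaps": []}
    for line in log_text.splitlines():
        hit = classify(line)
        if hit:
            buckets[hit[0]].append(hit[1])
    return buckets


# Constructed sample: four records from the excerpt, re-joined onto one line each.
SAMPLE_LOG = """\
Apr 05 14:59:21 debianserver audit[2424]: AVC avc:  denied  { rlimitinh } for  pid=2424 comm="newrole" scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tcontext=staff_u:staff_r:newrole_t:s0-s0:c0.c1023 tclass=process permissive=0
Apr 05 14:59:21 debianserver audit: BPRM_FCAPS fver=2 fp=000000002020010f fi=0000000000000000 fe=1 old_pp=0000000000000000 old_pi=0000000000000000 old_pe=0000000000000000 new_pp=000000002020010f
Apr 05 14:59:21 debianserver audit[2424]: AVC avc:  denied  { read } for  pid=2424 comm="newrole" name="shadow" dev="sda1" ino=152257 scontext=staff_u:staff_r:newrole_t:s0-s0:c0.c1023 tcontext=system_u:object_r:shadow_t:s0 tclass=file
Apr 05 14:59:25 debianserver dbus[357]: [system] Rejected send message, 2 matched rules; type="method_call", sender=":1.7" (uid=1000 pid=2428 comm="newrole -r sysadm_r ") interface="org.freedesktop.login1.Manager" member="CreateSession"
"""

if __name__ == "__main__":
    for kind, records in triage(SAMPLE_LOG).items():
        print(kind, *records, sep="\n  ")
```

Run against a full `journalctl -o short` dump, the `dbus_policy` bucket is the one to take to the dbus configuration, while the `avc` bucket with `transition_noise` False is what an SELinux policy change could address.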
