SELinux-Refpolicy Archive on lore.kernel.org
 help / Atom feed
* strange systemd audit message
@ 2019-01-30 13:02 Russell Coker
  2019-01-30 23:42 ` Chris PeBenito
  0 siblings, 1 reply; 3+ messages in thread
From: Russell Coker @ 2019-01-30 13:02 UTC (permalink / raw)
  To: selinux-refpolicy

I'm seeing the following every time I login as sysadm_r, whether it's via /
bin/login or sshd.  But the login works correctly anyway.  Any suggestions for 
what I should investigate?

type=PROCTITLE msg=audit(30/01/19 23:58:01.196:1595535) : proctitle=(systemd) 
type=SYSCALL msg=audit(30/01/19 23:58:01.196:1595535) : arch=x86_64 
syscall=execve success=no exit=EACCES(Permission denied) a0=0x55f2c3008780 
a1=0x55f2c2fbe740 a2=0x55f2c302f1e0 a3=0x55f2c2e06010 items=0 ppid=1 pid=19802 
auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root 
fsgid=root tty=(none) ses=189 comm=(systemd) exe=/lib/systemd/systemd 
subj=system_u:system_r:init_t:s0 key=(null) 
type=AVC msg=audit(30/01/19 23:58:01.196:1595535) : avc:  denied  { transition 
} for  pid=19802 comm=(systemd) path=/lib/systemd/systemd dev="dm-0" 
ino=3069920 scontext=system_u:system_r:init_t:s0 
tcontext=root:sysadm_r:sysadm_t:s0 tclass=process permissive=0

-- 
My Main Blog         http://etbe.coker.com.au/
My Documents Blog    http://doc.coker.com.au/




^ permalink raw reply	[flat|nested] 3+ messages in thread

* Re: strange systemd audit message
  2019-01-30 13:02 strange systemd audit message Russell Coker
@ 2019-01-30 23:42 ` Chris PeBenito
  2019-01-31  7:53   ` Dominick Grift
  0 siblings, 1 reply; 3+ messages in thread
From: Chris PeBenito @ 2019-01-30 23:42 UTC (permalink / raw)
  To: Russell Coker, selinux-refpolicy

On 1/30/19 8:02 AM, Russell Coker wrote:
> I'm seeing the following every time I login as sysadm_r, whether it's via /
> bin/login or sshd.  But the login works correctly anyway.  Any suggestions for
> what I should investigate?
> 
> type=PROCTITLE msg=audit(30/01/19 23:58:01.196:1595535) : proctitle=(systemd)
> type=SYSCALL msg=audit(30/01/19 23:58:01.196:1595535) : arch=x86_64
> syscall=execve success=no exit=EACCES(Permission denied) a0=0x55f2c3008780
> a1=0x55f2c2fbe740 a2=0x55f2c302f1e0 a3=0x55f2c2e06010 items=0 ppid=1 pid=19802
> auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root
> fsgid=root tty=(none) ses=189 comm=(systemd) exe=/lib/systemd/systemd
> subj=system_u:system_r:init_t:s0 key=(null)
> type=AVC msg=audit(30/01/19 23:58:01.196:1595535) : avc:  denied  { transition
> } for  pid=19802 comm=(systemd) path=/lib/systemd/systemd dev="dm-0"
> ino=3069920 scontext=system_u:system_r:init_t:s0
> tcontext=root:sysadm_r:sysadm_t:s0 tclass=process permissive=0

I never login directly as sysadm, but now that I try, I see it too.  I'm 
unaware of why this is happening; I'd have to look at the code to try to 
figure it out.

-- 
Chris PeBenito

^ permalink raw reply	[flat|nested] 3+ messages in thread

* Re: strange systemd audit message
  2019-01-30 23:42 ` Chris PeBenito
@ 2019-01-31  7:53   ` Dominick Grift
  0 siblings, 0 replies; 3+ messages in thread
From: Dominick Grift @ 2019-01-31  7:53 UTC (permalink / raw)
  To: Chris PeBenito; +Cc: Russell Coker, selinux-refpolicy\

Chris PeBenito <pebenito@ieee.org> writes:

> On 1/30/19 8:02 AM, Russell Coker wrote:
>> I'm seeing the following every time I login as sysadm_r, whether it's via /
>> bin/login or sshd.  But the login works correctly anyway.  Any suggestions for
>> what I should investigate?
>>
>> type=PROCTITLE msg=audit(30/01/19 23:58:01.196:1595535) : proctitle=(systemd)
>> type=SYSCALL msg=audit(30/01/19 23:58:01.196:1595535) : arch=x86_64
>> syscall=execve success=no exit=EACCES(Permission denied) a0=0x55f2c3008780
>> a1=0x55f2c2fbe740 a2=0x55f2c302f1e0 a3=0x55f2c2e06010 items=0 ppid=1 pid=19802
>> auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root
>> fsgid=root tty=(none) ses=189 comm=(systemd) exe=/lib/systemd/systemd
>> subj=system_u:system_r:init_t:s0 key=(null)
>> type=AVC msg=audit(30/01/19 23:58:01.196:1595535) : avc:  denied  { transition
>> } for  pid=19802 comm=(systemd) path=/lib/systemd/systemd dev="dm-0"
>> ino=3069920 scontext=system_u:system_r:init_t:s0
>> tcontext=root:sysadm_r:sysadm_t:s0 tclass=process permissive=0
>
> I never login directly as sysadm, but now that I try, I see it too.
> I'm unaware of why this is happening; I'd have to look at the code to
> try to figure it out.

I think its the systemd --user instance spawned by systemd --system on
behalf of root. Basically systemd --system pam code reads /etc/pam.d/systemd-user which calls pam_selinux
and then ends up interpretting either failsafe_context or default_contexts 

Just a guess though. Baasically it boils down to not having support
for systemd --user functionality in the policy.

-- 
Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8 02D5 3B6C 5F1D 2C7B 6B02
https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B02
Dominick Grift

^ permalink raw reply	[flat|nested] 3+ messages in thread

end of thread, back to index

Thread overview: 3+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2019-01-30 13:02 strange systemd audit message Russell Coker
2019-01-30 23:42 ` Chris PeBenito
2019-01-31  7:53   ` Dominick Grift

SELinux-Refpolicy Archive on lore.kernel.org

Archives are clonable:
	git clone --mirror https://lore.kernel.org/selinux-refpolicy/0 selinux-refpolicy/git/0.git

	# If you have public-inbox 1.1+ installed, you may
	# initialize and index your mirror using the following commands:
	public-inbox-init -V2 selinux-refpolicy selinux-refpolicy/ https://lore.kernel.org/selinux-refpolicy \
		selinux-refpolicy@vger.kernel.org selinux-refpolicy@archiver.kernel.org
	public-inbox-index selinux-refpolicy


Newsgroup available over NNTP:
	nntp://nntp.lore.kernel.org/org.kernel.vger.selinux-refpolicy


AGPL code for this site: git clone https://public-inbox.org/ public-inbox