Re: Odd systemd source context for non pid 1 process

From: Dominick Grift <dac.override@gmail.com>
To: "Christian Göttsche" <cgzones@googlemail.com>
Cc: Stephen Smalley <sds@tycho.nsa.gov>, selinux@vger.kernel.org
Subject: Re: Odd systemd source context for non pid 1 process
Date: Wed, 6 Nov 2019 17:48:11 +0100	[thread overview]
Message-ID: <20191106164811.GB1528184@brutus.lan> (raw)
In-Reply-To: <CAJ2a_Dc9mxQzuhxrbhq90LMfDVx0i-33GPegrhxVeRgXg2A4zA@mail.gmail.com>

[-- Attachment #1: Type: text/plain, Size: 5320 bytes --]

On Wed, Nov 06, 2019 at 05:42:35PM +0100, Christian Göttsche wrote:
> > No.  Not sure what it is that you are seeing.  Maybe auditallow
> > execute_no_trans or double check that your policy isn't allowing it
> > (e.g. sesearch -A -s systemd_t -p execute_no_trans)
> 
> No execute_no_trans are logged (with an auditallow rule).
> There is actually one execute_no_trans over itself (systemd_exec_t --
> /usr/lib/systemd/systemd).
> So systemd might re-exec or fork to get another pid.
> But the pid in the denials is, in the case of systemd-logind, the
> final pid of that daemon.
> 
> Also in the audit logs, the odd denial (e.g. 11/06/19 17:31:39.298:30)
> is prior to the nnp_transition info (e.g. 11/06/19 17:31:39.466:35).
> 

There is a "RuntimeDirectory=systemd/sessions systemd/seats systemd/users systemd/inhibit systemd/shutdown" in systemd-logind.service
That means that systemd will create /run/systemd/inhibit on behalf of systemd-logind

> 
> <<<<<<<< log snippets
> 
> $ ps -efZ | grep logind
> system_u:system_r:systemd_logind_t:s0 root 478     1  0 17:31 ?
> 00:00:00 /lib/systemd/systemd-logind
> 
> type=PROCTITLE msg=audit(11/06/19 17:31:39.298:30) : proctitle=(d-logind)
> type=PATH msg=audit(11/06/19 17:31:39.298:30) : item=1
> name=/run/systemd/inhibit inode=14431 dev=00:15 mode=dir,755 ouid=root
> ogid=root rdev=00:00
> obj=system_u:object_r:systemd_logind_inhibit_runtime_t:s0
> nametype=CREATE cap_fp=none cap_fi=none cap_fe=0 cap_fver=0
> cap_frootid=0
> type=PATH msg=audit(11/06/19 17:31:39.298:30) : item=0
> name=/run/systemd/ inode=10008 dev=00:15 mode=dir,755 ouid=root
> ogid=root rdev=00:00 obj=system_u:object_r:systemd_runtime_t:s0
> nametype=PARENT cap_fp=none cap_fi=none cap_fe=0 cap_fver=0
> cap_frootid=0
> type=CWD msg=audit(11/06/19 17:31:39.298:30) : cwd=/
> type=SYSCALL msg=audit(11/06/19 17:31:39.298:30) : arch=x86_64
> syscall=mkdir success=yes exit=0 a0=0x559af6611a00 a1=0755 a2=0x0
> a3=0x7 items=2 ppid=1 pid=478 auid=unset uid=root gid=root euid=root
> suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none)
> ses=unset comm=(d-logind) exe=/usr/lib/systemd/systemd
> subj=system_u:system_r:systemd_t:s0 key=(null)
> type=AVC msg=audit(11/06/19 17:31:39.298:30) : avc:  denied  { create
> } for  pid=478 comm=(d-logind) name=inhibit
> scontext=system_u:system_r:systemd_t:s0
> tcontext=system_u:object_r:systemd_logind_inhibit_runtime_t:s0
> tclass=dir permissive=1
> 
> .. later...
> 
> type=PROCTITLE msg=audit(11/06/19 17:31:39.466:35) : proctitle=(d-logind)
> type=PATH msg=audit(11/06/19 17:31:39.466:35) : item=1
> name=/lib64/ld-linux-x86-64.so.2 inode=263996 dev=08:01 mode=file,755
> ouid=root ogid=root rdev=00:00 obj=system_u:object_r:ld_so_t:s0
> nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0
> cap_frootid=0
> type=PATH msg=audit(11/06/19 17:31:39.466:35) : item=0
> name=/lib/systemd/systemd-logind inode=268205 dev=08:01 mode=file,755
> ouid=root ogid=root rdev=00:00
> obj=system_u:object_r:systemd_logind_exec_t:s0 nametype=NORMAL
> cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
> type=CWD msg=audit(11/06/19 17:31:39.466:35) : cwd=/
> type=EXECVE msg=audit(11/06/19 17:31:39.466:35) : argc=1
> a0=/lib/systemd/systemd-logind
> type=BPRM_FCAPS msg=audit(11/06/19 17:31:39.466:35) : fver=0 fp=none
> fi=none fe=0 old_pp=chown,dac_override,dac_read_search,fowner,fsetid,kill,setgid,setuid,setpcap,linux_immutable,net_bind_service,net_broadcast,net_admin,net_raw,ipc_lock,ipc_owner,sys_module,sys_rawio,sys_chroot,sys_ptrace,sys_pacct,sys_admin,sys_boot,sys_nice,sys_resource,sys_time,sys_tty_config,mknod,lease,audit_write,audit_control,setfcap,mac_override,mac_admin,syslog,wake_alarm,block_suspend,audit_read
> old_pi=none old_pe=chown,dac_override,dac_read_search,fowner,fsetid,kill,setgid,setuid,setpcap,linux_immutable,net_bind_service,net_broadcast,net_admin,net_raw,ipc_lock,ipc_owner,sys_module,sys_rawio,sys_chroot,sys_ptrace,sys_pacct,sys_admin,sys_boot,sys_nice,sys_resource,sys_time,sys_tty_config,mknod,lease,audit_write,audit_control,setfcap,mac_override,mac_admin,syslog,wake_alarm,block_suspend,audit_read
> old_pa=none pp=chown,dac_override,dac_read_search,fowner,linux_immutable,sys_admin,sys_tty_config,audit_control,mac_admin
> pi=none pe=chown,dac_override,dac_read_search,fowner,linux_immutable,sys_admin,sys_tty_config,audit_control,mac_admin
> pa=none frootid=0
> type=SYSCALL msg=audit(11/06/19 17:31:39.466:35) : arch=x86_64
> syscall=execve success=yes exit=0 a0=0x559af6603750 a1=0x559af66ad680
> a2=0x559af6690250 a3=0x559af66035c0 items=2 ppid=1 pid=478 auid=unset
> uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root
> fsgid=root tty=(none) ses=unset comm=systemd-logind
> exe=/usr/lib/systemd/systemd-logind
> subj=system_u:system_r:systemd_logind_t:s0 key=(null)
> type=AVC msg=audit(11/06/19 17:31:39.466:35) : avc:  granted  {
> nnp_transition } for  pid=478 comm=(d-logind)
> scontext=system_u:system_r:systemd_t:s0
> tcontext=system_u:system_r:systemd_logind_t:s0 tclass=process2
> 
> 
> >>>>>>>> log snippets

-- 
Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8 02D5 3B6C 5F1D 2C7B 6B02
https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B02
Dominick Grift

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 659 bytes --]