SELinux Archive on lore.kernel.org
From: Stephen Smalley <sds@tycho.nsa.gov>
To: "Christian Göttsche" <cgzones@googlemail.com>, selinux@vger.kernel.org
Subject: Re: Odd systemd source context for non pid 1 process
Date: Tue, 5 Nov 2019 14:19:01 -0500
Message-ID: <57bbaee4-4338-30f2-3d12-bbf6a6aaabe6@tycho.nsa.gov> (raw)
In-Reply-To: <CAJ2a_Df4Mwf8eiatG92fywoCoEDpozYGz+jvPLRN8vcXy2a70g@mail.gmail.com>

On 11/5/19 2:02 PM, Christian Göttsche wrote:
> While trying out a custom SELinux policy for systemd, some denials
> during system boot seem odd to me.
> systemd pid 1 runs as systemd_t and has no execute_no_trans permissions.
> The system runs in enforced mode, but systemd_t is currently a
> permissive domain.
> For debugging purposes, `auditallow systemd_t domain:process2 {
> nnp_transition nosuid_transition };` is active.
> 
> 
> <<<<<<<< log snippets
> 
> /var/log/messages
> 
> Nov  5 19:45:44 debian-test kernel: [    8.224135] audit: type=1400
> audit(1572979544.695:7): avc:  denied  { create } for  pid=446
> comm="(imesyncd)" name="timesync"
> scontext=system_u:system_r:systemd_t:s0
> tcontext=system_u:object_r:systemd_timesyncd_runtime_t:s0 tclass=dir
> permissive=1
> Nov  5 19:45:44 debian-test kernel: [    8.225640] audit: type=1400
> audit(1572979544.695:8): avc:  denied  { setattr } for  pid=446
> comm="(imesyncd)" name="timesync" dev="tmpfs" ino=13506
> scontext=system_u:system_r:systemd_t:s0
> tcontext=system_u:object_r:systemd_timesyncd_runtime_t:s0 tclass=dir
> permissive=1
> Nov  5 19:45:44 debian-test kernel: [    8.227405] audit: type=1400
> audit(1572979544.695:9): avc:  denied  { read } for  pid=446
> comm="(imesyncd)" name="timesync" dev="tmpfs" ino=13506
> scontext=system_u:system_r:systemd_t:s0
> tcontext=system_u:object_r:systemd_timesyncd_runtime_t:s0 tclass=dir
> permissive=1
> Nov  5 19:45:44 debian-test kernel: [    8.229030] audit: type=1400
> audit(1572979544.695:10): avc:  denied  { open } for  pid=446
> comm="(imesyncd)" path="/run/systemd/timesync" dev="tmpfs" ino=13506
> scontext=system_u:system_r:systemd_t:s0
> tcontext=system_u:object_r:systemd_timesyncd_runtime_t:s0 tclass=dir
> permissive=1
> Nov  5 19:45:44 debian-test kernel: [    8.229032] audit: type=1400
> audit(1572979544.695:11): avc:  denied  { getattr } for  pid=446
> comm="(imesyncd)" path="/run/systemd/timesync" dev="tmpfs" ino=13506
> scontext=system_u:system_r:systemd_t:s0
> tcontext=system_u:object_r:systemd_timesyncd_runtime_t:s0 tclass=dir
> permissive=1
> Nov  5 19:45:44 debian-test kernel: [    8.235688] audit: type=1400
> audit(1572979544.707:12): avc:  denied  { mounton } for  pid=446
> comm="(imesyncd)" path="/run/systemd/unit-root/run/systemd/timesync"
> dev="tmpfs" ino=13506 scontext=system_u:system_r:systemd_t:s0
> tcontext=system_u:object_r:systemd_timesyncd_runtime_t:s0 tclass=dir
> permissive=1
> 
> 
> ausearch -m avc,user_avc,selinux_err -i
> 
> ----
> type=AVC msg=audit(11/05/19 19:45:44.887:22) : avc:  granted  {
> nnp_transition } for  pid=446 comm=(imesyncd)
> scontext=system_u:system_r:systemd_t:s0
> tcontext=system_u:system_r:systemd_timesyncd_t:s0 tclass=process2
> ----
> type=PROCTITLE msg=audit(11/05/19 19:45:44.907:25) : proctitle=(crub_all)
> type=SYSCALL msg=audit(11/05/19 19:45:44.907:25) : arch=x86_64
> syscall=sched_setscheduler success=yes exit=0 a0=0x0 a1=SCHED_IDLE
> a2=0x7ffd35f38f50 a3=0x7ffd35f38f38 items=0 ppid=1 pid=475 auid=unset
> uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root
> fsgid=root tty=(none) ses=unset comm=(crub_all)
> exe=/usr/lib/systemd/systemd subj=system_u:system_r:systemd_t:s0
> key=(null)
> type=AVC msg=audit(11/05/19 19:45:44.907:25) : avc:  denied  {
> setsched } for  pid=475 comm=(crub_all)
> scontext=system_u:system_r:systemd_t:s0
> tcontext=system_u:system_r:systemd_t:s0 tclass=process permissive=1
> ----
> type=PROCTITLE msg=audit(11/05/19 19:45:44.907:26) : proctitle=(crub_all)
> type=SYSCALL msg=audit(11/05/19 19:45:44.907:26) : arch=x86_64
> syscall=fcntl success=yes exit=0 a0=0x34 a1=F_SETLKW a2=0x7ffd35f38df0
> a3=0x0 items=0 ppid=1 pid=475 auid=unset uid=root gid=root euid=root
> suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none)
> ses=unset comm=(crub_all) exe=/usr/lib/systemd/systemd
> subj=system_u:system_r:systemd_t:s0 key=(null)
> type=AVC msg=audit(11/05/19 19:45:44.907:26) : avc:  denied  { lock }
> for  pid=475 comm=(crub_all) path=socket:[13561] dev="sockfs"
> ino=13561 scontext=system_u:system_r:systemd_t:s0
> tcontext=system_u:system_r:systemd_t:s0 tclass=unix_dgram_socket
> permissive=1
> ----
> type=PROCTITLE msg=audit(11/05/19 19:45:44.911:27) : proctitle=(crub_all)
> type=PATH msg=audit(11/05/19 19:45:44.911:27) : item=0
> name=/proc/self/ns/net inode=4026532232 dev=00:04 mode=file,444
> ouid=root ogid=root rdev=00:00 obj=system_u:object_r:nsfs_t:s0
> nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0
> cap_frootid=0
> type=CWD msg=audit(11/05/19 19:45:44.911:27) : cwd=/
> type=SYSCALL msg=audit(11/05/19 19:45:44.911:27) : arch=x86_64
> syscall=openat success=yes exit=3 a0=0xffffff9c a1=0x55e784768331
> a2=O_RDONLY|O_NOCTTY|O_CLOEXEC a3=0x0 items=1 ppid=1 pid=475
> auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root
> sgid=root fsgid=root tty=(none) ses=unset comm=(crub_all)
> exe=/usr/lib/systemd/systemd subj=system_u:system_r:systemd_t:s0
> key=(null)
> type=AVC msg=audit(11/05/19 19:45:44.911:27) : avc:  denied  { open }
> for  pid=475 comm=(crub_all) path=net:[4026532232] dev="nsfs"
> ino=4026532232 scontext=system_u:system_r:systemd_t:s0
> tcontext=system_u:object_r:nsfs_t:s0 tclass=file permissive=1
> type=AVC msg=audit(11/05/19 19:45:44.911:27) : avc:  denied  { read }
> for  pid=475 comm=(crub_all) dev="nsfs" ino=4026532232
> scontext=system_u:system_r:systemd_t:s0
> tcontext=system_u:object_r:nsfs_t:s0 tclass=file permissive=1
> ----
> type=PROCTITLE msg=audit(11/05/19 19:45:44.915:29) : proctitle=(crub_all)
> type=PATH msg=audit(11/05/19 19:45:44.915:29) : item=2
> name=/lib64/ld-linux-x86-64.so.2 inode=263996 dev=08:01 mode=file,755
> ouid=root ogid=root rdev=00:00 obj=system_u:object_r:ld_so_t:s0
> nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0
> cap_frootid=0
> type=PATH msg=audit(11/05/19 19:45:44.915:29) : item=1 name=/bin/bash
> inode=263600 dev=08:01 mode=file,755 ouid=root ogid=root rdev=00:00
> obj=system_u:object_r:shell_exec_t:s0 nametype=NORMAL cap_fp=none
> cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
> type=PATH msg=audit(11/05/19 19:45:44.915:29) : item=0
> name=/sbin/e2scrub_all inode=263379 dev=08:01 mode=file,755 ouid=root
> ogid=root rdev=00:00 obj=system_u:object_r:fsadm_exec_t:s0
> nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0
> cap_frootid=0
> type=CWD msg=audit(11/05/19 19:45:44.915:29) : cwd=/
> type=EXECVE msg=audit(11/05/19 19:45:44.915:29) : argc=4 a0=/bin/bash
> a1=/sbin/e2scrub_all a2=-A a3=-r
> type=SYSCALL msg=audit(11/05/19 19:45:44.915:29) : arch=x86_64
> syscall=execve success=yes exit=0 a0=0x55e784f70b40 a1=0x55e78504dde0
> a2=0x55e78502a200 a3=0x55e784f71240 items=3 ppid=1 pid=475 auid=unset
> uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root
> fsgid=root tty=(none) ses=unset comm=e2scrub_all exe=/usr/bin/bash
> subj=system_u:system_r:fsadm_t:s0 key=(null)
> type=AVC msg=audit(11/05/19 19:45:44.915:29) : avc:  granted  {
> nnp_transition } for  pid=475 comm=(crub_all)
> scontext=system_u:system_r:systemd_t:s0
> tcontext=system_u:system_r:fsadm_t:s0 tclass=process2
> ----
> type=PROCTITLE msg=audit(11/05/19 19:45:44.935:31) : proctitle=(d-logind)
> type=PATH msg=audit(11/05/19 19:45:44.935:31) : item=1
> name=/run/systemd/inhibit inode=14807 dev=00:15 mode=dir,755 ouid=root
> ogid=root rdev=00:00
> obj=system_u:object_r:systemd_logind_inhibit_runtime_t:s0
> nametype=CREATE cap_fp=none cap_fi=none cap_fe=0 cap_fver=0
> cap_frootid=0
> type=PATH msg=audit(11/05/19 19:45:44.935:31) : item=0
> name=/run/systemd/ inode=11588 dev=00:15 mode=dir,755 ouid=root
> ogid=root rdev=00:00 obj=system_u:object_r:systemd_runtime_t:s0
> nametype=PARENT cap_fp=none cap_fi=none cap_fe=0 cap_fver=0
> cap_frootid=0
> type=CWD msg=audit(11/05/19 19:45:44.935:31) : cwd=/
> type=SYSCALL msg=audit(11/05/19 19:45:44.935:31) : arch=x86_64
> syscall=mkdir success=yes exit=0 a0=0x55e784f6aeb0 a1=0755 a2=0x0
> a3=0x7 items=2 ppid=1 pid=481 auid=unset uid=root gid=root euid=root
> suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none)
> ses=unset comm=(d-logind) exe=/usr/lib/systemd/systemd
> subj=system_u:system_r:systemd_t:s0 key=(null)
> type=AVC msg=audit(11/05/19 19:45:44.935:31) : avc:  denied  { create
> } for  pid=481 comm=(d-logind) name=inhibit
> scontext=system_u:system_r:systemd_t:s0
> tcontext=system_u:object_r:systemd_logind_inhibit_runtime_t:s0
> tclass=dir permissive=1
> ----
> type=PROCTITLE msg=audit(11/05/19 19:45:44.959:35) :
> proctitle=/usr/sbin/vnstatd -n
> type=PATH msg=audit(11/05/19 19:45:44.959:35) : item=1
> name=/lib64/ld-linux-x86-64.so.2 inode=263996 dev=08:01 mode=file,755
> ouid=root ogid=root rdev=00:00 obj=system_u:object_r:ld_so_t:s0
> nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0
> cap_frootid=0
> type=PATH msg=audit(11/05/19 19:45:44.959:35) : item=0
> name=/usr/sbin/vnstatd inode=262216 dev=08:01 mode=file,755 ouid=root
> ogid=root rdev=00:00 obj=system_u:object_r:vnstatd_exec_t:s0
> nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0
> cap_frootid=0
> type=CWD msg=audit(11/05/19 19:45:44.959:35) : cwd=/
> type=EXECVE msg=audit(11/05/19 19:45:44.959:35) : argc=2
> a0=/usr/sbin/vnstatd a1=-n
> type=SYSCALL msg=audit(11/05/19 19:45:44.959:35) : arch=x86_64
> syscall=execve success=yes exit=0 a0=0x55e784fe5500 a1=0x55e78500df40
> a2=0x55e78501ae70 a3=0x55e784fe5580 items=2 ppid=1 pid=476 auid=unset
> uid=vnstat gid=vnstat euid=vnstat suid=vnstat fsuid=vnstat egid=vnstat
> sgid=vnstat fsgid=vnstat tty=(none) ses=unset comm=vnstatd
> exe=/usr/sbin/vnstatd subj=system_u:system_r:vnstatd_t:s0 key=(null)
> type=AVC msg=audit(11/05/19 19:45:44.959:35) : avc:  granted  {
> nnp_transition } for  pid=476 comm=(vnstatd)
> scontext=system_u:system_r:systemd_t:s0
> tcontext=system_u:system_r:vnstatd_t:s0 tclass=process2
> ----
> type=PROCTITLE msg=audit(11/05/19 19:45:45.099:37) : proctitle=(d-logind)
> type=PATH msg=audit(11/05/19 19:45:45.099:37) : item=1
> name=/lib64/ld-linux-x86-64.so.2 inode=263996 dev=08:01 mode=file,755
> ouid=root ogid=root rdev=00:00 obj=system_u:object_r:ld_so_t:s0
> nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0
> cap_frootid=0
> type=PATH msg=audit(11/05/19 19:45:45.099:37) : item=0
> name=/lib/systemd/systemd-logind inode=268205 dev=08:01 mode=file,755
> ouid=root ogid=root rdev=00:00
> obj=system_u:object_r:systemd_logind_exec_t:s0 nametype=NORMAL
> cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
> type=CWD msg=audit(11/05/19 19:45:45.099:37) : cwd=/
> type=EXECVE msg=audit(11/05/19 19:45:45.099:37) : argc=1
> a0=/lib/systemd/systemd-logind
> type=BPRM_FCAPS msg=audit(11/05/19 19:45:45.099:37) : fver=0 fp=none
> fi=none fe=0 old_pp=chown,dac_override,dac_read_search,fowner,fsetid,kill,setgid,setuid,setpcap,linux_immutable,net_bind_service,net_broadcast,net_admin,net_raw,ipc_lock,ipc_owner,sys_module,sys_rawio,sys_chroot,sys_ptrace,sys_pacct,sys_admin,sys_boot,sys_nice,sys_resource,sys_time,sys_tty_config,mknod,lease,audit_write,audit_control,setfcap,mac_override,mac_admin,syslog,wake_alarm,block_suspend,audit_read
> old_pi=none old_pe=chown,dac_override,dac_read_search,fowner,fsetid,kill,setgid,setuid,setpcap,linux_immutable,net_bind_service,net_broadcast,net_admin,net_raw,ipc_lock,ipc_owner,sys_module,sys_rawio,sys_chroot,sys_ptrace,sys_pacct,sys_admin,sys_boot,sys_nice,sys_resource,sys_time,sys_tty_config,mknod,lease,audit_write,audit_control,setfcap,mac_override,mac_admin,syslog,wake_alarm,block_suspend,audit_read
> old_pa=none pp=chown,dac_override,dac_read_search,fowner,linux_immutable,sys_admin,sys_tty_config,audit_control,mac_admin
> pi=none pe=chown,dac_override,dac_read_search,fowner,linux_immutable,sys_admin,sys_tty_config,audit_control,mac_admin
> pa=none frootid=0
> type=SYSCALL msg=audit(11/05/19 19:45:45.099:37) : arch=x86_64
> syscall=execve success=yes exit=0 a0=0x55e784fb9a40 a1=0x55e785050a20
> a2=0x55e78502e650 a3=0x55e784fb9840 items=2 ppid=1 pid=481 auid=unset
> uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root
> fsgid=root tty=(none) ses=unset comm=systemd-logind
> exe=/usr/lib/systemd/systemd-logind
> subj=system_u:system_r:systemd_logind_t:s0 key=(null)
> type=AVC msg=audit(11/05/19 19:45:45.099:37) : avc:  granted  {
> nnp_transition } for  pid=481 comm=(d-logind)
> scontext=system_u:system_r:systemd_t:s0
> tcontext=system_u:system_r:systemd_logind_t:s0 tclass=process2
> 
> >>>>>>>> log snippets
> 
> 
> Somehow the source context is systemd_t, while the pid is not 1 (and
> the proctitle is not systemd).
> Is the context transition perhaps delayed in the `nnp_transition` case?

No.  Not sure what it is that you are seeing.  Maybe auditallow 
execute_no_trans, or double-check that your policy isn't allowing it 
(e.g. sesearch -A -s systemd_t -p execute_no_trans).
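As an added example (not code from this thread, from systemd or from the SELinux userspace), the following Python script triages audit records of the kind quoted above. It groups AVC and SYSCALL records by the audit event serial (the number after the timestamp in `audit(...)`), links each AVC to the SYSCALL of the same event, and separates denials raised while a child of pid 1 is still running /usr/lib/systemd/systemd under systemd_t (ppid=1, exe=/usr/lib/systemd/systemd, comm in parentheses, as in the quoted records) from the execve event in which the nnp_transition grant appears and subj= already shows the new domain. It then collapses the pre-exec denials into allow rules in the form audit2allow prints. The sample records are constructed here, modelled on the quoted ones with each record on a single line; the pre-exec classification is the example's own heuristic, read off the quoted records, not a documented systemd or SELinux interface.

```python
"""Triage SELinux AVC records from a systemd boot: which denials come from a
forked-but-not-yet-exec'd child of pid 1, and which pids got an nnp_transition."""
import re
from collections import defaultdict

# Event serial ties the records of one event together (unique within one audit
# stream).  Matches raw kernel audit(1572979544.695:7) and ausearch -i's
# msg=audit(11/05/19 19:45:44.907:25) alike.
EVENT_RE = re.compile(r"\baudit\((?P<ts>.+?):(?P<serial>\d+)\)")
AVC_RE = re.compile(
    r"avc:\s+(?P<verdict>granted|denied)\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+"
    r'pid=(?P<pid>\d+)\s+comm="?(?P<comm>[^"\s]+)"?.*?\bscontext=(?P<scontext>\S+)'
    r"\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)
SYSCALL_RE = re.compile(
    r"type=SYSCALL .*?\bsyscall=(?P<syscall>\S+).*?\bppid=(?P<ppid>\d+)\s+pid=(?P<pid>\d+)"
    r'.*?\bcomm="?(?P<comm>[^"\s]+)"?\s+exe="?(?P<exe>[^"\s]+)"?\s+subj=(?P<subj>\S+)'
)

# Constructed sample, modelled on the records quoted in the thread (one record
# per line; the e-mail wrapped them).  Event 7 is in raw kernel form.
SAMPLE = """\
Nov  5 19:45:44 debian-test kernel: [    8.224135] audit: type=1400 audit(1572979544.695:7): avc:  denied  { create } for  pid=446 comm="(imesyncd)" name="timesync" scontext=system_u:system_r:systemd_t:s0 tcontext=system_u:object_r:systemd_timesyncd_runtime_t:s0 tclass=dir permissive=1
type=AVC msg=audit(11/05/19 19:45:44.887:22) : avc:  granted  { nnp_transition } for  pid=446 comm=(imesyncd) scontext=system_u:system_r:systemd_t:s0 tcontext=system_u:system_r:systemd_timesyncd_t:s0 tclass=process2
type=SYSCALL msg=audit(11/05/19 19:45:44.907:25) : arch=x86_64 syscall=sched_setscheduler success=yes exit=0 a0=0x0 a1=SCHED_IDLE a2=0x7ffd35f38f50 a3=0x7ffd35f38f38 items=0 ppid=1 pid=475 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=(crub_all) exe=/usr/lib/systemd/systemd subj=system_u:system_r:systemd_t:s0 key=(null)
type=AVC msg=audit(11/05/19 19:45:44.907:25) : avc:  denied  { setsched } for  pid=475 comm=(crub_all) scontext=system_u:system_r:systemd_t:s0 tcontext=system_u:system_r:systemd_t:s0 tclass=process permissive=1
type=SYSCALL msg=audit(11/05/19 19:45:44.915:29) : arch=x86_64 syscall=execve success=yes exit=0 a0=0x55e784f70b40 a1=0x55e78504dde0 a2=0x55e78502a200 a3=0x55e784f71240 items=3 ppid=1 pid=475 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=e2scrub_all exe=/usr/bin/bash subj=system_u:system_r:fsadm_t:s0 key=(null)
type=AVC msg=audit(11/05/19 19:45:44.915:29) : avc:  granted  { nnp_transition } for  pid=475 comm=(crub_all) scontext=system_u:system_r:systemd_t:s0 tcontext=system_u:system_r:fsadm_t:s0 tclass=process2
type=SYSCALL msg=audit(11/05/19 19:45:44.935:31) : arch=x86_64 syscall=mkdir success=yes exit=0 a0=0x55e784f6aeb0 a1=0755 a2=0x0 a3=0x7 items=2 ppid=1 pid=481 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=(d-logind) exe=/usr/lib/systemd/systemd subj=system_u:system_r:systemd_t:s0 key=(null)
type=AVC msg=audit(11/05/19 19:45:44.935:31) : avc:  denied  { create } for  pid=481 comm=(d-logind) name=inhibit scontext=system_u:system_r:systemd_t:s0 tcontext=system_u:object_r:systemd_logind_inhibit_runtime_t:s0 tclass=dir permissive=1
"""


def parse_audit(text):
    """Return {serial: {"ts", "avcs": [avc dicts], "syscall": dict or None}}."""
    events = {}
    for line in text.splitlines():
        m = EVENT_RE.search(line)
        if not m:
            continue
        ev = events.setdefault(int(m.group("serial")),
                               {"ts": m.group("ts"), "avcs": [], "syscall": None})
        a = AVC_RE.search(line)
        if a:
            rec = a.groupdict()
            rec["pid"] = int(rec["pid"])
            rec["perms"] = rec["perms"].split()
            ev["avcs"].append(rec)
            continue
        s = SYSCALL_RE.search(line)
        if s:
            rec = s.groupdict()
            rec["pid"], rec["ppid"] = int(rec["pid"]), int(rec["ppid"])
            ev["syscall"] = rec
    return events


def domain(ctx):
    """Type field of a context: system_u:system_r:systemd_t:s0 -> systemd_t."""
    return ctx.split(":")[2]


def is_pre_exec_child(avc, syscall):
    """Heuristic (this example's own): the record comes from a child pid 1 forked
    but that has not exec'd yet, i.e. still the systemd binary, parented by pid 1,
    and not the execve itself.  Without a SYSCALL record in the same event, fall
    back to systemd's parenthesised child name plus pid 1's domain."""
    if syscall is not None and syscall["pid"] == avc["pid"]:
        return (syscall["ppid"] == 1 and syscall["exe"].endswith("/systemd")
                and syscall["syscall"] != "execve")
    return avc["comm"].startswith("(") and domain(avc["scontext"]) == "systemd_t"


def transitions(events):
    """pid -> target context for every granted process2 transition permission."""
    out = {}
    for ev in events.values():
        for avc in ev["avcs"]:
            if avc["verdict"] == "granted" and avc["tclass"] == "process2":
                out[avc["pid"]] = avc["tcontext"]
    return out


def pre_exec_denials(events):
    """(pid, comm, tclass, perm) for each denial raised by a pre-exec child, in event order."""
    found = []
    for serial in sorted(events):
        ev = events[serial]
        for avc in ev["avcs"]:
            if avc["verdict"] == "denied" and is_pre_exec_child(avc, ev["syscall"]):
                found.extend((avc["pid"], avc["comm"], avc["tclass"], p) for p in avc["perms"])
    return found


def candidate_rules(events):
    """Collapse the pre-exec denials into allow rules as audit2allow would print them.
    Whether to grant them to systemd_t, rather than move the setup into the target
    domain, is a policy decision the log cannot make."""
    perms = defaultdict(set)
    for ev in events.values():
        for avc in ev["avcs"]:
            if avc["verdict"] == "denied" and is_pre_exec_child(avc, ev["syscall"]):
                key = (domain(avc["scontext"]), domain(avc["tcontext"]), avc["tclass"])
                perms[key].update(avc["perms"])
    return sorted(f"allow {s} {t}:{c} {{ {' '.join(sorted(p))} }};"
                  for (s, t, c), p in perms.items())


if __name__ == "__main__":
    ev = parse_audit(SAMPLE)
    for pid, target in sorted(transitions(ev).items()):
        print(f"pid {pid}: transition granted into {domain(target)}")
    for pid, comm, tclass, perm in pre_exec_denials(ev):
        print(f"pid {pid} {comm}: pre-exec denial {tclass} {perm}")
    print("\n".join(candidate_rules(ev)))
```

Run against a real system with `ausearch -m avc,user_avc,selinux_err -i | python3 triage.py`-style plumbing by replacing SAMPLE with stdin; the event serial is what links an AVC to the SYSCALL that caused it, so feed it ausearch output rather than /var/log/messages alone, where the SYSCALL records are absent.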






Thread overview: 5+ messages
2019-11-05 19:02 Christian Göttsche
2019-11-05 19:19 ` Stephen Smalley [this message]
2019-11-06 16:42   ` Christian Göttsche
2019-11-06 16:48     ` Dominick Grift
2019-11-07 16:26       ` Christian Göttsche
