SELinux Archive on lore.kernel.org
 help / color / Atom feed
* execve silently blocked
@ 2019-10-02 19:25 Ian Pilcher
  2019-10-02 19:41 ` Dominick Grift
  0 siblings, 1 reply; 3+ messages in thread
From: Ian Pilcher @ 2019-10-02 19:25 UTC (permalink / raw)
  To: selinux

I am writing an SELinux policy for a daemon that needs to exec an
external program.  The execve call is being denied (permission denied),
but no denial is being logged, even after disabling dontaudit rules
(semodule -DB).

(The execve call does succeed in permissive mode.)

How can I troubleshoot this?

Thanks!

-- 
========================================================================
Ian Pilcher                                         arequipeno@gmail.com
-------- "I grew up before Mark Zuckerberg invented friendship" --------
========================================================================

^ permalink raw reply	[flat|nested] 3+ messages in thread

* Re: execve silently blocked
  2019-10-02 19:25 execve silently blocked Ian Pilcher
@ 2019-10-02 19:41 ` Dominick Grift
  2019-10-02 20:08   ` Ian Pilcher
  0 siblings, 1 reply; 3+ messages in thread
From: Dominick Grift @ 2019-10-02 19:41 UTC (permalink / raw)
  To: Ian Pilcher; +Cc: selinux

[-- Attachment #1: Type: text/plain, Size: 1057 bytes --]

On Wed, Oct 02, 2019 at 02:25:22PM -0500, Ian Pilcher wrote:
> I am writing an SELinux policy for a daemon that needs to exec an
> external program.  The execve call is being denied (permission denied),
> but no denial is being logged, even after disabling dontaudit rules
> (semodule -DB).

Are you also looking for "selinux_err" records?

`ausearch -m avc,user_avc,selinux_err -i`

will return avc, user_avc and selinux_err records if auditd is running.

> 
> (The execve call does succeed in permissive mode.)
> 
> How can I troubleshoot this?
> 
> Thanks!
> 
> -- 
> ========================================================================
> Ian Pilcher                                         arequipeno@gmail.com
> -------- "I grew up before Mark Zuckerberg invented friendship" --------
> ========================================================================

-- 
Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8 02D5 3B6C 5F1D 2C7B 6B02
https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B02
Dominick Grift

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 659 bytes --]

^ permalink raw reply	[flat|nested] 3+ messages in thread

* Re: execve silently blocked
  2019-10-02 19:41 ` Dominick Grift
@ 2019-10-02 20:08   ` Ian Pilcher
  0 siblings, 0 replies; 3+ messages in thread
From: Ian Pilcher @ 2019-10-02 20:08 UTC (permalink / raw)
  To: selinux

On 10/2/19 2:41 PM, Dominick Grift wrote:
> Are you also looking for "selinux_err" records?

Nope, because I had never heard of them before.  :-)

That found the error:

   type=SELINUX_ERR msg=audit(1570044939.773:845):
   op=security_compute_sid
   invalid_context=system_u:system_r:denatc_sudo_t:s0
   scontext=system_u:system_r:denatc_t:s0
   tcontext=system_u:object_r:sudo_exec_t:s0 tclass=process

It seems that I was missing a role-type statement:

   role system_r types denatc_sudo_t;

Adding that gets me back to more conventional denials, which I know how
to deal with.

Thanks!

-- 
========================================================================
Ian Pilcher                                         arequipeno@gmail.com
-------- "I grew up before Mark Zuckerberg invented friendship" --------
========================================================================

^ permalink raw reply	[flat|nested] 3+ messages in thread

end of thread, back to index

Thread overview: 3+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2019-10-02 19:25 execve silently blocked Ian Pilcher
2019-10-02 19:41 ` Dominick Grift
2019-10-02 20:08   ` Ian Pilcher

SELinux Archive on lore.kernel.org

Archives are clonable:
	git clone --mirror https://lore.kernel.org/selinux/0 selinux/git/0.git

	# If you have public-inbox 1.1+ installed, you may
	# initialize and index your mirror using the following commands:
	public-inbox-init -V2 selinux selinux/ https://lore.kernel.org/selinux \
		selinux@vger.kernel.org selinux@archiver.kernel.org
	public-inbox-index selinux

Example config snippet for mirrors

Newsgroup available over NNTP:
	nntp://nntp.lore.kernel.org/org.kernel.vger.selinux


AGPL code for this site: git clone https://public-inbox.org/ public-inbox