Trying SELinux again on CentOS 5.1 - not quite HOPELESS

Robert Nichols rnicholsNOSPAM at comcast.net
Tue Mar 4 08:10:51 UTC 2008 

Eric Paris wrote:
> On Mon, 2008-03-03 at 21:34 -0600, Robert Nichols wrote:
>> 1) The bulk of the AVCs are coming from 'pidof' running in context
>> system_u:system_r:dhcpc_t needing "ptrace" capability for every
>> tcontext that might show up in /proc.  audit2allow is NOT the
>> solution for that.  Apart from the problem of individually allowing
>> every possible tcontext, allowing "ptrace" for just any process
>> that might be running with that scontext would be a big security
>> hole.
> 
> sounds like you want 2 rules
> 
> allow dhcpc_t named_t:process ptrace
> dontaudit dhcpc_t *:process ptrace
> 
> never tried it, but I think that will take care of it.  dhcpc_t will be
> able to only troll around in the correct /proc directories and your logs
> will be empty from all the denials.
>
>> 2) Here is what happened when the news fetch started.  This looks
>> like the classic problem of using shell I/O redirection to do the
>> unthinkable and send the output from a command to a file.  Why
>> someone thought that 'grephistory' needed to be restricted is
>> totally unfathomable to me:
>>
>> avc:  denied  { write } for  pid=6305 comm="grephistory" path="/var/local/suck/suck.new-ids" dev=hda6 ino=189277 
>> scontext=root:system_r:innd_t:s0-s0:c0.c1023 tcontext=root:object_r:var_t:s0 tclass=file
>> avc:  denied  { read write } for  pid=6305 comm="grephistory" path="socket:[63191]" dev=sockfs ino=63191 
>> scontext=root:system_r:innd_t:s0-s0:c0.c1023 tcontext=root:system_r:unconfined_t:s0-s0:c0.c1023 tclass=tcp_socket
>> avc:  denied  { getattr } for  pid=6305 comm="grephistory" path="/var/local/suck/suck.new-ids" dev=hda6 ino=189277 
>> scontext=root:system_r:innd_t:s0-s0:c0.c1023 tcontext=root:object_r:var_t:s0 tclass=file
> 
> Its no grephistory that is confined.  The program that called it was
> running as innd_t and so when it called grephistory it continued to run
> in the innd_t domain.

The program that called grephistory was running from root's crontab.  No way
was that running as innd_t.  Perhaps grephistory transitioned to that
domain to ensure access to the innd database.  I guess I could make that
file news_spool_t, or just create it somewhere in the news spool, where innd
normally operates.  That still leaves the 2nd AVC, path="socket[63191]".
I have no idea what that socket is for.  OK, I just ran an strace on
grephistory, and the only socket it uses is to /dev/log.  What, innd_t isn't
allowed to talk to syslogd?!?!?

> 
>> 3) Here are the complaints resulting from running "enscript -f
>> Courier9 /etc/dhclient-exit-hooks" (output going to an HP printer).
>> I have no idea what the problem is here, but it looks major:
>>
>> avc:  denied  { getattr } for  pid=6927 comm="python" path="/var/run/cups/cups.sock" dev=hda6 ino=283435 
>> scontext=system_u:system_r:hald_t:s0 tcontext=system_u:object_r:cupsd_var_run_t:s0 tclass=sock_file
>> avc:  denied  { read } for  pid=6927 comm="python" name="random" dev=tmpfs ino=2188 scontext=system_u:system_r:hald_t:s0 
>> tcontext=system_u:object_r:random_device_t:s0 tclass=chr_file
>> avc:  denied  { write } for  pid=6927 comm="python" name="cups.sock" dev=hda6 ino=283435 
>> scontext=system_u:system_r:hald_t:s0 tcontext=system_u:object_r:cupsd_var_run_t:s0 tclass=sock_file
>> avc:  denied  { connectto } for  pid=6927 comm="python" path="/var/run/cups/cups.sock" 
>> scontext=system_u:system_r:hald_t:s0 tcontext=system_u:system_r:cupsd_t:s0-s0:c0.c1023 tclass=unix_stream_socket
>> avc:  denied  { read } for  pid=6927 comm="python" name="0" dev=hda6 ino=283436 scontext=system_u:system_r:hald_t:s0 
>> tcontext=system_u:object_r:cupsd_var_run_t:s0 tclass=file
>> avc:  denied  { getattr } for  pid=6927 comm="python" path="/var/run/cups/certs/0" dev=hda6 ino=283436 
>> scontext=system_u:system_r:hald_t:s0 tcontext=system_u:object_r:cupsd_var_run_t:s0 tclass=file
>> avc:  denied  { getattr } for  pid=6955 comm="sh" path="/usr/bin/hpijs" dev=hda5 ino=65915 
>> scontext=system_u:system_r:cupsd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:hplip_exec_t:s0 tclass=file
>> avc:  denied  { execute } for  pid=6955 comm="sh" name="hpijs" dev=hda5 ino=65915 
>> scontext=system_u:system_r:cupsd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:hplip_exec_t:s0 tclass=file
>> avc:  denied  { read } for  pid=6955 comm="sh" name="hpijs" dev=hda5 ino=65915 
>> scontext=system_u:system_r:cupsd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:hplip_exec_t:s0 tclass=file
>> avc:  denied  { execute_no_trans } for  pid=6955 comm="sh" path="/usr/bin/hpijs" dev=hda5 ino=65915 
>> scontext=system_u:system_r:cupsd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:hplip_exec_t:s0 tclass=file
> 
> /me leaves this one for Dan to look at in the morning.  some of it looks
> like a simple bug dan needs to fix in policy and isn't your fault (aka
> the cupsd_t -> hplip_exec_t stuff) but the right way to fix the hald_t
> -> cups issue I'm not sure of and we should leave that to the policy
> expert.

Could still be my fault.  I'm running hplip-1.7.4a-3.fc6, not the older
version that's in CentOS 5.1 (which doesn't support my printer), but FC6
was the basis for RHEL5/CentOS-5.

>> 4) Oh yes, some mail arrived around this time.  Here are the complaints
>> from procmail.  Someone apparently feels that 'pidof' should be locked
>> away for life without parole.
>>
>> avc:  denied  { read } for  pid=5231 comm="pidof" name="stat" dev=proc ino=217317389 
>> scontext=system_u:system_r:dhcpc_t:s0 tcontext=system_u:system_r:sendmail_t:s0 tclass=file
>> avc:  denied  { getattr } for  pid=5231 comm="pidof" path="/proc/3316/stat" dev=proc ino=217317389 
>> scontext=system_u:system_r:dhcpc_t:s0 tcontext=system_u:system_r:sendmail_t:s0 tclass=file
> 
> remember, its not that pidof is being locked away without parole, its
> that dhcpc_t is being locked away.  2 options really: open up dhcpc_t
> policy with audit2allow -a/rinse/repeat (or do it in permissive one time
> rather than rinse repeat which you seem to have discovered) or add a new
> transition so that dhcpc_t can run pidof in an unconfined domain.  I'm
> sure Dan will give details on this when he wakes up.
> 
>> 5) There are also a bunch of AVCs that occur during system boot and shutdown.
>> For example, here are a couple that come up during boot.  Now of course
>> 'klogd' should be denied read permission for /proc/kmesg -- that is just
>> _such_ an _evil_ thing for it to be doing!  As for mcstransd, looks like
>> it found it's way down into /var/named/chroot/proc and obviously couldn't
>> be trusted there.
>>
>> avc:  denied  { read } for  pid=2747 comm="klogd" path="/proc/kmsg" dev=proc ino=-268435447 
>> scontext=system_u:system_r:klogd_t:s0 tcontext=system_u:object_r:named_conf_t:s0 tclass=file
>> avc:  denied  { search } for  pid=2768 comm="mcstransd" name="/" dev=proc ino=1 
>> scontext=system_u:system_r:setrans_t:s0-s0:c0.c1023 tcontext=system_u:object_r:named_conf_t:s0 tclass=dir
> 
> Hmmmm, both of these are an issue with your having proc mounted inside
> the named chroot, why klogd is looking at the /proc/kmsg inside the
> chroot I have no idea.  I thought that labeling for /proc would be
> correct even with strange mount points, I'll have to think about this
> when I get up in the morning.  It is almost midnight here.

That's a non-issue, then.  Somehow I missed the "named_conf_t" on that
first AVC.  If I had SELinux running in enforcing mode, there would be
no need to run named chroot-ed.

>> The phrase, "Not ready for prime time" comes to mind.
> 
> I think we both agree you have the dhcp client do some pretty damn
> extraordinary things and no access control system is going to allow all
> of this out of the box.  Somce things we can still fix easily (dontaudit
> and labeling for innd_t) and some things that I'm not sure what's wrong
> but I'm not the policy guru.  Just remember you are trying to make
> dhcpc_t do things it was absolutely not designed to do.  While I'll
> admit coming at this with no experience may make it seem daunting I'm
> sure you'll agree that most of the issues can be solved with little
> trouble.  (I wish I could say all, but I don't even know the solution to
> all of them without a little playing a dabbling)
> 
> as a sidebar, you might consider adding an audit rule like
> 
> auditctl -a exit,always -S kill -F pid=1
> 
> this will add audit syscall overhead (which maybe be an issue if you box
> can't handle a bit more load) but will give you 'better' path names and
> such in your denial messages so you don't usually have to hunt down
> things like inode numbers....

Thanks, Eric.  That's a bit more encouraging.  I'm going to give this a
rest for a week or so.  Right now I've restored my system back to the
way it was before I started experimenting.

-- 
Bob Nichols     "NOSPAM" is really part of my email address.
                 Do NOT delete it.

More information about the fedora-selinux-list mailing list