Bug 529326 - avc denials for loading a policy
Summary: avc denials for loading a policy
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: SELinux
Hardware: All Linux
Importance: Normal normal
Assignee: Sven Vermeulen (RETIRED)
URL:
Whiteboard:
Keywords:
Depends on: 529366 530866
Blocks:
Reported: 2014-11-15 13:09 UTC by Eric Gisse
Modified: 2015-06-05 16:20 UTC

See Also:
Package list:
Runtime testing required: ---


Attachments
make the avc whines go away! (selinux.patch,948 bytes, patch)
2014-11-15 13:12 UTC, Eric Gisse

Description Eric Gisse 2014-11-15 13:09:33 UTC
(This is running off current development reference policy.)

Ironically, selinux is trying to block me from loading policy modules, eg:

Nov 15 06:55:41 testbed kernel: [169387.945060] audit: type=1400 audit(1416056141.747:4585): avc:  denied  { read } for  pid=3558 comm="load_policy" path="/var/lib/selinux/strict/active/modules/400/selinuxutil/hll" dev="dm-4" ino=817545 ipaddr=173.173.113.156 scontext=root:sysadm_r:load_policy_t tcontext=root:object_r:semanage_var_lib_t tclass=file permissive=1
Nov 15 06:55:41 testbed kernel: [169387.993469] audit: type=1400 audit(1416056141.795:4587): avc:  denied  { read } for  pid=3560 comm="setfiles" path="/var/lib/selinux/strict/active/modules/400/selinuxutil/hll" dev="dm-4" ino=817545 ipaddr=173.173.113.156 scontext=root:sysadm_r:setfiles_t tcontext=root:object_r:semanage_var_lib_t tclass=file permissive=1

The sysadm_t --> setfiles_t/load_policy_t transition is clearly working fine, however the transition from either into semanage_var_lib_t isn't working so well.

In fact there is no transition out:

testbed hardened-refpolicy # sesearch -s setfiles_t -T


testbed hardened-refpolicy # sesearch -s load_policy_t -T


testbed hardened-refpolicy #


Fortunately this is pretty easy to fix because there are two handy macros for file/directory management. Neither permission group for setfiles_t or load_policy_t appears to be a bad idea here, and is essential for policy loading to be possible in an enforcing environment.



Reproducible: Always
Comment 1 Eric Gisse 2014-11-15 13:12:15 UTC
Created attachment 389382 [details, diff]
make the avc whines go away!
Comment 2 Sven Vermeulen (RETIRED) gentoo-dev 2014-11-15 18:52:54 UTC
I'm going to wait on this until the 2.4 cil interpretation bug has been fixed; I didn't have any issues with using the 2.4_rc* series to load policy modules (in enforcing, strict mode) so either there was a fallback routine, or it wasn't needed, or you're executing commands that I haven't tested.
Comment 3 Eric Gisse 2014-11-15 22:48:41 UTC
Fair enough.

Replication for me is straightforward:

1) newrole -r sysadm_r 
2) Build policy module
3) semodule -i module.pp
Comment 4 Sven Vermeulen (RETIRED) gentoo-dev 2014-11-22 16:49:05 UTC
It looks like the denials are harmless (in enforcing mode, stuff still seems to work), but I've asked the mailing list to confirm. Also, I would have expected that this needs to be semanage_store_t, perhaps a transition + fc definition is missing.
Comment 5 Sven Vermeulen (RETIRED) gentoo-dev 2014-11-27 20:46:13 UTC
I'm not forgetting this, but waiting for upstream feedback.

See http://marc.info/?l=selinux&m=141683660207783&w=2
Comment 6 Jason Zaman gentoo-dev 2014-12-07 00:08:00 UTC
userspace 2.4-rc7 is in ~arch, the denials seem to be fixed.
Comment 7 Jason Zaman gentoo-dev 2015-06-05 16:20:15 UTC
2.4 userland is stable