Bug 660764 - `su' segmentation fault with SELinux enabled
Summary: `su' segmentation fault with SELinux enabled
Status: RESOLVED TEST-REQUEST
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: SELinux
Hardware: AMD64 Linux
Importance: Normal major
Assignee: Jason Zaman
URL:
Whiteboard: sec-policy r1
Keywords:
Depends on:
Blocks:
 
Reported: 2018-07-09 01:43 UTC by Noah McNallie
Modified: 2018-07-12 17:37 UTC
1 user

See Also:
Package list:
Runtime testing required: ---


Attachments
emerge information (emerge--info.txt,5.43 KB, text/plain)
2018-07-09 01:43 UTC, Noah McNallie

Description Noah McNallie 2018-07-09 01:43:26 UTC
Created attachment 538886 [details]
emerge information

There seems to be an issue when root runs `su' with SELinux enabled. There does not seem to be a problem when other users run `su'. The following occurs:

-- BEGIN ERROR --
[root@domain][~]# su - rtorrent
su: avc.c:74: avc_context_to_sid_raw: Assertion `avc_running' failed.
Segmentation fault
[root@domain][~]#
-- END ERROR --

I tried allowing the only two denials that I see related to `su' in dmesg:

-- BEGIN TEXT --
[root@domain][/etc/selinux/mcs/policy]# audit2allow -M tmp
[542047.056105] audit: type=1400 audit(1531099090.236:1141): avc:  denied  { signal } for  pid=1354 comm="su" scontext=staff_u:sysadm_r:sysadm_su_t:s0 tcontext=staff_u:sysadm_r:sysadm_su_t:s0 tclass=process permissive=0
[542047.052500] audit: type=1400 audit(1531099090.233:1140): avc:  denied  { create } for  pid=1354 comm="su" scontext=staff_u:sysadm_r:sysadm_su_t:s0 tcontext=staff_u:sysadm_r:sysadm_su_t:s0 tclass=netlink_selinux_socket permissive=0
******************** IMPORTANT ***********************
To make this policy package active, execute:

semodule -i tmp.pp

[root@domain][/etc/selinux/mcs/policy]# semodule -i tmp.pp
[root@domain][/etc/selinux/mcs/policy]# su - rtorrent
su: avc.c:74: avc_context_to_sid_raw: Assertion `avc_running' failed.
Aborted
[root@domain][/etc/selinux/mcs/policy]# semodule -r tmp
libsemanage.semanage_direct_remove_key: Removing last tmp module (no other tmp module exists at another priority).
-- END TEXT --

And then removed the module as it did not seem to have any benefit. dmesg shows this:

'[543295.214129] traps: su[3024] general protection ip:7f11e4cfca0b sp:7ffe5c06fde0 error:0 in libc-2.26.so[7f11e4cdc000+1c7000]'

I tried to re-emerge 'sys-apps/shadow-4.6::gentoo' with no success. 

I am not able to use `strace`, so I cannot provide that information:

-- BEGIN STRACE --
[root@domain][/etc/selinux/mcs/policy]# strace su - rtorrent
execve("/bin/su", ["su", "-", "rtorrent"], 0x7ffe77076480 /* 26 vars */) = -1 EPERM (Operation not permitted)
fstat(2, {st_mode=S_IFCHR|0620, st_rdev=makedev(136, 4), ...}) = 0
write(2, "strace: exec: Operation not perm"..., 38strace: exec: Operation not permitted
) = 38
getpid()                                = 3163
exit_group(1)                           = ?
+++ exited with 1 +++
[root@ldomain][/etc/selinux/mcs/policy]#
-- END STRACE --

The VPS seems fine other than this, which has been an issue for a few months since I put a SELinux policy in place.

Please let me know what more information that I can provide. This is an 'mcs' policy.
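The two AVC denials quoted above are both denials of sysadm_su_t acting on itself (scontext equals tcontext), which is the kind of detail worth reading out of the audit lines before loading whatever audit2allow generates. The following parser is an added example, not code from the bug report or from Gentoo's SELinux tooling; it takes the two dmesg lines from the report as its sample input, extracts the source and target contexts, class and permissions, flags self-denials, and renders the same allow rules audit2allow would propose so they can be reviewed rather than installed blind. Field names such as `self_denial` and the function names are this example's own.

```python
"""Parse SELinux AVC denial lines (dmesg or audit.log format) into structured
records and summarize them as candidate allow rules for review.

Added example; the sample lines below are copied from the bug report's dmesg
output. Nothing here writes a policy module."""
import re

# "avc:  denied  { signal } for  pid=1354 comm="su" scontext=... tcontext=... tclass=..."
AVC_RE = re.compile(
    r"avc:\s+(?P<decision>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)"
)
# key=value pairs; comm="su" is quoted, contexts are not
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Sample input taken from the report (the two denials logged for `su').
SAMPLE_DMESG = [
    '[542047.056105] audit: type=1400 audit(1531099090.236:1141): avc:  denied  { signal } for  pid=1354 comm="su" scontext=staff_u:sysadm_r:sysadm_su_t:s0 tcontext=staff_u:sysadm_r:sysadm_su_t:s0 tclass=process permissive=0',
    '[542047.052500] audit: type=1400 audit(1531099090.233:1140): avc:  denied  { create } for  pid=1354 comm="su" scontext=staff_u:sysadm_r:sysadm_su_t:s0 tcontext=staff_u:sysadm_r:sysadm_su_t:s0 tclass=netlink_selinux_socket permissive=0',
    '[543295.214129] traps: su[3024] general protection ip:7f11e4cfca0b sp:7ffe5c06fde0 error:0 in libc-2.26.so[7f11e4cdc000+1c7000]',
]


def split_context(ctx):
    """Split user:role:type:level; maxsplit keeps MLS ranges (which contain ':') intact."""
    user, role, type_, level = ctx.split(":", 3)
    return {"user": user, "role": role, "type": type_, "level": level}


def parse_avc(line):
    """Return a dict describing one AVC line, or None if the line is not an AVC record."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group("rest"))}
    if "scontext" not in fields or "tcontext" not in fields:
        return None
    rec = {
        "decision": m.group("decision"),
        "perms": tuple(m.group("perms").split()),
        "comm": fields.get("comm"),
        "pid": int(fields["pid"]) if "pid" in fields else None,
        "tclass": fields.get("tclass"),
        "permissive": fields.get("permissive") == "1",
        "scontext": split_context(fields["scontext"]),
        "tcontext": split_context(fields["tcontext"]),
    }
    # A domain denied a permission on its own type usually points at a missing
    # self rule in the policy rather than at a privilege the program should gain.
    rec["self_denial"] = rec["scontext"]["type"] == rec["tcontext"]["type"]
    return rec


def summarize(lines):
    """Group denied permissions by (source type, target type, class)."""
    rules = {}
    for line in lines:
        rec = parse_avc(line)
        if rec is None or rec["decision"] != "denied":
            continue
        key = (rec["scontext"]["type"], rec["tcontext"]["type"], rec["tclass"])
        rules.setdefault(key, set()).update(rec["perms"])
    return rules


def render_allow(rules):
    """Render grouped denials as policy allow rules, using 'self' for same-type pairs."""
    out = []
    for (stype, ttype, tclass), perms in sorted(rules.items()):
        target = "self" if stype == ttype else ttype
        out.append(f"allow {stype} {target}:{tclass} {{ {' '.join(sorted(perms))} }};")
    return out


if __name__ == "__main__":
    for rec in filter(None, map(parse_avc, SAMPLE_DMESG)):
        print(rec["comm"], rec["tclass"], rec["perms"], "self-denial" if rec["self_denial"] else "")
    print("\n".join(render_allow(summarize(SAMPLE_DMESG))))
```

Run as a script it lists each denial with its class and permissions and then the two rules audit2allow would have put into tmp.pp. Both come out as `self` rules, which matches the reporter's observation that loading them changed nothing: the crash is not a missing privilege that a local module should grant.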
Comment 1 Jason Zaman gentoo-dev 2018-07-12 17:37:29 UTC
Fixed in 2.20180701-r1