Bug 437098

Summary:	[gentoo-hardened] cgroup permission errors in restricted mode
Product:	Gentoo Linux	Reporter:	Reuben Martin <reuben.m>
Component:	Hardened	Assignee:	SE Linux Bugs <selinux>
Status:	RESOLVED WORKSFORME
Severity:	normal
Priority:	Normal
Version:	unspecified
Hardware:	All
OS:	Linux
Whiteboard:	sec-policy
Package list:		Runtime testing required:	---
Attachments:	emerge info

Description Reuben Martin 2012-10-03 20:52:32 UTC

When booting a hardened image in restricted mode, I am getting a bunch of errors during boot that have something to do with cgroups.

In permissive mode there are no such errors, and the audit logs are clean.

Here's the OpenRC terminal output:

cgroup_addrm_files: failed to add tasks, err=-13
cgroup_addrm_files: failed to add cgroup.procs, err=-13
cgroup_addrm_files: failed to add notify_on_release, err=-13
cgroup_addrm_files: failed to add cgroup.event_control, err=-13
cgroup_addrm_files: failed to add cgroup.clone_children, err=-13
cgroup_addrm_files: failed to add release_agent, err=-13
/etc/init.d/sysfs: line 85: /sys/fs/cgroup/openrc/notify_on_release: Permission
denied
cgroup_addrm_files: failed to add tasks, err=-13
cgroup_addrm_files: failed to add cgroup.procs, err=-13
cgroup_addrm_files: failed to add notify_on_release, err=-13
cgroup_addrm_files: failed to add cgroup.event_control, err=-13
cgroup_addrm_files: failed to add cgroup.clone_children, err=-13
cgroup_addrm_files: failed to add release_agent, err=-13
cgroup_addrm_files: failed to add tasks, err=-13
cgroup_addrm_files: failed to add cgroup.procs, err=-13
cgroup_addrm_files: failed to add notify_on_release, err=-13
cgroup_addrm_files: failed to add cgroup.event_control, err=-13
cgroup_addrm_files: failed to add cgroup.clone_children, err=-13
cgroup_addrm_files: failed to add release_agent, err=-13
cgroup_addrm_files: failed to add tasks, err=-13
cgroup_addrm_files: failed to add cgroup.procs, err=-13
cgroup_addrm_files: failed to add cgroup.procs, err=-13
cgroup_addrm_files: failed to add notify_on_release, err=-13
cgroup_addrm_files: failed to add cgroup.event_control, err=-13
cgroup_addrm_files: failed to add cgroup.clone_children, err=-13
cgroup_addrm_files: failed to add release_agent, err=-13
cgroup_addrm_files: failed to add tasks, err=-13
cgroup_addrm_files: failed to add cgroup.procs, err=-13
cgroup_addrm_files: failed to add notify_on_release, err=-13
cgroup_addrm_files: failed to add cgroup.event_control, err=-13
cgroup_addrm_files: failed to add cgroup.clone_children, err=-13
cgroup_addrm_files: failed to add release_agent, err=-13
cgroup_addrm_files: failed to add tasks, err=-13
cgroup_addrm_files: failed to add cgroup.procs, err=-13
cgroup_addrm_files: failed to add notify_on_release, err=-13
cgroup_addrm_files: failed to add cgroup.event_control, err=-13
cgroup_addrm_files: failed to add cgroup.clone_children, err=-13
cgroup_addrm_files: failed to add release_agent, err=-13
cgroup_addrm_files: failed to add tasks, err=-13
cgroup_addrm_files: failed to add cgroup.procs, err=-13
cgroup_addrm_files: failed to add notify_on_release, err=-13
cgroup_addrm_files: failed to add cgroup.event_control, err=-13
cgroup_addrm_files: failed to add cgroup.clone_children, err=-13
cgroup_addrm_files: failed to add release_agent, err=-13
cgroup_addrm_files: failed to add tasks, err=-13
cgroup_addrm_files: failed to add cgroup.procs, err=-13
cgroup_addrm_files: failed to add notify_on_release, err=-13
cgroup_addrm_files: failed to add cgroup.event_control, err=-13
cgroup_addrm_files: failed to add cgroup.clone_children, err=-13
cgroup_addrm_files: failed to add release_agent, err=-13
cgroup_addrm_files: failed to add tasks, err=-13
cgroup_addrm_files: failed to add cgroup.procs, err=-13
cgroup_addrm_files: failed to add notify_on_release, err=-13
cgroup_addrm_files: failed to add cgroup.event_control, err=-13
cgroup_addrm_files: failed to add cgroup.clone_children, err=-13
cgroup_addrm_files: failed to add release_agent, err=-13
cgroup_addrm_files: failed to add tasks, err=-13
cgroup_addrm_files: failed to add cgroup.procs, err=-13
cgroup_addrm_files: failed to add notify_on_release, err=-13
cgroup_addrm_files: failed to add cgroup.event_control, err=-13
cgroup_addrm_files: failed to add cgroup.clone_children, err=-13
cgroup_addrm_files: failed to add release_agent, err=-13
cgroup_addrm_files: failed to add tasks, err=-13
cgroup_addrm_files: failed to add cgroup.procs, err=-13
cgroup_addrm_files: failed to add notify_on_release, err=-13
cgroup_addrm_files: failed to add cgroup.event_control, err=-13
cgroup_addrm_files: failed to add cgroup.clone_children, err=-13
cgroup_addrm_files: failed to add release_agent, err=-13

Reproducible: Always

Comment 1 Reuben Martin 2012-10-03 20:53:03 UTC

Created attachment 325620 [details]
emerge info

Comment 2 Sven Vermeulen (RETIRED) gentoo-dev

2012-10-07 15:49:01 UTC

Yup, confirmed with stable & unstable. Seems it has something to do with the Linux kernel (?), didn't really notice this earlier and just recently updated the kernel to 3.5.4-hardened-r2.

Comment 3 Reuben Martin 2012-10-16 02:22:53 UTC

After you clued me in on showing otherwise hidden avc messages (semodule -DB) I seem to be able to mount cgroups properly.

Of the sec modules I've been creating, here's the output from:
$ grep -r 'cgroup\|mount' ./*/*.te | grep allow
./initrcfixes/initrcfixes.te:allow initrc_t mount_t:process { siginh rlimitinh noatsecure };
./mountfixes/mountfixes.te:allow mount_t cgroup_t:dir { write setattr };
./mountfixes/mountfixes.te:allow mount_t device_t:chr_file { read write };
./mountfixes/mountfixes.te:allow mount_t mnt_t:dir write;
./mountfixes/mountfixes.te:allow mount_t root_t:dir write;
./mountfixes/mountfixes.te:allow mount_t security_t:dir { write setattr };
./mountfixes/mountfixes.te:allow mount_t var_run_t:dir { write setattr };
./mountfixes/mountfixes.te:allow mount_t tmp_t:dir { write setattr };
./tmpfs/tmpfs.te:allow mount_t tmpfs_t:file { read write open getattr setattr create lock };
./tmpfs/tmpfs.te:allow mount_t tmpfs_t:dir { read write search open getattr setattr add_name };


Perhaps that is enough to get started. I suspect the crucial fixes are in that set of allow-rules. If not, I can post all the .te files I've created...

Comment 4 Sven Vermeulen (RETIRED) gentoo-dev

2012-10-30 21:24:42 UTC

For some reason, the messages disappeared on my test VM (running Linux 3.6.3 now, with selinux-*-9999 policies). If you have made a kernel upgrade since you reported this, can you try remove the policy rules you added and see if you can reproduce the errors?

Comment 5 Sven Vermeulen (RETIRED) gentoo-dev

2012-11-10 17:20:44 UTC

For me currently, this has disappeared the same way as it occurred: no idea what did it, but a fresh installation doesn't seem to show this anymore.

Comment 6 Reuben Martin 2012-11-10 20:40:11 UTC

I can't reproduce it anymore either.