Bug 554080

Summary: sys-apps/shadow-4.2.1-r1[selinux]: Failure to switch user w/ su (missing privileges) and segfault
Product: Gentoo Linux
Reporter: Matthias Dahl <ua_gentoo_bugzilla>
Component: SELinux
Assignee: Sven Vermeulen (RETIRED) <swift>
Status: RESOLVED FIXED
Severity: normal
CC: selinux
Priority: Normal
Version: unspecified
Hardware: All
OS: Linux
Whiteboard: sec-policy r8
Package list:
Runtime testing required: ---

Description Matthias Dahl 2015-07-06 14:39:23 UTC
Trying to switch to a different user on a SELinux- and grsecurity-enabled kernel w/ su fails with the following errors and denials:

# su testuser

su: avc.c:74: avc_context_to_sid_raw: Assertion `avc_running' failed.
Segmentation fault

From the log:

[608399.079722] audit: type=1400 audit(1436192977.416:886): avc:  denied  { create } for  pid=5345 comm="su" ipaddr=127.0.0.6 scontext=root:sysadm_r:sysadm_su_t tcontext=root:sysadm_r:sysadm_su_t tclass=netlink_selinux_socket permissive=0
[608399.080052] audit: type=1400 audit(1436192977.420:887): avc:  denied  { signal } for  pid=5345 comm="su" ipaddr=127.0.0.6 scontext=root:sysadm_r:sysadm_su_t tcontext=root:sysadm_r:sysadm_su_t tclass=process permissive=0
[608399.080065] audit: type=1400 audit(1436192977.420:888): avc:  denied  { signal } for  pid=5345 comm="su" ipaddr=127.0.0.6 scontext=root:sysadm_r:sysadm_su_t tcontext=root:sysadm_r:sysadm_su_t tclass=process permissive=0
[608399.080071] traps: su[5345] general protection ip:6fda22b8c588 sp:7dabe3bd5310 error:0 in libc-2.20.so[6fda22b56000+1a2000]
[608399.080091] grsec: From 127.0.0.6: Segmentation fault occurred at            (nil) in /bin/su[su:5345] uid/euid:0/0 gid/egid:0/0, parent /bin/bash[bash:10684] uid/euid:0/0 gid/egid:0/0
[608399.080108] grsec: From 127.0.0.6: denied resource overstep by requesting 4096 for RLIMIT_CORE against limit 0 for /bin/su[su:5345] uid/euid:0/0 gid/egid:0/0, parent /bin/bash[bash:10684] uid/euid:0/0 gid/egid:0/0

Reproducible: Always

The following relevant policy versions were installed at the time of testing:

sec-policy/selinux-base-2.20141203-r6:0
sec-policy/selinux-base-policy-2.20141203-r6:0

Kernel version running at the time of testing:

4.0.6-hardened-r2
Comment 1 Sven Vermeulen (RETIRED) gentoo-dev 2015-07-15 13:44:20 UTC
For your information, similar stuff has been reported in the past [1] but sadly with no result(s). I'm going to go address this in the su_restricted_domain_template() inside admin/su.if for Gentoo.

[1] http://oss.tresys.com/pipermail/refpolicy/2014-April/007058.html
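Added example (not part of this bug report or of the Gentoo policy tree): a small parser that turns the AVC denial lines quoted in the description into the minimal allow rules they imply, the same reduction audit2allow performs, and then rewrites them in the form they would take inside a refpolicy template such as su_restricted_domain_template(). The sample input is the three audit lines from the report; the `$1_su_t` naming for the template's domain type is an assumption about the template's convention, not something this bug states. Two denials hit the same source and target context, so they become `self` rules; the repeated `signal` denial is de-duplicated.

```python
import re
from collections import defaultdict

# Sample input, copied from the denials in this bug report (the duplicated
# 'signal' line is kept on purpose to show de-duplication).
SAMPLE_AVC = """\
[608399.079722] audit: type=1400 audit(1436192977.416:886): avc:  denied  { create } for  pid=5345 comm="su" ipaddr=127.0.0.6 scontext=root:sysadm_r:sysadm_su_t tcontext=root:sysadm_r:sysadm_su_t tclass=netlink_selinux_socket permissive=0
[608399.080052] audit: type=1400 audit(1436192977.420:887): avc:  denied  { signal } for  pid=5345 comm="su" ipaddr=127.0.0.6 scontext=root:sysadm_r:sysadm_su_t tcontext=root:sysadm_r:sysadm_su_t tclass=process permissive=0
[608399.080065] audit: type=1400 audit(1436192977.420:888): avc:  denied  { signal } for  pid=5345 comm="su" ipaddr=127.0.0.6 scontext=root:sysadm_r:sysadm_su_t tcontext=root:sysadm_r:sysadm_su_t tclass=process permissive=0
"""

# One AVC record: the permission set in braces, then source/target context and class.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)


def context_type(ctx):
    """Return the type component of a user:role:type[:range] security context."""
    return ctx.split(":")[2]


def parse_denials(text):
    """Yield (source_type, target_type, tclass, frozenset_of_perms) for each AVC line."""
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # not an AVC record (e.g. the grsec or traps lines)
        perms = frozenset(m.group("perms").split())
        yield (context_type(m.group("scontext")),
               context_type(m.group("tcontext")),
               m.group("tclass"), perms)


def allow_rules(text):
    """Merge denials into the minimal allow rules; same source and target -> 'self'."""
    merged = defaultdict(set)
    for src, tgt, tclass, perms in parse_denials(text):
        merged[(src, "self" if src == tgt else tgt, tclass)] |= perms
    rules = []
    for (src, tgt, tclass), perms in sorted(merged.items()):
        plist = " ".join(sorted(perms))
        if len(perms) > 1:
            plist = "{ " + plist + " }"
        rules.append(f"allow {src} {tgt}:{tclass} {plist};")
    return rules


def template_rules(text, prefix):
    """Rewrite the rules for a refpolicy template whose domain is named '<prefix>_su_t'.

    The '$1_su_t' form is an assumption about the template's naming convention.
    """
    return [r.replace(f"{prefix}_su_t", "$1_su_t") for r in allow_rules(text)]


if __name__ == "__main__":
    print("# as a local module would state them:")
    for rule in allow_rules(SAMPLE_AVC):
        print(rule)
    print("# as they would appear inside the template:")
    for rule in template_rules(SAMPLE_AVC, "sysadm"):
        print(rule)
```

Unlike audit2allow, this does not consult the loaded policy, so it cannot tell whether a denial is already covered by a boolean or should be dontaudited rather than allowed; it only shows what the denials in the report amount to. Note the order of events in the log: the `create` denial on `netlink_selinux_socket` is logged before su's `avc_running` assertion and the segfault, so the audit log, not the crash, is the first thing to read when su dies under a confined domain.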
Comment 2 Sven Vermeulen (RETIRED) gentoo-dev 2015-07-15 13:47:55 UTC
Fixed in repo, will be in r8
Comment 3 Jason Zaman gentoo-dev 2015-08-04 18:23:03 UTC
r8 is in ~arch now
Comment 4 Jason Zaman gentoo-dev 2015-09-06 12:54:20 UTC
r8 is stable