Bug 389569 - sec-policy/selinux-nagios apparently misses some cases.
Summary: sec-policy/selinux-nagios apparently misses some cases.
Status: VERIFIED FIXED
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: Hardened
Hardware: All Linux
Importance: Normal normal
Assignee: Sven Vermeulen (RETIRED)
URL:
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2011-11-04 22:45 UTC by Nico Baggus
Modified: 2011-12-20 18:55 UTC
CC List: 1 user

See Also:
Package list:
Runtime testing required: ---


Attachments

Description Nico Baggus 2011-11-04 22:45:26 UTC
Check raid causes some messages (new?)
And diskcheck causes failures on mountpoints
(I have no suggestion on handling that).


Reproducible: Always

Actual Results:  

avc:  denied  { read } for  pid=17047 comm="check_raid" name="mdstat" dev=proc ino=4026531968 scontext=system_u:system_r:nrpe_t tcontext=system_u:object_r:proc_mdstat_t tclass=file
avc:  denied  { open } for  pid=17047 comm="check_raid" name="mdstat" dev=proc ino=4026531968 scontext=system_u:system_r:nrpe_t tcontext=system_u:object_r:proc_mdstat_t tclass=file
avc:  denied  { ioctl } for  pid=17047 comm="check_raid" path="/proc/mdstat" dev=proc ino=4026531968 scontext=system_u:system_r:nrpe_t tcontext=system_u:object_r:proc_mdstat_t tclass=file

---
avc:  denied  { getattr } for  pid=16695 comm="check_disk" path="/dev/pts" dev=devpts ino=1 scontext=system_u:system_r:nagios_checkdisk_plugin_t tcontext=system_u:object_r:devpts_t tclass=dir
avc:  denied  { getattr } for  pid=16695 comm="check_disk" path="/var" dev=md5 ino=2 scontext=system_u:system_r:nagios_checkdisk_plugin_t tcontext=system_u:object_r:var_t tclass=dir
avc:  denied  { getattr } for  pid=16695 comm="check_disk" path="/proc/bus/usb" dev=usbfs ino=1427 scontext=system_u:system_r:nagios_checkdisk_plugin_t tcontext=system_u:object_r:usbfs_t tclass=dir
avc:  denied  { search } for  pid=16695 comm="check_disk" name="fs" dev=proc ino=6013 scontext=system_u:system_r:nagios_checkdisk_plugin_t tcontext=system_u:object_r:sysctl_fs_t tclass=dir
avc:  denied  { getattr } for  pid=16695 comm="check_disk" path="/proc/sys/fs/binfmt_misc" dev=binfmt_misc ino=1 scontext=system_u:system_r:nagios_checkdisk_plugin_t tcontext=system_u:object_r:binfmt_misc_fs_t tclass=dir
avc:  denied  { getattr } for  pid=16717 comm="check_disk" path="/boot" dev=md2 ino=2 scontext=system_u:system_r:nagios_checkdisk_plugin_t tcontext=system_u:object_r:boot_t tclass=dir
avc:  denied  { getattr } for  pid=16717 comm="check_disk" path="/data" dev=md7 ino=2 scontext=system_u:system_r:nagios_checkdisk_plugin_t tcontext=system_u:object_r:default_t tclass=dir
avc:  denied  { getattr } for  pid=16732 comm="check_disk" path="/sys/fs/fuse/connections" dev=fusectl ino=1 scontext=system_u:system_r:nagios_checkdisk_plugin_t tcontext=system_u:object_r:fusefs_t tclass=dir
avc:  denied  { getattr } for  pid=16798 comm="check_disk" path="/sys" dev=sysfs ino=1 scontext=system_u:system_r:nagios_checkdisk_plugin_t tcontext=system_u:object_r:sysfs_t tclass=dir
avc:  denied  { getattr } for  pid=16798 comm="check_disk" path="/dev/pts" dev=devpts ino=1 scontext=system_u:system_r:nagios_checkdisk_plugin_t tcontext=system_u:object_r:devpts_t tclass=dir
avc:  denied  { search } for  pid=16798 comm="check_disk" name="/" dev=sysfs ino=1 scontext=system_u:system_r:nagios_checkdisk_plugin_t tcontext=system_u:object_r:sysfs_t tclass=dir
avc:  denied  { getattr } for  pid=16798 comm="check_disk" path="/boot" dev=md2 ino=2 scontext=system_u:system_r:nagios_checkdisk_plugin_t tcontext=system_u:object_r:boot_t tclass=dir
avc:  denied  { getattr } for  pid=16798 comm="check_disk" path="/var" dev=md5 ino=2 scontext=system_u:system_r:nagios_checkdisk_plugin_t tcontext=system_u:object_r:var_t tclass=dir
avc:  denied  { getattr } for  pid=16798 comm="check_disk" path="/data" dev=md7 ino=2 scontext=system_u:system_r:nagios_checkdisk_plugin_t tcontext=system_u:object_r:default_t tclass=dir
avc:  denied  { getattr } for  pid=16798 comm="check_disk" path="/proc/bus/usb" dev=usbfs ino=1427 scontext=system_u:system_r:nagios_checkdisk_plugin_t tcontext=system_u:object_r:usbfs_t tclass=dir
avc:  denied  { search } for  pid=16798 comm="check_disk" name="fs" dev=proc ino=6013 scontext=system_u:system_r:nagios_checkdisk_plugin_t tcontext=system_u:object_r:sysctl_fs_t tclass=dir
avc:  denied  { getattr } for  pid=16798 comm="check_disk" path="/proc/sys/fs/binfmt_misc" dev=binfmt_misc ino=1 scontext=system_u:system_r:nagios_checkdisk_plugin_t tcontext=system_u:object_r:binfmt_misc_fs_t tclass=dir
avc:  denied  { getattr } for  pid=16816 comm="check_disk" path="/sys/fs/fuse/connections" dev=fusectl ino=1 scontext=system_u:system_r:nagios_checkdisk_plugin_t tcontext=system_u:object_r:fusefs_t tclass=dir
avc:  denied  { getattr } for  pid=16850 comm="check_disk" path="/var" dev=md5 ino=2 scontext=system_u:system_r:nagios_checkdisk_plugin_t tcontext=system_u:object_r:var_t tclass=dir
avc:  denied  { getattr } for  pid=16893 comm="check_disk" path="/sys" dev=sysfs ino=1 scontext=system_u:system_r:nagios_checkdisk_plugin_t tcontext=system_u:object_r:sysfs_t tclass=dir
-------

--The module--
module nrpe 1.0;

require {
        type nrpe_t;
        type proc_mdstat_t;
        type system_cronjob_t;
        class tcp_socket getattr;
        class unix_dgram_socket getattr;
        class file { read getattr open ioctl };
}

#============= nrpe_t ==============
allow nrpe_t proc_mdstat_t:file { read getattr open ioctl };


It looks like this bug, but apparently it isn't completely fixed.
https://bugs.gentoo.org/show_bug.cgi?id=379199
Comment 1 Nico Baggus 2011-11-04 22:56:51 UTC
The cronjob can be lifted from the nrpe case;
it was a leftover from a false positive on an lsof command.

This should be sufficient...
---8<---
module nrpe 1.0;

require {
        type nrpe_t;
        type proc_mdstat_t;
        class file { read getattr open ioctl };
}

#============= nrpe_t ==============
allow nrpe_t proc_mdstat_t:file { read getattr open ioctl };
Comment 2 Sven Vermeulen (RETIRED) gentoo-dev 2011-11-07 19:44:09 UTC
ACK on the nrpe read access to /proc/mdstat.

On the getattr support needed for directories, this should be in place. Can you give me the output of the following two commands?

~# sesearch -t mountpoint -A -d
~# seinfo -amountpoint -x
Comment 3 Nico Baggus 2011-11-07 23:21:40 UTC
# sesearch -t mountpoint -A -d
Found 5 semantic av rules:
   allow cupsd_config_t mountpoint : dir { getattr search open } ; 
   allow exim_t mountpoint : dir getattr ; 
   allow consolekit_t mountpoint : dir { getattr search open } ; 
   allow mount_t mountpoint : file { getattr mounton } ; 
   allow mount_t mountpoint : dir { getattr mounton search open } ;
Comment 4 Nico Baggus 2011-11-07 23:25:43 UTC
#  seinfo -amountpoint -x
   mountpoint
      named_conf_t
      sysctl_fs_t
      user_home_dir_t
      mail_spool_t
      autofs_t
      capifs_t
      device_t
      devpts_t
      fusefs_t
      cifs_t
      dosfs_t
      file_t
      nfs_t
      proc_t
      ramfs_t
      spufs_t
      src_t
      sysfs_t
      tmpfs_t
      usbfs_t
      vxfs_t
      xenfs_t
      ecryptfs_t
      removable_t
      user_home_t
      rpc_pipefs_t
      proc_xen_t
      var_log_t
      vmblock_t
      binfmt_misc_fs_t
      anon_inodefs_t
      home_root_t
      audit_spool_t
      cgroup_t
      squash_t
      sysctl_t
      boot_t
      lib_t
      mnt_t
      root_t
      sysv_t
      tmp_t
      usr_t
      var_t
      auditd_log_t
      mqueue_spool_t
      hugetlbfs_t
      initrc_state_t
      default_t
      iso9660_t
      var_lib_t
      var_run_t
Comment 5 Nico Baggus 2011-11-07 23:26:57 UTC
If you can explain why you need the info, I can learn more about how to solve similar problems... TIA
Comment 6 Sven Vermeulen (RETIRED) gentoo-dev 2011-11-11 10:44:23 UTC
Certainly;

The denial I'm focusing on is of the following form:

avc:  denied  { getattr } for  pid=16695 comm="check_disk" path="/var" dev=md5
ino=2 scontext=system_u:system_r:nagios_checkdisk_plugin_t
tcontext=system_u:object_r:var_t tclass=dir

In the policy, there is a line that says:

files_getattr_all_mountpoints(nagios_checkdisk_plugin_t)

This line translates to:

allow nagios_checkdisk_plugin_t mountpoint:dir getattr;

In other words, the denial we see shouldn't be there, since var_t has the attribute "mountpoint", so nagios_checkdisk_plugin_t should be able to "getattr" on this directory.

This leads me to believe there is a build issue with the module, so I'll work on this first and see if I can reproduce.
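The check described in this comment can be automated: parse the denials, expand the mountpoint attribute with the type list from comment 4, and flag every denial that an existing rule should already allow (pointing at a module build problem rather than a missing rule). This is an added example, not code from the bug report or the selinux-nagios package; the type subset, the rule tuple and the function names are constructed for it.

```python
import re
# Constructed sample: four of the AVC denials quoted in this bug report.
AVC_LINES = """\
avc:  denied  { read } for  pid=17047 comm="check_raid" name="mdstat" dev=proc ino=4026531968 scontext=system_u:system_r:nrpe_t tcontext=system_u:object_r:proc_mdstat_t tclass=file
avc:  denied  { getattr } for  pid=16695 comm="check_disk" path="/var" dev=md5 ino=2 scontext=system_u:system_r:nagios_checkdisk_plugin_t tcontext=system_u:object_r:var_t tclass=dir
avc:  denied  { search } for  pid=16798 comm="check_disk" name="/" dev=sysfs ino=1 scontext=system_u:system_r:nagios_checkdisk_plugin_t tcontext=system_u:object_r:sysfs_t tclass=dir
avc:  denied  { getattr } for  pid=16717 comm="check_disk" path="/boot" dev=md2 ino=2 scontext=system_u:system_r:nagios_checkdisk_plugin_t tcontext=system_u:object_r:boot_t tclass=dir
"""

# Subset of the 'seinfo -amountpoint -x' output from comment 4: types carrying the attribute.
ATTRIBUTES = {"mountpoint": {"var_t", "boot_t", "sysfs_t", "devpts_t", "sysctl_fs_t",
                             "default_t", "usbfs_t", "fusefs_t", "binfmt_misc_fs_t"}}

# Rule from comment 6 (files_getattr_all_mountpoints expanded): (source, target type or attribute, class, perms).
EXPECTED_RULES = [("nagios_checkdisk_plugin_t", "mountpoint", "dir", frozenset({"getattr"}))]

AVC_RE = re.compile(r'denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?scontext=(?P<scon>\S+)'
                    r'\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\S+)')

def parse_avc(line):
    """Return (perms, source type, target type, class) or None for a non-AVC line."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    stype = m.group("scon").split(":")[2]   # context is user:role:type[:range]
    ttype = m.group("tcon").split(":")[2]
    return frozenset(m.group("perms").split()), stype, ttype, m.group("tclass")

def rule_covers(rule, denial, attributes):
    """True if the rule already grants every permission the denial asked for."""
    src, tgt, tclass, perms = rule
    dperms, stype, ttype, dclass = denial
    targets = attributes.get(tgt, {tgt})      # expand an attribute to its member types
    return src == stype and ttype in targets and tclass == dclass and dperms <= perms

def audit(lines, rules, attributes):
    """For each denial, report the rule that should have allowed it, or None."""
    report = []
    for line in lines.splitlines():
        d = parse_avc(line)
        if d is not None:
            hit = next((r for r in rules if rule_covers(r, d, attributes)), None)
            report.append((d[1], d[2], d[3], sorted(d[0]), hit))
    return report

if __name__ == "__main__":
    for stype, ttype, tclass, perms, hit in audit(AVC_LINES, EXPECTED_RULES, ATTRIBUTES):
        verdict = "already allowed by policy -> module build issue" if hit else "needs a new rule"
        print(f"{stype} -> {ttype}:{tclass} {perms}: {verdict}")
```

The getattr denials on var_t and boot_t come back as already covered, matching the conclusion above, while the nrpe_t read on proc_mdstat_t and the search on sysfs_t are not granted by that one rule.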
Comment 7 Sven Vermeulen (RETIRED) gentoo-dev 2011-11-11 10:57:55 UTC
Ah <insert expletive here>. That patch apparently isn't included in selinux-nagios-2.20110726-r1. I'll have it in with the -r2 release.

From the looks of it, that should have all denials you mentioned fixed. I'll see to have this in hardened-dev overlay as soon as possible.
Comment 8 Nico Baggus 2011-11-11 11:24:51 UTC
OK, I'll see the update coming then, and test it.
Comment 9 Sven Vermeulen (RETIRED) gentoo-dev 2011-11-12 21:20:49 UTC
In hardened-dev overlay
Comment 10 Sven Vermeulen (RETIRED) gentoo-dev 2011-11-15 10:53:15 UTC
Moved to main portage tree, ~arch'ed.
Comment 11 Sven Vermeulen (RETIRED) gentoo-dev 2011-12-20 18:55:17 UTC
stabilized