Hi all,
I'm running into a SELinux permission issue when simply changing the ownership of a directory and I've got no clue why this happens.
The program in question is smokeping. It runs as root with the context of "system_u:system_r:smokeping_t" and tries to write to /var/lib/smokeping/rrd. When having /var/lib/smokeping (and its subfolders) owned by root, everything works fine. As soon as I change the ownership to apache:apache and remove permissions for other users (e.g. 0770), an EACCES pops up but no avc denied shows up in the audit log.
Here's what I got so far:
$ ls -dZ /var/lib/smokeping/rrd
drwxr-xr-x. root root system_u:object_r:smokeping_var_lib_t:s0 /var/lib/smokeping/rrd
$ runcon -t smokeping_t -r system_r smokeping --debug # (works fine)

$ chown apache: /var/lib/smokeping/rrd
$ chmod 770 /var/lib/smokeping/rrd
$ ls -dZ /var/lib/smokeping/rrd
drwxrwx---. apache apache system_u:object_r:smokeping_var_lib_t:s0 /var/lib/smokeping/rrd
$ runcon -t smokeping_t -r system_r smokeping --debug # (breaks)
An strace shows:
$ grep -h EACCES /tmp/smokeping.pid.*
open("/etc/shadow", O_RDONLY|O_CLOEXEC) = -1 EACCES (Permission denied)
stat("/var/lib/smokeping/rrd/foo.rrd", 0x1219138) = -1 EACCES (Permission denied)
open("/var/lib/smokeping/rrd/foo.rrd", O_RDWR|O_CREAT|O_TRUNC, 0666) = -1 EACCES (Permission denied)
stat("/var/lib/smokeping/rrd/foo~bar.rrd", 0x1219138) = -1 EACCES (Permission denied)
open("/var/lib/smokeping/rrd/foo~bar.rrd", O_RDWR|O_CREAT|O_TRUNC, 0666) = -1 EACCES (Permission denied)
stat("/var/lib/smokeping/rrd/foo~baz.rrd", 0x1219138) = -1 EACCES (Permission denied)
open("/var/lib/smokeping/rrd/foo~baz.rrd", O_RDWR|O_CREAT|O_TRUNC, 0666) = -1 EACCES (Permission denied)
stat("/var/lib/smokeping/rrd/threshold", 0x1219138) = -1 EACCES (Permission denied)
mkdir("/var/lib/smokeping/rrd/threshold", 0755) = -1 EACCES (Permission denied)
imho smokeping *should* be able to perform these actions (well, except for /etc/shadow):
$ sesearch -s smokeping_t -t smokeping_var_lib_t -Ad
Found 2 semantic av rules:
   allow smokeping_t smokeping_var_lib_t : dir { ioctl read write create getattr setattr lock unlink link rename add_name remove_name reparent search rmdir open } ;
   allow smokeping_t smokeping_var_lib_t : file { ioctl read write create getattr setattr lock append unlink link rename open } ;
When circumventing SELinux using either setenforce 0 or semanage permissive -a smokeping_t it works fine again.
Does anyone have a clue?
Thanks!
- Philippe
Hi Philippe
As the process runs confined, root is not the same root as if you run it interactively after sudo su - or the like.
Root for the smokeping process is like a normal user. It can't override DAC permissions. If root has no permissions to write to the folder it simply can't overrule that permission because DAC_OVERRIDE is denied. There should be some audit messages logged with dac_override.
A Dan Walsh blogpost about dac override with some details: https://danwalsh.livejournal.com/80232.html
- Thomas
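Thomas's point, that a confined root is subject to ordinary DAC unless its domain actually holds CAP_DAC_OVERRIDE, modelled in Python. This is an added example, not code from the thread or from smokeping; parse_mode and dac_permits are my names, and the check follows the order of the kernel's generic_permission(): owner bits, group bits, other bits, then capability fallbacks.

```python
# Added example (not from the thread or from smokeping): a model of the
# kernel's DAC check, showing why root in a confined domain that lacks
# CAP_DAC_OVERRIDE is treated like any other user on an apache:apache 0770 dir.
from typing import FrozenSet, Set, Tuple

R, W, X = 4, 2, 1
BIT = {"r": R, "w": W, "x": X}


def parse_mode(ls_mode: str) -> Tuple[int, int, int]:
    """'drwxrwx---.' (ls -Z style) -> (owner, group, other) rwx bit masks."""
    perms = ls_mode[1:10]              # skip the type char; ignore the trailing '.'
    out = []
    for i in (0, 3, 6):
        r, w, x = perms[i:i + 3]
        out.append((R if r == "r" else 0) | (W if w == "w" else 0)
                   | (X if x in "xst" else 0))
    return out[0], out[1], out[2]


def dac_permits(ls_mode: str, owner: str, group: str, user: str,
                groups: Set[str], want: str,
                caps: FrozenSet[str] = frozenset()) -> bool:
    """Mimic the order of generic_permission(): owner bits, else group bits,
    else other bits, then capability fallbacks. uid 0 is not special by itself;
    only the capabilities the process actually holds are. want: subset of 'rwx'
    (x on a directory means search)."""
    owner_bits, group_bits, other_bits = parse_mode(ls_mode)
    if user == owner:
        granted = owner_bits
    elif group in groups:
        granted = group_bits
    else:
        granted = other_bits
    needed = sum(BIT[c] for c in want)
    if granted & needed == needed:
        return True
    # CAP_DAC_OVERRIDE bypasses all rwx checks (exec of a regular file would
    # still need one x bit somewhere; not modelled). CAP_DAC_READ_SEARCH only
    # bypasses read on anything and search (x) on directories.
    if "dac_override" in caps:
        return True
    if "dac_read_search" in caps:
        bypass = "rx" if ls_mode[0] == "d" else "r"
        return all(c in bypass for c in want)
    return False
```

With the thread's two directory states, root gets write+search on the root-owned 0755 directory, but on the apache:apache 0770 directory it falls through to the "other" bits and is denied unless the domain is allowed dac_override (or dac_read_search, which covers the stat() but not the open(O_CREAT)).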
Hi Philippe,
On 4/24/19 1:10 PM, Thomas Mueller wrote:
Just to be sure, could you please rerun the scenario and execute the command:
# ausearch -m AVC -ts today
and attach the output?
Thanks, Lukas.
Hi Lukas,
ausearch shows only irrelevant logs from other processes but, apart from me playing around with runcon, nothing regarding smokeping:
--%snip%--
----
time->Wed Apr 24 11:43:39 2019
type=PROCTITLE msg=audit(1556099019.516:249260): proctitle=72756E636F6E002D7400736D6F6B6570696E675F74002D720073797374656D5F72006964
type=PATH msg=audit(1556099019.516:249260): item=0 name="/usr/bin/id" inode=7818 dev=fd:01 mode=0100755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:bin_t:s0 objtype=NORMAL cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0
type=CWD msg=audit(1556099019.516:249260): cwd="/root"
type=SYSCALL msg=audit(1556099019.516:249260): arch=c000003e syscall=59 success=no exit=-13 a0=7ffd17daa993 a1=7ffd17daabd0 a2=7ffd17daabe0 a3=7ffd17daa4a0 items=1 ppid=26931 pid=13201 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=5004 comm="runcon" exe="/usr/bin/runcon" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1556099019.516:249260): avc: denied { entrypoint } for pid=13201 comm="runcon" path="/usr/bin/id" dev="dm-1" ino=7818 scontext=unconfined_u:system_r:smokeping_t:s0-s0:c0.c1023 tcontext=system_u:object_r:bin_t:s0 tclass=file permissive=0
----
time->Wed Apr 24 11:45:25 2019
type=PROCTITLE msg=audit(1556099125.154:249313): proctitle=72756E636F6E002D7400736D6F6B6570696E675F74002D720073797374656D5F72006C73002F7661722F6C69622F736D6F6B6570696E672F7272642F666F6F
type=PATH msg=audit(1556099125.154:249313): item=0 name="/usr/bin/ls" inode=7824 dev=fd:01 mode=0100755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:bin_t:s0 objtype=NORMAL cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0
type=CWD msg=audit(1556099125.154:249313): cwd="/root"
type=SYSCALL msg=audit(1556099125.154:249313): arch=c000003e syscall=59 success=no exit=-13 a0=7ffc3f10e103 a1=7ffc3f10e340 a2=7ffc3f10e358 a3=7ffc3f10dc20 items=1 ppid=26931 pid=14185 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=5004 comm="runcon" exe="/usr/bin/runcon" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1556099125.154:249313): avc: denied { entrypoint } for pid=14185 comm="runcon" path="/usr/bin/ls" dev="dm-1" ino=7824 scontext=unconfined_u:system_r:smokeping_t:s0-s0:c0.c1023 tcontext=system_u:object_r:bin_t:s0 tclass=file permissive=0
--%snip%--
Also I do not have any dontaudit rules for smokeping_t that would hide the log events in question.
- Philippe
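A small triage helper for the ausearch output above, added here as an example (not from the thread, not part of smokeping or audit's own tooling). It pulls the permission set, source domain, target class and path out of each type=AVC record and keeps only denials that could explain an EACCES under /var/lib/smokeping/rrd from smokeping_t: a capability denial for dac_override or dac_read_search, or a file/dir denial on that path. The first two sample records are the ones Philippe posted; the third is a constructed dac_override record (not from the page) to show what a hit looks like. parse_avc and relevant_denials are my names.

```python
# Added example (not from the thread): triage type=AVC records so that noise
# such as runcon's entrypoint denials is separated from denials that would
# explain an EACCES from smokeping_t.
import re

# Two records copied from Philippe's ausearch output; the third is CONSTRUCTED
# to show the shape of a capability denial (capability=1 is CAP_DAC_OVERRIDE).
SAMPLE = """\
type=AVC msg=audit(1556099019.516:249260): avc: denied { entrypoint } for pid=13201 comm="runcon" path="/usr/bin/id" dev="dm-1" ino=7818 scontext=unconfined_u:system_r:smokeping_t:s0-s0:c0.c1023 tcontext=system_u:object_r:bin_t:s0 tclass=file permissive=0
type=AVC msg=audit(1556099125.154:249313): avc: denied { entrypoint } for pid=14185 comm="runcon" path="/usr/bin/ls" dev="dm-1" ino=7824 scontext=unconfined_u:system_r:smokeping_t:s0-s0:c0.c1023 tcontext=system_u:object_r:bin_t:s0 tclass=file permissive=0
type=AVC msg=audit(1556099200.000:249400): avc:  denied  { dac_override } for  pid=14300 comm="smokeping" capability=1  scontext=system_u:system_r:smokeping_t:s0 tcontext=system_u:system_r:smokeping_t:s0 tclass=capability permissive=0
"""

PERM_RE = re.compile(r"avc:\s+denied\s+\{([^}]*)\}")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(text):
    """Return one dict per type=AVC line: perms list, sdomain, plus the
    key=value fields after 'for' (comm, path, scontext, tcontext, tclass...)."""
    records = []
    for line in text.splitlines():
        if "type=AVC" not in line:
            continue
        m = PERM_RE.search(line)
        if not m:
            continue
        rest = line.split("} for", 1)[1]
        rec = {k: v.strip('"') for k, v in KV_RE.findall(rest)}
        rec["perms"] = m.group(1).split()
        rec["sdomain"] = rec["scontext"].split(":")[2]   # user:role:TYPE:...
        records.append(rec)
    return records


def relevant_denials(records, domain, path_prefix):
    """Denials from `domain` that could explain EACCES under path_prefix."""
    hits = []
    for r in records:
        if r["sdomain"] != domain:
            continue
        cap_hit = (r["tclass"] == "capability"
                   and {"dac_override", "dac_read_search"} & set(r["perms"]))
        path_hit = (r["tclass"] in ("file", "dir")
                    and r.get("path", "").startswith(path_prefix))
        if cap_hit or path_hit:
            hits.append(r)
    return hits
```

Run over just the two records from the thread, the result is empty: both are entrypoint denials caused by runcon trying to exec /usr/bin/id and /usr/bin/ls in smokeping_t, which says nothing about the rrd directory. A dontaudit rule would suppress a capability record entirely; `semodule -DB` rebuilds the policy with dontaudit rules disabled so there is something for the search to find.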
Hi Thomas,
thanks a lot! Unfortunately the audit logs didn't show any denials for dac_override and I missed the point completely here. Dan's blogpost looks promising, I'll take a look.
- Philippe