Re: [CentOS] SElinux AVC signull

2019-01-18 Thread Leon Fauster via CentOS
Am 18.01.2019 um 16:17 schrieb Sean :
> 
> I don't have access to a CentOS 6.10 system handy, but it looks like a
> policy issue.  If I take your ausearch output and pipe it to
> audit2allow on my CentOS 7.6 system, I get the following:
> 
> #= httpd_t ==
> 
> # This avc is allowed in the current policy
> allow httpd_t httpd_sys_script_t:process signull;


Hi Sean, thanks for cross-checking this under EL7.

As shown under EL6, it's denied:

# grep signull /var/log/audit/audit.log | audit2allow -m test

module test 1.0;

require {
type httpd_t;
type httpd_sys_script_t;
class process signull;
}

#= httpd_t ==
allow httpd_t httpd_sys_script_t:process signull;

But this brings some insight. It therefore seems to be an allowable policy,
as it is already allowed under EL7. I even found a related changelog entry
in the newer EL7 package:

# rpm -qp --changelog selinux-policy-targeted-3.13.1-229.el7.noarch.rpm | egrep 'signul.*apache script'
- Allow httpd to send signull to apache script domains and don't audit leaks

So this lets me build and load a custom module with confidence. Thanks!



> Noting that on my 7.6 system, with SELinux enforcing and SELinux
> policy packages at version 3.13.1-229, it notes that your denial would
> not happen.  If you don't have it installed, policycoreutils-python
> provides the audit2allow and audit2why binaries which can help you
> generate a policy to avoid this denial if you want.
> 
> Also, I often find that to truly diagnose the issue, I need to run the
> following:
> 
> # semodule --disable_dontaudit --build
> # setenforce permissive
> # tail -f /var/log/audit/audit.log | grep denied | tee ~/denials.out
> 
> ... then reproduce the problem, and kill the tail.  The resulting
> denials.out file will have a lot of unrelated denials, but if you run
> audit2allow against the entire file, you'll be able to determine which
> ones are not relevant by the comments produced (much like above where
> it told us the "avc is allowed").  You can also use this to generate a
> custom policy module for your system.
> 
> Sometimes there are denials that are not audited which are relevant to
> the problem, which seems problematic to me...that there is a default
> set of things that get denied but do not appear in the audit logs.
> That's a different conversation though.
> 
> Anyway, after the data is collected for the denials.out file you can
> reset to your normal operating stance...
> 
> # semodule --build
> # setenforce enforcing

___
CentOS mailing list
CentOS@centos.org
https://lists.centos.org/mailman/listinfo/centos


Re: [CentOS] SElinux AVC signull

2019-01-18 Thread Sean
Hi Leon,

I don't have access to a CentOS 6.10 system handy, but it looks like a
policy issue.  If I take your ausearch output and pipe it to
audit2allow on my CentOS 7.6 system, I get the following:

#= httpd_t ==

# This avc is allowed in the current policy
allow httpd_t httpd_sys_script_t:process signull;

Noting that on my 7.6 system, with SELinux enforcing and SELinux
policy packages at version 3.13.1-229, it notes that your denial would
not happen.  If you don't have it installed, policycoreutils-python
provides the audit2allow and audit2why binaries which can help you
generate a policy to avoid this denial if you want.

Also, I often find that to truly diagnose the issue, I need to run the
following:

# semodule --disable_dontaudit --build
# setenforce permissive
# tail -f /var/log/audit/audit.log | grep denied | tee ~/denials.out

... then reproduce the problem, and kill the tail.  The resulting
denials.out file will have a lot of unrelated denials, but if you run
audit2allow against the entire file, you'll be able to determine which
ones are not relevant by the comments produced (much like above where
it told us the "avc is allowed").  You can also use this to generate a
custom policy module for your system.

Sometimes there are denials that are not audited which are relevant to
the problem, which seems problematic to me...that there is a default
set of things that get denied but do not appear in the audit logs.
That's a different conversation though.

Anyway, after the data is collected for the denials.out file you can
reset to your normal operating stance...

# semodule --build
# setenforce enforcing

From: Leon Fauster 
To: CentOS mailing list 
Date: Thu, 17 Jan 2019 18:35:23 +0100
Subject: [CentOS] SElinux AVC signull
I have some perl scripts running via CGI to print some monitoring
information out.

# cat /etc/redhat-release
CentOS release 6.10 (Final)

# getenforce
Enforcing

# LANG=C ausearch -m avc --start today
type=SYSCALL msg=audit(1547733474.941:28): arch=c03e syscall=62
success=no exit=-13 a0=641 a1=0 a2=7f33500079b0 a3=31372f656d6f7268
items=0 ppid=1399 pid=1439 auid=4294967295 uid=48 gid=48 euid=48
suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295
comm="httpd" exe="/opt/rh/httpd24/root/usr/sbin/httpd"
subj=system_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1547733474.941:28): avc:  denied  { signull } for
pid=1439 comm="httpd" scontext=system_u:system_r:httpd_t:s0
tcontext=system_u:system_r:httpd_sys_script_t:s0 tclass=process


I see a lot of such entries but I don't see any service misbehaviour.
All scripts are running fine.

Any hints how to classify this AVC; "Denied Signull"?
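The capture, classify and build loop that Sean describes above (and that Leon then followed to load his custom module), as an added example; this is not code from the thread or from the CentOS project. It assumes root on an EL6 or EL7 host with policycoreutils-python installed; the module name local_httpd, the ~/denials.out path and the second sample denial used in testing are illustrative choices, not taken from the page.

```shell
#!/bin/sh
# Added example, not from the thread: the capture / classify / build loop
# described in the replies, wrapped in functions. Assumes root on an
# EL6/EL7 host with policycoreutils-python installed; the module name
# "local_httpd" and the output path are illustrative (assumptions).
set -eu

# Reduce raw AVC records (stdin) to one line per unique denial:
#   <source type> <target type> <class> <permissions>
# so you can see which denials belong to the problem before building anything.
summarize_avcs() {
  grep 'avc:  denied' | awk '{
    s = ""; t = ""; c = ""; perms = ""; inperm = 0
    for (i = 1; i <= NF; i++) {
      if ($i == "{") { inperm = 1; continue }
      if ($i == "}") { inperm = 0; continue }
      if (inperm)    { perms = perms (perms == "" ? "" : " ") $i; continue }
      if ($i ~ /^scontext=/) { split(substr($i, 10), a, ":"); s = a[3] }
      if ($i ~ /^tcontext=/) { split(substr($i, 10), a, ":"); t = a[3] }
      if ($i ~ /^tclass=/)   { c = substr($i, 8) }
    }
    print s, t, c, perms
  }' | sort -u
}

# Turn summarize_avcs output (stdin) into the allow rules audit2allow would
# emit, so the reviewer knows exactly what each line of the .te file grants.
to_te_rules() {
  while read -r s t c perms; do
    printf 'allow %s %s:%s { %s };\n' "$s" "$t" "$c" "$perms"
  done
}

# Step 1: expose dontaudit'ed AVCs, switch to permissive so the whole denial
# chain is logged, reproduce, then restore the normal stance (also on failure).
collect_denials() {                  # collect_denials OUTFILE
  out=$1
  trap 'semodule --build; setenforce enforcing' EXIT
  semodule --disable_dontaudit --build
  setenforce permissive
  start=$(date +%H:%M:%S)
  printf 'Reproduce the problem now, then press Enter.\n'
  read -r _dummy
  # ausearch rather than tail -f | grep: keeps the matching SYSCALL records
  # (exe=, a0..a3) that help classify a denial.
  ausearch -m avc --start "$start" > "$out"
  printf 'Unique denials captured in %s:\n' "$out"
  summarize_avcs < "$out"
}

# Step 2: explain, generate, review, load.
build_module() {                     # build_module NAME INFILE
  name=$1; in=$2
  audit2allow -w < "$in"             # audit2why: already allowed? boolean? real gap?
  audit2allow -M "$name" < "$in"     # writes NAME.te and NAME.pp in the cwd
  cat "$name.te"                     # read it; drop rules you did not mean to grant
  semodule -i "$name.pp"
}

case "${1:-}" in
  collect) collect_denials "${2:-$HOME/denials.out}" ;;
  build)   build_module "${2:-local_httpd}" "${3:-$HOME/denials.out}" ;;
esac
```

Run `sh avc-loop.sh collect` first, then `sh avc-loop.sh build local_httpd ~/denials.out`. The EXIT trap puts the policy and enforcing mode back even if the reproduction step is interrupted, which matters because a permissive window on a production host is exactly the kind of state that gets forgotten. The captured file will contain unrelated denials, as Sean notes; `audit2allow -w` marks the ones already allowed in the loaded policy, and anything left in the generated .te that you do not intend to grant should be deleted before loading (after editing the .te, rebuild with `checkmodule -M -m -o NAME.mod NAME.te` and `semodule_package -o NAME.pp -m NAME.mod`, then `semodule -i NAME.pp`).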


[CentOS] SElinux AVC signull

2019-01-17 Thread Leon Fauster via CentOS
I have some perl scripts running via CGI to print some monitoring information
out.

# cat /etc/redhat-release 
CentOS release 6.10 (Final)

# getenforce 
Enforcing

# LANG=C ausearch -m avc --start today
type=SYSCALL msg=audit(1547733474.941:28): arch=c03e syscall=62 success=no 
exit=-13 a0=641 a1=0 a2=7f33500079b0 a3=31372f656d6f7268 items=0 ppid=1399 
pid=1439 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 
fsgid=48 tty=(none) ses=4294967295 comm="httpd" 
exe="/opt/rh/httpd24/root/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0 
key=(null)
type=AVC msg=audit(1547733474.941:28): avc:  denied  { signull } for  pid=1439 
comm="httpd" scontext=system_u:system_r:httpd_t:s0 
tcontext=system_u:system_r:httpd_sys_script_t:s0 tclass=process


I see a lot of such entries but I don't see any service misbehaviour. All 
scripts are running fine.

Any hints how to classify this AVC; "Denied Signull"?

--
LF
