Discussion:
selinux_set_callback() problem
Russell Coker
2016-02-04 21:32:20 UTC
type=USER_AVC msg=audit(1454447396.743:48359): pid=1 uid=0 auid=4294967295
ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc: denied { status }
for auid=0 uid=0 gid=0 path="/lib/systemd/system/reboot.target"
cmdline="reboot" scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
tcontext=system_u:object_r:systemd_unit_file_t:SystemLow tclass=service
exe="/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'

I'm seeing entries like the above from the Debian/Jessie systemd in audit.log.
Below is the relevant code from the systemd source:

_printf_(2, 3) static int log_callback(int type, const char *fmt, ...) {
        va_list ap;

#ifdef HAVE_AUDIT
        if (get_audit_fd() >= 0) {
                _cleanup_free_ char *buf = NULL;
                int r;

                va_start(ap, fmt);
                r = vasprintf(&buf, fmt, ap);
                va_end(ap);

                if (r >= 0) {
                        audit_log_user_avc_message(get_audit_fd(),
                                                   AUDIT_USER_AVC, buf,
                                                   NULL, NULL, NULL, 0);
                        return 0;
                }
        }
#endif

        va_start(ap, fmt);
        log_metav(LOG_USER | LOG_INFO, __FILE__, __LINE__, __FUNCTION__, fmt, ap);
        va_end(ap);

        return 0;
}

Then the following line is in the access_init() function to enable it:

selinux_set_callback(SELINUX_CB_LOG, (union selinux_callback) log_callback);

Any suggestions as to where I should start working on this?

Sorry if it's a newbie question, I haven't worked on SE Linux library code for
a while.
--
My Main Blog http://etbe.coker.com.au/
My Documents Blog http://doc.coker.com.au/
Stephen Smalley
2016-02-05 18:29:05 UTC
What exactly is the problem? Is it that the scontext has a raw context
and the tcontext has a translated context? Or is it that it was denied
when it should have been allowed?

The callback itself is obviously being executed or you wouldn't have the
audit message at all.
Russell Coker
2016-02-06 01:58:00 UTC
Post by Stephen Smalley
What exactly is the problem? Is it that the scontext has a raw context
and the tcontext has a translated context? Or is it that it was denied
when it should have been allowed?
The callback itself is obviously being executed or you wouldn't have the
audit message at all.
The problem is a translated context which breaks audit2allow. Even if it
didn't break audit2allow it wouldn't be a good thing to have as the text
representations can (in theory at least) change.

# audit2allow -l < /var/log/audit/audit.log
libsepol.mls_from_string: invalid MLS context SystemLow
libsepol.mls_from_string: could not construct mls context structure
libsepol.context_from_record: could not create context structure
libsepol.context_from_string: could not create context structure
libsepol.sepol_context_to_sid: could not convert
system_u:object_r:systemd_unit_file_t:SystemLow to sid
--
My Main Blog http://etbe.coker.com.au/
My Documents Blog http://doc.coker.com.au/
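A pre-flight check for the audit2allow failure described above, added here as an example and not code from the thread or from systemd: it scans audit records for scontext/tcontext values whose MLS field is a translated label (SystemLow) rather than the raw range the kernel emits (s0, s0-s0:c0.c1023), so such records are caught before libsepol rejects them. The first sample record is the one quoted in the thread joined onto one line; the second is constructed.

```python
"""Pre-flight check for audit2allow input: flag AVC/USER_AVC records whose
scontext/tcontext carry a translated MLS label (e.g. "SystemLow") instead of a raw range."""
import re

# Raw MLS/MCS range: level[-level]; level = s<N>[:cats]; cats = c<N>[.c<N>](,c<N>[.c<N>])*
_CAT = r"c\d+(?:\.c\d+)?"
_LEVEL = rf"s\d+(?::{_CAT}(?:,{_CAT})*)?"
_RAW_RANGE = re.compile(rf"{_LEVEL}(?:-{_LEVEL})?")
# scontext=/tcontext= values run to the next whitespace in an audit record.
_CTX_FIELD = re.compile(r"\b(scontext|tcontext)=(\S+)")

def is_raw_range(mls):
    """True for a raw range; any other text (SystemLow, SystemHigh, ...) came
    out of libselinux context translation (setrans/mcstransd)."""
    return _RAW_RANGE.fullmatch(mls) is not None

def mls_field(context):
    """MLS component of user:role:type[:range], or None on a non-MLS policy."""
    parts = context.split(":", 3)
    return parts[3] if len(parts) == 4 else None

def find_translated_contexts(lines):
    """Return (line_no, field, context) for every context whose MLS part is not
    raw; these are exactly the records libsepol/audit2allow refuses to parse."""
    hits = []
    for line_no, line in enumerate(lines, 1):
        for field, context in _CTX_FIELD.findall(line):
            mls = mls_field(context)
            if mls is not None and not is_raw_range(mls):
                hits.append((line_no, field, context))
    return hits

# Constructed sample: the record quoted in the thread, joined onto one line, and
# a made-up second record whose target context is already raw.
SAMPLE_LOG = (
    "type=USER_AVC msg=audit(1454447396.743:48359): pid=1 uid=0 auid=4294967295 "
    "ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc: denied { status } "
    "for auid=0 uid=0 gid=0 path=\"/lib/systemd/system/reboot.target\" cmdline=\"reboot\" "
    "scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 "
    "tcontext=system_u:object_r:systemd_unit_file_t:SystemLow tclass=service "
    "exe=\"/lib/systemd/systemd\" sauid=0 hostname=? addr=? terminal=?'\n"
    "type=USER_AVC msg=audit(1454447400.001:48360): pid=1 uid=0 msg='avc: denied { status } "
    "scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 "
    "tcontext=system_u:object_r:systemd_unit_file_t:s0 tclass=service'\n"
)

if __name__ == "__main__":
    for line_no, field, context in find_translated_contexts(SAMPLE_LOG.splitlines()):
        print(f"line {line_no}: {field} is translated, audit2allow will reject it: {context}")
```

Running it against a real audit.log (`find_translated_contexts(open(path))`) lists every record that will trigger the "invalid MLS context" error before audit2allow is invoked.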
Nicolas Iooss
2016-02-06 10:58:11 UTC
Post by Russell Coker
The problem is a translated context which breaks audit2allow. Even if it
didn't break audit2allow it wouldn't be a good thing to have as the text
representations can (in theory at least) change.
In systemd git log, there is
https://github.com/systemd/systemd/commit/24154879845c6aa68a82d3a606f037e9df7527e0
which seems to fix this issue for systemd >=226. Nevertheless there may
have been a regression since then. Which version of systemd are you using?

-- Nicolas
Russell Coker
2016-03-25 06:47:00 UTC
Thanks for pointing that out. I was using Debian/Jessie (which is older than that) and I've now backported systemd from Debian/Unstable for Jessie which solves that problem and has some other SE Linux fixes.
Selinux mailing list
--
Sent from my Samsung Galaxy Note 3 with K-9 Mail.