
#1 2015-07-30 08:53:41

esvstn
Member
Registered: 2015-07-30
Posts: 1

SELinux denies access but audit doesn't show any AVC denials

[systemd] SELinux denies access but neither journalctl nor audit shows any AVC denials.
After installing SELinux on my system I ran into a problem. At first I booted the system in «permissive» mode and set the «/usr/lib/systemd/systemd» type to «init_exec_t». The resulting domain of the systemd process became «init_t». Then I configured chains of transitions from the «init_t» domain to the domains of other services. Finally, I troubleshot all AVC denials arising on boot and set «enforcing» mode.
While the system was booting, this message appeared on the screen: «systemd[1]: Failed to start Flush Journal to Persistent Storage». I found this section of the log:

июл 28 13:34:43 localhost unknown[1]: <audit-1130> pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t msg='unit=systemd-journald comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
июл 28 13:34:43 localhost kernel: audit: type=1130 audit(1438079683.186:10): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t msg='unit=systemd-journald comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
июл 28 13:34:43 localhost journalctl[189]: Failed to kill journal service: Access denied
июл 28 13:34:43 localhost unknown[1]: <audit-1130> pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t msg='unit=systemd-udevd comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
июл 28 13:34:43 localhost kernel: audit: type=1130 audit(1438079683.290:11): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t msg='unit=systemd-udevd comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
июл 28 13:34:43 localhost systemd[1]: systemd-journal-flush.service: main process exited, code=exited, status=1/FAILURE
июл 28 13:34:43 localhost systemd[1]: Failed to start Flush Journal to Persistent Storage.
июл 28 13:34:43 localhost systemd[1]: Unit systemd-journal-flush.service entered failed state.
июл 28 13:34:43 localhost systemd[1]: systemd-journal-flush.service failed.
июл 28 13:34:43 localhost unknown[1]: <audit-1130> pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t msg='unit=systemd-journal-flush comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=failed'
июл 28 13:34:43 localhost unknown[1]: <audit-1130> pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t msg='unit=systemd-vconsole-setup comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'

I suspect that «systemd-journal-flush.service» is to blame. What does it execute?

[Service]
ExecStart=/usr/bin/journalctl --flush

I changed my shell to the «init_t» domain and tried to do the «flush» manually.

/bin/journalctl --flush
Failed to kill journal service: Access denied

I decided to look at the journalctl source code to figure out what it cannot do. It is this chunk:

        if (access("/run/systemd/journal/flushed", F_OK) >= 0)
                return 0;

        /* OK, let's actually do the full logic, send SIGUSR1 to the
         * daemon and set up inotify to wait for the flushed file to appear */
        r = bus_open_system_systemd(&bus);
        if (r < 0)
                return log_error_errno(r, "Failed to get D-Bus connection: %m");

        r = sd_bus_call_method(
                        bus,
                        "org.freedesktop.systemd1",
                        "/org/freedesktop/systemd1",
                        "org.freedesktop.systemd1.Manager",
                        "KillUnit",
                        &error,
                        NULL,
                        "ssi", "systemd-journald.service", "main", SIGUSR1);
        if (r < 0) {
                log_error("Failed to kill journal service: %s", bus_error_message(&error, r));
                return r;
        }

I conclude that something is preventing the D-Bus message from being sent. I tried to do it manually yet again:

$ qdbus-qt4 --system org.freedesktop.systemd1 /org/freedesktop/systemd1 org.freedesktop.systemd1.Manager.KillUnit systemd-journald.service main SIGUSR1
Cannot find 'org.freedesktop.systemd1.Manager.KillUnit' in object /org/freedesktop/systemd1 at org.freedesktop.systemd1
$ dbus-send --system --dest=org.freedesktop.systemd1 --type=method_call --print-reply /org/freedesktop/systemd1 org.freedesktop.systemd1.Manager.KillUnit string:systemd-journald.service string:main int32:SIGUSR1
Error org.freedesktop.DBus.Error.AccessDenied: SELinux policy denies access.

But there are still no AVC denials in log.

$ cat /var/log/audit/audit.log | grep -i avc
$ journalctl -b | grep -i avc

I disabled dontaudit rules («semodule -DB») but there was no effect.
Information about my system:

  • Platform: x86_64

  • Kernel: 3.18.4-1-selinux

  • Systemd-selinux-222-1

  • Dbus-selinux-1.8.18-1

  • Selinux-refpolicy from https://github.com/TresysTechnology/refpolicy (modified by me)

  • Selinux modules: base.pp init.pp libraries.pp logging.pp selinuxutil.pp modutils.pp userdomain.pp miscfiles.pp sysadm.pp authlogin.pp sysnetwork.pp storage.pp application.pp locallogin.pp getty.pp xserver.pp mount.pp unconfined.pp udev.pp avahi.pp cups.pp dbus.pp alsa.pp dhcp.pp networkmanager.pp ssh.pp policykit.pp ntp.pp

Please help me to resolve the issue.
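The records quoted above are all type=1130 (SERVICE_START), which only report whether a unit started; they are not access decisions, so grepping them for "avc" finds nothing even when a unit failed. The decision that matters here is made by dbus-daemon itself, which acts as a userspace SELinux object manager for the dbus class and, when it audits, reports as a USER_AVC record (type 1107) rather than a kernel AVC (type 1400). The following triage script is an added example and is not part of the post; it parses audit records in both the journal form ("kernel: audit: type=1130 audit(...)") and the audit.log form ("type=SERVICE_START msg=audit(...)"), maps the numeric types, and separates unit failures from kernel and userspace denials. Two of the sample lines are quoted from the post; the failed-unit record and the USER_AVC record are constructed, and the field layout of the USER_AVC line (contexts, spid/tpid, member=KillUnit) is illustrative rather than taken from the poster's system.

```python
import re

# Audit record type numbers (linux/audit.h); only the subset relevant here is mapped.
AUDIT_TYPES = {
    1107: "USER_AVC",       # decision by a userspace object manager such as dbus-daemon
    1130: "SERVICE_START",  # systemd reporting the result of starting a unit
    1131: "SERVICE_STOP",
    1400: "AVC",            # kernel SELinux access decision
}

# Journal/kernel form:  type=1130 audit(1438079683.186:10): pid=1 ...
# audit.log form:       type=SERVICE_START msg=audit(1438079683.186:10): pid=1 ...
RECORD_RE = re.compile(
    r"type=(?P<type>\w+)\s+(?:msg=)?audit\((?P<ts>[\d.]+):(?P<serial>\d+)\):\s*(?P<body>.*)$"
)
# key=value pairs whose value is 'single-quoted', "double-quoted" or bare.
KV_RE = re.compile(r"(\w+)=('[^']*'|\"[^\"]*\"|\S+)")
# The "{ perm }" part of an avc: denied line.
PERM_RE = re.compile(r"\{\s*([^}]*?)\s*\}")


def parse_record(line):
    """Parse one line into a dict of audit fields, or return None if it is not an audit record."""
    m = RECORD_RE.search(line)
    if not m:
        return None
    raw = m.group("type")
    name = AUDIT_TYPES.get(int(raw), raw) if raw.isdigit() else raw
    fields = {k: v.strip("'\"") for k, v in KV_RE.findall(m.group("body"))}
    # The msg='...' payload is itself key=value text (optionally prefixed by "avc: denied {...}").
    msg = fields.pop("msg", "")
    fields.update({k: v.strip("'\"") for k, v in KV_RE.findall(msg)})
    perm = PERM_RE.search(msg)
    return {
        "serial": int(m.group("serial")),
        "type": name,
        "denied": "denied" in msg,
        "perm": perm.group(1) if perm else None,
        **fields,
    }


def classify(rec):
    """Label a record: kernel_denial, userspace_denial, unit_failed or info."""
    if rec["type"] == "AVC" and rec["denied"]:
        return "kernel_denial"
    if rec["type"] == "USER_AVC" and rec["denied"]:
        return "userspace_denial"
    if rec["type"] in ("SERVICE_START", "SERVICE_STOP") and rec.get("res") == "failed":
        return "unit_failed"  # a unit that failed, which is not an access decision by itself
    return "info"


def triage(lines):
    """Return (serial, type, label, detail) for every audit record found in lines."""
    out = []
    for line in lines:
        rec = parse_record(line)
        if rec is None:
            continue  # ordinary journal text, e.g. "Failed to kill journal service"
        label = classify(rec)
        if label.endswith("denial"):
            detail = "{} -> {} class={} perm={}".format(
                rec.get("scontext"), rec.get("tcontext"), rec.get("tclass"), rec["perm"])
        else:
            detail = "unit={} res={}".format(rec.get("unit"), rec.get("res"))
        out.append((rec["serial"], rec["type"], label, detail))
    return out


SAMPLE_LINES = [
    # Quoted from the post: a unit-start record in journal form.
    "июл 28 13:34:43 localhost kernel: audit: type=1130 audit(1438079683.186:10): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t msg='unit=systemd-journald comm=\"systemd\" exe=\"/usr/lib/systemd/systemd\" hostname=? addr=? terminal=? res=success'",
    # Quoted from the post: plain journal text, which the parser must skip.
    "июл 28 13:34:43 localhost journalctl[189]: Failed to kill journal service: Access denied",
    # Constructed: the failed flush unit in audit.log form (same shape as the post's records).
    "type=SERVICE_START msg=audit(1438079683.300:12): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t msg='unit=systemd-journal-flush comm=\"systemd\" exe=\"/usr/lib/systemd/systemd\" hostname=? addr=? terminal=? res=failed'",
    # Constructed and illustrative: how dbus-daemon would audit its own send_msg decision
    # for the KillUnit call; contexts and pids are hypothetical, not from the poster's system.
    "type=USER_AVC msg=audit(1438079683.301:13): pid=150 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t msg='avc:  denied  { send_msg } for msgtype=method_call interface=org.freedesktop.systemd1.Manager member=KillUnit dest=org.freedesktop.systemd1 spid=189 tpid=1 scontext=system_u:system_r:init_t tcontext=system_u:system_r:init_t tclass=dbus exe=\"/usr/bin/dbus-daemon\" sauid=81 hostname=? addr=? terminal=?'",
]

if __name__ == "__main__":
    for row in triage(SAMPLE_LINES):
        print(*row)
```

Run over the real journal with `journalctl -b -o short | python3 triage.py` style piping (reading stdin instead of SAMPLE_LINES), the useful output is any userspace_denial row: its scontext, tcontext, tclass=dbus and perm name say exactly which dbus rule the policy lacks, something the res=failed unit record alone never tells you. If no USER_AVC rows appear even though dbus-send reports "SELinux policy denies access", the gap is in how dbus-daemon is reporting its decisions rather than in the kernel AVC path, which is consistent with the empty grep results in the post.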
