
[Bug] - denials for system packages/utilities with selinux set to enforcing

Open jcorley-sysdig opened this issue 11 months ago • 2 comments

Describe the bug: we are seeing a handful of denials for system packages/utilities on AL2023 with SELinux set to enforcing

To Reproduce: Steps to reproduce the behavior:

  1. set selinux to enforcing
  2. reboot
  3. run through avc denials using ausearch, audit2allow, etc.
  4. see errors for things installed by the distro

Expected behavior: no errors from OS packages/binaries

Additional context: sample errors:

agetty:

[ 2169.299193] audit: type=1400 audit(1737679530.227:1339): avc:  denied  { write } for  pid=24469 comm="agetty" name="agetty" dev="nvme0n1p1" ino=2740348 scontext=system_u:system_r:getty_t:s0-s0:c0.c1023 tcontext=system_u:object_r:getty_exec_t:s0 tclass=file permissive=0

systemd-hostnamed:

[ 1593.836724] audit: type=1400 audit(1737678954.774:1227): avc:  denied  { write } for  pid=20911 comm="systemd-hostnam" name="systemd-hostnamed" dev="nvme0n1p1" ino=3051267 scontext=system_u:system_r:systemd_hostnamed_t:s0 tcontext=system_u:object_r:systemd_hostnamed_exec_t:s0 tclass=file permissive=0

systemd-sysctl:

[ 6364.970535] audit: type=1400 audit(1737683725.842:2867): avc:  denied  { write } for  pid=59367 comm="systemd-sysctl" name="systemd-sysctl" dev="nvme0n1p1" ino=3079890 scontext=system_u:system_r:systemd_sysctl_t:s0-s0:c0.c1023 tcontext=system_u:object_r:systemd_sysctl_exec_t:s0 tclass=file permissive=0

systemd-user-runtime-dir:

[ 2179.440022] audit: type=1400 audit(1737679540.366:1350): avc:  denied  { write } for  pid=24591 comm="systemd-user-ru" name="systemd-user-runtime-dir" dev="nvme0n1p1" ino=3051285 scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u:object_r:systemd_logind_exec_t:s0 tclass=file permissive=0

systemd-userwork:

[ 7391.521785] audit: type=1400 audit(1737684752.208:3161): avc:  denied  { write } for  pid=65670 comm="systemd-userwor" name="systemd-userwork" dev="nvme0n1p1" ino=3051288 scontext=system_u:system_r:systemd_userdbd_t:s0 tcontext=system_u:object_r:systemd_userdbd_exec_t:s0 tclass=file permissive=0

xtables-nft-multi:

[ 7452.598338] audit: type=1400 audit(1737684813.457:3196): avc:  denied  { write } for  pid=66027 comm="iptables" name="xtables-nft-multi" dev="nvme0n1p1" ino=3037588 scontext=system_u:system_r:iptables_t:s0-s0:c0.c1023 tcontext=system_u:object_r:iptables_exec_t:s0 tclass=file permissive=0
[ 7452.794450] audit: type=1400 audit(1737684813.457:3197): avc:  denied  { write } for  pid=66028 comm="ip6tables" name="xtables-nft-multi" dev="nvme0n1p1" ino=3037588 scontext=system_u:system_r:iptables_t:s0-s0:c0.c1023 tcontext=system_u:object_r:iptables_exec_t:s0 tclass=file permissive=0

selinux contexts for binaries:

# ls -lZ /usr/sbin/agetty /usr/lib/systemd/systemd-hostnamed /usr/lib/systemd/systemd-sysctl /usr/lib/systemd/systemd-user-runtime-dir /usr/lib/systemd/systemd-userwork /usr/sbin/xtables-nft-multi 
-rwxr-xr-x. 1 root root system_u:object_r:systemd_hostnamed_exec_t:s0  53920 Jun 17  2024 /usr/lib/systemd/systemd-hostnamed
-rwxr-xr-x. 1 root root system_u:object_r:systemd_sysctl_exec_t:s0     28960 Jun 17  2024 /usr/lib/systemd/systemd-sysctl
-rwxr-xr-x. 1 root root system_u:object_r:systemd_logind_exec_t:s0     24544 Jun 17  2024 /usr/lib/systemd/systemd-user-runtime-dir
-rwxr-xr-x. 1 root root system_u:object_r:systemd_userdbd_exec_t:s0    32992 Jun 17  2024 /usr/lib/systemd/systemd-userwork
-rwxr-xr-x. 1 root root system_u:object_r:getty_exec_t:s0              58856 Mar 20  2024 /usr/sbin/agetty
-rwxr-xr-x. 1 root root system_u:object_r:iptables_exec_t:s0          229608 Jan 31  2023 /usr/sbin/xtables-nft-multi

packages those binaries came from:

# rpm -qf /usr/sbin/agetty /usr/lib/systemd/systemd-hostnamed /usr/lib/systemd/systemd-sysctl /usr/lib/systemd/systemd-user-runtime-dir /usr/lib/systemd/systemd-userwork /usr/sbin/xtables-nft-multi 
util-linux-core-2.37.4-1.amzn2023.0.4.x86_64
systemd-252.23-2.amzn2023.x86_64
systemd-udev-252.23-2.amzn2023.x86_64
systemd-252.23-2.amzn2023.x86_64
systemd-252.23-2.amzn2023.x86_64
iptables-nft-1.8.8-3.amzn2023.0.2.x86_64

sample output of audit2allow -d -r -v:

require {
	type systemd_userdbd_exec_t;
	type getty_t;
	type iptables_t;
	type getty_exec_t;
	type systemd_sysctl_exec_t;
	type systemd_hostnamed_t;
	type iptables_exec_t;
	type systemd_sysctl_t;
	type systemd_userdbd_t;
	type systemd_logind_t;
	type systemd_logind_exec_t;
	type systemd_hostnamed_exec_t;
	class file write;
}

#============= getty_t ==============
# src="getty_t" tgt="getty_exec_t" class="file", perms="write"
# comm="agetty" exe="" path=""
allow getty_t getty_exec_t:file write;

#============= iptables_t ==============
# src="iptables_t" tgt="iptables_exec_t" class="file", perms="write"
# comm="iptables" exe="" path=""
allow iptables_t iptables_exec_t:file write;

#============= systemd_hostnamed_t ==============
# src="systemd_hostnamed_t" tgt="systemd_hostnamed_exec_t" class="file", perms="write"
# comm="systemd-hostnam" exe="" path=""
allow systemd_hostnamed_t systemd_hostnamed_exec_t:file write;

#============= systemd_logind_t ==============
# src="systemd_logind_t" tgt="systemd_logind_exec_t" class="file", perms="write"
# comm="systemd-user-ru" exe="" path=""
allow systemd_logind_t systemd_logind_exec_t:file write;

#============= systemd_sysctl_t ==============
# src="systemd_sysctl_t" tgt="systemd_sysctl_exec_t" class="file", perms="write"
# comm="systemd-sysctl" exe="" path=""
allow systemd_sysctl_t systemd_sysctl_exec_t:file write;

#============= systemd_userdbd_t ==============
# src="systemd_userdbd_t" tgt="systemd_userdbd_exec_t" class="file", perms="write"
# comm="systemd-userwor" exe="" path=""
allow systemd_userdbd_t systemd_userdbd_exec_t:file write;

jcorley-sysdig avatar Jan 24 '25 02:01 jcorley-sysdig
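As an added example (not from the issue, AL2023 or the audit tools it mentions), a small Python triage script that parses AVC lines of the form pasted above, groups them by source type, target type, class and permission the way audit2allow does, and flags the pattern every denial in this report shares: a domain `foo_t` denied write on its own `foo_exec_t`, i.e. a process writing to the binary it was executed from, which is a rule to review rather than load as generated. The sample input is the agetty and iptables lines from the issue plus one constructed, non-matching line.

```python
import re

# Sample input: the agetty and both iptables lines from this issue, plus one
# constructed denial (sshd_t reading net_conf_t) that is NOT a write to an exec type.
SAMPLE_AVC = """\
[ 2169.299193] audit: type=1400 audit(1737679530.227:1339): avc:  denied  { write } for  pid=24469 comm="agetty" name="agetty" dev="nvme0n1p1" ino=2740348 scontext=system_u:system_r:getty_t:s0-s0:c0.c1023 tcontext=system_u:object_r:getty_exec_t:s0 tclass=file permissive=0
[ 7452.598338] audit: type=1400 audit(1737684813.457:3196): avc:  denied  { write } for  pid=66027 comm="iptables" name="xtables-nft-multi" dev="nvme0n1p1" ino=3037588 scontext=system_u:system_r:iptables_t:s0-s0:c0.c1023 tcontext=system_u:object_r:iptables_exec_t:s0 tclass=file permissive=0
[ 7452.794450] audit: type=1400 audit(1737684813.457:3197): avc:  denied  { write } for  pid=66028 comm="ip6tables" name="xtables-nft-multi" dev="nvme0n1p1" ino=3037588 scontext=system_u:system_r:iptables_t:s0-s0:c0.c1023 tcontext=system_u:object_r:iptables_exec_t:s0 tclass=file permissive=0
[ 7500.000000] audit: type=1400 audit(1737684900.000:3300): avc:  denied  { read } for  pid=70000 comm="sshd" name="hosts" dev="nvme0n1p1" ino=1 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:net_conf_t:s0 tclass=file permissive=0
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)$")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    """Parse one AVC denial line into a dict; return None for non-AVC lines."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {k: v.strip('"') for k, v in KV_RE.findall(m.group("fields"))}
    rec["perms"] = m.group("perms").split()
    # A context is user:role:type[:mls]; the type is always the third field.
    rec["stype"] = rec["scontext"].split(":")[2]
    rec["ttype"] = rec["tcontext"].split(":")[2]
    return rec

def writes_own_exec(rec):
    """True when domain foo_t is denied write on foo_exec_t (the file type it was
    executed from): a process modifying its own binary. Review such rules before loading."""
    if not rec["stype"].endswith("_t"):
        return False
    expected = rec["stype"][:-2] + "_exec_t"
    return "write" in rec["perms"] and rec["tclass"] == "file" and rec["ttype"] == expected

def triage(text):
    """Group denials by (source type, target type, class, perms) like audit2allow
    does, counting hits and recording which comm values produced each group."""
    groups = {}
    for line in text.splitlines():
        rec = parse_avc(line)
        if rec is None:
            continue
        key = (rec["stype"], rec["ttype"], rec["tclass"], " ".join(sorted(rec["perms"])))
        g = groups.setdefault(key, {"count": 0, "comms": set(),
                                    "self_exec_write": writes_own_exec(rec)})
        g["count"] += 1
        g["comms"].add(rec["comm"])
    return groups
```

Feed it the output of `ausearch -m avc` (or the dmesg lines above) via `triage(text)`; each key maps directly onto an `allow stype ttype:tclass perms;` line, and `self_exec_write` marks the ones that need a human decision.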

@jcorley-sysdig try audit2why -drv also for a description of why the access was denied, or just add the -w flag to your command, i.e. audit2allow -drvw

From man pages:

audit2allow - generate SELinux policy allow/dontaudit rules from logs of denied operations

audit2why - translates SELinux audit messages into a description of why the access was denied (audit2allow -w)

zcobol avatar Jan 24 '25 04:01 zcobol

thanks for the pointer @zcobol! The why is the same for all of them:

        Was caused by:
                Missing type enforcement (TE) allow rule.

                You can use audit2allow to generate a loadable module to allow this access.

jcorley-sysdig avatar Jan 24 '25 15:01 jcorley-sysdig