RHEL-1091

Stop hiding AVCs for "unlabeled_t"


    • Type: Bug
    • Resolution: Won't Do
    • rhel-8.5.0
    • selinux-policy
    • Moderate
    • rhel-security-selinux
    • ssg_security

      Description of problem:

      Currently there are quite a lot of dontaudit rules hiding any AVC encountered when a file or directory is "unlabeled_t":
      -------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------
      # sesearch --dontaudit -t unlabeled_t -p search | grep unlabeled
      dontaudit confined_admindomain unlabeled_t:dir { getattr ioctl lock open read search };
      dontaudit dmesg_t unlabeled_t:dir { getattr open search };
      dontaudit guest_usertype unlabeled_t:dir { getattr ioctl lock open read search };
      dontaudit hostname_t unlabeled_t:dir { getattr open search };
      dontaudit hwclock_t unlabeled_t:dir { getattr open search };
      dontaudit init_t unlabeled_t:dir { getattr mounton open search };
      dontaudit kmod_t unlabeled_t:dir { getattr open search };
      dontaudit lvm_t unlabeled_t:dir { getattr open search };
      dontaudit mplayer_t unlabeled_t:dir { getattr ioctl lock open read search };
      dontaudit pam_console_t unlabeled_t:dir { getattr open search };
      dontaudit staff_usertype unlabeled_t:dir { getattr ioctl lock open read search };
      dontaudit sulogin_t unlabeled_t:dir { getattr open search };
      dontaudit sysadm_usertype unlabeled_t:dir { getattr ioctl lock open read search };
      dontaudit syslogd_t unlabeled_t:dir { getattr open search };
      dontaudit udev_t unlabeled_t:dir { getattr open search };
      dontaudit unconfined_usertype unlabeled_t:dir { getattr ioctl lock open read search };
      dontaudit user_usertype unlabeled_t:dir { getattr ioctl lock open read search };
      dontaudit webadm_usertype unlabeled_t:dir { getattr ioctl lock open read search };
      dontaudit xguest_usertype unlabeled_t:dir { getattr ioctl lock open read search };

      # sesearch --dontaudit -t unlabeled_t -p open | grep unlabeled
      dontaudit confined_admindomain unlabeled_t:dir { getattr ioctl lock open read search };
      dontaudit dmesg_t unlabeled_t:dir { getattr open search };
      dontaudit guest_usertype unlabeled_t:dir { getattr ioctl lock open read search };
      dontaudit hostname_t unlabeled_t:dir { getattr open search };
      dontaudit hwclock_t unlabeled_t:dir { getattr open search };
      dontaudit init_t unlabeled_t:dir { getattr mounton open search };
      dontaudit kmod_t unlabeled_t:dir { getattr open search };
      dontaudit lvm_t unlabeled_t:dir { getattr open search };
      dontaudit mplayer_t unlabeled_t:dir { getattr ioctl lock open read search };
      dontaudit pam_console_t unlabeled_t:dir { getattr open search };
      dontaudit staff_usertype unlabeled_t:dir { getattr ioctl lock open read search };
      dontaudit sulogin_t unlabeled_t:dir { getattr open search };
      dontaudit sysadm_usertype unlabeled_t:dir { getattr ioctl lock open read search };
      dontaudit syslogd_t unlabeled_t:dir { getattr open search };
      dontaudit udev_t unlabeled_t:dir { getattr open search };
      dontaudit unconfined_usertype unlabeled_t:dir { getattr ioctl lock open read search };
      dontaudit user_usertype unlabeled_t:dir { getattr ioctl lock open read search };
      dontaudit webadm_usertype unlabeled_t:dir { getattr ioctl lock open read search };
      dontaudit xguest_usertype unlabeled_t:dir { getattr ioctl lock open read search };
      -------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------

      IMHO these dontaudit rules should be deleted because it's important for the admin to find out that something failed because one of the top directories was "unlabeled_t", which is a configuration error.

      Not doing so results in Support Engineers losing quite a lot of time in troubleshooting, and usually ends up with a senior Backline engineer entering the game and losing time on this as well.

      Latest example that comes to mind: an issue with "smbcontrol" when Samba is installed in a custom location, /prox4trace/samba/

      By stracing the command we could see that "mkdir" was failing although the target context was correct:
      -------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------
      4441 [smbcontrol_t] 09:55:22.857637 mkdir("/prox4trace/samba/locks" [samba_var_t], 0755) = -1 EACCES (Permission denied) <0.000047>
      -------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------

      But since there was no AVC due to having a dontaudit rule, I had to come up with an internal reproducer to verify my assumption (i.e. that /prox4trace was unlabeled).

      Version-Release number of selected component (if applicable):

      selinux-policy-3.14.3-80.el8_5.2.noarch

      How reproducible:

      Always

      Steps to Reproduce:

      1. Compile the reproducer "smbcontrol.c" (attached for convenience)

         # gcc -o /usr/local/bin/smbcontrol smbcontrol.c
         # chcon -t smbcontrol_exec_t /usr/local/bin/smbcontrol

      2. Label the custom path appropriately

         # mkdir -p /prox4trace/samba
         # semanage fcontext -a -t samba_var_t "/prox4trace/samba(/.*)?"
         # restorecon -Frv /prox4trace/samba
         # chcon -t unlabeled_t /prox4trace

      3. Execute the reproducer under strace

         # strace -fttTvyy --secontext -e mkdir -- /usr/local/bin/smbcontrol
         [smbcontrol_t] 08:34:24.924786 mkdir("/prox4trace/samba/locks", 0755) = -1 EACCES (Permission denied) <0.000136>
         mkdir: Permission denied
         08:34:24.926068 +++ exited with 255 +++

      Actual results:

      Failure and no AVC

      Expected results:

      Failure but AVC

      Additional info:

      Without dontaudit, it's obvious:
      -------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------
      time->Fri Mar 18 08:36:06 2022
      type=PROCTITLE msg=audit(1647588966.030:322): proctitle="/usr/local/bin/smbcontrol"
      type=SYSCALL msg=audit(1647588966.030:322): arch=c000003e syscall=83 success=no exit=-13 a0=4006a8 a1=1ed a2=7fff0ebfabf8 a3=3 items=0 ppid=14112 pid=14115 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=4294967295 comm="smbcontrol" exe="/usr/local/bin/smbcontrol" subj=unconfined_u:unconfined_r:smbcontrol_t:s0-s0:c0.c1023 key=(null)
      type=AVC msg=audit(1647588966.030:322): avc: denied { search } for pid=14115 comm="smbcontrol" name="prox4trace" dev="dm-0" ino=35621073 scontext=unconfined_u:unconfined_r:smbcontrol_t:s0-s0:c0.c1023 tcontext=system_u:object_r:unlabeled_t:s0 tclass=dir permissive=0
      -------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------
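      The report's point is that the dontaudit rules hide exactly the AVC that would have pointed at /prox4trace, so the reporter had to confirm the unlabeled parent directory by hand. As an added example (not code from the report or from selinux-policy), the following POSIX shell script performs that check directly: it walks every ancestor of the failing path and reports any directory carrying the unlabeled_t type. The get_ctx helper, the ctx_type helper and the /prox4trace sample contexts used when testing it are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example (not part of RHEL-1091): report unlabeled_t ancestors of a path.
# Context lookup goes through get_ctx(), which defaults to GNU `stat -c %C`;
# redefine the function to run the check against constructed data.

get_ctx() {
    # Print the security context of a path; empty if it cannot be read.
    stat -c '%C' -- "$1" 2>/dev/null
}

# Extract the type field (third colon-separated component) of a context.
# A context without colons (e.g. "?" on a non-SELinux system) is returned as-is.
ctx_type() {
    rest=${1#*:*:}        # drop "user:role:"
    printf '%s\n' "${rest%%:*}"
}

# Print "<path> <context>" for every ancestor of $1 (including $1 itself and /)
# whose type is unlabeled_t. Returns 1 if at least one was found, 0 otherwise,
# so the function can be used directly in a conditional.
find_unlabeled_ancestors() {
    p=${1%/}                      # normalise a trailing slash
    [ -n "$p" ] || p=/
    rc=0
    while :; do
        ctx=$(get_ctx "$p")
        if [ "$(ctx_type "$ctx")" = unlabeled_t ]; then
            printf '%s %s\n' "$p" "$ctx"
            rc=1
        fi
        if [ "$p" = / ]; then
            break
        fi
        p=$(dirname -- "$p")
    done
    return "$rc"
}

# Stand-alone use on the affected host: sh check_unlabeled.sh /prox4trace/samba/locks
if [ "$#" -gt 0 ]; then
    if find_unlabeled_ancestors "$1"; then
        echo "no unlabeled_t ancestor above $1"
    else
        echo "unlabeled_t ancestor(s) found above $1; fix their labels (restorecon -v)"
    fi
fi
```

      Any directory the script reports is the one to relabel, as the reproduction steps do with semanage fcontext and restorecon. To see the hidden AVC itself rather than infer it, the policy can be rebuilt with dontaudit rules temporarily disabled (semodule -DB) and restored afterwards (semodule -B); the AVC record above is what that denial looks like once it is no longer suppressed.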

              Zdenek Pytela (rhn-support-zpytela)
              Renaud Métrich (rhn-support-rmetrich)
              Zdenek Pytela
              SSG Security QE