[OpenAFS-devel] Cache manager using the wrong SELinux context
Hans.Ranke@ei.tum.de
Hans.Ranke@ei.tum.de
Thu, 03 Apr 2008 11:49:34 +0200
Hello,
this is Fedora 8 linux, kernel 2.6.24.3-50.fc8 on i686,
openafs 1.4.6-1.3.
Summary:
If SElinux is enforcing, I occasionally get an kernel error.
If SElinux is permissive, the logs suggest that the cache manager
sometimes uses the context of its caller (i.e. the process that
accesses AFS files) when it accesses cache files or the UDP socket.
Here are examples of the kernel errors:
Mar 31 11:15:29 repan kernel: openafs: Can't open inode 25076302
Mar 31 11:15:29 repan kernel: ------------[ cut here ]------------
Mar 31 11:15:29 repan kernel: kernel BUG at /usr/src/redhat/BUILD/openafs-1.4.6/src/libafs/MODLOAD-2.6.24.3-50.fc8-SP/osi_file.c:71!
Mar 31 11:15:29 repan kernel: invalid opcode: 0000 [#1] SMP
Mar 31 11:15:29 repan kernel: Modules linked in: i915 drm openafs(P)(U) rfcomm l2cap bluetooth fuse sunrpc nf_conntrack_ipv4 ipt_REJECT iptable_filter ip_tables nf
_conntrack_ipv6 xt_state nf_conntrack xt_tcpudp ip6t_ipv6header ip6t_REJECT ip6table_filter ip6_tables x_tables cpufreq_ondemand acpi_cpufreq loop dm_multipa
th ipv6 snd_hda_intel snd_seq_dummy snd_seq_oss snd_seq_midi_event snd_seq snd_seq_device snd_pcm_oss snd_mixer_oss i2c_i801 snd_pcm i2c_core parport_pc snd_timer parport snd_page_alloc button snd_hwdep snd pcspkr serio_raw tpm_infineon tpm tpm_bios soundcore sg sr_mod e1000e floppy cdrom dm_snapshot dm_zero dm_mirror dm_mod pata_acpi ata_generic ata_piix libata sd_mod scsi_mod ext3 jbd mbcache uhci_hcd ohci_hcd ehci_hcd
Mar 31 11:15:29 repan kernel:
Mar 31 11:15:29 repan kernel: Pid: 2802, comm: sshd Tainted: P (2.6.24.3-50.fc8 #1)
Mar 31 11:15:29 repan kernel: EIP: 0060:[<f8eb234d>] EFLAGS: 00210292 CPU: 0
Mar 31 11:15:29 repan kernel: EIP is at osi_UFSOpen+0x155/0x1d4 [openafs]
Mar 31 11:15:29 repan kernel: EAX: 00000026 EBX: ef437000 ECX: 00200092 EDX: 00200000
Mar 31 11:15:29 repan kernel: ESI: f7030800 EDI: ef99e478 EBP: 017ea24e ESP: f3ad8cac
Mar 31 11:15:29 repan kernel: DS: 007b ES: 007b FS: 00d8 GS: 0033 SS: 0068
Mar 31 11:15:29 repan kernel: Process sshd (pid: 2802, ti=f3ad8000 task=ef5d13b0 task.ti=f3ad8000)
Mar 31 11:15:29 repan kernel: Stack: f8ec673b 017ea24e 00000001 eface480 f8f29b60 00000006 00000000 f8e974ad
Mar 31 11:15:29 repan kernel: f3ad8d40 f3ad8cf4 f3ad8cec 00000000 eface480 f6d7d000 00000006 00000000
Mar 31 11:15:29 repan kernel: 00000006 00000000 00000000 00000000 f6d3f7e0 eface480 00000000 00000000
Mar 31 11:15:29 repan kernel: Call Trace:
Mar 31 11:15:29 repan kernel: [<f8e974ad>] afs_UFSHandleLink+0x115/0x1d3 [openafs]
Mar 31 11:15:29 repan kernel: [<f8e92b15>] afs_lookup+0xa34/0xf3f [openafs]
Mar 31 11:15:29 repan kernel: [<f8eb61bf>] afs_linux_lookup+0x70/0x16e [openafs]
Mar 31 11:15:29 repan kernel: [<c04d5e50>] inode_has_perm+0x66/0x6e
Mar 31 11:15:29 repan kernel: [<c0497e59>] d_alloc+0x141/0x16f
Mar 31 11:15:29 repan kernel: [<c048f469>] do_lookup+0xa3/0x140
Mar 31 11:15:29 repan kernel: [<c0490b7c>] __link_path_walk+0x2cd/0xb4a
Mar 31 11:15:29 repan kernel: [<c0432c17>] current_fs_time+0x13/0x15
Mar 31 11:15:29 repan kernel: [<c049143d>] link_path_walk+0x44/0xb3
Mar 31 11:15:29 repan kernel: [<c045e06a>] audit_syscall_exit+0x2c7/0x2e3
Mar 31 11:15:29 repan kernel: [<c045dd79>] audit_syscall_entry+0x10d/0x137
Mar 31 11:15:29 repan kernel: [<c0491725>] do_path_lookup+0x162/0x1c4
Mar 31 11:15:29 repan kernel: [<c04906eb>] getname+0x59/0xad
Mar 31 11:15:29 repan kernel: [<c0491ef6>] __user_walk_fd+0x2f/0x40
Mar 31 11:15:29 repan kernel: [<c0487e55>] sys_faccessat+0x9c/0x133
Mar 31 11:15:29 repan kernel: [<c045e06a>] audit_syscall_exit+0x2c7/0x2e3
Mar 31 11:15:29 repan kernel: [<c045dd79>] audit_syscall_entry+0x10d/0x137
Mar 31 11:15:29 repan kernel: [<c0487f0b>] sys_access+0x1f/0x23
Mar 31 11:15:29 repan kernel: [<c04051da>] syscall_call+0x7/0xb
Mar 31 11:15:29 repan kernel: =======================
Mar 31 11:15:29 repan kernel: Code: ee f8 85 d2 74 04 f0 ff 42 60 b9 02 00 00 00 e8 d2 55 5d c7 3d 00 f0 ff ff 76 14 89 6c 24 04 c7 04 24 3b 67 ec f8 e8 0d d4 57 c7 <0f> 0b eb fe 89 43 04 8b 40 0c 8b 40 0c 8b 40 3c 89 03 b8 40 70
Mar 31 11:15:29 repan kernel: EIP: [<f8eb234d>] osi_UFSOpen+0x155/0x1d4 [openafs] SS:ESP 0068:f3ad8cac
Mar 31 11:15:29 repan kernel: ---[ end trace ece46aeb510c829f ]---
Apr 1 08:07:15 repan kernel: openafs: Can't open inode 25076053
Apr 1 08:07:15 repan kernel: ------------[ cut here ]------------
Apr 1 08:07:15 repan kernel: kernel BUG at /usr/src/redhat/BUILD/openafs-1.4.6/src/libafs/MODLOAD-2.6.24.3-50.fc8-SP/osi_file.c:71!
Apr 1 08:07:15 repan kernel: invalid opcode: 0000 [#1] SMP
Apr 1 08:07:15 repan kernel: Modules linked in: i915 drm openafs(P)(U) rfcomm l2cap bluetooth fuse sunrpc nf_conntrack_ipv4 ipt_REJECT iptable_filter ip_tables nf_conntrack_ipv6 xt_state nf_conntrack xt_tcpudp ip6t_ipv6header ip6t_REJECT ip6table_filter ip6_tables x_tables cpufreq_ondemand acpi_cpufreq loop dm_multipath ipv6 snd_hda_intel snd_seq_dummy snd_seq_oss snd_seq_midi_event snd_seq snd_seq_device snd_pcm_oss snd_mixer_oss snd_pcm snd_timer snd_page_alloc snd_hwdep e1000e i2c_i801 tpm_infineon snd sr_mod parport_pc i2c_core tpm serio_raw parport soundcore button pcspkr tpm_bios floppy cdrom sg dm_snapshot dm_zero dm_mirror dm_mod pata_acpi ata_generic ata_piix libata sd_mod scsi_mod ext3 jbd mbcache uhci_hcd ohci_hcd ehci_hcd
Apr 1 08:07:15 repan kernel:
Apr 1 08:07:15 repan kernel: Pid: 4136, comm: sshd Tainted: P (2.6.24.3-50.fc8 #1)
Apr 1 08:07:15 repan kernel: EIP: 0060:[<f8eb234d>] EFLAGS: 00210296 CPU: 0
Apr 1 08:07:15 repan kernel: EIP is at osi_UFSOpen+0x155/0x1d4 [openafs]
Apr 1 08:07:15 repan kernel: EAX: 00000026 EBX: f6cbd000 ECX: 00200092 EDX: 00200000
Apr 1 08:07:15 repan kernel: ESI: f7016800 EDI: ef979a48 EBP: 017ea155 ESP: e65d8ca4
Apr 1 08:07:15 repan kernel: DS: 007b ES: 007b FS: 00d8 GS: 0033 SS: 0068
Apr 1 08:07:15 repan kernel: Process sshd (pid: 4136, ti=e65d8000 task=ef576690 task.ti=e65d8000)
Apr 1 08:07:15 repan kernel: Stack: f8ec673b 017ea155 00000000 ef67b038 ef67b038 ef67b3f0 00000000 f8e712ec
Apr 1 08:07:15 repan kernel: f7f38180 f8f1fc00 f8f1fc00 00000000 f8f1fc00 00000004 f8e7ce4c e65d8cfc
Apr 1 08:07:15 repan kernel: e5865c10 f8f1fc00 e65d8d58 e65d8d90 00000000 f8e7d484 efab6480 f8f1fc00
Apr 1 08:07:15 repan kernel: Call Trace:
Apr 1 08:07:15 repan kernel: [<f8e712ec>] DRead+0x2cc/0x35d [openafs]
Apr 1 08:07:15 repan kernel: [<f8e7ce4c>] FindItem+0x24/0xb7 [openafs]
Apr 1 08:07:15 repan kernel: [<f8e7d484>] afs_dir_LookupOffset+0x13/0x55 [openafs]
Apr 1 08:07:15 repan kernel: [<f8e926f4>] afs_lookup+0x613/0xf3f [openafs]
Apr 1 08:07:15 repan kernel: [<c04d0fbf>] search_process_keyrings+0x10d/0x1e0
Apr 1 08:07:15 repan kernel: [<c04d15cc>] request_key_and_link+0x24/0x284
Apr 1 08:07:15 repan kernel: [<f8eb61bf>] afs_linux_lookup+0x70/0x16e [openafs]
Apr 1 08:07:15 repan kernel: [<c04d5e50>] inode_has_perm+0x66/0x6e
Apr 1 08:07:15 repan kernel: [<c0497e59>] d_alloc+0x141/0x16f
Apr 1 08:07:15 repan kernel: [<c048f469>] do_lookup+0xa3/0x140
Apr 1 08:07:15 repan kernel: [<c0490b7c>] __link_path_walk+0x2cd/0xb4a
Apr 1 08:07:15 repan kernel: [<c0432c17>] current_fs_time+0x13/0x15
Apr 1 08:07:15 repan kernel: [<c049143d>] link_path_walk+0x44/0xb3
Apr 1 08:07:15 repan kernel: [<c045e06a>] audit_syscall_exit+0x2c7/0x2e3
Apr 1 08:07:15 repan kernel: [<c045dd79>] audit_syscall_entry+0x10d/0x137
Apr 1 08:07:15 repan kernel: [<c0491725>] do_path_lookup+0x162/0x1c4
Apr 1 08:07:15 repan kernel: [<c04906eb>] getname+0x59/0xad
Apr 1 08:07:15 repan kernel: [<c0491ef6>] __user_walk_fd+0x2f/0x40
Apr 1 08:07:15 repan kernel: [<c0487e55>] sys_faccessat+0x9c/0x133
Apr 1 08:07:15 repan kernel: [<c045e06a>] audit_syscall_exit+0x2c7/0x2e3
Apr 1 08:07:15 repan kernel: [<c045dd79>] audit_syscall_entry+0x10d/0x137
Apr 1 08:07:15 repan kernel: [<c0487f0b>] sys_access+0x1f/0x23
Apr 1 08:07:15 repan kernel: [<c04051da>] syscall_call+0x7/0xb
Apr 1 08:07:15 repan kernel: =======================
Apr 1 08:07:15 repan kernel: Code: ee f8 85 d2 74 04 f0 ff 42 60 b9 02 00 00 00 e8 d2 55 5d c7 3d 00 f0 ff ff 76 14 89 6c 24 04 c7 04 24 3b 67 ec f8 e8 0d d4 57 c7 <0f> 0b eb fe 89 43 04 8b 40 0c 8b 40 0c 8b 40 3c 89 03 b8 40 70
Apr 1 08:07:15 repan kernel: EIP: [<f8eb234d>] osi_UFSOpen+0x155/0x1d4 [openafs] SS:ESP 0068:e65d8ca4
Apr 1 08:07:15 repan kernel: ---[ end trace 8495d78836432f9a ]---
Below are samples of SELinux messages logged when SELinux is permissive.
Note that SELinux thinks that sshd or dbus-daemon are accessing
UDP Port 7001 or /usr/vice/cache/D1/V2774 (I verified the inum).
harroot@repan[7] sealert -l 27a6d581-4491-4982-a7e7-ae17b6edad4b
Summary:
SELinux is preventing sshd (sshd_t) "write" to <Unknown> (initrc_t).
Detailed Description:
[SELinux is in permissive mode, the operation would have been denied but was
permitted due to permissive mode.]
SELinux denied access requested by sshd. It is not expected that this access is
required by sshd and this access may signal an intrusion attempt. It is also
possible that the specific version or configuration of the application is
causing it to require additional access.
Allowing Access:
You can generate a local policy module to allow this access - see FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable
SELinux protection altogether. Disabling SELinux protection is not recommended.
Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
against this package.
Additional Information:
Source Context system_u:system_r:sshd_t:s0-s0:c0.c1023
Target Context system_u:system_r:initrc_t:s0
Target Objects None [ udp_socket ]
Source sshd
Source Path /usr/sbin/sshd
Port <Unknown>
Host repan.regent.e-technik.tu-muenchen.de
Source RPM Packages openssh-server-4.7p1-4.fc8
Target RPM Packages
Policy RPM selinux-policy-3.0.8-93.fc8
Selinux Enabled True
Policy Type targeted
MLS Enabled True
Enforcing Mode Permissive
Plugin Name catchall
Host Name repan.regent.e-technik.tu-muenchen.de
Platform Linux repan.regent.e-technik.tu-muenchen.de
2.6.24.3-50.fc8 #1 SMP Thu Mar 20 14:47:10 EDT
2008 i686 i686
Alert Count 8
First Seen Mon Mar 31 11:15:28 2008
Last Seen Thu Apr 3 10:27:49 2008
Local ID 27a6d581-4491-4982-a7e7-ae17b6edad4b
Line Numbers
Raw Audit Messages
host=repan.regent.e-technik.tu-muenchen.de type=AVC msg=audit(1207211269.496:427): avc: denied { write } for pid=5324 comm="sshd" lport=7001 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:initrc_t:s0 tclass=udp_socket
host=repan.regent.e-technik.tu-muenchen.de type=SYSCALL msg=audit(1207211269.496:427): arch=40000003 syscall=33 success=no exit=-2 a0=bfc84137 a1=0 a2=46300c a3=b880cd20 items=0 ppid=2204 pid=5324 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) comm="sshd" exe="/usr/sbin/sshd" subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 key=(null)
harroot@repan[8] sealert -l 85f67f82-0bde-4514-ad9f-30a46e7e3bd8
Summary:
SELinux is preventing dbus-daemon (system_dbusd_t) "write" to ./V2774 (usr_t).
Detailed Description:
[SELinux is in permissive mode, the operation would have been denied but was
permitted due to permissive mode.]
SELinux denied access requested by dbus-daemon. It is not expected that this
access is required by dbus-daemon and this access may signal an intrusion
attempt. It is also possible that the specific version or configuration of the
application is causing it to require additional access.
Allowing Access:
Sometimes labeling problems can cause SELinux denials. You could try to restore
the default system file context for ./V2774,
restorecon -v './V2774'
If this does not work, there is currently no automatic way to allow this access.
Instead, you can generate a local policy module to allow this access - see FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable
SELinux protection altogether. Disabling SELinux protection is not recommended.
Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
against this package.
Additional Information:
Source Context system_u:system_r:system_dbusd_t:s0
Target Context system_u:object_r:usr_t:s0
Target Objects ./V2774 [ file ]
Source dbus-daemon
Source Path /bin/dbus-daemon
Port <Unknown>
Host repan.regent.e-technik.tu-muenchen.de
Source RPM Packages dbus-1.1.2-9.fc8
Target RPM Packages
Policy RPM selinux-policy-3.0.8-93.fc8
Selinux Enabled True
Policy Type targeted
MLS Enabled True
Enforcing Mode Permissive
Plugin Name catchall_file
Host Name repan.regent.e-technik.tu-muenchen.de
Platform Linux repan.regent.e-technik.tu-muenchen.de
2.6.24.3-50.fc8 #1 SMP Thu Mar 20 14:47:10 EDT
2008 i686 i686
Alert Count 1
First Seen Thu Apr 3 10:42:26 2008
Last Seen Thu Apr 3 10:42:26 2008
Local ID 85f67f82-0bde-4514-ad9f-30a46e7e3bd8
Line Numbers
Raw Audit Messages
host=repan.regent.e-technik.tu-muenchen.de type=AVC msg=audit(1207212146.467:439): avc: denied { write } for pid=2021 comm="dbus-daemon" name="V2774" dev=dm-0 ino=25075960 scontext=system_u:system_r:system_dbusd_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file
host=repan.regent.e-technik.tu-muenchen.de type=SYSCALL msg=audit(1207212146.467:439): arch=40000003 syscall=5 success=no exit=-2 a0=b995de38 a1=98800 a2=0 a3=0 items=0 ppid=1 pid=2021 auid=4294967295 uid=81 gid=81 euid=81 suid=81 fsuid=81 egid=81 sgid=81 fsgid=81 tty=(none) comm="dbus-daemon" exe="/bin/dbus-daemon" subj=system_u:system_r:system_dbusd_t:s0 key=(null)
Hans
--
Hans Ranke Ranke@tum.de
Lehrstuhl fuer Institute for
Entwurfsautomatisierung Electronic Design Automation
Technische Universitaet Muenchen, Germany
Phone +49 89 289 23660 Fax +49 89 289 63666