From: cpebenito@tresys.com (Christopher J. PeBenito)
Date: Fri, 4 Apr 2014 16:07:25 -0400
Subject: [refpolicy] [PATCH 2/5] Fix avc_context_to_raw assertion (avc_running) failure upon running groupadd or useradd
In-Reply-To: <1395779408-29213-3-git-send-email-sven.vermeulen@siphos.be>
References: <1395779408-29213-1-git-send-email-sven.vermeulen@siphos.be> <1395779408-29213-3-git-send-email-sven.vermeulen@siphos.be>
Message-ID: <533F10FD.2000909@tresys.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On 03/25/2014 04:30 PM, Sven Vermeulen wrote:
> When trying to create a group, the following error occurs:
>
> ~# groupadd test
> groupadd: avc.c:74: avc_context_to_sid_raw: Assertion `avc_running' failed.
> zsh: abort groupadd test
>
> In the denial logs, the following AVC denial is shown:
>
> Jan 23 13:57:17 maelstrom kernel: [11395.396588] type=1400 audit(1390481837.876:989): avc: denied { create } for pid=14296 comm="groupadd" scontext=staff_u:sysadm_r:groupadd_t tcontext=staff_u:sysadm_r:groupadd_t tclass=netlink_selinux_socket
>
> In permissive mode, we notice that it both creates and binds to the netlink_selinux_socket.
>
> Same with useradd.
>
> Allowing the create/bind fixes the problem.

I think we should start a new seutil interface which provides the necessary access for domains that have a userspace AVC. However, since this seems to only initialize a userspace AVC to do context_to_sid_raw, I wonder if it makes sense to keep this explicit netlink_selinux_socket access.

> Signed-off-by: Sven Vermeulen
> ---
> policy/modules/admin/usermanage.te | 2 ++
> 1 file changed, 2 insertions(+)
>
> diff --git a/policy/modules/admin/usermanage.te b/policy/modules/admin/usermanage.te
> index 74be7ef..8e1308c 100644
> --- a/policy/modules/admin/usermanage.te
> +++ b/policy/modules/admin/usermanage.te
> @@ -199,6 +199,7 @@ allow groupadd_t self:shm create_shm_perms; > allow groupadd_t self:sem create_sem_perms; > allow groupadd_t self:msgq create_msgq_perms; > allow groupadd_t self:msg { send receive }; > +allow groupadd_t self:netlink_selinux_socket { bind create }; > allow groupadd_t self:unix_dgram_socket create_socket_perms; > allow groupadd_t self:unix_stream_socket create_stream_socket_perms; > allow groupadd_t self:unix_dgram_socket sendto; > @@ -459,6 +460,7 @@ allow useradd_t self:shm create_shm_perms; > allow useradd_t self:sem create_sem_perms; > allow useradd_t self:msgq create_msgq_perms; > allow useradd_t self:msg { send receive }; > +allow useradd_t self:netlink_selinux_socket { bind create }; > allow useradd_t self:unix_dgram_socket create_socket_perms; > allow useradd_t self:unix_stream_socket create_stream_socket_perms; > allow useradd_t self:unix_dgram_socket sendto; > -- Chris PeBenito Tresys Technology, LLC www.tresys.com | oss.tresys.com
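Review bot: the groupadd_t hunk (`+allow groupadd_t self:netlink_selinux_socket { bind create };`) hard-codes a raw self rule that is repeated verbatim for useradd_t further down; as the reply suggests, the access belongs in a shared seutil interface for domains that run a userspace AVC, so both callers get it from one place and any later change to the permission set is made once. Note also that the quoted AVC denial only shows `create`; the `bind` permission rests on the permissive-mode observation in the commit message, so the rule (or the interface that replaces it) should carry a comment saying the userspace AVC both creates and binds the netlink_selinux_socket.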
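Review bot: the useradd_t hunk (`+allow useradd_t self:netlink_selinux_socket { bind create };`) is the same rule as the groupadd_t one and should go through the same seutil interface rather than a second copy; before either copy is committed, the open question in the reply still needs an answer, namely whether a domain that only initializes the userspace AVC to perform context_to_sid_raw should be granted explicit netlink_selinux_socket access at all, or whether the conversion can be done without a running AVC.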
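The commit message above turns one AVC denial line into a policy rule by hand. The following added example, not part of the thread or of refpolicy, shows that translation in code: it parses kernel AVC denial lines into (source type, target, class, permissions), collapses a same-context target to `self`, merges permissions per (source, target, class) and emits the refpolicy-style `allow` rule. The first sample line is the denial quoted in the mail; the second is a constructed `bind` denial standing in for what the commit message says appears in permissive mode. The regex and the helper names are this example's own assumptions; real policy work uses audit2allow, and a generated rule is only a starting point that still needs the kind of review this thread applies (should it be an interface, should the access exist at all).

```python
import re

# Constructed sample input. Line 1 is the denial quoted in the mail;
# line 2 is constructed to represent the bind denial the commit message
# says shows up in permissive mode.
SAMPLE_AUDIT_LINES = [
    'Jan 23 13:57:17 maelstrom kernel: [11395.396588] type=1400 '
    'audit(1390481837.876:989): avc: denied { create } for pid=14296 '
    'comm="groupadd" scontext=staff_u:sysadm_r:groupadd_t '
    'tcontext=staff_u:sysadm_r:groupadd_t tclass=netlink_selinux_socket',
    'Jan 23 13:57:17 maelstrom kernel: [11395.396590] type=1400 '
    'audit(1390481837.876:990): avc: denied { bind } for pid=14296 '
    'comm="groupadd" scontext=staff_u:sysadm_r:groupadd_t '
    'tcontext=staff_u:sysadm_r:groupadd_t tclass=netlink_selinux_socket',
]

# Assumed log shape: "avc: denied { perm ... } for ... scontext=... tcontext=... tclass=..."
# Whitespace is matched loosely because kernels pad the "denied" line with extra spaces.
AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+.*?'
    r'scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)'
)


def context_type(ctx):
    """Return the type field of a user:role:type[:level] security context."""
    return ctx.split(":")[2]


def parse_avc(line):
    """Parse one AVC denial line; return None for lines that are not denials."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    return {
        "perms": set(m.group("perms").split()),
        "source": context_type(m.group("scontext")),
        "target": context_type(m.group("tcontext")),
        "tclass": m.group("tclass"),
    }


def denials_to_rules(lines):
    """Merge denials into refpolicy-style allow rules, one per (source, target, class)."""
    merged = {}
    for line in lines:
        d = parse_avc(line)
        if d is None:
            continue
        # A process accessing its own context is written as "self" in policy.
        target = "self" if d["source"] == d["target"] else d["target"]
        merged.setdefault((d["source"], target, d["tclass"]), set()).update(d["perms"])

    rules = []
    for (src, tgt, cls), perms in sorted(merged.items()):
        ordered = sorted(perms)
        perm_str = ordered[0] if len(ordered) == 1 else "{ " + " ".join(ordered) + " }"
        rules.append(f"allow {src} {tgt}:{cls} {perm_str};")
    return rules


if __name__ == "__main__":
    for rule in denials_to_rules(SAMPLE_AUDIT_LINES):
        print(rule)
```

Running the block prints `allow groupadd_t self:netlink_selinux_socket { bind create };`, which is exactly the line the patch adds for groupadd_t; the point of seeing it generated is that the generator cannot tell you whether that rule should live in usermanage.te or behind a seutil interface, which is the question the reply raises.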