From: sven.vermeulen@siphos.be (Sven Vermeulen)
Date: Wed, 9 Apr 2014 18:52:38 +0200
Subject: [refpolicy] [PATCH 2/5] Fix avc_context_to_raw assertion (avc_running) failure upon running groupadd or useradd
In-Reply-To: <533F10FD.2000909@tresys.com>
References: <1395779408-29213-1-git-send-email-sven.vermeulen@siphos.be> <1395779408-29213-3-git-send-email-sven.vermeulen@siphos.be> <533F10FD.2000909@tresys.com>
Message-ID: <20140409165238.GA24282@siphos.be>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On Fri, Apr 04, 2014 at 04:07:25PM -0400, Christopher J. PeBenito wrote:
> On 03/25/2014 04:30 PM, Sven Vermeulen wrote:
> > When trying to create a group, the following error occurs:
> >
> > ~# groupadd test
> > groupadd: avc.c:74: avc_context_to_sid_raw: Assertion `avc_running' failed.
> > zsh: abort      groupadd test
> >
> > In the denial logs, the following AVC denial is shown:
> >
> > Jan 23 13:57:17 maelstrom kernel: [11395.396588] type=1400 audit(1390481837.876:989): avc: denied { create } for pid=14296 comm="groupadd" scontext=staff_u:sysadm_r:groupadd_t tcontext=staff_u:sysadm_r:groupadd_t tclass=netlink_selinux_socket
> >
> > In permissive mode, we notice that it both creates and binds to the
> > netlink_selinux_socket.
> >
> > Same with useradd.
> >
> > Allowing the create/bind fixes the problem.
>
> I think we should start a new seutil interface which provides the
> necessary access for domains that have a userspace AVC. However, since
> this seems to only initialize a userspace AVC to do context_to_sid_raw,
> I wonder if it makes sense to keep this explicit netlink_selinux_socket
> access.

[...]

> > +allow groupadd_t self:netlink_selinux_socket { bind create };

Hi Chris & refpolicy folks,

I'm afraid I don't follow.
I understand that the netlink_selinux_socket class is related to userspace SELinux support (the netlink interface for interaction between userspace and the kernel towards the SELinux subsystem), but you lost me at "to only initialize a userspace AVC to do context_to_sid_raw". Do you mean that the permissions (bind + create) do not really mean that there is any communication otherwise (as there is no send_msg/recv_msg)? If so, does this then mean that the application shouldn't be calling avc_context_to_sid_raw at all?

Wkr,
  Sven Vermeulen
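The mapping from the quoted AVC denial to the allow rule in the patch, as an added example that is not part of this thread or of refpolicy: it parses audit lines of the format shown above into refpolicy-style allow rules, folding the target into `self` where source and target types match. The first sample line is the denial from the thread; the second is constructed to stand for the bind denial that permissive mode reveals.

```python
import re
from collections import defaultdict

# Constructed sample input: the create denial quoted in the thread, plus a
# second line written here to represent the bind denial seen in permissive mode.
SAMPLE_AUDIT = """\
Jan 23 13:57:17 maelstrom kernel: [11395.396588] type=1400 audit(1390481837.876:989): avc: denied { create } for pid=14296 comm="groupadd" scontext=staff_u:sysadm_r:groupadd_t tcontext=staff_u:sysadm_r:groupadd_t tclass=netlink_selinux_socket
Jan 23 13:57:17 maelstrom kernel: [11395.396712] type=1400 audit(1390481837.877:990): avc: denied { bind } for pid=14296 comm="groupadd" scontext=staff_u:sysadm_r:groupadd_t tcontext=staff_u:sysadm_r:groupadd_t tclass=netlink_selinux_socket
"""

# Captures the denied permission set and the three fields that decide the rule.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)


def parse_denials(text):
    """Yield (source_type, target_type, tclass, perm) for every AVC denial line."""
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue
        # Context is user:role:type[:range]; the type is the third field.
        stype = m.group("scontext").split(":")[2]
        ttype = m.group("tcontext").split(":")[2]
        for perm in m.group("perms").split():
            yield stype, ttype, m.group("tclass"), perm


def allow_rules(text):
    """Collapse denials into allow rules, one per (source, target, class),
    using 'self' when source and target types are identical."""
    perms = defaultdict(set)
    for stype, ttype, tclass, perm in parse_denials(text):
        target = "self" if stype == ttype else ttype
        perms[(stype, target, tclass)].add(perm)
    return [
        f"allow {s} {t}:{c} {{ {' '.join(sorted(p))} }};"
        for (s, t, c), p in sorted(perms.items())
    ]


if __name__ == "__main__":
    for rule in allow_rules(SAMPLE_AUDIT):
        print(rule)
```

Run on the sample it emits the single rule from the patch, `allow groupadd_t self:netlink_selinux_socket { bind create };`.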