Selinux permission denied and no log in audit.log

So you execute a script and get a “Permission denied” and you know you have enabled SELinux. OK to disable the selinux is not an option (and never will be), so the first thing to check is the audit log to see what is the error and what the selinux tools will offer to solve it.

But there are no entries in the audit log when you execute your script!

So you decide to temporarily disable the selinux to check if this permission denied issues is still caused by it with:

setenforce 0

And the script just executes fine no error! Then again you put back the Enforcing with:

setenforce 1
./myscript
Permission Denied

And NO added lines in audit.log (/var/log/audit/audit.log in our system!). Apparently the logging is just fine, because it got sometime entries, but when executing our script, which is just a simple:

 
find /mnt/storA/servers/webroots/

After some research it appeared that

not all AVC denials may be logged when SELinux denies access.

Too many applications and system libraries check for permissions, which might not use or even need after that and the logging could grow exponentially or be less informative for the real cause of a problem!

So to solve such problems in many selinux rules there is a directive to silence the AVC denial:

dontaudit

which could be temporary disabled by

semodule -DB

This command will disable the dontaudit in the selinux rules and will rebuild them and reload the new build!
Then you can enable it again with:

semodule -B

* A real world example

It’s always interesting when it is involved selinux and monitoring agent like nagios-nrpe checking some directories or devices. You know a process, which suppose to answer if something works or not should have access to this thing, but selinux follows

the model of least-privilege

really closely!

Here is our case we have a bash script with the simple find command, which need to check directories for existence of files for the last 1 minutes. And we got every time “Permission denied” when executing

find /mnt/storA/servers/webroots/

We’ve already added two additional rules:

[root@srv ~]# cat nrpe-http-search.te

module nrpe-http-search 1.0;

require {
        type nrpe_t;
        type httpd_sys_rw_content_t;
        class dir search;
}

#============= nrpe_t ==============
allow nrpe_t httpd_sys_rw_content_t:dir search;
[root@srv ~]# cat nrpe-http-all.te

module nrpe-http-all 1.0;

require {
        type nrpe_t;
        type httpd_sys_rw_content_t;
        class dir read;
}

#============= nrpe_t ==============
allow nrpe_t httpd_sys_rw_content_t:dir read;
[root@srv ~]#

The audit log was clean and still “Permission Denied”!

And after disabling the “dontaudit” rules it immediately showed what is wrong:

type=AVC msg=audit(1546778575.434:4431): avc:  denied  { read } for  pid=19176 comm="find" name="site1-docroot" dev="sda4" ino=508854809 scontext=system_u:system_r:nrpe_t:s0 tcontext=unconfined_u:object_r:httpd_sys_rw_content_t:s0 tclass=lnk_file permissive=0
type=SYSCALL msg=audit(1546778575.434:4431): arch=c000003e syscall=262 success=no exit=-13 a0=ffffffffffffff9c a1=9d4028 a2=9d3f98 a3=100 items=0 ppid=19174 pid=19176 auid=4294967295 uid=996 gid=993 euid=996 suid=996 fsuid=996 egid=993 sgid=993 fsgid=993 tty=(none) ses=4294967295 comm="find" exe="/usr/bin/find" subj=system_u:system_r:nrpe_t:s0 key=(null)
type=PROCTITLE msg=audit(1546778575.434:4431): proctitle=66696E64002F6D6E742F73746F72616765312F736572766572732F7372763230312E6D7974762E62672F726F6F7466732F73746F72616765312F666C762F666C762F6469656D6173706F7274325F6D656469756D5F322E73747265616D2F002D6D617864657074680031002D6D6D696E002D32
type=AVC msg=audit(1546778575.439:4432): avc:  denied  { read } for  pid=19179 comm="find" name="site2-docroot" dev="sda4" ino=508854811 scontext=system_u:system_r:nrpe_t:s0 tcontext=unconfined_u:object_r:httpd_sys_rw_content_t:s0 tclass=lnk_file permissive=0
type=SYSCALL msg=audit(1546778575.439:4432): arch=c000003e syscall=262 success=no exit=-13 a0=ffffffffffffff9c a1=21f0028 a2=21eff98 a3=100 items=0 ppid=19174 pid=19179 auid=4294967295 uid=996 gid=993 euid=996 suid=996 fsuid=996 egid=993 sgid=993 fsgid=993 tty=(none) ses=4294967295 comm="find" exe="/usr/bin/find" subj=system_u:system_r:nrpe_t:s0 key=(null)
type=PROCTITLE msg=audit(1546778575.439:4432): proctitle=66696E64002F6D6E742F73746F72616765312F736572766572732F7372763230312E6D7974762E62672F726F6F7466732F73746F72616765312F666C762F666C762F6E6F766173706F72745F6D656469756D5F322E73747265616D2F002D6D617864657074680031002D6D6D696E002D32
type=AVC msg=audit(1546778575.444:4433): avc:  denied  { read } for  pid=19184 comm="find" name="site3-docroot" dev="sda4" ino=508854815 scontext=system_u:system_r:nrpe_t:s0 tcontext=unconfined_u:object_r:httpd_sys_rw_content_t:s0 tclass=lnk_file permissive=0
type=SYSCALL msg=audit(1546778575.444:4433): arch=c000003e syscall=262 success=no exit=-13 a0=ffffffffffffff9c a1=c52028 a2=c51f98 a3=100 items=0 ppid=19174 pid=19184 auid=4294967295 uid=996 gid=993 euid=996 suid=996 fsuid=996 egid=993 sgid=993 fsgid=993 tty=(none) ses=4294967295 comm="find" exe="/usr/bin/find" subj=system_u:system_r:nrpe_t:s0 key=(null)

If you put the above audit log in a file named text-read and execute:

[root@srv ~]# cat test|audit2allow 


#============= nrpe_t ==============

#!!!! This avc is allowed in the current policy
allow nrpe_t httpd_sys_rw_content_t:lnk_file read;

You got the answer what is wrong! There were symbolic links in the directory “find /mnt/storA/servers/webroots/” and the nrpe_t cannot follow them!
And the solution was:

[root@srv ~]# cat test|audit2allow -M nrpe-links-read
******************** IMPORTANT ***********************
To make this policy package active, execute:

semodule -i nrpe-links-read.pp

[root@srv ~]# semodule -i nrpe-links-read.pp
[root@srv ~]# 

And now our nrpe agent was able to execute our script, which checked all the sub-directories in the web servers’ documentroots for files.

Search the dontaudit rules

In fact nrpe_t nrpe_t SELinux type has 272 rules in our system with “dontaudit”:

sesearch --dontaudit -s nrpe_t
Found 272 semantic av rules:
   dontaudit domain domain : rds_socket { read write } ; 
   dontaudit daemon initrc_t : unix_dgram_socket { read write } ; 
   dontaudit daemon firstboot_t : nfc_socket { read write } ; 
   dontaudit domain domain : tun_socket { read write } ;
....
....
....

We included only the command and 5 lines of output to show you how you can search in the rules for “dontaudit”.

Leave a Reply

Your email address will not be published. Required fields are marked *