#565 Issue closed: SELinux denied message

Labels: bug, fixed / solved / done

goldzahn opened issue at 2015-03-17 10:09:

Hi,

In RHEL 7 we run SELinux in enforcing mode (targeted policy) with the boolean "deny_execmem=1" so that execmem is always denied in the unconfined domain. This leads to an SELinux denied message while running "rear mkrescue" (rear 1.17):

type=SYSCALL msg=audit(1426579245.727:87599): arch=c000003e syscall=9 success=no exit=-13 a0=0 a1=10000 a2=7 a3=22 items=0 ppid=18245 pid=18720 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=4294967295 comm="grep" exe="/usr/bin/grep" subj=unconfined_u:unconfined_r:unconfined_t:s0 key=(null)
type=AVC msg=audit(1426579245.727:87599): avc: denied { execmem } for pid=18720 comm="grep" scontext=unconfined_u:unconfined_r:unconfined_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0 tclass=process

In bugzilla I found a similar grep related problem which was caused by "grep -P" (https://bugzilla.redhat.com/show_bug.cgi?id=1079534)

grep -P seems to be used in the following rear scripts:

layout/save/GNU/Linux/51_current_disk_usage.sh
output/USB/Linux-i386/30_create_extlinux.sh
output/USB/Linux-i386/85_make_USB_bootable.sh
prep/TAPE/default/40_check_tape_drive.sh
prep/USB/Linux-i386/35_check_usb_disk.sh

Maybe it would be possible to do it without -P? Setting deny_execmem=0 is not really an option for security reasons.

Best regards
Goldzahn

gdha commented at 2015-03-19 12:16:

@goldzahn Thank you for reporting this - proper SELinux support is important - need time to investigate the possibilities. You may always prepare a pull request if you have time and tested your changes properly.

gdha commented at 2015-12-11 10:04:

See also pull request #737

gdha commented at 2015-12-11 10:10:

@goldzahn If you have some time, could you test out the git version of rear, which now includes the pull request #737?

goldzahn commented at 2015-12-11 13:58:

@gdha Still produces the AVC. The pull request changed two scripts, but there are 4 more scripts using "-P".
Running grep -Enr "grep -[a-zA-Z]{0,6}P":
/usr/share/rear/layout/save/GNU/Linux/51_current_disk_usage.sh:5:df -Plh |grep -vP '^(encfs)' > $VAR_DIR/layout/config/df.txt
/usr/share/rear/output/USB/Linux-i386/30_create_extlinux.sh:6: strings $file | grep -P -m1 "^(EXT|SYS)LINUX \d+.\d+" | cut -d' ' -f2
/usr/share/rear/prep/TAPE/default/40_check_tape_drive.sh:22:grep -qP '\bONLINE\b' "$TMP_DIR/tape_status"
/usr/share/rear/prep/USB/Linux-i386/35_check_usb_disk.sh:12 StopIfError "USB device '$USB_DEVICE' is already mounted on $(grep -P "^$REAL_USB_DEVICE\s" /proc/mounts | cut -d' ' -f2 |tail -1)"
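
The remaining four "grep -P" calls listed above can be rewritten without PCRE, which is what makes grep JIT-compile into executable memory and trip deny_execmem. The script below is an added example, not rear's own code; the sample df, strings, tape-status and /proc/mounts contents are constructed stand-ins, and the dot in the EXTLINUX version pattern is escaped here although rear's original left it unescaped.

```shell
#!/bin/sh
# PCRE-free equivalents of the four "grep -P" uses in the listed rear scripts.
# No -P anywhere, so grep never needs writable+executable memory (execmem).

# Constructed stand-ins for the output of df, strings, mt status and /proc/mounts.
DF_SAMPLE='Filesystem Size Used Avail Use% Mounted on
/dev/sda1 20G 5G 15G 25% /
encfs 1G 0 1G 0% /home/user/private'
STRINGS_SAMPLE='foo
EXTLINUX 6.03 20150201
bar'
TAPE_SAMPLE='Drive status: ONLINE IM_REP_EN'
MOUNTS_SAMPLE='/dev/sda1 / xfs rw 0 0
/dev/sdb1 /mnt/usb vfat rw 0 0
/dev/sdb10 /mnt/other vfat rw 0 0'

# 51_current_disk_usage.sh: "grep -vP '^(encfs)'" needs no PCRE, a plain BRE does it.
filter_encfs() { printf '%s\n' "$DF_SAMPLE" | grep -v '^encfs'; }

# 30_create_extlinux.sh: \d is PCRE-only; ERE spells it [0-9].
extlinux_version() {
    printf '%s\n' "$STRINGS_SAMPLE" \
        | grep -E -m1 '^(EXT|SYS)LINUX [0-9]+\.[0-9]+' | cut -d' ' -f2
}

# 40_check_tape_drive.sh: \bONLINE\b becomes -w (match whole words only).
tape_online() { printf '%s\n' "$TAPE_SAMPLE" | grep -qw 'ONLINE'; }

# 35_check_usb_disk.sh: \s becomes [[:space:]]; the anchor plus the trailing
# blank keeps /dev/sdb1 from also matching /dev/sdb10.
usb_mountpoint() {
    printf '%s\n' "$MOUNTS_SAMPLE" \
        | grep -E "^$1[[:space:]]" | cut -d' ' -f2 | tail -1
}

# Audit helper: report any script under $1 that still has -P in a grep flag
# cluster (same expression used in the comment above).
find_grep_p() { grep -Enr 'grep -[a-zA-Z]{0,6}P' "$1"; }
```

On a box with deny_execmem=1 you can confirm the rewrite with `ausearch -m avc -c grep` after running it, which should report no new denials.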

gdha commented at 2015-12-11 16:34:

@goldzahn I just did a full recovery with Selinux and everything seems to work fine. Could you confirm?

goldzahn commented at 2015-12-16 13:58:

@gdha Yes, I can. Now everything seems to be fine. I could run "rear checklayout", "rear mkrescue" and also a full recovery of an SELinux-enabled RHEL 7 VM without problems (deny_execmem=1 was set).
Thanks

[Export of Github issue for rear/rear.]