Description
Describe the bug
We are seeing a handful of AVC denials for system packages/utilities on AL2023 with SELinux set to enforcing.
To Reproduce
Steps to reproduce the behavior:
- set SELinux to enforcing
- reboot
- run through the AVC denials using `ausearch`, `audit2allow`, etc. — see denials for things installed by the distro
Expected behavior
No errors from OS packages/binaries.
Additional context
Sample errors (in every case the confined domain is denied `write` on its own executable: the `scontext` domain's matching `*_exec_t` type is the `tcontext`, and `name=` is the binary itself):
agetty:
[ 2169.299193] audit: type=1400 audit(1737679530.227:1339): avc: denied { write } for pid=24469 comm="agetty" name="agetty" dev="nvme0n1p1" ino=2740348 scontext=system_u:system_r:getty_t:s0-s0:c0.c1023 tcontext=system_u:object_r:getty_exec_t:s0 tclass=file permissive=0
systemd-hostnamed:
[ 1593.836724] audit: type=1400 audit(1737678954.774:1227): avc: denied { write } for pid=20911 comm="systemd-hostnam" name="systemd-hostnamed" dev="nvme0n1p1" ino=3051267 scontext=system_u:system_r:systemd_hostnamed_t:s0 tcontext=system_u:object_r:systemd_hostnamed_exec_t:s0 tclass=file permissive=0
systemd-sysctl:
[ 6364.970535] audit: type=1400 audit(1737683725.842:2867): avc: denied { write } for pid=59367 comm="systemd-sysctl" name="systemd-sysctl" dev="nvme0n1p1" ino=3079890 scontext=system_u:system_r:systemd_sysctl_t:s0-s0:c0.c1023 tcontext=system_u:object_r:systemd_sysctl_exec_t:s0 tclass=file permissive=0
systemd-user-runtime-dir:
[ 2179.440022] audit: type=1400 audit(1737679540.366:1350): avc: denied { write } for pid=24591 comm="systemd-user-ru" name="systemd-user-runtime-dir" dev="nvme0n1p1" ino=3051285 scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u:object_r:systemd_logind_exec_t:s0 tclass=file permissive=0
systemd-userwork:
[ 7391.521785] audit: type=1400 audit(1737684752.208:3161): avc: denied { write } for pid=65670 comm="systemd-userwor" name="systemd-userwork" dev="nvme0n1p1" ino=3051288 scontext=system_u:system_r:systemd_userdbd_t:s0 tcontext=system_u:object_r:systemd_userdbd_exec_t:s0 tclass=file permissive=0
xtables-nft-multi (invoked as both `iptables` and `ip6tables`):
[ 7452.598338] audit: type=1400 audit(1737684813.457:3196): avc: denied { write } for pid=66027 comm="iptables" name="xtables-nft-multi" dev="nvme0n1p1" ino=3037588 scontext=system_u:system_r:iptables_t:s0-s0:c0.c1023 tcontext=system_u:object_r:iptables_exec_t:s0 tclass=file permissive=0
[ 7452.794450] audit: type=1400 audit(1737684813.457:3197): avc: denied { write } for pid=66028 comm="ip6tables" name="xtables-nft-multi" dev="nvme0n1p1" ino=3037588 scontext=system_u:system_r:iptables_t:s0-s0:c0.c1023 tcontext=system_u:object_r:iptables_exec_t:s0 tclass=file permissive=0
SELinux contexts of the binaries:
# ls -lZ /usr/sbin/agetty /usr/lib/systemd/systemd-hostnamed /usr/lib/systemd/systemd-sysctl /usr/lib/systemd/systemd-user-runtime-dir /usr/lib/systemd/systemd-userwork /usr/sbin/xtables-nft-multi
-rwxr-xr-x. 1 root root system_u:object_r:systemd_hostnamed_exec_t:s0 53920 Jun 17 2024 /usr/lib/systemd/systemd-hostnamed
-rwxr-xr-x. 1 root root system_u:object_r:systemd_sysctl_exec_t:s0 28960 Jun 17 2024 /usr/lib/systemd/systemd-sysctl
-rwxr-xr-x. 1 root root system_u:object_r:systemd_logind_exec_t:s0 24544 Jun 17 2024 /usr/lib/systemd/systemd-user-runtime-dir
-rwxr-xr-x. 1 root root system_u:object_r:systemd_userdbd_exec_t:s0 32992 Jun 17 2024 /usr/lib/systemd/systemd-userwork
-rwxr-xr-x. 1 root root system_u:object_r:getty_exec_t:s0 58856 Mar 20 2024 /usr/sbin/agetty
-rwxr-xr-x. 1 root root system_u:object_r:iptables_exec_t:s0 229608 Jan 31 2023 /usr/sbin/xtables-nft-multi
Packages those binaries came from:
# rpm -qf /usr/sbin/agetty /usr/lib/systemd/systemd-hostnamed /usr/lib/systemd/systemd-sysctl /usr/lib/systemd/systemd-user-runtime-dir /usr/lib/systemd/systemd-userwork /usr/sbin/xtables-nft-multi
util-linux-core-2.37.4-1.amzn2023.0.4.x86_64
systemd-252.23-2.amzn2023.x86_64
systemd-udev-252.23-2.amzn2023.x86_64
systemd-252.23-2.amzn2023.x86_64
systemd-252.23-2.amzn2023.x86_64
iptables-nft-1.8.8-3.amzn2023.0.2.x86_64
Sample output of `audit2allow -d -r -v`:
# NOTE(review): every rule generated below grants a confined domain `write` on
# its own *_exec_t binary (e.g. getty_t -> getty_exec_t). That is not a
# permission a daemon or utility normally needs, and installing this module
# as-is would let a process running in any of these domains modify its own
# executable on disk -- exactly the kind of integrity violation the policy is
# meant to stop. Treat this output as a diagnostic of what was denied, not as
# the fix.
# The AVC records above do not show which syscall attempted the write
# (exe="" path="" in the generated comments). The paired SYSCALL records
# (e.g. `ausearch -m avc,syscall`) would show the operation that opened the
# binary for writing. If those attempts turn out to be benign (an open that
# fails and is tolerated by the caller), a `dontaudit` rule is the appropriate
# policy change rather than `allow`.
require {
type systemd_userdbd_exec_t;
type getty_t;
type iptables_t;
type getty_exec_t;
type systemd_sysctl_exec_t;
type systemd_hostnamed_t;
type iptables_exec_t;
type systemd_sysctl_t;
type systemd_userdbd_t;
type systemd_logind_t;
type systemd_logind_exec_t;
type systemd_hostnamed_exec_t;
class file write;
}
#============= getty_t ==============
# src="getty_t" tgt="getty_exec_t" class="file", perms="write"
# comm="agetty" exe="" path=""
allow getty_t getty_exec_t:file write;
#============= iptables_t ==============
# src="iptables_t" tgt="iptables_exec_t" class="file", perms="write"
# comm="iptables" exe="" path=""
# Both the iptables and ip6tables denials above map to this one rule: the
# binary is xtables-nft-multi (iptables_exec_t) in each case.
allow iptables_t iptables_exec_t:file write;
#============= systemd_hostnamed_t ==============
# src="systemd_hostnamed_t" tgt="systemd_hostnamed_exec_t" class="file", perms="write"
# comm="systemd-hostnam" exe="" path=""
# comm= is truncated by the kernel, so "systemd-hostnam" is systemd-hostnamed
# (the name= field in the AVC record carries the full file name).
allow systemd_hostnamed_t systemd_hostnamed_exec_t:file write;
#============= systemd_logind_t ==============
# src="systemd_logind_t" tgt="systemd_logind_exec_t" class="file", perms="write"
# comm="systemd-user-ru" exe="" path=""
# The denied binary here is systemd-user-runtime-dir, which is labelled
# systemd_logind_exec_t (see the ls -lZ output above), not a logind binary.
allow systemd_logind_t systemd_logind_exec_t:file write;
#============= systemd_sysctl_t ==============
# src="systemd_sysctl_t" tgt="systemd_sysctl_exec_t" class="file", perms="write"
# comm="systemd-sysctl" exe="" path=""
allow systemd_sysctl_t systemd_sysctl_exec_t:file write;
#============= systemd_userdbd_t ==============
# src="systemd_userdbd_t" tgt="systemd_userdbd_exec_t" class="file", perms="write"
# comm="systemd-userwor" exe="" path=""
allow systemd_userdbd_t systemd_userdbd_exec_t:file write;