action #174178

open

[security][tumbleweed] Add sealert tests to setroubleshootd

Added by tjyrinki_suse 3 months ago. Updated 17 days ago.

Status: Blocked
Priority: Normal
Assignee:
Category: -
Target version: -
Start date:
Due date:
% Done: 50%
Estimated time: 8.00 h
Difficulty:
Tags:

Description

Motivation

Test sealert tool on SELinux enabled Tumbleweed.

Acceptance Criteria

  1. Run commands that add and trigger an alert, as in the example below. Alerts can be listed with either -l "*" (all alerts) or -l specific_UUID (one alert).

localhost:~ # sealert -l "*" || echo "FAILED"
localhost:~ # touch /tmp/pokusny_kralik && chcon -t httpd_sys_content_t /tmp/pokusny_kralik
localhost:~ # journalctl -u setroubleshootd.service | grep pokusny_kralik
localhost:~ # runcon -u guest_u -r guest_r -t user_tmp_t -- cat /tmp/pokusny_kralik;sleep 10
localhost:~ # sealert_command=$(journalctl -u setroubleshootd.service | grep -m 1 pokusny_kralik|grep -o "sealert.*")
localhost:~ # sealert -l 350d88fb-70f9-4e7a-a1b2-0a06615abfd2
localhost:~ # $sealert_command

The output should look something like the following:

SELinux is preventing pokusny_kralik from 'read, write' accesses on the chr_file /dev/pts/0.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that pokusny_kralik should be allowed read write access on the 0 chr_file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.

Allow the access for now by executing:
# ausearch -c 'pokusny_kralik' --raw | audit2allow -M my-pokusnykralik
# semodule -X 300 -i my-pokusnykralik.pp

followed by additional information such as:

Additional Information:
Source Context                guest_u:guest_r:user_tmp_t:s0
Target Context                unconfined_u:object_r:devpts_t:s0
Target Objects                /dev/pts/0 [ chr_file ]
Source                        pokusny_kralik
Source Path                   pokusny_kralik
Port                          <Unknown>
...
...
...

After that, one can run:

localhost:~ # analyze log -a 
localhost:~ # ausearch -m AVC > test_output
localhost:~ # jsealert -a

Then fix the AVC denial using the suggested plugin (e.g. the case where a boolean is the predictable fix):

localhost:~ # getsebool -a | less (choose some boolean)
localhost:~ # sealert -f UUID
localhost:~ # getsebool -a | grep $chosen
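An added shell example, not part of this ticket or of the openQA test code, that scripts the checks above: it extracts the `sealert -l <UUID>` hint setroubleshootd writes to the journal for the test file and, for the workaround mentioned in Actions #11, reads the alert id straight from a `sealert -a` report and verifies its key fields. It runs offline on constructed sample text; the exact journal line format, hostname and pid are assumptions.

```shell
#!/bin/sh
# Added example (not part of ticket #174178 or os-autoinst-distri-opensuse):
# helpers for automating the sealert checks described above. They parse
# constructed sample text; on a real host feed them the live output of
# `journalctl -u setroubleshootd.service` and `sealert -a /var/log/audit/audit.log`.

# Constructed journal line in the form setroubleshootd logs a new denial
# (hostname, pid and wording are assumed; the UUID is the one from the ticket).
SAMPLE_JOURNAL='Feb 18 11:23:10 twselinux setroubleshoot[4100]: SELinux is preventing pokusny_kralik from read, write access on the chr_file /dev/pts/0. For complete SELinux messages run: sealert -l 350d88fb-70f9-4e7a-a1b2-0a06615abfd2'

# Constructed excerpt modelled on the `sealert -a` report quoted in Actions #8.
SAMPLE_REPORT='Source Context                unconfined_u:unconfined_r:unconfined_t:s0
Target Context                guest_u:guest_r:user_tmp_t:s0
Source                        runcon
Enforcing Mode                Enforcing
Alert Count                   14
Local ID                      89f7cd7b-cfdf-42e9-b08b-bfdc5ce4b815'

# Acceptance-criteria step: pull the "sealert -l <UUID>" hint for a given
# test file out of the journal text (first match only, like the ticket's grep -m 1).
sealert_cmd_from_journal() {  # $1 = journal text, $2 = file name to look for
    printf '%s\n' "$1" | grep -m 1 -F "$2" | grep -o 'sealert -l [0-9a-f-]*'
}

# Workaround from Actions #11: take the alert id from a `sealert -a` report
# instead of from the (currently empty) `sealert -l "*"` listing.
alert_id_from_report() {      # $1 = report text
    printf '%s\n' "$1" | awk '/^Local ID/ { print $3 }'
}

# Verify that a report describes a real denial, in enforcing mode, for the
# expected source process. Returns 0 on success, 1 on the first mismatch.
check_report() {              # $1 = report text, $2 = expected "Source" value
    src=$(printf '%s\n' "$1" | awk '$1 == "Source" && NF == 2 { print $2 }')
    mode=$(printf '%s\n' "$1" | awk '/^Enforcing Mode/ { print $3 }')
    count=$(printf '%s\n' "$1" | awk '/^Alert Count/ { print $3 }')
    [ "$src" = "$2" ] || { echo "unexpected source: $src" >&2; return 1; }
    [ "$mode" = "Enforcing" ] || { echo "not enforcing: $mode" >&2; return 1; }
    [ "${count:-0}" -gt 0 ] || { echo "no alerts counted" >&2; return 1; }
    return 0
}

# Stand-alone demonstration on the constructed samples.
echo "journal hint : $(sealert_cmd_from_journal "$SAMPLE_JOURNAL" pokusny_kralik)"
echo "report id    : $(alert_id_from_report "$SAMPLE_REPORT")"
check_report "$SAMPLE_REPORT" runcon && echo "report check : OK"
```

On a live system the string returned by `sealert_cmd_from_journal` is the command to run next, which is what the `$sealert_command` step above does.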

Further Information

See ticket #174175 for the related basic setroubleshootd testing.


Related issues 2 (1 open, 1 closed)

Related to openQA Tests (public) - action #174175: [security][tumbleweed] Add setroubleshootd tests (Resolved, amanzini)
Blocks openQA Tests (public) - action #174184: [security][tumbleweed] Add sealert GUI tests to setroubleshootd (Blocked)
Actions #1

Updated by tjyrinki_suse 3 months ago

  • Related to action #174175: [security][tumbleweed] Add setroubleshootd tests added
Actions #2

Updated by tjyrinki_suse 3 months ago

  • Description updated (diff)
Actions #3

Updated by tjyrinki_suse 3 months ago

  • Description updated (diff)
Actions #4

Updated by tjyrinki_suse 3 months ago

  • Blocks action #174184: [security][tumbleweed] Add sealert GUI tests to setroubleshootd added
Actions #5

Updated by tjyrinki_suse about 1 month ago

  • Status changed from New to Workable
  • Estimated time set to 8.00 h

This could be workable now that other changes and standard setroubleshootd tests have been added.

Actions #6

Updated by amanzini 20 days ago

  • Assignee set to amanzini
Actions #7

Updated by amanzini 19 days ago

  • Status changed from Workable to In Progress
Actions #8

Updated by amanzini 19 days ago · Edited

Testing on a just-installed Tumbleweed.

# cat /etc/os-release 
NAME="openSUSE Tumbleweed"
# VERSION="20250216"
ID="opensuse-tumbleweed"
ID_LIKE="opensuse suse"
VERSION_ID="20250216"
PRETTY_NAME="openSUSE Tumbleweed"
ANSI_COLOR="0;32"
# CPE 2.3 format, boo#1217921
CPE_NAME="cpe:2.3:o:opensuse:tumbleweed:20250216:*:*:*:*:*:*:*"
#CPE 2.2 format
#CPE_NAME="cpe:/o:opensuse:tumbleweed:20250216"
BUG_REPORT_URL="https://bugzilla.opensuse.org"
SUPPORT_URL="https://bugs.opensuse.org"
HOME_URL="https://www.opensuse.org"
DOCUMENTATION_URL="https://en.opensuse.org/Portal:Tumbleweed"
LOGO="distributor-logo-Tumbleweed"

Reproducing steps seem not correct? In the journal for setroubleshootd I can only see start-stop of the service:

#journalctl -eu setroubleshootd
Feb 18 10:05:35 twselinux systemd[1]: Starting SETroubleshoot daemon for processing new SELinux denial logs...
Feb 18 10:05:35 twselinux systemd[1]: Started SETroubleshoot daemon for processing new SELinux denial logs.
Feb 18 10:05:52 twselinux systemd[1]: setroubleshootd.service: Deactivated successfully.
Feb 18 10:07:13 twselinux systemd[1]: Starting SETroubleshoot daemon for processing new SELinux denial logs...
Feb 18 10:07:13 twselinux systemd[1]: Started SETroubleshoot daemon for processing new SELinux denial logs.
Feb 18 10:07:23 twselinux systemd[1]: setroubleshootd.service: Deactivated successfully.
Feb 18 10:10:40 twselinux systemd[1]: Starting SETroubleshoot daemon for processing new SELinux denial logs...
Feb 18 10:10:41 twselinux systemd[1]: Started SETroubleshoot daemon for processing new SELinux denial logs.
Feb 18 10:10:51 twselinux systemd[1]: setroubleshootd.service: Deactivated successfully.
Feb 18 10:15:53 twselinux systemd[1]: Starting SETroubleshoot daemon for processing new SELinux denial logs...
Feb 18 10:15:53 twselinux systemd[1]: Started SETroubleshoot daemon for processing new SELinux denial logs.
Feb 18 10:16:03 twselinux systemd[1]: setroubleshootd.service: Deactivated successfully.
Feb 18 10:16:39 twselinux systemd[1]: Starting SETroubleshoot daemon for processing new SELinux denial logs...
Feb 18 10:16:39 twselinux systemd[1]: Started SETroubleshoot daemon for processing new SELinux denial logs.
Feb 18 10:16:49 twselinux systemd[1]: setroubleshootd.service: Deactivated successfully.
Feb 18 10:32:36 twselinux systemd[1]: Starting SETroubleshoot daemon for processing new SELinux denial logs...
Feb 18 10:32:36 twselinux systemd[1]: Started SETroubleshoot daemon for processing new SELinux denial logs.
Feb 18 10:32:46 twselinux systemd[1]: setroubleshootd.service: Deactivated successfully.
Feb 18 10:36:21 twselinux systemd[1]: Starting SETroubleshoot daemon for processing new SELinux denial logs...
Feb 18 10:36:21 twselinux systemd[1]: Started SETroubleshoot daemon for processing new SELinux denial logs.
Feb 18 10:36:35 twselinux systemd[1]: setroubleshootd.service: Deactivated successfully.
Feb 18 11:06:30 twselinux systemd[1]: Starting SETroubleshoot daemon for processing new SELinux denial logs...
Feb 18 11:06:30 twselinux systemd[1]: Started SETroubleshoot daemon for processing new SELinux denial logs.
Feb 18 11:06:41 twselinux systemd[1]: setroubleshootd.service: Deactivated successfully.
Feb 18 11:32:46 twselinux systemd[1]: Starting SETroubleshoot daemon for processing new SELinux denial logs...
Feb 18 11:32:46 twselinux systemd[1]: Started SETroubleshoot daemon for processing new SELinux denial logs.
Feb 18 11:32:56 twselinux systemd[1]: setroubleshootd.service: Deactivated successfully.
Feb 18 11:33:05 twselinux systemd[1]: Starting SETroubleshoot daemon for processing new SELinux denial logs...
Feb 18 11:33:05 twselinux systemd[1]: Started SETroubleshoot daemon for processing new SELinux denial logs.
Feb 18 11:33:16 twselinux systemd[1]: setroubleshootd.service: Deactivated successfully.

while deny alerts can be found in audit.log:

twselinux:~ # sealert -a /var/log/audit/audit.log 
100% done
found 1 alerts in /var/log/audit/audit.log
--------------------------------------------------------------------------------

SELinux is preventing runcon from using the transition access on a process.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that runcon should be allowed transition access on processes labeled user_tmp_t by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'runcon' --raw | audit2allow -M my-runcon
# semodule -X 300 -i my-runcon.pp


Additional Information:
Source Context                unconfined_u:unconfined_r:unconfined_t:s0
Target Context                guest_u:guest_r:user_tmp_t:s0
Target Objects                /usr/bin/cat [ process ]
Source                        runcon
Source Path                   runcon
Port                          <Unknown>
Host                          <Unknown>
Source RPM Packages           
Target RPM Packages           coreutils-9.6-1.1.x86_64
SELinux Policy RPM            selinux-policy-targeted-20250212-1.2.noarch
Local Policy RPM              selinux-policy-targeted-20250212-1.2.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     twselinux
Platform                      Linux twselinux 6.13.2-1-default #1 SMP
                              PREEMPT_DYNAMIC Mon Feb 10 09:00:08 UTC 2025
                              (306384d) x86_64 x86_64
Alert Count                   14
First Seen                    2025-02-18 11:23:10 CET
Last Seen                     2025-02-18 12:33:57 CET
Local ID                      89f7cd7b-cfdf-42e9-b08b-bfdc5ce4b815

Raw Audit Messages
type=AVC msg=audit(1739878437.666:424): avc:  denied  { transition } for  pid=4094 comm="runcon" path="/usr/bin/cat" dev="vda2" ino=33461 scontext=unconfined_u:unconfined_r:unconfined_t:s0 tcontext=guest_u:guest_r:user_tmp_t:s0 tclass=process permissive=0


Hash: runcon,unconfined_t,user_tmp_t,process,transition

twselinux:~ # sealert -l 89f7cd7b-cfdf-42e9-b08b-bfdc5ce4b815 
Error
query_alerts error (1003): id (89f7cd7b-cfdf-42e9-b08b-bfdc5ce4b815) not found
twselinux:~ # sealert -l "*"
twselinux:~ # sestatus 
SELinux status:                 enabled
SELinuxfs mount:                /sys/fs/selinux
SELinux root directory:         /etc/selinux
Loaded policy name:             targeted
Current mode:                   enforcing
Mode from config file:          enforcing
Policy MLS status:              enabled
Policy deny_unknown status:     allowed
Memory protection checking:     actual (secure)
Max kernel policy version:      33

Notice also that sealert -l '*' does not give any output.

Actions #9

Updated by amanzini 19 days ago

Identified issue caused by a missing dependency in the package. Filed https://bugzilla.suse.com/show_bug.cgi?id=1237302

Actions #10

Updated by amanzini 18 days ago

  • % Done changed from 0 to 20
Actions #11

Updated by amanzini 18 days ago

  • % Done changed from 20 to 30

Kinda slow progress due to https://bugzilla.suse.com/show_bug.cgi?id=1237388.
We can consider running a partial test using sealert -a /var/log/audit/audit.log as an event source and switch to sealert -l once the bug is cleared.

Actions #12

Updated by amanzini 17 days ago

  • Status changed from In Progress to Blocked
  • % Done changed from 30 to 50