Trying to execute some HIDS Samhain commands raises an SELinux permission error (it works in permissive mode, not in enforcing):
Code:
--------- sh_readconf.c --- 433 ---------
Could not open the local configuration file for reading because
of the following error: Permission denied (errnum = -1041)
If this is a permission problem, you need to change file permissions
to make the file readable for the effective UID: 0
----------------------------------------------
ALERT : [2022-02-18T14:12:53+0000] msg=<PANIC - File not accessible>, userid=<0>, path=</etc/samhainrc>
ALERT : [2022-02-18T14:12:53+0000] msg=<EXIT>, program=<Samhain>, status=<exit_failure>
The received denial is:
Code:
root@unknown7:~# journalctl -xe | grep "denied" | grep "samhain"
Feb 18 14:01:32 unknown7 audit[2273]: AVC avc: denied { getattr } for pid=2273 comm="samhain" path="/etc/samhainrc" dev="mmcblk0p2" ino=41107 scontext=root:sysadm_r:sysadm_t:s0 tcontext=system_u:object_r:samhain_etc_t:s15:c0.c1023 tclass=file permissive=1
So using audit2allow:
Code:
cat samhain.log | audit2allow samhain > samhain.te
cat samhain.te
root@unknown7:~# cat samhain.te
#============= sysadm_t ==============
#!!!! This avc is a constraint violation. You would need to modify the attributes of either the source or target types to allow this access.
#Constraint rule:
mlsconstrain file { relabelto } ((h1 dom h2 -Fail-) ); Constraint DENIED
mlsconstrain file { read getattr execute } ((l1 dom l2 -Fail-) or (t1 == { system_cronjob_t ksmtuned_t logwatch_t sssd_t virtd_t } -Fail-) and (h1 dom l2 -Fail-) or (t1 == { pam_console_t kernel_t bootloader_t consoletype_t crond_t cupsd_t system_dbusd_t devicekit_disk_t dmidecode_t dpkg_t dpkg_script_t fsadm_t getty_t hald_t init_t initrc_t iptables_t kudzu_t local_login_t auditctl_t auditd_t klogd_t syslogd_t logrotate_t lvm_t mcelog_t mount_t NetworkManager_t quota_t mdadm_t readahead_t remote_login_t rlogind_t rpm_t rpm_script_t rshd_t secadm_t load_policy_t newrole_t semanage_t setfiles_t setrans_t fsdaemon_t sshd_t tmpreaper_t udev_t vbetool_t xguest_wm_t xdm_t } -Fail-) or (t2 == { devtty_t null_device_t ptmx_t security_t zero_device_t crond_t cupsd_t cupsd_var_run_t initctl_t devlog_t syslogd_t setrans_var_run_t sssd_t sssd_var_lib_t svirt_var_run_t virt_log_t } -Fail-) ); Constraint DENIED
mlsconstrain file { write create setattr relabelfrom append unlink link rename mounton } ((l1 eq l2 -Fail-) or (t1 == { devicekit_disk_t lvm_t shutdown_t virtd_t } -Fail-) and (h1 dom l2 -Fail-) and (l1 domby l2) or (t2 == printer_device_t -Fail-) and (l1 dom l2 -Fail-) and (h1 domby h2) or (t1 == { auditadm_su_t pam_console_t kernel_t bootloader_t consoletype_t crond_t cupsd_t dpkg_t dpkg_script_t fsadm_t ftpd_t getty_t init_t initrc_t kudzu_t local_login_t auditd_t audisp_t syslogd_t logrotate_t insmod_t mount_t mdadm_t remote_login_t rlogind_t rpm_t rpm_script_t rshd_t samhain_t samhaind_t secadm_t secadm_su_t newrole_t semanage_t setfiles_t setrans_t sshd_t sysadm_su_t tmpreaper_t udev_t passwd_t vbetool_t vlock_t xguest_wm_t xdm_t } -Fail-) or (t2 == { devtty_t null_device_t ptmx_t security_t zero_device_t crond_t cupsd_t cupsd_var_run_t initctl_t devlog_t syslogd_t setrans_var_run_t sssd_t sssd_var_lib_t svirt_var_run_t virt_log_t } -Fail-) ); Constraint DENIED
# Possible cause is the source user (root) and target user (system_u) are different.
# Possible cause is the source level (s0) and target level (s15:c0.c1023) are different.
allow sysadm_t samhain_etc_t:file getattr;
Adding such lines to sysadm.te or samhain.te has no effect.
Any way to solve this permission issue?
When
Code:
#!!!! This avc is a constraint violation. You would need to modify the attributes of either the source or target types to allow this access.
#Constraint rule:
and
Code:
# Possible cause is the source user (root) and target user (system_u) are different.
# Possible cause is the source level (s0) and target level (s15:c0.c1023) are different.
lines are involved, it seems that the usual audit2allow strategy is not working.
Any ideas?
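The AVC line above is an MLS constraint failure rather than a type-enforcement gap, so an `allow` rule from audit2allow cannot satisfy it. The following added example (not part of the post or of Samhain) parses an AVC denial, extracts the MLS levels of the subject and object, and checks the `l1 dom l2` / `l1 eq l2` constraints that audit2allow printed; the second AVC line it checks is constructed for illustration.

```python
import re

# Fields of an AVC denial as written by the kernel audit subsystem.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+)\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)
# From the mlsconstrain rules in the audit2allow output: reads need l1 dom l2,
# writes (in the simple case) need l1 eq l2.
READ_LIKE = {"read", "getattr", "execute"}
WRITE_LIKE = {"write", "create", "setattr", "append", "unlink", "link", "rename"}

def parse_categories(spec):
    """'c0.c1023' -> {0..1023}; 'c1,c5.c7' -> {1,5,6,7}; '' -> empty set."""
    cats = set()
    for part in filter(None, spec.split(",")):
        lo, _, hi = part.partition(".")
        cats.update(range(int(lo[1:]), int((hi or lo)[1:]) + 1))
    return cats

def parse_level(level):
    """'s15:c0.c1023' -> (15, {0..1023}); 's0' -> (0, set())."""
    sens, _, cats = level.partition(":")
    return int(sens[1:]), parse_categories(cats)

def parse_context(ctx):
    """Split user:role:type:low[-high] into its parts, levels parsed."""
    user, role, type_, mls = ctx.split(":", 3)
    low, _, high = mls.partition("-")
    return {"user": user, "role": role, "type": type_,
            "low": parse_level(low), "high": parse_level(high or low)}

def dominates(a, b):
    """MLS 'dom': higher-or-equal sensitivity and a superset of categories."""
    return a[0] >= b[0] and a[1] >= b[1]

def explain_denial(line):
    """Return why the access was denied and whether a plain allow rule would help."""
    m = AVC_RE.search(line)
    if not m:
        return None
    src, tgt = parse_context(m["scontext"]), parse_context(m["tcontext"])
    perms = set(m["perms"].split())
    mls_ok = True
    if perms & READ_LIKE:
        mls_ok &= dominates(src["low"], tgt["low"])
    if perms & WRITE_LIKE:
        mls_ok &= src["low"] == tgt["low"]
    return {"type_rule": f"allow {src['type']} {tgt['type']}:{m['tclass']} {{ {' '.join(sorted(perms))} }};",
            "mls_constraint_satisfied": mls_ok,
            "user_mismatch": src["user"] != tgt["user"],
            "fixable_by_allow_rule": mls_ok}
```

When `mls_constraint_satisfied` is false, the remedy is to change the label of the file or the range of the process (as the audit2allow comment says), not to add the printed allow rule.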