RFE: be able to filter out AVCs based on operation and "kmod" field #143
Comments
NOTE: The Red Hat bugzilla entry requires a login and is not publicly accessible.
That's interesting. I haven't traced the code path in question, but an AVC denial indicates that SELinux is blocking the module request due to the loaded policy (i.e. dhcp_t is not allowed to load kernel modules), not because "ipv6.disable" was specified on the kernel command line. Has anyone considered simply making better use of SELinux's `dontaudit` rules to hide these failed module_request operations?
My standpoint is that if not allowed, such denials should rather be exposed than dontaudited.
On 2023-06-06 03:17, Zdeněk Pytela wrote:
> That's correct, and the bz is about rich filtering options for audit.
> This could still miss early events before audit rules are in place.
>
> > Has anyone considered simply making better use of SELinux's `dontaudit` rules to hide these failed module_request operations?
>
> My standpoint is that if not allowed, such denials should rather be exposed than dontaudited.

My first thought was to see if there was a way to configure glibc to disable IPv6, eliminating the source of the problem?
That's a reasonable position; I was simply mentioning it as a solution to the problem.
I personally haven't tried it, but one could block the creation of IPv6 sockets with libseccomp/seccomp by blocking the One could trial this fairly easily with the systemd
Many administrators disable IPv6 using the "ipv6.disable=1" kernel command line parameter.
On SELinux enabled systems (which is the standard), this leads to getting "module_request" AVCs, as shown in the example below:
-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------
type=PROCTITLE msg=audit(2022-10-14 01:31:46.241:157) : proctitle=/usr/sbin/dhcpd -f -cf /etc/dhcp/dhcpd.conf -user dhcpd -group dhcpd --no-pid
type=AVC msg=audit(2022-10-14 01:31:46.241:157) : avc: denied { module_request } for pid=15612 comm=dhcpd kmod="net-pf-10" scontext=system_u:system_r:dhcpd_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=system permissive=0
type=SYSCALL msg=audit(2022-10-14 01:31:46.241:157) : arch=x86_64 syscall=socket success=no exit=EAFNOSUPPORT(Address family not supported by protocol) a0=inet6 a1=SOCK_DGRAM a2=udp a3=0x31 items=0 ppid=1 pid=15612 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=dhcpd exe=/usr/sbin/dhcpd subj=system_u:system_r:dhcpd_t:s0 key=(null)
-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------
This happens because the glibc resolver tries IPv6 in parallel to IPv4.
For now, there is no way to hide this, either with an audit rule or an SELinux rule.
Filtering out every "module_request" denial is not wise, so an enhancement is needed that can filter out only known modules (selected by the "kmod" field), for example.
Steps to Reproduce:
-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------
ddns-update-style interim;
update-static-leases on;
ignore client-updates;
authoritative;
allow booting;
allow bootp;
-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------
Actual results:
AVC
Expected results:
AVC but able to hide it wisely
See also: https://bugzilla.redhat.com/show_bug.cgi?id=2060017
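The request above is for a filter that drops only the known module_request denials while keeping every other AVC visible. As an added example, not part of this issue or of any audit or SELinux project code, the Python below implements that filter as a post-processing step over AVC records: the sample records are constructed after the one quoted in the report (the second and third are invented), and the allowlist name KNOWN_NOISE_KMODS is an assumption.

```python
import re
from typing import Dict, List

# Constructed sample records: the first is modelled on the AVC quoted in the
# issue, the other two are invented to show what the filter must keep.
SAMPLE_AVCS = [
    'type=AVC msg=audit(2022-10-14 01:31:46.241:157) : avc: denied { module_request } '
    'for pid=15612 comm=dhcpd kmod="net-pf-10" scontext=system_u:system_r:dhcpd_t:s0 '
    'tcontext=system_u:system_r:kernel_t:s0 tclass=system permissive=0',
    'type=AVC msg=audit(2022-10-14 01:32:10.003:158) : avc: denied { module_request } '
    'for pid=15640 comm=dhcpd kmod="fake-module-x" scontext=system_u:system_r:dhcpd_t:s0 '
    'tcontext=system_u:system_r:kernel_t:s0 tclass=system permissive=0',
    'type=AVC msg=audit(2022-10-14 01:33:00.500:159) : avc: denied { read } '
    'for pid=15700 comm=dhcpd name="leases" dev="dm-0" ino=1234 '
    'scontext=system_u:system_r:dhcpd_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=file permissive=0',
]

# Assumed allowlist: module_request denials for these kmod values are understood
# noise on hosts booted with ipv6.disable=1 (net-pf-10 is the AF_INET6 alias).
KNOWN_NOISE_KMODS = {"net-pf-10"}

AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*)$')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line: str) -> Dict[str, str]:
    """Return the denied permission(s) and the key=value fields of one AVC record."""
    m = AVC_RE.search(line)
    if not m:
        raise ValueError("not an AVC denial: " + line)
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
    fields["perms"] = m.group("perms").strip()
    return fields

def is_known_noise(avc: Dict[str, str]) -> bool:
    """True only for module_request denials whose kmod is on the allowlist.
    Any other denial (other permission, unknown kmod, missing kmod) is kept."""
    return avc["perms"] == "module_request" and avc.get("kmod") in KNOWN_NOISE_KMODS

def filter_avcs(lines: List[str]) -> List[Dict[str, str]]:
    """Keep every denial except the known module_request noise."""
    return [a for a in map(parse_avc, lines) if not is_known_noise(a)]

if __name__ == "__main__":
    for avc in filter_avcs(SAMPLE_AVCS):
        print(avc["perms"], avc["comm"], avc.get("kmod", "-"), avc["tclass"])
```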