Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

BUG: PATH record contains (null) for file descriptor operation #140

Open
cgzones opened this issue Sep 12, 2022 · 2 comments
Open

BUG: PATH record contains (null) for file descriptor operation #140

cgzones opened this issue Sep 12, 2022 · 2 comments
Labels
bug

Comments

@cgzones
Copy link
Contributor

cgzones commented Sep 12, 2022

System: Debian sid
Kernel: Linux hostname 5.19.0-1-amd64 #1 SMP PREEMPT_DYNAMIC Debian 5.19.6-1 (2022-09-01) x86_64 GNU/Linux
Auditd: 3.0.9

Triggering a SELinux denial on a file descriptor operation (e.g. fchmod(2)) creates an audit record path field with a name of (null).
Since the path of the file descriptor is exported by reading the symlink target of /proc/<PID>/fd/<FD> the audit subsystem should be able to provide it.

time->Fri Sep  9 17:09:59 2022
type=PROCTITLE msg=audit(1662736199.136:580): proctitle=2F7573722F6C6F63616C2F62696E2F74657374002F6574632F706173737764
type=PATH msg=audit(1662736199.136:580): item=0 name=(null) inode=917101 dev=fe:01 mode=0100644 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:conf_t:s0 nametype=NORMAL cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0
type=CWD msg=audit(1662736199.136:580): cwd="/home/christian"
type=SYSCALL msg=audit(1662736199.136:580): arch=c000003e syscall=91 success=no exit=-13 a0=3 a1=1a0 a2=0 a3=70495e20e660 items=1 ppid=2340 pid=91666 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts6 ses=3 comm="test" exe="/usr/local/bin/test" subj=xuser_u:xuser_r:xuser_t:s0 key=(null)
type=AVC msg=audit(1662736199.136:580): avc:  denied  { setattr } for  pid=91666 comm="test" name="passwd" dev="dm-1" ino=917101 scontext=xuser_u:xuser_r:xuser_t:s0 tcontext=system_u:object_r:conf_t:s0 tclass=file permissive=0

type=PROCTITLE msg=audit(09/09/22 17:09:59.136:580) : proctitle=/usr/local/bin/test /etc/passwd 
type=PATH msg=audit(09/09/22 17:09:59.136:580) : item=0 name=(null) inode=917101 dev=fe:01 mode=file,644 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:conf_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 
type=CWD msg=audit(09/09/22 17:09:59.136:580) : cwd=/home/christian 
type=SYSCALL msg=audit(09/09/22 17:09:59.136:580) : arch=x86_64 syscall=fchmod success=no exit=EACCES(Permission denied) a0=0x3 a1=0640 a2=0x0 a3=0x70495e20e660 items=1 ppid=2340 pid=91666 auid=christian uid=christian gid=christian euid=christian suid=christian fsuid=christian egid=christian sgid=christian fsgid=christian tty=pts6 ses=3 comm=test exe=/usr/local/bin/test subj=xuser_u:xuser_r:xuser_t:s0 key=(null) 
type=AVC msg=audit(09/09/22 17:09:59.136:580) : avc:  denied  { setattr } for  pid=91666 comm=test name=passwd dev="dm-1" ino=917101 scontext=xuser_u:xuser_r:xuser_t:s0 tcontext=system_u:object_r:conf_t:s0 tclass=file permissive=0
@cgzones cgzones mentioned this issue Sep 12, 2022
Closed
@freedom1b2830
Copy link

in the latest Arch Linux (last used a month ago) observed this bug.

@hqh2010
Copy link

hqh2010 commented Jul 28, 2023

@cgzones
https://github.com/linux-audit/audit-kernel/pulls

@pcmoore pcmoore added the bug label Feb 14, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
bug
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
4 participants
@cgzones @pcmoore @hqh2010 @freedom1b2830