While we’re waiting for CVE-2016-5195 to be patched, Red Hat released a workaround for the most common form of the exploit seen in the wild. It uses SystemTap to block access to the mem_write function.
I wanted to apply it and started testing, only to find that stap returned EPERM while loading the module! As I’m running with SELinux enabled, I checked /var/log/audit/audit.log. Surprisingly, there were no AVC denials in it. Although most access checks are audited, the policy can mark some denials as dontaudit so that they are silently dropped. You can disable that filtering with semanage dontaudit off. I ran stap again and… bingo!
type=AVC msg=audit(1477060612.940:562): avc: denied { sys_module } for pid=8331 comm="staprun" capability=16 scontext=staff_u:sysadm_r:sysadm_t:s0-s0:c0.c1023 tcontext=staff_u:sysadm_r:sysadm_t:s0-s0:c0.c1023 tclass=capability
type=SYSCALL msg=audit(1477060612.940:562): arch=c000003e syscall=175 success=no exit=-1 a0=7ff92877b010 a1=24d96 a2=7ff928e921f0 a3=53 items=0 ppid=7828 pid=8331 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=3 comm="staprun" exe="/usr/bin/staprun" subj=staff_u:sysadm_r:sysadm_t:s0-s0:c0.c1023 key=(null)
Apparently SELinux was blocking the module load. I checked the comments on the Red Hat KB article and no one else had hit that problem. I tested it on another VM and it worked fine. Something wasn’t right, but I had a clue!
The affected system runs with confined users, and I ran stap within the staff_u:sysadm_r:sysadm_t:s0-s0:c0.c1023 context. On the system where it worked fine, I ran the command in an unconfined domain. Suspecting a bug in the SELinux policy, I generated a policy module:
# grep staprun /var/log/audit/audit.log | audit2allow -M local_stap
******************** IMPORTANT ***********************
To make this policy package active, execute:

semodule -i local_stap.pp

# cat local_stap.te
module local_stap 1.0;

require {
	type sysadm_t;
	class capability sys_module;
}

#============= sysadm_t ==============
allow sysadm_t self:capability sys_module;

and loaded it with semodule -i local_stap.pp.
I reran the stap command with the workaround, and this time it worked as expected!
Don’t forget to turn the dontaudit rules back on, as auditing everything can easily fill /var/log: semanage dontaudit on.
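The audit2allow step above, reduced to its essentials as an added example (not the post’s own code and not the real audit2allow): parse the AVC record quoted earlier, group denied permissions by source type, target and class, and render the same .te module. The sample log text is constructed from the record in the post; the function names are mine.

```python
import re

# Constructed sample input: the AVC and SYSCALL records quoted in the post.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1477060612.940:562): avc: denied { sys_module } for pid=8331 comm="staprun" capability=16 scontext=staff_u:sysadm_r:sysadm_t:s0-s0:c0.c1023 tcontext=staff_u:sysadm_r:sysadm_t:s0-s0:c0.c1023 tclass=capability
type=SYSCALL msg=audit(1477060612.940:562): arch=c000003e syscall=175 success=no exit=-1 comm="staprun" exe="/usr/bin/staprun"
"""

AVC_RE = re.compile(
    r'type=AVC\b.*?avc:\s+denied\s+\{\s*(?P<perms>[^}]+)\}.*?comm="(?P<comm>[^"]*)"'
    r'.*?scontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\S+)'
)

def selinux_type(context):
    """user:role:type[:range] -> type (the part policy rules are written against)."""
    return context.split(":")[2]

def parse_denials(log_text, comm=None):
    """Map (source type, target, class) -> denied permissions; comm filters like the
    grep in the post; 'self' replaces a target type equal to the source type."""
    rules = {}
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m or (comm and m.group("comm") != comm):
            continue
        stype, ttype = selinux_type(m.group("scon")), selinux_type(m.group("tcon"))
        key = (stype, "self" if stype == ttype else ttype, m.group("tclass"))
        rules.setdefault(key, set()).update(m.group("perms").split())
    return rules

def fmt_perms(perms):
    """One permission bare, several in braces, as audit2allow prints them."""
    perms = sorted(perms)
    return perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"

def generate_te(rules, name="local_stap", version="1.0"):
    """Render the rules as policy module source (.te) in audit2allow's layout."""
    types = {s for s, _, _ in rules} | {t for _, t, _ in rules if t != "self"}
    classes = {}
    for (_, _, tclass), perms in rules.items():
        classes.setdefault(tclass, set()).update(perms)
    out = [f"module {name} {version};", "", "require {"]
    out += [f"\ttype {t};" for t in sorted(types)]
    out += [f"\tclass {c} {fmt_perms(p)};" for c, p in sorted(classes.items())]
    out += ["}", ""]
    for (stype, target, tclass), perms in sorted(rules.items()):
        out.append(f"#============= {stype} ==============")
        out.append(f"allow {stype} {target}:{tclass} {fmt_perms(perms)};")
    return "\n".join(out) + "\n"
```

Read the generated rule before loading it: sys_module lets sysadm_t load any kernel module, so keep the allow rule limited to what the workaround needs.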