SELinux, confined users and Systemtap

While we’re waiting for CVE-2016-5195 to be patched, RedHat released a workaround for the most common form of the exploit being run in the wild. It uses systemtap to block access to mem_write function.

I wanted to apply it and started tests, only to find that stap returned EPERM while loading the module! As I’m running with SELinux enabled, I checked the /var/log/audit/audit.log. Surprisingly there was no AVCs with deny! Although most of the calls are audited, you can mark some to be silently dropped by audit. You can disable that filter using semanage dontaudit off. I run stap again and… bingo!

1
2
3

type=AVC msg=audit(1477060612.940:562): avc:  denied  { sys_module } for  pid=8331 comm="staprun" capability=16  scontext=staff_u:sysadm_r:sysadm_t:s0-s0:c0.c1023 tcontext=staff_u:sysadm_r:sysadm_t:s0-s0:c0.c1023 tclass=capability

type=SYSCALL msg=audit(1477060612.940:562): arch=c000003e syscall=175 success=no exit=-1 a0=7ff92877b010 a1=24d96 a2=7ff928e921f0 a3=53 items=0 ppid=7828 pid=8331 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=3 comm="staprun" exe="/usr/bin/staprun" subj=staff_u:sysadm_r:sysadm_t:s0-s0:c0.c1023 key=(null)

Apparently SELinux is blocking loading of the module. I checked the comments on the RedHat KB article and no one else was hit by that problem. I tested in on another vm and it worked fine. Something wasn’t right, but I had a clue!

The affected system runs with confined users and I run the stap within staff_u:sysadm_r:sysadm_t:s0-s0:c0.c1023 context. On the system it worked fine, I run the command in unconfined domain. Suspecting a bug in SELinux policy, I generated the policy module:

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16

# grep staprun /var/log/audit/audit.log | audit2allow -M local_stap

To make this policy package active, execute:

semodule -i local_stap.pp

# cat local_stap.te
module local_stap 1.0;

require {
    type sysadm_t;
    class capability sys_module;
}

#============= sysadm_t ==============
allow sysadm_t self:capability sys_module;

and loaded it with semodule -i local_stap.pp.

I rerun stap command with workaround and this time it worked as expected! Don’t forget to disable auditing everything as it can easly fill out /var/log: semanage dontaudit on.