[CentOS] SElinux AVC signull

Sean smalder73 at gmail.com
Fri Jan 18 15:17:50 UTC 2019 

Hi Leon,

I don't have access to a CentOS 6.10 system handy, but it looks like a
policy issue.  If I take you're ausearch output and pipe it to
audit2allow on my CentOS 7.6 system, I get the following:

#============= httpd_t ==============

#!!!! This avc is allowed in the current policy
allow httpd_t httpd_sys_script_t:process signull;

Noting that on my 7.6 system with selinux enforcing with selinux
policy packages at version 3.13.1-229, it notes that your denial would
not happen.  If you don't have it installed policycoreutils-python
provides the audit2allow and audit2why binaries which can help you
generate a policy to avoid this denial if you want.

Also, I often find that to truly diagnose the issue, I need to run the
following:

# semodule --disable_dontaudit --build
# setenforce permissive
# tail -f /var/log/audit/audit.log | grep denied | tee ~/denials.out

... then reproduce the problem, and kill the tail.  The resulting
denials.out file will have a lot of unrelated denials, but if you run
audit2allow against the entire file, you'll be able to determine which
ones are not relevant by the comments produced (much like above where
it told us the "avc is allowed").  You can also use this to generate a
custom policy module for your system.

Sometimes there are denials that are not audited which are relevant to
the problem, which seems problematic to me...that there is a default
set of things that get denied but do not appear in the audit logs.
That's a different conversation though.

Anyway, after the data is collected for the denials.out file you can
reset to your normal operating stance...

# semodule --build
# setenforce enforcing

From: Leon Fauster <leonfauster at googlemail.com>
To: CentOS mailing list <centos at centos.org>
Cc:
Bcc:
Date: Thu, 17 Jan 2019 18:35:23 +0100
Subject: [CentOS] SElinux AVC signull
I have some perl scripts running via CGI to print some monitoring
informations out.

# cat /etc/redhat-release
CentOS release 6.10 (Final)

# getenforce
Enforcing

# LANG=C ausearch -m avc --start today
type=SYSCALL msg=audit(1547733474.941:28): arch=c000003e syscall=62
success=no exit=-13 a0=641 a1=0 a2=7f33500079b0 a3=31372f656d6f7268
items=0 ppid=1399 pid=1439 auid=4294967295 uid=48 gid=48 euid=48
suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295
comm="httpd" exe="/opt/rh/httpd24/root/usr/sbin/httpd"
subj=system_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1547733474.941:28): avc:  denied  { signull } for
pid=1439 comm="httpd" scontext=system_u:system_r:httpd_t:s0
tcontext=system_u:system_r:httpd_sys_script_t:s0 tclass=process


I see a lot of such entries but I don't see any service misbehaviour.
All scripts are running fine.

Any hints how to classify this AVC; "Denied Signull"?

More information about the CentOS mailing list