selinux is preventing auditd, acpid and nmb to use /var/run

cwahlgren
Posts: 12
Joined: 2017/03/03 09:06:03

selinux is preventing auditd, acpid and nmb to use /var/run

Post by cwahlgren » 2019/04/12 08:28:15

Hi,

Within a week, on two of my up-to-date VMs (VirtualBox 6) with CentOS 7.6, SELinux is preventing auditd, acpid and nmb from using '/var/run'.
I have other up-to-date VMs with CentOS 7.6 that are using the same services with Enforcing and I'm not seeing this problem there.
The VMs have separate disk images and were created on very different occasions.

Using any SELinux tools (sealert) so far hasn't revealed any denied accesses to /var/run, but for nmb I get this with sealert after setting selinux to permissive:

...

    Raw Audit Messages
    type=AVC msg=audit(1555057352.741:37): avc:  denied  { dac_override } for  pid=2946 comm="nmbd" capability=1  scontext=system_u:system_r:nmbd_t:s0 tcontext=system_u:system_r:nmbd_t:s0 tclass=capability permissive=1


    type=SYSCALL msg=audit(1555057352.741:37): arch=x86_64 syscall=open success=yes exit=ECHILD a0=7ffe9d64e9b8 a1=841 a2=1a4 a3=7ffe9d64e9f8 items=0 ppid=1 pid=2946 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=nmbd exe=/usr/sbin/nmbd subj=system_u:system_r:nmbd_t:s0 key=(null)

    Hash: nmbd,nmbd_t,nmbd_t,capability,dac_override
...

    [root@db-d01 ~]# systemctl status auditd
    ● auditd.service - Security Auditing Service
       Loaded: loaded (/usr/lib/systemd/system/auditd.service; enabled; vendor preset: enabled)
       Active: failed (Result: timeout) since Fri 2019-04-12 09:53:23 CEST; 6min ago
         Docs: man:auditd(8)
               https://github.com/linux-audit/audit-documentation
      Process: 2650 ExecStartPost=/sbin/augenrules --load (code=exited, status=0/SUCCESS)
      Process: 2636 ExecStart=/sbin/auditd (code=exited, status=0/SUCCESS)

    Apr 12 09:51:53 db-d01.test augenrules[2650]: rate_limit 0
    Apr 12 09:51:53 db-d01.test augenrules[2650]: backlog_limit 8192
    Apr 12 09:51:53 db-d01.test augenrules[2650]: lost 0
    Apr 12 09:51:53 db-d01.test augenrules[2650]: backlog 1
    Apr 12 09:51:53 db-d01.test systemd[1]: PID file /var/run/auditd.pid not readable (yet?) after start-post.
    Apr 12 09:53:23 db-d01.test systemd[1]: auditd.service start-post operation timed out. Stopping.
    Apr 12 09:53:23 db-d01.test auditd[2639]: The audit daemon is exiting.
    Apr 12 09:53:23 db-d01.test systemd[1]: Failed to start Security Auditing Service.
    Apr 12 09:53:23 db-d01.test systemd[1]: Unit auditd.service entered failed state.
    Apr 12 09:53:23 db-d01.test systemd[1]: auditd.service failed.
    [root@db-d01 ~]# systemctl status acpid
    ● acpid.service - ACPI Event Daemon
       Loaded: loaded (/usr/lib/systemd/system/acpid.service; enabled; vendor preset: enabled)
       Active: failed (Result: exit-code) since Fri 2019-04-12 09:53:23 CEST; 7min ago
      Process: 2674 ExecStart=/usr/sbin/acpid $OPTIONS (code=exited, status=1/FAILURE)

    Apr 12 09:53:23 db-d01.test systemd[1]: Starting ACPI Event Daemon...
    Apr 12 09:53:23 db-d01.test acpid[2674]: can't open socket /var/run/acpid.socket: Permission denied
    Apr 12 09:53:23 db-d01.test systemd[1]: acpid.service: control process exited, code=exited status=1
    Apr 12 09:53:23 db-d01.test systemd[1]: Failed to start ACPI Event Daemon.
    Apr 12 09:53:23 db-d01.test systemd[1]: Unit acpid.service entered failed state.
    Apr 12 09:53:23 db-d01.test systemd[1]: acpid.service failed.

    [root@db-d01 ~]# systemctl restart nmb
    Job for nmb.service failed because the control process exited with error code. See "systemctl status nmb.service" and "journalctl -xe" for details.
    [root@db-d01 ~]# systemctl status nmb
    ● nmb.service - Samba NMB Daemon
       Loaded: loaded (/usr/lib/systemd/system/nmb.service; enabled; vendor preset: disabled)
       Active: failed (Result: exit-code) since Fri 2019-04-12 10:01:14 CEST; 6s ago
         Docs: man:nmbd(8)
               man:samba(7)
               man:smb.conf(5)
      Process: 3585 ExecStart=/usr/sbin/nmbd --foreground --no-process-group $NMBDOPTIONS (code=exited, status=1/FAILURE)
     Main PID: 3585 (code=exited, status=1/FAILURE)

    Apr 12 10:01:14 db-d01.test systemd[1]: Starting Samba NMB Daemon...
    Apr 12 10:01:14 db-d01.test nmbd[3585]: [2019/04/12 10:01:14.467916,  0] ../lib/util/pidfile.c:204(pidfile_create)
    Apr 12 10:01:14 db-d01.test nmbd[3585]:   pidfile_create: ERROR: Failed to create PID file /run/nmbd.pid (Permission denied)
    Apr 12 10:01:14 db-d01.test systemd[1]: nmb.service: main process exited, code=exited, status=1/FAILURE
    Apr 12 10:01:14 db-d01.test systemd[1]: Failed to start Samba NMB Daemon.
    Apr 12 10:01:14 db-d01.test systemd[1]: Unit nmb.service entered failed state.
    Apr 12 10:01:14 db-d01.test systemd[1]: nmb.service failed.


cwahlgren
Posts: 12
Joined: 2017/03/03 09:06:03

Re: selinux is preventing auditd, acpid and nmb to use /var/run

Post by cwahlgren » 2019/06/04 12:13:50

It seems there were some file system issues on these VMs, as some packages failed RPM verification as well (.so files missing, a lot of changed or missing files under /etc/selinux/targeted/...). Strange that the same "services" were affected on both servers - they don't have a common VDI (Virtual Disk Image).

TrevorH
Site Admin
Posts: 33202
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: selinux is preventing auditd, acpid and nmb to use /var/run

Post by TrevorH » 2019/06/04 16:19:27

/var/run is a symlink to /run which is a filesystem based on tmpfs so will be recreated on each boot.
The future appears to be RHEL or Debian. I think I'm going Debian.
Info for USB installs on http://wiki.centos.org/HowTos/InstallFromUSBkey
CentOS 5 and 6 are deadest, do not use them.
Use the FAQ Luke
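
Added example (not part of the thread, and not code from any poster): the AVC and SYSCALL records in the first post share one audit event id, so they can be joined and the hex `open()` arguments decoded to see what nmbd was attempting when `dac_override` was requested. The function names are hypothetical, the flag values are the x86_64 Linux ones, and the SYSCALL line is the one from the post trimmed to the fields used.

```python
import re
# Records copied from the first post; the SYSCALL line is trimmed to the fields used below.
AUDIT_LOG = """\
type=AVC msg=audit(1555057352.741:37): avc:  denied  { dac_override } for  pid=2946 comm="nmbd" capability=1  scontext=system_u:system_r:nmbd_t:s0 tcontext=system_u:system_r:nmbd_t:s0 tclass=capability permissive=1
type=SYSCALL msg=audit(1555057352.741:37): arch=x86_64 syscall=open success=yes a0=7ffe9d64e9b8 a1=841 a2=1a4 pid=2946 uid=0 euid=0 comm=nmbd exe=/usr/sbin/nmbd
"""
MSG_RE = re.compile(r"type=(\w+) msg=audit\(([\d.]+:\d+)\):")
PERMS_RE = re.compile(r"\{ ([^}]*)\}")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
OPEN_FLAGS = {0o100: "O_CREAT", 0o200: "O_EXCL", 0o1000: "O_TRUNC",
              0o2000: "O_APPEND", 0o4000: "O_NONBLOCK"}  # x86_64 Linux values
ACCESS_MODES = {0: "O_RDONLY", 1: "O_WRONLY", 2: "O_RDWR"}

def parse_events(text):
    """Group audit records by event id (timestamp:serial) -> {record type: fields}."""
    events = {}
    for line in map(str.strip, text.splitlines()):
        m = MSG_RE.match(line)
        if not m:
            continue
        rtype, event_id = m.groups()
        fields = {k: v.strip('"') for k, v in KV_RE.findall(line[m.end():])}
        if rtype == "AVC":
            fields["perms"] = " ".join(PERMS_RE.findall(line)).split()
        events.setdefault(event_id, {})[rtype] = fields
    return events

def decode_open(syscall):
    """Decode the hex a1 (flags) and a2 (mode) arguments of an open() SYSCALL record."""
    flags = int(syscall["a1"], 16)
    names = [ACCESS_MODES.get(flags & 3, "O_ACCMODE?")]
    names += [name for bit, name in OPEN_FLAGS.items() if flags & bit]
    return names, oct(int(syscall["a2"], 16))

def explain_dac_override(events):
    """For each dac_override denial, report the requester and the open() it attempted."""
    findings = []
    for event_id, recs in events.items():
        avc, sc = recs.get("AVC"), recs.get("SYSCALL")
        if not avc or "dac_override" not in avc["perms"]:
            continue
        finding = {"event": event_id, "comm": avc.get("comm"),
                   "domain": avc["scontext"].split(":")[2],
                   "enforced": avc.get("permissive") == "0"}
        if sc and sc.get("syscall") == "open":
            finding["uid"] = sc.get("uid")
            finding["flags"], finding["mode"] = decode_open(sc)
        findings.append(finding)
    return findings
```

The decoded call is a uid 0 `open()` with `O_WRONLY|O_CREAT|O_NONBLOCK` and mode 0644, which is consistent with the PID-file creation that nmbd reports failing in the journal. A `dac_override` request from a uid 0 process creating a file means the ordinary owner/group/other bits on the target path did not grant access, so the ownership and mode of `/run` are worth comparing against a healthy host before any policy rule is considered.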
