Logs filled with SELinux "audit" spam
Issue description
On my cheza I find that my logs are filled with spam that looks like this. It repeats every 5 seconds:
[ 161.090272] kauditd_printk_skb: 48 callbacks suppressed
[ 161.090277] audit: type=1400 audit(1535135343.421:1634): avc: denied { dac_read_search } for pid=2618 comm="init" capability=2 scontext=u:r:init:s0 tcontext=u:r:init:s0 tclass=cap_userns permissive=0
[ 161.114323] audit: type=1400 audit(1535135343.421:1635): avc: denied { dac_read_search } for pid=2077 comm="init" capability=2 scontext=u:r:init:s0 tcontext=u:r:init:s0 tclass=cap_userns permissive=0
[ 161.132954] audit: type=1400 audit(1535135343.422:1636): avc: denied { dac_read_search } for pid=2077 comm="init" capability=2 scontext=u:r:init:s0 tcontext=u:r:init:s0 tclass=cap_userns permissive=0
[ 161.151583] audit: type=1400 audit(1535135343.422:1637): avc: denied { dac_read_search } for pid=2077 comm="init" capability=2 scontext=u:r:init:s0 tcontext=u:r:init:s0 tclass=cap_userns permissive=0
[ 161.170181] audit: type=1400 audit(1535135343.422:1638): avc: denied { dac_read_search } for pid=2077 comm="init" capability=2 scontext=u:r:init:s0 tcontext=u:r:init:s0 tclass=cap_userns permissive=0
[ 161.188799] audit: type=1400 audit(1535135343.423:1639): avc: denied { dac_read_search } for pid=2077 comm="init" capability=2 scontext=u:r:init:s0 tcontext=u:r:init:s0 tclass=cap_userns permissive=0
[ 161.207406] audit: type=1400 audit(1535135343.423:1640): avc: denied { dac_read_search } for pid=2077 comm="init" capability=2 scontext=u:r:init:s0 tcontext=u:r:init:s0 tclass=cap_userns permissive=0
[ 161.226016] audit: type=1400 audit(1535135343.423:1641): avc: denied { dac_read_search } for pid=2077 comm="init" capability=2 scontext=u:r:init:s0 tcontext=u:r:init:s0 tclass=cap_userns permissive=0
[ 161.244622] audit: type=1400 audit(1535135343.423:1642): avc: denied { dac_read_search } for pid=2077 comm="init" capability=2 scontext=u:r:init:s0 tcontext=u:r:init:s0 tclass=cap_userns permissive=0
[ 161.263233] audit: type=1400 audit(1535135343.427:1643): avc: denied { dac_read_search } for pid=2077 comm="init" capability=2 scontext=u:r:init:s0 tcontext=u:r:init:s0 tclass=cap_userns permissive=0
I've tracked this down to starting at <https://chromium-review.googlesource.com/c/chromiumos/third_party/kernel/+/1165591>. Reverting that CL gets rid of the spam. Can we get a fix for this, please?
,
Aug 24
Removing rickyz@, since I no longer work on Chrome.
,
Sep 20
http://ag/5071180 should take care of this once it makes it through the Android PFQ.
,
Sep 21
Just booted up grunt with the newest ARC++ container and confirmed that the dac_read_search audit messages are gone.
,
Sep 26
This breaks Android CTS.
09/25 14:35:32.991 INFO | utils:0287| [stdout] junit.framework.AssertionFailedError: The following errors were encountered when validating the SELinuxneverallow rule:
09/25 14:35:32.993 INFO | utils:0287| [stdout] neverallow { domain -traced_probes } self:capability dac_read_search;
09/25 14:35:32.994 INFO | utils:0287| [stdout] libsepol.report_failure: neverallow violated by allow sdcardd sdcardd:capability { dac_read_search };
09/25 14:35:32.994 INFO | utils:0287| [stdout] libsepol.report_failure: neverallow violated by allow vold vold:capability { dac_read_search };
09/25 14:35:32.994 INFO | utils:0287| [stdout] libsepol.report_failure: neverallow violated by allow vold_prepare_subdirs vold_prepare_subdirs:capability { dac_read_search };
09/25 14:35:32.994 INFO | utils:0287| [stdout] libsepol.report_failure: neverallow violated by allow init init:capability { dac_read_search };
09/25 14:35:32.994 INFO | utils:0287| [stdout] libsepol.report_failure: neverallow violated by allow postinstall_dexopt postinstall_dexopt:capability { dac_read_search };
09/25 14:35:32.995 INFO | utils:0287| [stdout] libsepol.report_failure: neverallow violated by allow zygote zygote:capability { dac_read_search };
09/25 14:35:32.995 INFO | utils:0287| [stdout] libsepol.report_failure: neverallow violated by allow uncrypt uncrypt:capability { dac_read_search };
09/25 14:35:32.996 INFO | utils:0287| [stdout] libsepol.report_failure: neverallow violated by allow dnsmasq dnsmasq:capability { dac_read_search };
09/25 14:35:32.996 INFO | utils:0287| [stdout] libsepol.report_failure: neverallow violated by allow installd installd:capability { dac_read_search };
09/25 14:35:32.996 INFO | utils:0287| [stdout] libsepol.report_failure: neverallow violated by allow netd netd:capability { dac_read_search };
09/25 14:35:32.996 INFO | utils:0287| [stdout] libsepol.report_failure: neverallow violated by allow vendor_init vendor_init:capability { dac_read_search };
09/25 14:35:32.996 INFO | utils:0287| [stdout] libsepol.report_failure: neverallow violated by allow install_recovery install_recovery:capability { dac_read_search };
09/25 14:35:32.997 INFO | utils:0287| [stdout] libsepol.report_failure: neverallow violated by allow ueventd ueventd:capability { dac_read_search };
09/25 14:35:32.997 INFO | utils:0287| [stdout] libsepol.report_failure: neverallow violated by allow dumpstate dumpstate:capability { dac_read_search };
09/25 14:35:32.997 INFO | utils:0287| [stdout] libsepol.report_failure: neverallow violated by allow lmkd lmkd:capability { dac_read_search };
09/25 14:35:32.997 INFO | utils:0287| [stdout] libsepol.check_assertions: 15 neverallow failures occurred
We should either fix those programs so they don't use dac_read_search or, if it's necessary to use it, silence them with dontaudit.
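The two threads of this discussion, the repeating avc denials in dmesg and the choice between fixing the program, allowing the capability or adding a dontaudit rule, are easier to reason about once the denials are reduced to unique (source domain, class, permission) tuples. The following Python is an added example written for this page, not code from the issue or from the Chrome OS or Android projects: it parses avc lines of the form quoted above (two of them, plus a "callbacks suppressed" line, are embedded as constructed sample input), counts distinct denials, and drafts the dontaudit rule that would silence each one. Field names (`scontext`, `tcontext`, `tclass`, `comm`, `permissive`) are the standard audit fields seen in the log; the `u:r:<type>:s0` context layout assumed by `domain_of` is the Android convention shown in the same lines.

```python
import re
from collections import Counter

# Constructed sample: two dmesg lines of the kind quoted in the issue plus a
# kauditd "callbacks suppressed" line, which carries no denial and must be skipped.
SAMPLE_DMESG = """\
[  161.090272] kauditd_printk_skb: 48 callbacks suppressed
[  161.090277] audit: type=1400 audit(1535135343.421:1634): avc: denied { dac_read_search } for pid=2618 comm="init" capability=2 scontext=u:r:init:s0 tcontext=u:r:init:s0 tclass=cap_userns permissive=0
[  161.114323] audit: type=1400 audit(1535135343.421:1635): avc: denied { dac_read_search } for pid=2077 comm="init" capability=2 scontext=u:r:init:s0 tcontext=u:r:init:s0 tclass=cap_userns permissive=0
"""

# "avc: denied { perm1 perm2 } for key=value key="quoted value" ..."
AVC_RE = re.compile(
    r'avc:\s+(?P<verdict>denied|granted)\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<rest>.*)$'
)
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return a dict for an avc line, or None for anything else (timestamps,
    kauditd rate-limit notices, unrelated kernel messages)."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group('rest'))}
    return {
        'verdict': m.group('verdict'),
        'perms': tuple(m.group('perms').split()),
        'comm': fields.get('comm'),
        'scontext': fields.get('scontext'),
        'tcontext': fields.get('tcontext'),
        'tclass': fields.get('tclass'),
        # permissive=1 means the access was logged but not actually blocked
        'permissive': fields.get('permissive') == '1',
    }


def summarize(text):
    """Count enforced denials by (scontext, tcontext, tclass, perms).
    Thousands of repeated lines collapse to a handful of tuples."""
    counts = Counter()
    for line in text.splitlines():
        rec = parse_avc(line)
        if rec and rec['verdict'] == 'denied' and not rec['permissive']:
            counts[(rec['scontext'], rec['tcontext'], rec['tclass'], rec['perms'])] += 1
    return counts


def domain_of(context):
    # Android contexts look like u:r:<type>:s0; the type is the third field.
    return context.split(':')[2]


def draft_dontaudit(counts):
    """Draft one dontaudit rule per distinct denial. dontaudit only stops the
    logging; it grants nothing, so it cannot trip a neverallow the way an
    equivalent allow rule would. The output is a starting point for review."""
    rules = []
    for (scontext, tcontext, tclass, perms), _ in sorted(counts.items()):
        src = domain_of(scontext)
        target = 'self' if scontext == tcontext else domain_of(tcontext)
        rules.append(f"dontaudit {src} {target}:{tclass} {{ {' '.join(perms)} }};")
    return rules


def report(text):
    """Human-readable triage summary for a dmesg dump."""
    counts = summarize(text)
    lines = [f"{n:6d}  {s} -> {t} {c} {{ {' '.join(p)} }}"
             for (s, t, c, p), n in sorted(counts.items())]
    return "\n".join(lines + ["", "proposed dontaudit rules:"] + draft_dontaudit(counts))


if __name__ == '__main__':
    print(report(SAMPLE_DMESG))
```

Feeding a real `dmesg` capture to `report()` turns the wall of repeated lines into one row per distinct denial, which is the question the thread actually needs answered: how many domains are involved, and is each one a program that should stop requesting the capability or a case for a dontaudit rule. Note that the kauditd rate limit ("48 callbacks suppressed") means the count underestimates the true number of denials; it is the set of tuples, not the count, that drives the policy decision.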
,
Sep 26
,
Sep 26
I got the context. The kernel makes it happen. So maybe we should cherry-pick this back to pi (instead of pi-arc only)?
,
Sep 26
I believe so. Filed b/116685057 for tracking the CTS cherrypick. Let's leave this one as verified.
Comment 1 by bmgordon@chromium.org, Aug 24